From f1a1c6eca1b294f24174d7b0e1f78de46d9d5b05 Mon Sep 17 00:00:00 2001
From: Ben Lipton
Date: Jan 31 2017 09:20:28 +0000
Subject: csrgen: Add a CSR generation profile for user certificates
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta
---
diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am
index c9437f5..2cd6ce2 100644
--- a/install/share/csrgen/Makefile.am
+++ b/install/share/csrgen/Makefile.am
@@ -3,12 +3,15 @@ NULL =
 profiledir = $(IPA_DATA_DIR)/csrgen/profiles
 profile_DATA = \
 profiles/caIPAserviceCert.json \
+ profiles/userCert.json \
 $(NULL)

 ruledir = $(IPA_DATA_DIR)/csrgen/rules
 rule_DATA = \
 rules/dataDNS.json \
+ rules/dataEmail.json \
 rules/dataHostCN.json \
+ rules/dataUsernameCN.json \
 rules/syntaxSAN.json \
 rules/syntaxSubject.json \
 $(NULL)
diff --git a/install/share/csrgen/profiles/userCert.json b/install/share/csrgen/profiles/userCert.json
new file mode 100644
index 0000000..d5f822e
--- /dev/null
+++ b/install/share/csrgen/profiles/userCert.json
@@ -0,0 +1,14 @@
+[
+ {
+ "syntax": "syntaxSubject",
+ "data": [
+ "dataUsernameCN"
+ ]
+ },
+ {
+ "syntax": "syntaxSAN",
+ "data": [
+ "dataEmail"
+ ]
+ }
+]
diff --git a/install/share/csrgen/rules/dataEmail.json b/install/share/csrgen/rules/dataEmail.json
new file mode 100644
index 0000000..cfc1f60
--- /dev/null
+++ b/install/share/csrgen/rules/dataEmail.json
@@ -0,0 +1,12 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "email = {{ipa.datafield(subject.mail.0)}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "email:{{ipa.datafield(subject.mail.0)|quote}}"
+ }
+ ]
+}
diff --git a/install/share/csrgen/rules/dataUsernameCN.json b/install/share/csrgen/rules/dataUsernameCN.json
new file mode 100644
index 0000000..c3e2409
--- /dev/null
+++ b/install/share/csrgen/rules/dataUsernameCN.json
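Review bot: In `rules/dataEmail.json` the openssl rule interpolates `subject.mail.0` into the generated config with no filter, while the certutil rule beside it pipes the same value through `quote`. The mail attribute is directory data, so unless the openssl formatter escapes values somewhere outside this diff, a value containing a newline or config metacharacters (`#`, `$`, `\`) would change how the SAN section is parsed rather than only the address it carries. If the `quote` filter is helper-aware, the line would become `"template": "email = {{ipa.datafield(subject.mail.0)|quote}}"`; otherwise the value should be validated as a single address before rendering. The openssl rule in `rules/dataUsernameCN.json` has the same unfiltered pattern for `subject.uid.0` and the subject base.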
@@ -0,0 +1,12 @@
+{
+ "rules": [
+ {
+ "helper": "openssl",
+ "template": "{{ipa.datafield(config.ipacertificatesubjectbase.0)}}\nCN={{ipa.datafield(subject.uid.0)}}"
+ },
+ {
+ "helper": "certutil",
+ "template": "CN={{ipa.datafield(subject.uid.0)|quote}},{{ipa.datafield(config.ipacertificatesubjectbase.0)|quote}}"
+ }
+ ]
+}
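Review bot: The certutil rule in `rules/dataUsernameCN.json` joins the uid and the subject base into one DN string, and the `quote` filter on each piece (presumably command-line quoting; its definition is not in this diff) does not escape DN metacharacters such as `,`, `+` or `=` inside the uid. Whether that can happen depends on the username policy enforced elsewhere, so the assumption deserves a test with a uid containing those characters, or RFC 4514 escaping of the value before it is placed after `CN=`. Separately, the openssl rule emits the whole subject base on one line ahead of `CN=`, so a multi-RDN base (constructed example: `OU=Example,O=EXAMPLE.TEST`) would end up as a single config entry unless `syntaxSubject`, which is not shown here, splits it.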