freeipa

Clone
Source Code
GIT

#7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs
Closed: fixed 4 years ago by frenaud. Opened 4 years ago by ftweedal.

Closed: fixed
Reopen Issue

Issue

Converting python-cryptography Name with multi-valued RDN to ipapython.dn.DN flattens the name into single-valued RDNs.

Steps to Reproduce

  1. Construct a Name with multi-valued RDN. (Example certificate below)
  2. Apply DN to the Name.
  3. Observe that DN structre was flattened.

Actual behavior

With certificate:

-----BEGIN CERTIFICATE-----
MIIDATCCAemgAwIBAgIFALE9OAwwDQYJKoZIhvcNAQELBQAwQjEeMAkGA1UEBhMC
QVUwEQYDVQQIEwpRdWVlbnNsYW5kMRMwEQYDVQQKEwpBY21lLCBJbmMuMQswCQYD
VQQDEwJDQTAeFw0xOTA1MjgwMjUyMTdaFw0xOTA4MjgwMjUyMTdaMEIxHjAJBgNV
BAYTAkFVMBEGA1UECBMKUXVlZW5zbGFuZDETMBEGA1UEChMKQWNtZSwgSW5jLjEL
MAkGA1UEAxMCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQhzXb
385c33IoOKQfsxPbHoTyxjIJ6sTT7Aj0qKMfac4c1chgKK9vp1YXWmPgKHScQz3T
oRQjtmUiDxH+EiSTjQ8HMi8/S15JwJyB0KaFmjv+0W3A5WJbb8HmgnBJN/30pDfn
fxBF6wNb04gAoZG2JqCKOVQJtVZBHGOxUsdibk2WY7FKppwybMLtB1j/euJCRtv1
uMOTso/isRo+saAzw9MWiI5vFDpAZ1acxdb1EMmQOPbWda0WlM8vVqlk0i96Zp0N
2j7n+Ic9AMVosyKfohUEl2iwGwHothRtoPcIX58VRU7QzDfuaYKIv6/dKR6WXlMB
q8mDJcD3fkooFpcXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIPFxJp6EHC9sHvl
T4y06zgBfnPg5XFLD+F5JLKJZuQ3eQF7nBH3DzI9kAOpRZmHdEGIMKpj1Kd7qTVF
+WGy7U2Fx5gfWPXjL5VOOe9uPy0gsZAQebuSr1pWAMo/XIQzIK9TZV8/RBnLwZe4
MeK++2JnGYC3FrxEjGm5EyGPDRGIMvccAHIckZUasmr82DcbpvJhWDx+OQE0+bGP
JUZhqVLizhu3dpz+WcBxh0AS4xEKsCl7PmELUFlTNKeahUGPWPwjGD9zPHszVmzq
3Zpmxil9rrtCBnCEYbJY/rsnkwEU4Jckcpe9kvQ1cMCMITK1YMRdPcO1+o7brGqH
IzClrDA=
-----END CERTIFICATE-----

Observe the flattening of the structure:

>>> cert.subject
<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value='AU')>, <NameAttribute
(oid=<ObjectIdentifier(oid=2.5.4.8, name=stateOrProvinceName)>, value='Queensland')>, <NameAttribute(oid=
<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, value='Acme, Inc.')>, <NameAttribute(oid=<Object
Identifier(oid=2.5.4.3, name=commonName)>, value='CA')>])>                                              
>>> DN(cert.subject)
ipapython.dn.DN('CN=CA,O=Acme\, Inc.,ST=Queensland,C=AU')

Expected behavior

>>> DN(cert.subject)
ipapython.dn.DN('CN=CA,O=Acme\, Inc.,ST=Queensland+C=AU')
#                                                 ^

master:

  • 891d54e dn: handle multi-valued RDNs in Name conversion

ipa-4-6:

  • 030ec9a dn: handle multi-valued RDNs in Name conversion

ipa-4-7:

  • b4936d9 dn: handle multi-valued RDNs in Name conversion

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
4 years ago

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.6.6
4 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1714921
4 years ago

Issue linked to Bugzilla: Bug 1714921

master:

  • ad74729 (HEAD) dn: sort AVAs when converting from x509.Name

ipa-4-7:

  • cc2bbcf dn: sort AVAs when converting from x509.Name

ipa-4-6:

  • 9e3f471 dn: sort AVAs when converting from x509.Name

Login to comment on this ticket.

Metadata
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=1714921
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.