Update CRMFPopClient by including the ability to control the encoding of some subject name components. Some subject name components like CN, L, ST, O, OU, ... are defined as a choice of TeletexString, PrintableString, UniversalString, UTF8String, and BMPString. CRMFPopClient should provide the ability to control the choice for the above subject name components.
This enhancement is required to test the solution for ticket #448 aka https://bugzilla.redhat.com/show_bug.cgi?id=883122
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Command-Line_Tools_Guide/CRMF_Pop_Request.html
Here is a sample of CRMFPopClient command:
CRMFPopClient -p password -d '.' -o 'req.txt' -n 'cn=aa,ou=bb,o=cc'
Option '-n' specifies the subject name included in the generated certificate request.
All subject name components are encoded with preselected default types.
For components like CN, UID, L, ST, OU, and O, the CRMFPopClient tool sets the default encoding type to PrintableString.

The CRMFPopClient tool requires the KRA transport certificate to be present in the transport.txt file. It can be extracted from the CA's CS.cfg, from the line containing the KRA's transport certificate:
ca.connector.KRA.transportCert=...
To keep backwards compatibility with the current set of CRMFPopClient parameters, encoding types can be introduced as a prefix to the component name value, separated from it by a colon.
Here is an updated CRMFPopClient command sample with a subject name that includes specific encodings for two of its components.
CRMFPopClient -p password -d '.' -k true -o 'req.txt' -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'
The above sample command will generate a certificate request with subject name 'cn=aa,ou=bb,o=cc', where aa will be encoded as UTF8String, bb as BMPString, and cc as PrintableString.
Here is how to test the new option to control the encoding of subject name components in a request generated by CRMFPopClient:
certutil -N -d .
CRMFPopClient -p <password> -d '.' -k true -o 'req.txt' -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
AtoB req1.txt req1.bin
dumpasn1
dumpasn1 req.bin
Here is a sample result matching the CRMFPopClient test command line included in the above procedure and also listed below:
CRMFPopClient -p <password> -d '.' -k true -o 'req.txt' -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'
dumpasn1 req.bin
   0 2210: SEQUENCE {
   4 2206:   SEQUENCE {
   8 1922:     SEQUENCE {
  12    1:       INTEGER 1
  15  342:       SEQUENCE {
  19    1:         [0] 02
  22   43:         [5] {
  24   41:           SEQUENCE {
  26   11:             SET {
  28    9:               SEQUENCE {
  30    3:                 OBJECT IDENTIFIER organizationName (2 5 4 10)
  35    2:                 PrintableString 'cc'
         :                 }
         :               }
  39   13:             SET {
  41   11:               SEQUENCE {
  43    3:                 OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
  48    4:                 BMPString 'bb'
         :                 }
         :               }
  54   11:             SET {
  56    9:               SEQUENCE {
  58    3:                 OBJECT IDENTIFIER commonName (2 5 4 3)
  63    2:                 UTF8String 'aa'
         :                 }
         :               }
         :             }
         :           }
  67  290:         [6] {
  71   13:           SEQUENCE {
  73    9:             OBJECT IDENTIFIER '1 2 840 113549 1 1 1'
  84    0:             NULL
         :             }
  86  271:           BIT STRING, encapsulates {
  91  266:             SEQUENCE {
  95  257:               INTEGER
         :                 00 C2 BB 05 16 83 F7 B4 E7 0D 55 16 29 96 62 5C
         :                 C7 01 22 29 9F 71 82 18 DF FA 56 B2 D6 B0 EE 65
         :                 9D 7C E5 88 BF 29 66 C5 96 A4 B8 23 BC 00 B7 A5
         :                 67 20 60 24 51 DD E3 53 3E 06 63 68 8D 6E 68 99
         :                 3F A2 D6 0D 38 7D 8A 2C B4 FC 00 FC 5C 5D 8F 61
         :                 9C 50 51 DE B9 95 E6 AD 48 E5 D5 79 E6 5F 35 BB
         :                 18 24 C9 EA 8C 17 87 67 2A F5 D9 53 F4 A3 1B 6A
         :                 6C EA 55 2C 4C 12 51 BC 63 CC 75 B3 C7 3D 05 CE
         :                 [ Another 129 bytes skipped ]
 356    3:               INTEGER 65537
         :               }
         :             }
         :           }
         :         }
 361 1569:       SEQUENCE {
 365 1531:         SEQUENCE {
 369    9:           OBJECT IDENTIFIER pkiArchiveOptions (1 3 6 1 5 5 7 5 1 4)
 380 1516:           [0] {
 384 1512:             SEQUENCE {
 388   20:               [1] {
 390    8:                 OBJECT IDENTIFIER '1 2 840 113549 3 7'
 400    8:                 OCTET STRING 01 01 01 01 01 01 01 01
         :                 }
 410  257:               [2]
         :                 00 09 B6 35 B0 C5 23 AF F7 77 CD 41 AD C4 7D 53
         :                 02 D0 29 7E 03 DE A7 56 06 90 8D CB 2C 16 83 47
         :                 87 7C C7 11 CC 84 AD EA 0C F1 42 36 18 D9 A9 4D
         :                 6D F2 F5 74 07 4B 17 08 1B F2 A9 C9 31 30 59 5D
         :                 1C B6 57 C9 B0 E5 9F A5 AD 25 0F 63 F1 65 65 EC
         :                 B8 31 AE 0A B0 AB C6 72 DA 47 88 4F 18 06 4B 62
         :                 77 C9 0D 82 76 9A 3C 2E 21 67 AE 24 91 BF 0B 93
         :                 B3 B3 18 29 67 91 85 5D F5 20 35 DE F2 23 86 44
         :                 [ Another 129 bytes skipped ]
 671 1225:               BIT STRING
         :                 E4 9A 91 78 38 38 F1 23 B2 53 DB 0D CC 0B AD 1C
         :                 46 6E AE F0 04 8D 36 A8 42 BD 7C B3 BE AE D4 F6
         :                 18 EC 8F F1 0A AE B3 5B A0 5C 4F 41 85 86 62 C7
         :                 3D 23 D4 96 C1 6D B6 76 FA FE 83 8F D2 F4 11 F5
         :                 DE 77 C6 0C AB 95 03 79 F0 64 67 83 EF 00 72 AE
         :                 EC 03 0E 03 8D F5 9A AD AF A2 2E AD 0F 8F 94 53
         :                 3F B9 3C B8 E5 89 80 88 CE DC E7 DE 0D 50 E9 22
         :                 1D 62 6B AB 01 2C 7E BB 1B 66 0E 78 C3 1B BD 43
         :                 [ Another 1096 bytes skipped ]
         :               }
         :             }
         :           }
1900   32:         SEQUENCE {
1902    8:           OBJECT IDENTIFIER '1 3 6 1 5 5 7 7 23'
1912   20:           OCTET STRING
         :             E6 69 C9 5F 2E FF A4 90 AE 73 E6 44 CC 3F 9E 1D
         :             96 77 9C 50
         :           }
         :         }
         :       }
1934  276:     [1] {
1938   13:       SEQUENCE {
1940    9:         OBJECT IDENTIFIER '1 2 840 113549 1 1 4'
1951    0:         NULL
         :         }
1953  257:       BIT STRING
         :         22 9F 75 37 DD BC B0 0C 5C 53 5A 85 D4 0A 51 9A
         :         F6 0E 90 42 55 CC 45 58 29 B0 B0 92 D3 B1 68 14
         :         95 B3 99 16 6C 30 1A 08 92 40 F9 2E 13 74 5A CA
         :         D9 E3 54 FA F7 3B B9 36 46 FE 6A C1 0C 98 41 91
         :         76 26 E1 7E E1 BD D9 4B 88 D0 02 81 01 67 21 A6
         :         5E 2F 19 67 BC 12 8D FC 0E 63 47 AB EB 70 BE 6E
         :         59 D4 DB 48 E5 93 F5 CC 1A 7F 9F 2B FC 44 46 2A
         :         C8 C3 6D 7F 67 C2 DD 03 95 2A BD D7 57 05 63 91
         :         [ Another 128 bytes skipped ]
         :       }
         :     }
         :   }
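The subject Name in the dump above (the 41-byte SEQUENCE at offset 24) can be reproduced by hand to confirm which string tag each component carries. This is an added example, not CRMFPopClient code and not part of the original ticket: the function names, the OID table limited to cn/ou/o, the codec mapping, and the fallback to PrintableString for an unrecognised prefix are assumptions made for illustration.

```python
# Added example (not CRMFPopClient code): encode "attr=Type:value" subjects.
TAGS = {"UTF8String": 0x0C, "PrintableString": 0x13, "TeletexString": 0x14,
        "UniversalString": 0x1C, "BMPString": 0x1E}
# Python codecs approximating each type's character set (assumption).
CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1",
          0x1C: "utf-32-be", 0x1E: "utf-16-be"}
OIDS = {"cn": b"\x55\x04\x03", "o": b"\x55\x04\x0a", "ou": b"\x55\x04\x0b"}

def tlv(tag, body):
    """DER tag-length-value with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def parse_subject(spec):
    """Split 'cn=UTF8String:aa,o=cc' into (attr, type, value) triples."""
    out = []
    for rdn in spec.split(","):  # simplification: no escaped commas
        attr, value = rdn.split("=", 1)
        enc, sep, rest = value.partition(":")
        if sep and enc in TAGS:
            value = rest
        else:
            enc = "PrintableString"  # default type named in the ticket
        out.append((attr.strip().lower(), enc, value))
    return out

def encode_name(spec):
    """Build the DER Name; RDN order is reversed, as in the dump."""
    rdns = b""
    for attr, enc, value in reversed(parse_subject(spec)):
        tag = TAGS[enc]
        atv = tlv(0x06, OIDS[attr]) + tlv(tag, value.encode(CODECS[tag]))
        rdns += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, rdns)

def string_tags(name_der):
    """Return (type, value) per RDN; assumes short-form lengths throughout."""
    names = {v: k for k, v in TAGS.items()}
    found, i = [], 2
    while i < len(name_der):
        atv = name_der[i + 4:i + 2 + name_der[i + 1]]  # inside SET, SEQUENCE
        val = atv[2 + atv[1]:]                         # past the OID TLV
        found.append((names[val[0]], val[2:].decode(CODECS[val[0]])))
        i += 2 + name_der[i + 1]
    return found
```

Calling encode_name on the ticket's sample subject yields 43 bytes (a 2-byte header plus the 41 bytes dumpasn1 reports), with SET lengths 11, 13 and 11 matching offsets 26, 39 and 54 in the dump.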
git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (9/9), 1.75 KiB, done.
Total 9 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   b60f640..8c635c6  master -> master
attachment CRMFPopClient-update.patch
Metadata Update from @awnuk: - Issue assigned to awnuk - Issue set to the milestone: 10.1 - 08/13 (August)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1245
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.