Dogtag CA complies with standards by evaluating issuer and subject names in their canonical forms. Unfortunately, most cryptographic libraries validate certificates by processing encoded names instead of names in their canonical forms. This information has been confirmed with our crypto group. The lack of proper name processing by cryptographic libraries during certificate validation resulted in the CA cross-signing issue reported in ticket #448.
To solve this issue, Dogtag CA has two options:
Dogtag CA:
This ticket is designated to cover the work associated with building a new profile plug-in preserving the subject name with its encoding included in the CA cross-signing certificate request.
attachment UserSubjectNameConstraint-plug-in.patch
attachment Pre-registration-of-UserSubjectNameConstraint-plug-in.patch
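The mismatch described in the ticket description, as an added example that is not part of the original ticket or Dogtag code: the same CA name encoded once as PrintableString and once as UTF8String differs byte for byte but is equal once decoded and normalised. The name "Example Root CA", the helper names and the simplified normalisation (a stand-in for full canonical name comparison) are assumptions made for the illustration.

```python
import unicodedata

PRINTABLE, UTF8 = 0x13, 0x0C            # ASN.1 tags: PrintableString, UTF8String
OID_CN = bytes.fromhex("0603550403")    # DER for OID 2.5.4.3 (commonName)

def tlv(tag, body):
    """DER tag-length-value, short-form length only (enough for this sample)."""
    if len(body) > 127:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(body)]) + body

def encode_name(cn, string_tag):
    """Name = SEQUENCE of RDN; RDN = SET of SEQUENCE { type OID, value string }."""
    atv = tlv(0x30, OID_CN + tlv(string_tag, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos), rejecting truncated or long-form input."""
    if pos + 2 > len(buf) or buf[pos + 1] > 127:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def canonical(name_der):
    """Decode every attribute value and normalise it, ignoring the string tag."""
    _, rdns, _ = read_tlv(name_der)
    attrs, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)
        _, atv, _ = read_tlv(rdn)               # single-valued RDN assumed
        _, oid, value_pos = read_tlv(atv)
        tag, raw, _ = read_tlv(atv, value_pos)
        if tag not in (PRINTABLE, UTF8):
            raise ValueError("unsupported string type 0x%02x" % tag)
        text = unicodedata.normalize("NFKC", raw.decode("utf-8"))
        attrs.append((oid, " ".join(text.split()).casefold()))
    return attrs

def compare(a_der, b_der):
    """Return (byte_equal, canonical_equal) for two encoded names."""
    return a_der == b_der, canonical(a_der) == canonical(b_der)

# Constructed sample: the same CA name in two different string encodings.
ca_subject = encode_name("Example Root CA", PRINTABLE)
cross_cert_issuer = encode_name("Example Root CA", UTF8)

if __name__ == "__main__":
    print(compare(ca_subject, cross_cert_issuer))   # (False, True)
```

A validator that only compares the encoded bytes sees the first result and fails to chain the two certificates, which is why preserving the requested encoding in the issued certificate avoids the problem.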
git push
Counting objects: 22, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (12/12), 2.19 KiB, done.
Total 12 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
8c635c6..0ae2e90 master -> master

git push
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 698 bytes, done.
Total 7 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
0ae2e90..b76fddf master -> master
Testing procedure is provided in https://fedorahosted.org/pki/ticket/448#comment:11
Metadata Update from @awnuk:
- Issue assigned to awnuk
- Issue set to the milestone: 10.1 - 08/13 (August)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1251
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.