|
|
590d18 |
From cfd3cbe627870f6a575e1fbdc52896c22bce4dcd Mon Sep 17 00:00:00 2001
|
|
|
590d18 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
590d18 |
Date: Fri, 24 Jul 2015 09:32:51 -0400
|
|
|
590d18 |
Subject: [PATCH] Add profile for DNP3 / IEC 62351-8 certificates
|
|
|
590d18 |
|
|
|
590d18 |
The DNP3 smart-grid standard uses certificate with the IEC 62351-8
|
|
|
590d18 |
IECUserRoles extension. Add a profile for DNP3 certificates which
|
|
|
590d18 |
copies the IECUserRoles extension from the CSR, if present.
|
|
|
590d18 |
|
|
|
590d18 |
Also update cert-request to accept CSRs containing this extension.
|
|
|
590d18 |
|
|
|
590d18 |
Fixes: https://fedorahosted.org/freeipa/ticket/4752
|
|
|
590d18 |
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
590d18 |
---
|
|
|
590d18 |
install/share/profiles/IECUserRoles.cfg | 114 ++++++++++++++++++++++++++++++++
|
|
|
590d18 |
install/share/profiles/Makefile.am | 1 +
|
|
|
590d18 |
ipalib/plugins/cert.py | 1 +
|
|
|
590d18 |
ipapython/dogtag.py | 1 +
|
|
|
590d18 |
4 files changed, 117 insertions(+)
|
|
|
590d18 |
create mode 100644 install/share/profiles/IECUserRoles.cfg
|
|
|
590d18 |
|
|
|
590d18 |
diff --git a/install/share/profiles/IECUserRoles.cfg b/install/share/profiles/IECUserRoles.cfg
|
|
|
590d18 |
new file mode 100644
|
|
|
590d18 |
index 0000000000000000000000000000000000000000..9d2b4bb7932db42f6fc1f4e8edbc2bb741d8d8b6
|
|
|
590d18 |
--- /dev/null
|
|
|
590d18 |
+++ b/install/share/profiles/IECUserRoles.cfg
|
|
|
590d18 |
@@ -0,0 +1,114 @@
|
|
|
590d18 |
+profileId=IECUserRoles
|
|
|
590d18 |
+classId=caEnrollImpl
|
|
|
590d18 |
+desc=Enroll user certificates with IECUserRoles extension via IPA-RA agent authentication.
|
|
|
590d18 |
+visible=false
|
|
|
590d18 |
+enable=true
|
|
|
590d18 |
+enableBy=admin
|
|
|
590d18 |
+auth.instance_id=raCertAuth
|
|
|
590d18 |
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
|
|
|
590d18 |
+input.list=i1,i2
|
|
|
590d18 |
+input.i1.class_id=certReqInputImpl
|
|
|
590d18 |
+input.i2.class_id=submitterInfoInputImpl
|
|
|
590d18 |
+output.list=o1
|
|
|
590d18 |
+output.o1.class_id=certOutputImpl
|
|
|
590d18 |
+policyset.list=serverCertSet
|
|
|
590d18 |
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
|
|
|
590d18 |
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
|
|
|
590d18 |
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
|
|
|
590d18 |
+policyset.serverCertSet.1.constraint.params.accept=true
|
|
|
590d18 |
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.1.default.name=Subject Name Default
|
|
|
590d18 |
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
|
|
|
590d18 |
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.2.constraint.name=Validity Constraint
|
|
|
590d18 |
+policyset.serverCertSet.2.constraint.params.range=740
|
|
|
590d18 |
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
|
|
|
590d18 |
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
|
|
|
590d18 |
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.2.default.name=Validity Default
|
|
|
590d18 |
+policyset.serverCertSet.2.default.params.range=731
|
|
|
590d18 |
+policyset.serverCertSet.2.default.params.startTime=0
|
|
|
590d18 |
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.3.constraint.name=Key Constraint
|
|
|
590d18 |
+policyset.serverCertSet.3.constraint.params.keyType=RSA
|
|
|
590d18 |
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
|
|
|
590d18 |
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.3.default.name=Key Default
|
|
|
590d18 |
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.4.constraint.name=No Constraint
|
|
|
590d18 |
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
|
|
|
590d18 |
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.5.constraint.name=No Constraint
|
|
|
590d18 |
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.5.default.name=AIA Extension Default
|
|
|
590d18 |
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
|
|
|
590d18 |
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
590d18 |
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
|
|
|
590d18 |
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
590d18 |
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
|
|
|
590d18 |
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
|
|
|
590d18 |
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
|
|
|
590d18 |
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.6.default.name=Key Usage Default
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
|
|
|
590d18 |
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
|
|
|
590d18 |
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.7.constraint.name=No Constraint
|
|
|
590d18 |
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
|
|
|
590d18 |
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
|
|
|
590d18 |
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
|
|
|
590d18 |
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.8.constraint.name=No Constraint
|
|
|
590d18 |
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
|
|
|
590d18 |
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.8.default.name=Signing Alg
|
|
|
590d18 |
+policyset.serverCertSet.8.default.params.signingAlg=-
|
|
|
590d18 |
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.9.constraint.name=No Constraint
|
|
|
590d18 |
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
|
|
|
590d18 |
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
|
|
|
590d18 |
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
|
|
|
590d18 |
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
|
|
|
590d18 |
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
|
|
|
590d18 |
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
|
|
|
590d18 |
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
|
|
|
590d18 |
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
|
|
|
590d18 |
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
|
|
|
590d18 |
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.10.constraint.name=No Constraint
|
|
|
590d18 |
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
|
|
|
590d18 |
+policyset.serverCertSet.10.default.params.critical=false
|
|
|
590d18 |
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.11.constraint.name=No Constraint
|
|
|
590d18 |
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
|
|
|
590d18 |
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
|
|
|
590d18 |
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
|
|
|
590d18 |
+policyset.serverCertSet.12.constraint.name=No Constraint
|
|
|
590d18 |
+policyset.serverCertSet.12.default.class_id=userExtensionDefaultImpl
|
|
|
590d18 |
+policyset.serverCertSet.12.default.name=IECUserRoles Extension Default
|
|
|
590d18 |
+policyset.serverCertSet.12.default.params.userExtOID=1.2.840.10070.8.1
|
|
|
590d18 |
diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am
|
|
|
590d18 |
index 4e6cf975a0f51d02ec29bd07ac8cb9ccc8320818..b5ccb6e9317a93c040b7de0e0bc1ca5cb88c33fc 100644
|
|
|
590d18 |
--- a/install/share/profiles/Makefile.am
|
|
|
590d18 |
+++ b/install/share/profiles/Makefile.am
|
|
|
590d18 |
@@ -3,6 +3,7 @@ NULL =
|
|
|
590d18 |
appdir = $(IPA_DATA_DIR)/profiles
|
|
|
590d18 |
app_DATA = \
|
|
|
590d18 |
caIPAserviceCert.cfg \
|
|
|
590d18 |
+ IECUserRoles.cfg \
|
|
|
590d18 |
$(NULL)
|
|
|
590d18 |
|
|
|
590d18 |
EXTRA_DIST = \
|
|
|
590d18 |
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
|
|
|
590d18 |
index d612e9d38da44e4fd4768d286f930e51c71a1031..b6e6d7981846778896eabce1a29a88fdf9a639e1 100644
|
|
|
590d18 |
--- a/ipalib/plugins/cert.py
|
|
|
590d18 |
+++ b/ipalib/plugins/cert.py
|
|
|
590d18 |
@@ -312,6 +312,7 @@ class cert_request(VirtualCommand):
|
|
|
590d18 |
'2.5.29.17': 'request certificate with subjectaltname',
|
|
|
590d18 |
'2.5.29.19': None, # Basic Constraints
|
|
|
590d18 |
'2.5.29.37': None, # Extended Key Usage
|
|
|
590d18 |
+ '1.2.840.10070.8.1': None, # IECUserRoles (DNP3 / IEC 62351-8)
|
|
|
590d18 |
}
|
|
|
590d18 |
|
|
|
590d18 |
def execute(self, csr, **kw):
|
|
|
590d18 |
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
|
|
|
590d18 |
index 53085f7762fc828ed9fc6621fbf3a0c67ec6a656..0782d360ccf2ce2c90c4e9cfa66b5159e437e77c 100644
|
|
|
590d18 |
--- a/ipapython/dogtag.py
|
|
|
590d18 |
+++ b/ipapython/dogtag.py
|
|
|
590d18 |
@@ -45,6 +45,7 @@ from ipapython.ipa_log_manager import *
|
|
|
590d18 |
INCLUDED_PROFILES = {
|
|
|
590d18 |
# ( profile_id , description , store_issued)
|
|
|
590d18 |
(u'caIPAserviceCert', u'Standard profile for network services', True),
|
|
|
590d18 |
+ (u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
|
|
|
590d18 |
}
|
|
|
590d18 |
|
|
|
590d18 |
DEFAULT_PROFILE = u'caIPAserviceCert'
|
|
|
590d18 |
--
|
|
|
590d18 |
2.4.3
|
|
|
590d18 |
|