2016-11-03 403b09ab980c02ef36095973349a13e0181c794a
From 645ddb282a5b75cc17a80c97445cf61806b53cb4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 26 Jul 2016 11:25:27 -0400
Subject: [PATCH] Fix CA ACL Check on SubjectAltNames
 
The code is supposed to check that the principal implied by each SAN DNS name is also
authorized by the CA ACLs to be used with the specified CA and profile id.
The original principal has already been checked.
 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/plugins/cert.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
 
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 67eaeba33610321bf88143dc4ac06a94887427cd..6495bf1491f939a032fad03fe4ef86839c0575ef 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -565,14 +565,18 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
         for name_type, name in subjectaltname:
             if name_type == pkcs10.SAN_DNSNAME:
                 name = unicode(name)
+                alt_principal = None
                 alt_principal_obj = None
-                alt_principal_string = unicode(principal)
                 try:
                     if principal_type == HOST:
+                        alt_principal = kerberos.Principal(
+                            (u'host', name), principal.realm)
                         alt_principal_obj = api.Command['host_show'](name, all=True)
                     elif principal_type == SERVICE:
+                        alt_principal = kerberos.Principal(
+                            (principal.service_name, name), principal.realm)
                         alt_principal_obj = api.Command['service_show'](
-                            alt_principal_string, all=True)
+                            alt_principal, all=True)
                     elif principal_type == USER:
                         raise errors.ValidationError(
                             name='csr',
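Review bot: `alt_principal` is assigned before `host_show`/`service_show` is called, so it is already non-None when the lookup raises; that is only safe if the `except` clause that sits between this hunk and the next (not visible here) re-raises rather than swallowing `NotFound`. Moving each `alt_principal = kerberos.Principal(...)` assignment below its `api.Command[...]` call would remove that dependency on the handler. The construction also deserves a one-line comment, since the mapping is not obvious from the ACL call alone: `# a SAN dNSName is authorized as host/<name> (or <svc>/<name>) in the requester's realm`. The enclosing `cert_request` method starts before and continues after this hunk.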
@@ -592,8 +596,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
                         raise errors.ACIError(info=_(
                             "Insufficient privilege to create a certificate "
                             "with subject alt name '%s'.") % name)
-                if alt_principal_string is not None and not bypass_caacl:
-                    caacl_check(principal_type, principal, ca, profile_id)
+                if alt_principal is not None and not bypass_caacl:
+                    caacl_check(principal_type, alt_principal, ca, profile_id)
             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
                                pkcs10.SAN_OTHERNAME_UPN):
                 if name != principal_string:
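Review bot: `caacl_check` now receives a principal built from the raw SAN string, whereas `host_show` was called with that same raw `name` and may canonicalize it; if `kerberos.Principal` does not normalize the hostname component, a SAN differing only in case from the host entry could pass the lookup yet be evaluated against a different principal by the CA ACL — worth confirming against `caacl_check`. A short comment above the call would make the intent explicit: `# CA ACL is evaluated for the SAN's implied principal, not only the requester`. The enclosing `cert_request` method continues outside the hunk.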
-- 
2.7.4