From 34be9a7cd6eb4f379f09fd40d723fa83317f2b61 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Sun, 9 Aug 2015 05:55:04 -0400
Subject: [PATCH] Fix KRB5PrincipalName / UPN SAN comparison
Depending on how the target principal name is conveyed to the
command (i.e. with / without realm), the KRB5PrincipalName / UPN
subjectAltName validation could be comparing unequal strings and
erroneously rejecting a valid request.
Normalise both sides of the comparison to ensure that the principal
names contain realm information.
Fixes: https://fedorahosted.org/freeipa/ticket/5191
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
ipalib/plugins/cert.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index b6e6d7981846778896eabce1a29a88fdf9a639e1..610f2149363eaa74180e9de5c9ee1439446ef409 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -474,7 +474,7 @@ class cert_request(VirtualCommand):
principal_type, alt_principal_string, ca, profile_id)
elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
pkcs10.SAN_OTHERNAME_UPN):
- if name != principal_string:
+ if split_any_principal(name) != principal:
raise errors.ACIError(
info=_("Principal '%s' in subject alt name does not "
"match requested principal") % name)
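Review bot: The new condition passes `name`, a string lifted from the CSR's subjectAltName, into `split_any_principal` before anything checks its shape, and the hunk shows no handling for that helper rejecting a malformed principal string (no `@`, an unexpected realm, an empty component), so a bad SAN would surface as whatever that helper raises rather than as the `ACIError` on the following line. Worth confirming how `split_any_principal` behaves on such input and, if it can raise a non-`errors.*` exception, catching it and raising the same `ACIError` so the caller always gets the uniform rejection. The changed line also deserves a why-comment, e.g. `# normalise both sides: the requested principal may have been supplied without a realm (ticket 5191)`. `principal` is assigned outside the hunk, presumably as the split form of `principal_string`; the enclosing `cert_request` method starts and ends outside the hunk.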
--
2.4.3