From 5a39de97688f517acf5dea952c82b6535352744b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 13 Aug 2015 01:42:06 -0400
Subject: [PATCH] cert-request: remove allowed extensions check
|
cert-request currently permits a limited number of request
extensions; uncommon and esoteric extensions are prohibited and this
limits the usefulness of custom profiles.
|
The Dogtag profile has total control over what goes into the final
certificate and has the option to reject a request based on the
request extensions present or their values, so there is little
reason to restrict what extensions can be used in FreeIPA. Remove
the check.
|
Fixes: https://fedorahosted.org/freeipa/ticket/5205
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipalib/plugins/cert.py | 22 +++-------------------
1 file changed, 3 insertions(+), 19 deletions(-)
|
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index daa698b54f2cc1b645245d312fae0f0500239ea2..7a07039a8488cc11d9bf05ef23642b8059d5921e 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -306,15 +306,6 @@ class cert_request(VirtualCommand):
),
)
|
- _allowed_extensions = {
- '2.5.29.14': None, # Subject Key Identifier
- '2.5.29.15': None, # Key Usage
- '2.5.29.17': 'request certificate with subjectaltname',
- '2.5.29.19': None, # Basic Constraints
- '2.5.29.37': None, # Extended Key Usage
- '1.2.840.10070.8.1': None, # IECUserRoles (DNP3 / IEC 62351-8)
- }
-
def execute(self, csr, **kw):
ca_enabled_check()
|
@@ -376,12 +367,10 @@ class cert_request(VirtualCommand):
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") % e)
|
- # host principals may bypass allowed ext check
+ # self-service and host principals may bypass SAN permission check
if bind_principal != principal and bind_principal_type != HOST:
- for ext in extensions:
- operation = self._allowed_extensions.get(ext)
- if operation:
- self.check_access(operation)
+ if '2.5.29.17' in extensions:
+ self.check_access('request certificate with subjectaltname')
|
dn = None
principal_obj = None
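Review bot: The bare OID literal in `if '2.5.29.17' in extensions:` is now the only place the subjectAltName OID appears, because the `_allowed_extensions` table that named it is deleted earlier in this patch; a module-level constant such as `OID_SUBJECT_ALT_NAME = '2.5.29.17'  # subjectAltName, RFC 5280 4.2.1.6` with `if OID_SUBJECT_ALT_NAME in extensions:` keeps the check readable. With the forbidden-extension loop also removed later in the patch, this SAN permission check becomes the last extension-based gate on the FreeIPA side: every other request extension (basicConstraints, keyUsage, extendedKeyUsage, anything custom) now reaches Dogtag unfiltered and is honoured or rejected only by the selected profile, as the commit message states. That should be stated at the point where a future reader will look for the filter, e.g. above the `if`: `# Other request extensions are deliberately not filtered here; the Dogtag profile decides whether they are copied into the issued certificate.` The body of execute() continues outside this hunk.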
@@ -433,11 +422,6 @@ class cert_request(VirtualCommand):
"any of user's email addresses")
)
|
- for ext in extensions:
- if ext not in self._allowed_extensions:
- raise errors.ValidationError(
- name='csr', error=_("extension %s is forbidden") % ext)
-
# We got this far so the principal entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(info=_("Insufficient 'write' privilege "
--
2.4.3
|