From a7532af44e518994b8124b09e32fb3f494150ba6 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Sun, 9 Aug 2015 03:25:58 -0400

Subject: [PATCH] Allow SAN extension for cert-request self-service

Users cannot self-issue a certificate with a subjectAltName

extension (e.g. with rfc822Name altNames).  Suppress the

cert-request "request certificate with subjectaltname" permission

check when the bind principal is the target principal (i.e.

cert-request self-service).

Fixes: https://fedorahosted.org/freeipa/ticket/5190

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 ipalib/plugins/cert.py | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py

index 341bdd01766d50ba18ce7147d4408851e6f95487..d612e9d38da44e4fd4768d286f930e51c71a1031 100644

--- a/ipalib/plugins/cert.py

+++ b/ipalib/plugins/cert.py

@@ -369,7 +369,7 @@ class cert_request(VirtualCommand):

                 error=_("Failure decoding Certificate Signing Request: %s") % e)

         # host principals may bypass allowed ext check

-        if bind_principal_type != HOST:

+        if bind_principal != principal and bind_principal_type != HOST:

             for ext in extensions:

                 operation = self._allowed_extensions.get(ext)

                 if operation:

-- 

2.4.3