From 5a39de97688f517acf5dea952c82b6535352744b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 13 Aug 2015 01:42:06 -0400
Subject: [PATCH] cert-request: remove allowed extensions check
590d18
cert-request currently permits a limited number of request
590d18
extensions; uncommon and esoteric extensions are prohibited and this
590d18
limits the usefulness of custom profiles.
590d18
The Dogtag profile has total control over what goes into the final
certificate and has the option to reject requests based on the
request extensions present or their values, so there is little
reason to restrict what extensions can be used in FreeIPA.  Remove
the check.
590d18
Fixes: https://fedorahosted.org/freeipa/ticket/5205
590d18
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
590d18
---
590d18
 ipalib/plugins/cert.py | 22 +++-------------------
590d18
 1 file changed, 3 insertions(+), 19 deletions(-)
590d18
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index daa698b54f2cc1b645245d312fae0f0500239ea2..7a07039a8488cc11d9bf05ef23642b8059d5921e 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -306,15 +306,6 @@ class cert_request(VirtualCommand):
         ),
     )
 
-    _allowed_extensions = {
-        '2.5.29.14': None,      # Subject Key Identifier
-        '2.5.29.15': None,      # Key Usage
-        '2.5.29.17': 'request certificate with subjectaltname',
-        '2.5.29.19': None,      # Basic Constraints
-        '2.5.29.37': None,      # Extended Key Usage
-        '1.2.840.10070.8.1': None, # IECUserRoles (DNP3 / IEC 62351-8)
-    }
-
     def execute(self, csr, **kw):
         ca_enabled_check()
 
@@ -376,12 +367,10 @@ class cert_request(VirtualCommand):
             raise errors.CertificateOperationError(
                 error=_("Failure decoding Certificate Signing Request: %s") % e)
 
-        # host principals may bypass allowed ext check
+        # self-service and host principals may bypass SAN permission check
         if bind_principal != principal and bind_principal_type != HOST:
-            for ext in extensions:
-                operation = self._allowed_extensions.get(ext)
-                if operation:
-                    self.check_access(operation)
+            if '2.5.29.17' in extensions:
+                self.check_access('request certificate with subjectaltname')
 
         dn = None
         principal_obj = None
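Review bot: With the allow-list removed, the new `if '2.5.29.17' in extensions:` check is the only extension-based access control left in cert_request, yet nothing in the code records that every other request extension is now deliberately passed through for the CA profile to accept or reject (the commit message says so; the code does not). A comment beside the new check, `# Other request extensions are not restricted here; the Dogtag profile decides what is issued.`, would stop a later maintainer from assuming an allow-list still exists elsewhere or silently re-adding one. The OID and permission name were previously self-documenting inside `_allowed_extensions`; inlined as bare literals they lose that, so a class-level `SAN_OID = '2.5.29.17'` with a `# subjectAltName` comment would preserve it. The enclosing `execute` method continues outside the hunk.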
@@ -433,11 +422,6 @@ class cert_request(VirtualCommand):
                         "any of user's email addresses")
                 )
 
-        for ext in extensions:
-            if ext not in self._allowed_extensions:
-                raise errors.ValidationError(
-                    name='csr', error=_("extension %s is forbidden") % ext)
-
         # We got this far so the principal entry exists, can we write it?
         if not ldap.can_write(dn, "usercertificate"):
             raise errors.ACIError(info=_("Insufficient 'write' privilege "
-- 
2.4.3