rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0112-Fix-CA-ACL-Check-on-SubjectAltNames.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   403b09ab980c02ef36095973349a13e0181c794a
  2.   SOURCES
  3.   0112-Fix-CA-ACL-Check-on-SubjectAltNames.patch
Blob History Raw
403b09 
From 645ddb282a5b75cc17a80c97445cf61806b53cb4 Mon Sep 17 00:00:00 2001
403b09 
From: Simo Sorce <simo@redhat.com>
403b09 
Date: Tue, 26 Jul 2016 11:25:27 -0400
403b09 
Subject: [PATCH] Fix CA ACL Check on SubjectAltNames
403b09
403b09 
The code is supposed to check that the SAN name is also authorized to be used
403b09 
with the specified profile id.
403b09 
The original principal has already been checked.
403b09
403b09 
Signed-off-by: Simo Sorce <simo@redhat.com>
403b09 
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
403b09 
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
403b09 
---
403b09 
 ipaserver/plugins/cert.py | 12 ++++++++----
403b09 
 1 file changed, 8 insertions(+), 4 deletions(-)
403b09
403b09 
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
403b09 
index 67eaeba33610321bf88143dc4ac06a94887427cd..6495bf1491f939a032fad03fe4ef86839c0575ef 100644
403b09 
--- a/ipaserver/plugins/cert.py
403b09 
+++ b/ipaserver/plugins/cert.py
403b09 
@@ -565,14 +565,18 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
403b09 
         for name_type, name in subjectaltname:
403b09 
             if name_type == pkcs10.SAN_DNSNAME:
403b09 
                 name = unicode(name)
403b09 
+                alt_principal = None
403b09 
                 alt_principal_obj = None
403b09 
-                alt_principal_string = unicode(principal)
403b09 
                 try:
403b09 
                     if principal_type == HOST:
403b09 
+                        alt_principal = kerberos.Principal(
403b09 
+                            (u'host', name), principal.realm)
403b09 
                         alt_principal_obj = api.Command['host_show'](name, all=True)
403b09 
                     elif principal_type == SERVICE:
403b09 
+                        alt_principal = kerberos.Principal(
403b09 
+                            (principal.service_name, name), principal.realm)
403b09 
                         alt_principal_obj = api.Command['service_show'](
403b09 
-                            alt_principal_string, all=True)
403b09 
+                            alt_principal, all=True)
403b09 
                     elif principal_type == USER:
403b09 
                         raise errors.ValidationError(
403b09 
                             name='csr',
403b09 
@@ -592,8 +596,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
403b09 
                         raise errors.ACIError(info=_(
403b09 
                             "Insufficient privilege to create a certificate "
403b09 
                             "with subject alt name '%s'.") % name)
403b09 
-                if alt_principal_string is not None and not bypass_caacl:
403b09 
-                    caacl_check(principal_type, principal, ca, profile_id)
403b09 
+                if alt_principal is not None and not bypass_caacl:
403b09 
+                    caacl_check(principal_type, alt_principal, ca, profile_id)
403b09 
             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
403b09 
                                pkcs10.SAN_OTHERNAME_UPN):
403b09 
                 if name != principal_string:
403b09 
--
403b09 
2.7.4
403b09

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation