403b09
From 645ddb282a5b75cc17a80c97445cf61806b53cb4 Mon Sep 17 00:00:00 2001
403b09
From: Simo Sorce <simo@redhat.com>
403b09
Date: Tue, 26 Jul 2016 11:25:27 -0400
403b09
Subject: [PATCH] Fix CA ACL Check on SubjectAltNames
403b09
403b09
The code is supposed to check that the SAN name is also authorized to be used
403b09
with the specified profile id.
403b09
The original principal has already been checked.
403b09
403b09
Signed-off-by: Simo Sorce <simo@redhat.com>
403b09
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
403b09
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
403b09
---
403b09
 ipaserver/plugins/cert.py | 12 ++++++++----
403b09
 1 file changed, 8 insertions(+), 4 deletions(-)
403b09
403b09
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
403b09
index 67eaeba33610321bf88143dc4ac06a94887427cd..6495bf1491f939a032fad03fe4ef86839c0575ef 100644
403b09
--- a/ipaserver/plugins/cert.py
403b09
+++ b/ipaserver/plugins/cert.py
403b09
@@ -565,14 +565,18 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
403b09
         for name_type, name in subjectaltname:
403b09
             if name_type == pkcs10.SAN_DNSNAME:
403b09
                 name = unicode(name)
403b09
+                alt_principal = None
403b09
                 alt_principal_obj = None
403b09
-                alt_principal_string = unicode(principal)
403b09
                 try:
403b09
                     if principal_type == HOST:
403b09
+                        alt_principal = kerberos.Principal(
403b09
+                            (u'host', name), principal.realm)
403b09
                         alt_principal_obj = api.Command['host_show'](name, all=True)
403b09
                     elif principal_type == SERVICE:
403b09
+                        alt_principal = kerberos.Principal(
403b09
+                            (principal.service_name, name), principal.realm)
403b09
                         alt_principal_obj = api.Command['service_show'](
403b09
-                            alt_principal_string, all=True)
403b09
+                            alt_principal, all=True)
403b09
                     elif principal_type == USER:
403b09
                         raise errors.ValidationError(
403b09
                             name='csr',
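Review bot: In the HOST and SERVICE branches alt_principal is assigned before the host_show/service_show lookup runs, so if the except clause that follows (its body lies partly outside this hunk) ever swallows a lookup failure instead of re-raising, the guard `if alt_principal is not None and not bypass_caacl:` in the second hunk would run caacl_check against a principal whose entry was never confirmed to exist. Assigning alt_principal only after the lookup returns, or resetting it to None on the failure path, ties the CA ACL check to a verified entry. A short comment above the two constructions, `# Build the SAN's own principal so caacl_check authorizes it for this profile, not just the requester`, would record why alt_principal is built from name rather than from principal. The enclosing for loop and its try/except continue past the end of this hunk.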
403b09
@@ -592,8 +596,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
403b09
                         raise errors.ACIError(info=_(
403b09
                             "Insufficient privilege to create a certificate "
403b09
                             "with subject alt name '%s'.") % name)
403b09
-                if alt_principal_string is not None and not bypass_caacl:
403b09
-                    caacl_check(principal_type, principal, ca, profile_id)
403b09
+                if alt_principal is not None and not bypass_caacl:
403b09
+                    caacl_check(principal_type, alt_principal, ca, profile_id)
403b09
             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
403b09
                                pkcs10.SAN_OTHERNAME_UPN):
403b09
                 if name != principal_string:
403b09
-- 
403b09
2.7.4
403b09