Blob Blame History Raw
From 645ddb282a5b75cc17a80c97445cf61806b53cb4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 26 Jul 2016 11:25:27 -0400
Subject: [PATCH] Fix CA ACL Check on SubjectAltNames

The code is supposed to check that the SAN name is also authorized to be used
with the specified profile id.
The original principal has already been checked.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/plugins/cert.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 67eaeba33610321bf88143dc4ac06a94887427cd..6495bf1491f939a032fad03fe4ef86839c0575ef 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -565,14 +565,18 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
         for name_type, name in subjectaltname:
             if name_type == pkcs10.SAN_DNSNAME:
                 name = unicode(name)
+                alt_principal = None
                 alt_principal_obj = None
-                alt_principal_string = unicode(principal)
                 try:
                     if principal_type == HOST:
+                        alt_principal = kerberos.Principal(
+                            (u'host', name), principal.realm)
                         alt_principal_obj = api.Command['host_show'](name, all=True)
                     elif principal_type == SERVICE:
+                        alt_principal = kerberos.Principal(
+                            (principal.service_name, name), principal.realm)
                         alt_principal_obj = api.Command['service_show'](
-                            alt_principal_string, all=True)
+                            alt_principal, all=True)
                     elif principal_type == USER:
                         raise errors.ValidationError(
                             name='csr',
@@ -592,8 +596,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
                         raise errors.ACIError(info=_(
                             "Insufficient privilege to create a certificate "
                             "with subject alt name '%s'.") % name)
-                if alt_principal_string is not None and not bypass_caacl:
-                    caacl_check(principal_type, principal, ca, profile_id)
+                if alt_principal is not None and not bypass_caacl:
+                    caacl_check(principal_type, alt_principal, ca, profile_id)
             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
                                pkcs10.SAN_OTHERNAME_UPN):
                 if name != principal_string:
-- 
2.7.4