From 34be9a7cd6eb4f379f09fd40d723fa83317f2b61 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Sun, 9 Aug 2015 05:55:04 -0400
Subject: [PATCH] Fix KRB5PrincipalName / UPN SAN comparison

Depending on how the target principal name is conveyed to the command (i.e. with / without realm), the KRB5PrincipalName / UPN subjectAltName validation could be comparing unequal strings and erroneously rejecting a valid request.

Normalise both side of the comparison to ensure that the principal names contain realm information.

Fixes: https://fedorahosted.org/freeipa/ticket/5191
Reviewed-By: Martin Babinsky
---
 ipalib/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index b6e6d7981846778896eabce1a29a88fdf9a639e1..610f2149363eaa74180e9de5c9ee1439446ef409 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -474,7 +474,7 @@ class cert_request(VirtualCommand):
                     principal_type, alt_principal_string, ca, profile_id)
             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
                                pkcs10.SAN_OTHERNAME_UPN):
-                if name != principal_string:
+                if split_any_principal(name) != principal:
                     raise errors.ACIError(
                         info=_("Principal '%s' in subject alt name does not "
                               "match requested principal") % name)
-- 
2.4.3
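Review bot: The added line passes `name`, a value taken straight from the CSR's subjectAltName, into `split_any_principal` without any guard, and the hunk does not show how that helper behaves on a malformed principal string (no `@`, empty components, multiple `@`). If it raises, a crafted or simply broken SAN would surface as an internal error instead of the deliberate `ACIError` below it; if it silently returns a partial tuple, the comparison still fails closed, which is the right outcome, but that should be confirmed rather than assumed. I would bind the result first and keep the comparison explicit, `alt_principal = split_any_principal(name)` followed by `if alt_principal != principal:`, and add a why-comment such as `# SAN value is attacker-controlled CSR input; normalise it to the same (type, name, realm) shape as the requested principal so a realm-less string can neither bypass nor spuriously fail the match`. How `principal` is derived and whether it carries a realm is outside the hunk, as is the rest of the enclosing `execute` method, so the equal-shape assumption on both sides should be checked against that code.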