From 5a39de97688f517acf5dea952c82b6535352744b Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 13 Aug 2015 01:42:06 -0400 Subject: [PATCH] cert-request: remove allowed extensions check cert-request currently permits a limited number of request extensions; uncommon and esoteric extensions are prohibited and this limits the usefulness of custom profiles. The Dogtag profile has total control over what goes into the final certificate and has the option to reject request based on the request extensions present or their values, so there is little reason to restrict what extensions can be used in FreeIPA. Remove the check. Fixes: https://fedorahosted.org/freeipa/ticket/5205 Reviewed-By: Jan Cholasta --- ipalib/plugins/cert.py | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index daa698b54f2cc1b645245d312fae0f0500239ea2..7a07039a8488cc11d9bf05ef23642b8059d5921e 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -306,15 +306,6 @@ class cert_request(VirtualCommand): ), ) - _allowed_extensions = { - '2.5.29.14': None, # Subject Key Identifier - '2.5.29.15': None, # Key Usage - '2.5.29.17': 'request certificate with subjectaltname', - '2.5.29.19': None, # Basic Constraints - '2.5.29.37': None, # Extended Key Usage - '1.2.840.10070.8.1': None, # IECUserRoles (DNP3 / IEC 62351-8) - } - def execute(self, csr, **kw): ca_enabled_check() @@ -376,12 +367,10 @@ class cert_request(VirtualCommand): raise errors.CertificateOperationError( error=_("Failure decoding Certificate Signing Request: %s") % e) - # host principals may bypass allowed ext check + # self-service and host principals may bypass SAN permission check if bind_principal != principal and bind_principal_type != HOST: - for ext in extensions: - operation = self._allowed_extensions.get(ext) - if operation: - self.check_access(operation) + if '2.5.29.17' in extensions: + self.check_access('request certificate with subjectaltname') dn = None principal_obj = None @@ -433,11 +422,6 @@ class cert_request(VirtualCommand): "any of user's email addresses") ) - for ext in extensions: - if ext not in self._allowed_extensions: - raise errors.ValidationError( - name='csr', error=_("extension %s is forbidden") % ext) - # We got this far so the principal entry exists, can we write it? if not ldap.can_write(dn, "usercertificate"): raise errors.ACIError(info=_("Insufficient 'write' privilege " -- 2.4.3