| author | Fraser Tweedale <ftweedal@redhat.com> | 2015-08-09 05:55:04 -0400 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2015-08-11 17:31:25 +0200 |
| commit | 58cf1cd65fc1e8d02a8b5f43fd5157786e232486 | |
| tree | 1ddf8ab38c0d4ceeecd469971d237ad4874f9f59 | |
| parent | 8685c0d7b2463d0eef05ff351137afcc291621ec | |
Fix KRB5PrincipalName / UPN SAN comparison
Depending on how the target principal name is conveyed to the
command (i.e. with / without realm), the KRB5PrincipalName / UPN
subjectAltName validation could be comparing unequal strings and
erroneously rejecting a valid request.
Normalise both sides of the comparison to ensure that the principal
names contain realm information.
Fixes: https://fedorahosted.org/freeipa/ticket/5191
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | ipalib/plugins/cert.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index b6e6d7981..610f21493 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -474,7 +474,7 @@ class cert_request(VirtualCommand): principal_type, alt_principal_string, ca, profile_id) elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, pkcs10.SAN_OTHERNAME_UPN): - if name != principal_string: + if split_any_principal(name) != principal: raise errors.ACIError( info=_("Principal '%s' in subject alt name does not " "match requested principal") % name) |
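Review bot: the changed line `if split_any_principal(name) != principal:` only works if `principal` is already in the same normalised form that `split_any_principal` returns and if `split_any_principal` is imported in cert.py; neither is visible in this hunk, so please confirm both, since a missing import or a tuple-versus-string comparison would make every KRB5PrincipalName/UPN SAN fail this check instead of fixing the realm mismatch the commit message describes. The removed line was the only visible use of `principal_string`; if nothing else in the method still reads it, drop its assignment too. Finally, the diffstat shows only ipalib/plugins/cert.py changed: a test that submits a request whose SAN principal is given once with and once without the realm would pin down the regression fixed for ticket 5191.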