author | Simo Sorce <simo@redhat.com> | 2016-07-26 11:25:27 -0400 |
---|---|---|
committer | Martin Babinsky <mbabinsk@redhat.com> | 2016-08-31 10:11:48 +0200 |
commit | 25ed36fda14b30d6a50746a536939e3b428993cb (patch) | |
tree | 95707a01e8e0804ed21eaedb8059377ba647d88f /ipaserver/plugins/cert.py | |
parent | 2c7b7b3acc0a7131ea14cc43acb571150b585171 (diff) | |
Fix CA ACL Check on SubjectAltNames
The code is supposed to check that each DNS SubjectAltName is itself authorized
by the CA ACLs for the specified CA and profile id, independently of the requesting principal.
The original principal has already been checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver/plugins/cert.py')
-rw-r--r-- | ipaserver/plugins/cert.py | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 2e8aa9417..6195a6b1e 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -688,14 +688,18 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 for name_type, desc, name, der_name in subjectaltname:
 if name_type == nss.certDNSName:
 name = unicode(name)
+ alt_principal = None
 alt_principal_obj = None
- alt_principal_string = unicode(principal)
 try:
 if principal_type == HOST:
+ alt_principal = kerberos.Principal(
+ (u'host', name), principal.realm)
 alt_principal_obj = api.Command['host_show'](name, all=True)
 elif principal_type == SERVICE:
+ alt_principal = kerberos.Principal(
+ (principal.service_name, name), principal.realm)
 alt_principal_obj = api.Command['service_show'](
- alt_principal_string, all=True)
+ alt_principal, all=True)
 elif principal_type == USER:
 raise errors.ValidationError(
 name='csr',
@@ -715,8 +719,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 raise errors.ACIError(info=_(
 "Insufficient privilege to create a certificate "
 "with subject alt name '%s'.") % name)
- if alt_principal_string is not None and not bypass_caacl:
- caacl_check(principal_type, principal, ca, profile_id)
+ if alt_principal is not None and not bypass_caacl:
+ caacl_check(principal_type, alt_principal, ca, profile_id)
 elif name_type in [
 (nss.certOtherName, x509.SAN_UPN),
 (nss.certOtherName, x509.SAN_KRB5PRINCIPALNAME), |
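Review bot: The SAN principal constructed in the SERVICE branch, `alt_principal = kerberos.Principal((principal.service_name, name), principal.realm)`, encodes a policy decision that nothing in the hunk states: a DNS SAN is treated as the same service type, in the same realm, as the requesting principal (and as `host/<name>` in the HOST branch). A short comment above the `try:` would make that explicit, e.g. `# A DNS SAN is mapped to host/<name> or <svc>/<name> in the requester's realm; both the object lookup and the CA ACL check below operate on this principal.` The enclosing method starts before this hunk and continues after it, so the except clause that handles a failed host_show/service_show lookup is not visible here and I have not assumed what it does.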
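Review bot: The new `caacl_check(principal_type, alt_principal, ca, profile_id)` is the only place a DNS SAN is itself tested against the CA ACLs, but the code does not say why this must be a separate check from the one already performed on the requesting principal, which is exactly what a future "deduplication" could undo. Suggested why-comment directly above the `if alt_principal is not None and not bypass_caacl:` line: `# The requesting principal was already checked against the CA ACLs; each DNS SAN must independently be permitted for this CA and profile, otherwise an authorized principal could obtain a certificate for names it may not hold.` The `alt_principal is not None` guard depends on the assignments in the HOST/SERVICE branches earlier in the same loop iteration and on the USER branch raising before this point; the enclosing method starts and ends outside this hunk, so the other SAN types handled by the following `elif` were not reviewed.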