authorSimo Sorce <simo@redhat.com>2016-07-26 11:25:27 -0400
committerMartin Babinsky <mbabinsk@redhat.com>2016-08-31 10:11:48 +0200
commit25ed36fda14b30d6a50746a536939e3b428993cb (patch)
tree95707a01e8e0804ed21eaedb8059377ba647d88f /ipaserver/plugins/cert.py
parent2c7b7b3acc0a7131ea14cc43acb571150b585171 (diff)
Fix CA ACL Check on SubjectAltNames
The code is supposed to check that the SAN name is also authorized to be used with the specified profile id. The original principal has already been checked. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver/plugins/cert.py')
-rw-r--r--ipaserver/plugins/cert.py12
1 files changed, 8 insertions, 4 deletions
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 2e8aa9417..6195a6b1e 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -688,14 +688,18 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
for name_type, desc, name, der_name in subjectaltname:
if name_type == nss.certDNSName:
name = unicode(name)
+ alt_principal = None
alt_principal_obj = None
- alt_principal_string = unicode(principal)
try:
if principal_type == HOST:
+ alt_principal = kerberos.Principal(
+ (u'host', name), principal.realm)
alt_principal_obj = api.Command['host_show'](name, all=True)
elif principal_type == SERVICE:
+ alt_principal = kerberos.Principal(
+ (principal.service_name, name), principal.realm)
alt_principal_obj = api.Command['service_show'](
- alt_principal_string, all=True)
+ alt_principal, all=True)
elif principal_type == USER:
raise errors.ValidationError(
name='csr',
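Review bot: In the SERVICE branch, `service_show` is now called with a `kerberos.Principal` object where the removed line passed a unicode string; whether the command's principal parameter accepts and normalizes an object rather than a string is not visible in this hunk and should be confirmed. Both new `kerberos.Principal(...)` constructions also bind the SAN's host or service to the requester's realm via `principal.realm`, which is an assumption worth stating next to the first one, e.g. `# SAN DNS names are mapped to principals in the requester's realm; cross-realm SANs are not handled here.` The `try` that these branches sit in, and its `except` handlers, continue past the end of the hunk.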
@@ -715,8 +719,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
- if alt_principal_string is not None and not bypass_caacl:
- caacl_check(principal_type, principal, ca, profile_id)
+ if alt_principal is not None and not bypass_caacl:
+ caacl_check(principal_type, alt_principal, ca, profile_id)
elif name_type in [
(nss.certOtherName, x509.SAN_UPN),
(nss.certOtherName, x509.SAN_KRB5PRINCIPALNAME),
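Review bot: The rewritten `if alt_principal is not None and not bypass_caacl:` guard would benefit from a comment explaining why the ACL check now targets the SAN's principal instead of the requester's, since that was exactly the defect being fixed: `# The requester's own principal was already ACL-checked; the principal derived from the SAN must also be permitted for this CA and profile.` Because `alt_principal` is assigned before the `host_show`/`service_show` lookup in the earlier hunk, if the lookup's exception handler (in the lines between the two hunks, outside this view) ever lets control fall through, `caacl_check` would run for a principal whose object was never found; it is worth confirming that handler always raises. The enclosing `for` loop and its `try` block begin in the earlier hunk.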