From 25ed36fda14b30d6a50746a536939e3b428993cb Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:25:27 -0400 Subject: Fix CA ACL Check on SubjectAltNames The code is supposed to check that the SAN name is also authorized to be used with the specified profile id. The original principal has already been checked. Signed-off-by: Simo Sorce Reviewed-By: Fraser Tweedale Reviewed-By: Martin Babinsky --- ipaserver/plugins/cert.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 2e8aa9417..6195a6b1e 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -688,14 +688,18 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): for name_type, desc, name, der_name in subjectaltname: if name_type == nss.certDNSName: name = unicode(name) + alt_principal = None alt_principal_obj = None - alt_principal_string = unicode(principal) try: if principal_type == HOST: + alt_principal = kerberos.Principal( + (u'host', name), principal.realm) alt_principal_obj = api.Command['host_show'](name, all=True) elif principal_type == SERVICE: + alt_principal = kerberos.Principal( + (principal.service_name, name), principal.realm) alt_principal_obj = api.Command['service_show']( - alt_principal_string, all=True) + alt_principal, all=True) elif principal_type == USER: raise errors.ValidationError( name='csr', @@ -715,8 +719,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): raise errors.ACIError(info=_( "Insufficient privilege to create a certificate " "with subject alt name '%s'.") % name) - if alt_principal_string is not None and not bypass_caacl: - caacl_check(principal_type, principal, ca, profile_id) + if alt_principal is not None and not bypass_caacl: + caacl_check(principal_type, alt_principal, ca, profile_id) elif name_type in [ (nss.certOtherName, x509.SAN_UPN), (nss.certOtherName, x509.SAN_KRB5PRINCIPALNAME), -- cgit