[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile
Jan Cholasta
jcholast at redhat.com
Wed Jan 22 15:05:47 UTC 2014
On 22.1.2014 15:34, Simo Sorce wrote:
> On Wed, 2014-01-22 at 10:40 +0100, Jan Cholasta wrote:
>> On 21.1.2014 17:12, Simo Sorce wrote:
>>> On Tue, 2014-01-21 at 14:02 +0100, Jan Cholasta wrote:
>>>> + request = None
>>>> + try:
>>>> + request = pkcs10.load_certificate_request(csr)
>>>> + subject = pkcs10.get_subject(request)
>>>> + subjectaltname = pkcs10.get_subjectaltname(request)
>>>
>>> Will this make the request fail if there is no subjectaltname ?
>>
>> No.
>
> Good.
>
>>> Later in the patch you seem to be changing from needing managedby_host
>>> to needing write access to an entry, I am not sure I understand why that
>>> was changed. not saying it is necessarily wrong, but why the original
>>> check is not right anymore ?
>>
>> The original check is wrong, see
>> <https://fedorahosted.org/freeipa/ticket/3977#comment:23>.
>>
>> The check in my patch allows SAN only if the requesting host has write
>> access to all of the SAN services. I'm not entirely sure if this is
>> right, but even if it is not, I think we should still check for write
>> access to the SAN services, so that access control can be (partially)
>> handled by ACIs.
>
> Right, I remembered that comment, but it just says to check the right
> object's managed-by, here instead you changed it to check if you can
> write the usercertificate.
>
> I guess it is the same *if* there is an ACI that gives write permission
> when the host is in the managed-by attribute, is that the reasoning ?
Exactly. The ACIs that allow this by default are named "Hosts can manage
service Certificates and kerberos keys" and "Hosts can manage other host
Certificates and kerberos keys".
I think the check can be extended to users as well, so that requesting
certificate with SAN is allowed only to users which have write access to
the SAN services.
>
> Simo.
>
--
Jan Cholasta
More information about the Freeipa-devel
mailing list