[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

Jan Cholasta jcholast at redhat.com
Wed Jan 22 15:05:47 UTC 2014


On 22.1.2014 15:34, Simo Sorce wrote:
> On Wed, 2014-01-22 at 10:40 +0100, Jan Cholasta wrote:
>> On 21.1.2014 17:12, Simo Sorce wrote:
>>> On Tue, 2014-01-21 at 14:02 +0100, Jan Cholasta wrote:
>>>> +        request = None
>>>> +        try:
>>>> +            request = pkcs10.load_certificate_request(csr)
>>>> +            subject = pkcs10.get_subject(request)
>>>> +            subjectaltname = pkcs10.get_subjectaltname(request)
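Review bot: nothing in this fragment shows how a CSR without a SAN extension is handled at `subjectaltname = pkcs10.get_subjectaltname(request)`; if that call returns an empty result rather than raising when the extension is absent, a one-line comment there would make the no-SAN path explicit, and the `except` branch that `request = None` is guarding for should be quoted alongside these lines so the error handling can be reviewed together with the parsing.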
>>>
>>> Will this make the request fail if there is no subjectaltname ?
>>
>> No.
>
> Good.
>
>>> Later in the patch you seem to be changing from needing managedby_host
>>> to needing write access to an entry, I am not sure I understand why that
>>> was changed. Not saying it is necessarily wrong, but why is the original
>>> check not right anymore?
>>
>> The original check is wrong, see
>> <https://fedorahosted.org/freeipa/ticket/3977#comment:23>.
>>
>> The check in my patch allows SAN only if the requesting host has write
>> access to all of the SAN services. I'm not entirely sure if this is
>> right, but even if it is not, I think we should still check for write
>> access to the SAN services, so that access control can be (partially)
>> handled by ACIs.
>
> Right, I remembered that comment, but it just says to check the right
> object's managed-by, here instead you changed it to check if you can
> write the usercertificate.
>
> I guess it is the same *if* there is an ACI that gives write permission
> when the host is in the managed-by attribute, is that the reasoning ?

Exactly. The ACIs that allow this by default are named "Hosts can manage 
service Certificates and kerberos keys" and "Hosts can manage other host 
Certificates and kerberos keys".

I think the check can be extended to users as well, so that requesting a 
certificate with a SAN is allowed only to users who have write access to 
the SAN services.

>
> Simo.
>


-- 
Jan Cholasta
