[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile
Simo Sorce
simo at redhat.com
Wed Jan 22 15:43:27 UTC 2014
On Wed, 2014-01-22 at 16:05 +0100, Jan Cholasta wrote:
> On 22.1.2014 15:34, Simo Sorce wrote:
> > On Wed, 2014-01-22 at 10:40 +0100, Jan Cholasta wrote:
> >> On 21.1.2014 17:12, Simo Sorce wrote:
> >>> On Tue, 2014-01-21 at 14:02 +0100, Jan Cholasta wrote:
> >>>> + request = None
> >>>> + try:
> >>>> + request = pkcs10.load_certificate_request(csr)
> >>>> + subject = pkcs10.get_subject(request)
> >>>> + subjectaltname = pkcs10.get_subjectaltname(request)
> >>>
> >>> Will this make the request fail if there is no subjectaltname ?
> >>
> >> No.
> >
> > Good.
> >
> >>> Later in the patch you seem to be changing from needing managedby_host
> >>> to needing write access to an entry, I am not sure I understand why that
> >>> was changed. not saying it is necessarily wrong, but why the original
> >>> check is not right anymore ?
> >>
> >> The original check is wrong, see
> >> <https://fedorahosted.org/freeipa/ticket/3977#comment:23>.
> >>
> >> The check in my patch allows SAN only if the requesting host has write
> >> access to all of the SAN services. I'm not entirely sure if this is
> >> right, but even if it is not, I think we should still check for write
> >> access to the SAN services, so that access control can be (partially)
> >> handled by ACIs.
> >
> > Right, I remembered that comment, but it just says to check the right
> > object's managed-by, here instead you changed it to check if you can
> > write the usercertificate.
> >
> > I guess it is the same *if* there is an ACI that gives write permission
> > when the host is in the managed-by attribute, is that the reasoning ?
>
> Exactly. The ACIs that allow this by default are named "Hosts can manage
> service Certificates and kerberos keys" and "Hosts can manage other host
> Certificates and kerberos keys".
>
> I think the check can be extended to users as well, so that requesting
> certificate with SAN is allowed only to users which have write access to
> the SAN services.
Sounds good to me then, thanks for explaining.
The patches also look good, but I would like someone to give them a try
for a formal ack.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list