[Freeipa-devel] [PATCH] 0038 cert-request: remove allowed extensions check

Ade Lee alee at redhat.com
Thu Aug 13 14:21:49 UTC 2015


Fraser, 

Continuing the discussion started previously, the question is whether
IPA should check for the presence of certain extensions.

There seem to be two kinds of problems which could be encountered here:

1. User could include a CSR which includes an extension that is not
valid for the profile.

2. User could include data for an extension that is invalid.

The original allowed extensions check attempted to address problem (1)
by allowing only extensions that were valid for the small set of
profiles used by IPA.  Now that custom profiles are available, though,
this is no longer sufficient.

I do believe that it would be useful to provide the user with feedback
if a particular extension is not supported by the profile when the CSR
is submitted to IPA.  This should most likely be a non-fatal
notification, because the CA will end up ignoring the extension.

With the Dogtag profile API, it is possible to enumerate the extensions
that are included in a cert for a particular profile.  Couldn't this
data be used as the basis for this check?

For problem (2), although some validation could be done in IPA, this is
most probably something that should be left to Dogtag itself.  I believe
the error reporting from Dogtag has been sufficiently improved so
that these types of validation errors would be reported back to IPA.

Ade
  
On Thu, 2015-08-13 at 15:54 +1000, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/5205
> 
> Thanks,
> Fraser
> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
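
A worked example of the check Ade proposes above, added here and not part of
FreeIPA, Dogtag or either message: it walks the DER of a PKCS#10 CSR with a
minimal TLV parser, pulls the extension OIDs out of the extensionRequest
attribute, compares them with the set of extensions a profile emits, and
returns non-fatal warnings for the ones the CA would ignore. The profile name
caIPAserviceCert-example, its extension set and the CSR contents (unsigned,
with a dummy key and signature) are constructed for the example; a real
implementation would obtain the allowed set from the Dogtag profile API rather
than a hard-coded table.

```python
# Added example (not FreeIPA/Dogtag code): warn about CSR extensions a profile
# will not emit, rather than rejecting the request.

OID_EXTENSION_REQUEST = '1.2.840.113549.1.9.14'   # PKCS#9 extensionRequest

# --- minimal DER encode/decode helpers -------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split('.')]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7f]
        p >>= 7
        while p:                       # base-128, high bit set on all but last
            chunk.append(0x80 | (p & 0x7f))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    first = body[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7f)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return '.'.join(str(p) for p in parts)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the single-byte-tag TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

# --- constructed CSR ---------------------------------------------------------
def build_csr(requested):
    """Build an unsigned, dummy-keyed PKCS#10 structure carrying the given
    extensions. requested: list of (oid, critical, extnValue bytes)."""
    exts = b''.join(
        tlv(0x30, encode_oid(oid) + (tlv(0x01, b'\xff') if crit else b'') + tlv(0x04, val))
        for oid, crit, val in requested)
    attr = tlv(0x30, encode_oid(OID_EXTENSION_REQUEST) + tlv(0x31, tlv(0x30, exts)))
    attrs = tlv(0xa0, attr)                                   # [0] IMPLICIT SET OF Attribute
    spki = tlv(0x30, tlv(0x30, encode_oid('1.2.840.113549.1.1.1') + tlv(0x05, b''))
               + tlv(0x03, b'\x00'))                          # dummy rsaEncryption key
    cri = tlv(0x30, tlv(0x02, b'\x00') + tlv(0x30, b'') + spki + attrs)
    sig_alg = tlv(0x30, encode_oid('1.2.840.113549.1.1.11') + tlv(0x05, b''))
    return tlv(0x30, cri + sig_alg + tlv(0x03, b'\x00' * 17))  # dummy signature

# --- the check ---------------------------------------------------------------
def requested_extensions(csr_der):
    """Return {oid: critical} for every extension in the CSR's extensionRequest."""
    _, csr_body, _ = read_tlv(csr_der)
    _, cri, _ = read_tlv(csr_body)                            # CertificationRequestInfo
    found = {}
    for tag, attrs in iter_tlvs(cri):
        if tag != 0xa0:
            continue
        for _, attr in iter_tlvs(attrs):
            fields = list(iter_tlvs(attr))
            if decode_oid(fields[0][1]) != OID_EXTENSION_REQUEST:
                continue
            for _, extensions in iter_tlvs(fields[1][1]):     # SET OF Extensions
                for _, ext in iter_tlvs(extensions):          # each Extension
                    parts = list(iter_tlvs(ext))
                    critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] == b'\xff'
                    found[decode_oid(parts[0][1])] = critical
    return found

# Constructed stand-in for what the Dogtag profile API would report.
PROFILE_EXTENSIONS = {
    'caIPAserviceCert-example': {'2.5.29.14', '2.5.29.15', '2.5.29.17', '2.5.29.31',
                                 '2.5.29.35', '2.5.29.37', '1.3.6.1.5.5.7.1.1'},
}

def check_csr_against_profile(csr_der, profile_id):
    """Non-fatal warnings for requested extensions the profile will not emit."""
    allowed = PROFILE_EXTENSIONS[profile_id]
    return [f"extension {oid} ({'critical, ' if crit else ''}requested) is not emitted "
            f"by profile {profile_id}; the CA will ignore it"
            for oid, crit in sorted(requested_extensions(csr_der).items())
            if oid not in allowed]

def sample_csr():
    # SAN, critical keyUsage, critical basicConstraints, and a private-arc OID
    return build_csr([('2.5.29.17', False, b'\x30\x00'), ('2.5.29.15', True, b'\x03\x02\x05\xa0'),
                      ('2.5.29.19', True, b'\x30\x00'), ('1.3.6.1.4.1.99999.1', False, b'\x04\x00')])

if __name__ == '__main__':
    for w in check_csr_against_profile(sample_csr(), 'caIPAserviceCert-example'):
        print('warning:', w)
```

The warnings are returned rather than raised so the caller can surface them to
the user and still submit the request, matching the non-fatal behaviour Ade
suggests; problem (2), malformed extension values, is deliberately left to the
CA, which is why the code never interprets extnValue.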
