URL: https://github.com/freeipa/freeipa/pull/228
Author: frasertweedale
Title: #228: cert-request: allow directoryName in SAN extension
Action: opened
PR body:
"""
Allow directoryName in SAN extension if the value matches the subject principal's DN in the IPA directory.

Fixes: https://fedorahosted.org/freeipa/ticket/6112

---

A bit of commentary about this feature: it was just a drive-by case of "hey I could implement this in a way that I think makes sense". No one actually asked for it (yet). Also, there is not agreement that using directoryName to carry the DN of the subject is valid. On my part, I think it is obviously valid, but see the original review thread for discussion:

https://www.redhat.com/archives/freeipa-devel/2016-August/msg00714.html

I had to rebase this commit and resolve conflicts, so now it is a PR and it can age in oak on GitHub instead of the mailing list :)
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/228/head:pr228
git checkout pr228
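The policy this PR adds is "accept a directoryName SAN only when it names the requesting principal's own entry", and it depends on comparing two DNs structurally rather than as raw strings (attribute types are case-insensitive, whitespace around separators is insignificant, values may be escaped in different but equivalent ways, and multi-valued RDNs have no inherent order). The following is an added example written for this page, not FreeIPA code: `parse_dn`, `dn_equal` and `san_directory_name_allowed` are hypothetical names, and the parser is a simplified stand-in for the normalising comparison that IPA's own `DN` class performs. It assumes every attribute value is matched case-insensitively (real LDAP schemas mark some attributes as case-exact) and ignores the `#`-prefixed BER-encoded value form; the sample DNs are constructed.

```python
import re

# Matches the two hex digits of an RFC 4514 "\XX" escape.
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def _split_unescaped(text, sep):
    """Split on `sep` while keeping backslash-escaped characters intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Decode RFC 4514 escapes: "\\," style and "\\2c" hex-encoded UTF-8 bytes."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += ch.encode("utf-8")
        i += 1
    return out.decode("utf-8")


def _normalize_value(value):
    """Approximate LDAP caseIgnoreMatch: fold case and collapse whitespace.
    Assumption of this example: every attribute is treated as case-ignore."""
    return " ".join(value.split()).casefold()


def parse_dn(dn):
    """Parse an RFC 4514 string into a tuple of RDNs. Each RDN is a frozenset
    of (attribute-type, normalized-value) pairs, so multi-valued RDNs compare
    independently of the order in which their components were written."""
    if not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = set()
        for atv in _split_unescaped(rdn, "+"):
            attr, eq, value = atv.partition("=")
            if not eq or not attr.strip():
                raise ValueError("malformed RDN component: %r" % atv)
            pairs.add((attr.strip().lower(),
                       _normalize_value(_unescape(value.strip()))))
        rdns.append(frozenset(pairs))
    return tuple(rdns)


def dn_equal(a, b):
    """Compare two DNs structurally rather than as raw strings."""
    return parse_dn(a) == parse_dn(b)


def san_directory_name_allowed(san_dn, principal_dn):
    """Mirror the policy in this PR: a directoryName SAN is accepted only when
    it names the requesting principal's own entry. A DN that cannot be parsed
    is reported as a mismatch rather than raising."""
    try:
        return dn_equal(san_dn, principal_dn)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from a real IPA deployment.
    principal = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
    print(san_directory_name_allowed(
        "UID=Alice, CN=Users, CN=Accounts, DC=example, DC=test", principal))
    print(san_directory_name_allowed(
        "uid=bob,cn=users,cn=accounts,dc=example,dc=test", principal))
```

The point the example makes is that a plain string comparison of the SAN against the stored DN would reject legitimate requests written with different case or escaping, while a comparison that canonicalises both sides still rejects any DN that names a different entry.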
From c8fbd658f3341fc54af2b26e5ee844e5bcfc3784 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 14 Jul 2016 21:36:33 +1000 Subject: [PATCH] cert-request: allow directoryName in SAN extension Allow directoryName in SAN extension if the value matches the subject principal's DN in the IPA directory. Fixes: https://fedorahosted.org/freeipa/ticket/6112 --- ipaserver/plugins/cert.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 4362d82..024d541 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -427,6 +427,7 @@ def _add_san_attribute(self, obj, full, gn): } default_attrs = { 'san_rfc822name', 'san_dnsname', 'san_other_upn', 'san_other_kpn', + 'san_directoryname', } if type(gn) not in name_type_map: @@ -743,6 +744,12 @@ def execute(self, csr, all=False, raw=False, **kw): "subject alt name type %s is forbidden " "for non-user principals") % "RFC822Name" ) + elif isinstance(gn, cryptography.x509.general_name.DirectoryName): + if DN(gn.value) != principal_obj['dn']: + raise errors.ValidationError( + name='csr', + error=_("Directory Name does not match principal's DN") + ) else: raise errors.ACIError( info=_("Subject alt name type %s is forbidden")
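Review bot: the new `'san_directoryname'` entry in `default_attrs` (first hunk) only has an effect if `name_type_map`, which is consulted by the `if type(gn) not in name_type_map:` check that follows but is not visible in the hunk, already maps `cryptography.x509.general_name.DirectoryName` to `'san_directoryname'`; please confirm that mapping exists, otherwise a directoryName SAN is accepted by the second hunk yet never shown in the command output, and a test that renders a certificate carrying one would pin this down.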
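Review bot: in the new `elif isinstance(gn, cryptography.x509.general_name.DirectoryName)` branch (second hunk), `DN(gn.value)` is handed the `cryptography.x509.Name` object that `gn.value` holds; please verify that IPA's `DN` constructor accepts that type rather than a string, and that a failure to convert it is turned into `errors.ValidationError(name='csr', ...)` like the mismatch case, since otherwise a malformed directoryName surfaces as an unhandled exception instead of a clean rejection. Unlike the `RFC822Name` branch directly above, which is limited to user principals, the new branch applies to every principal type; if that is intended, a sentence in the commit message saying so, plus a test using a DN that differs only in attribute-type case or whitespace (to document that the match relies on `DN`'s normalised comparison and not on string equality), would make the intent explicit.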
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code