Fix CA ACL Check on SubjectAltNames
The code is supposed to check that the SAN name is also authorized to be used with the specified profile id. The original principal has already been checked. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
parent
2c7b7b3acc
commit
25ed36fda1
@ -688,14 +688,18 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
||||
for name_type, desc, name, der_name in subjectaltname:
|
||||
if name_type == nss.certDNSName:
|
||||
name = unicode(name)
|
||||
alt_principal = None
|
||||
alt_principal_obj = None
|
||||
alt_principal_string = unicode(principal)
|
||||
try:
|
||||
if principal_type == HOST:
|
||||
alt_principal = kerberos.Principal(
|
||||
(u'host', name), principal.realm)
|
||||
alt_principal_obj = api.Command['host_show'](name, all=True)
|
||||
elif principal_type == SERVICE:
|
||||
alt_principal = kerberos.Principal(
|
||||
(principal.service_name, name), principal.realm)
|
||||
alt_principal_obj = api.Command['service_show'](
|
||||
alt_principal_string, all=True)
|
||||
alt_principal, all=True)
|
||||
elif principal_type == USER:
|
||||
raise errors.ValidationError(
|
||||
name='csr',
|
||||
@ -715,8 +719,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
||||
raise errors.ACIError(info=_(
|
||||
"Insufficient privilege to create a certificate "
|
||||
"with subject alt name '%s'.") % name)
|
||||
if alt_principal_string is not None and not bypass_caacl:
|
||||
caacl_check(principal_type, principal, ca, profile_id)
|
||||
if alt_principal is not None and not bypass_caacl:
|
||||
caacl_check(principal_type, alt_principal, ca, profile_id)
|
||||
elif name_type in [
|
||||
(nss.certOtherName, x509.SAN_UPN),
|
||||
(nss.certOtherName, x509.SAN_KRB5PRINCIPALNAME),
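Review bot: On the line `if alt_principal is not None and not bypass_caacl:` the CA ACL check is skipped silently whenever `alt_principal` was never assigned, so a `principal_type` other than HOST, SERVICE or USER (USER raises before reaching it) would accept the DNS SAN with no profile authorization at all, a fail-open path. If the classification earlier in cert_request guarantees one of those three values, say so with a comment such as `# alt_principal is unset only for USER, which raised above; both the requester and the SAN principal must pass the CA ACL for this profile`; otherwise add an `else` branch inside the `try` that rejects the request instead of leaving `alt_principal` unset. The SERVICE branch now passes a `kerberos.Principal` object to `service_show` where the removed line passed a unicode string, which is only correct if that command's positional parameter accepts the object; the hunk cannot show that. The body of cert_request, including the `except` handling between the two hunks, lies outside them.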
|
||||
|