From 8ec4868a64a193917ee2c424ba5fdbf17f14b4ad Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 23 Apr 2018 15:02:36 +1000
Subject: [PATCH] cert-request: restrict IPAddress SAN to host/service principals
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/plugins/cert.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index db122e8a0..41b992a0c 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -864,6 +864,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 "for non-user principals") % "RFC822Name"
 )
 elif isinstance(gn, cryptography.x509.general_name.IPAddress):
+ if principal.is_user:
+ raise errors.ValidationError(
+ name='csr',
+ error=_(
+ "subject alt name type %s is forbidden "
+ "for user principals") % "IPAddress"
+ )
 san_ipaddrs.add(gn.value)
 else:
 raise errors.ACIError(
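Review bot: The new guard in the `IPAddress` branch is a deny-list on `principal.is_user`, while the subject line states the intent as an allow-list of host/service principals, so any principal kind that is not a user is accepted by default. If the principal object exposes host/service predicates (not visible in this hunk), a fail-closed form such as `if not (principal.is_host or principal.is_service):` would match the stated policy more directly. A short comment above the check, for example `# IPAddress SANs are only issued to principals bound to a hostname`, would record why users are excluded; this wording is inferred from the commit subject and should be confirmed. After the guard the branch only adds `gn.value` to `san_ipaddrs`, so whether each address is verified against the principal happens outside this hunk, whose enclosing method also starts and ends outside it. The diffstat lists only `cert.py`, so a negative test asserting `ValidationError` for a user principal whose CSR carries an IPAddress SAN is worth adding.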