cert-request: report all unmatched SAN IP addresses

During SAN validation, it is possible that more than one iPAddressName does not match a known IP address for the DNS names in the SAN. But only one unmatched IP address is reported. Update the error message to mention all unmatched iPAddressName values. Part of: https://pagure.io/freeipa/issue/7451 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-02-21 13:54:18 +11:00 · 2019-02-21 13:54:18 +11:00 · e37c025dac
commit e37c025dac
parent 9c750f0738
1 changed files with 12 additions and 9 deletions
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@ -1115,18 +1115,21 @@ def _validate_san_ips(san_ipaddrs, san_dnsnames):
        address.

    """
+
+    # Collect the IP addresses for each SAN dNSName
    san_dns_ips = set()
    for name in san_dnsnames:
        san_dns_ips.update(_san_dnsname_ips(name, cname_depth=1))
-    for ip in san_ipaddrs:
-        if unicode(ip) not in san_dns_ips:
-            raise errors.ValidationError(
-                name='csr',
-                error=_(
-                    "IP address in subjectAltName (%s) does not "
-                    "match any DNS name"
-                ) % name.value
-            )
+
+    # Each SAN iPAddressName must appear in the addresses we just collected
+    unmatched_ips = set(unicode(ip) for ip in san_ipaddrs) - san_dns_ips
+    if len(unmatched_ips) > 0:
+        raise errors.ValidationError(
+            name='csr',
+            error=_(
+                "IP address in subjectAltName (%s) does not match any DNS name"
+            ) % ', '.join(unmatched_ips)
+        )


 def _san_dnsname_ips(dnsname, cname_depth):