The attached patch fixes a bug in KRB5PrincipalName / UPN SAN validation. Thanks, Fraser
From 5f2b87fb4a5b6d93bd8e946e53e27137280682c1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Sun, 9 Aug 2015 05:55:04 -0400 Subject: [PATCH] Fix KRB5PrincipalName / UPN SAN comparison
Depending on how the target principal name is conveyed to the command (i.e. with / without realm), the KRB5PrincipalName / UPN subjectAltName validation could be comparing unequal strings and erroneously rejecting a valid request. Normalise both sides of the comparison to ensure that the principal names contain realm information. Fixes: https://fedorahosted.org/freeipa/ticket/5191
--- ipalib/plugins/cert.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 341bdd01766d50ba18ce7147d4408851e6f95487..f8a11ca2c5a3688f57c6c3839438fbd426369ecc 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -473,7 +473,7 @@ class cert_request(VirtualCommand): principal_type, alt_principal_string, ca, profile_id) elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME, pkcs10.SAN_OTHERNAME_UPN): - if name != principal_string: + if split_any_principal(name) != principal: raise errors.ACIError( info=_("Principal '%s' in subject alt name does not " "match requested principal") % name) -- 2.4.3
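Review bot: the new check `if split_any_principal(name) != principal:` compares the split form of the SAN value against `principal`, but the hunk does not show where `principal` comes from or whether it is already the split form of the requested principal; if it is still the raw string that `principal_string` was derived from, the comparison will always be unequal and every KRB5PrincipalName / UPN SAN request will be rejected, so please confirm both sides end up in the same normalised structure. Two further points worth checking at this line: first, how `split_any_principal` treats a SAN value with no realm component (the commit message says both sides are normalised to contain realm information, so a realm-less SAN name must not be silently accepted as the local realm unless that is the intended semantics, and a SAN naming a different realm must still fail); second, a malformed SAN value that `split_any_principal` cannot parse should surface as the existing `errors.ACIError` / a validation error rather than an unhandled exception escaping from the otherName processing, since this code path is reached with attacker-controlled CSR content.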
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code