> Agreed.  The corresponding checks for certificate issuance via
> cert-request, where the bind principal is a host, check that the
> subject host (and SAN dNSNames) is "managed by" the bind host.
> This is checked via `ldap.can_write(dn_of_subject_principal)'.
>
> 1. retrieve cert
> 2. read CN
> 3. ensure CN refers to a known host principal
>    and call ldap.can_write(...) to ensure bind principal
>    manages it.
>

Thanks for the feedback. Attaching new patch.
From f75c5a3c297c4639645f53c973e5ba91eff46315 Mon Sep 17 00:00:00 2001
From: Jan Orel <jan.o...@gooddata.com>
Date: Mon, 12 Oct 2015 17:07:24 +0200
Subject: [PATCH] cert-show: verify write access to userCertificate

---
 ipalib/plugins/cert.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index e459320..286e05c 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -606,7 +606,6 @@ class cert_show(VirtualCommand):
 
     def execute(self, serial_number, **options):
         ca_enabled_check()
-        hostname = None
         try:
             self.check_access()
         except errors.ACIError as acierr:
@@ -614,7 +613,6 @@ class cert_show(VirtualCommand):
             bind_principal = getattr(context, 'principal')
             if not bind_principal.startswith('host/'):
                 raise acierr
-            hostname = get_host_from_principal(bind_principal)
 
         result=self.Backend.ra.get_certificate(serial_number)
         cert = x509.load_certificate(result['certificate'])
@@ -624,11 +622,13 @@ class cert_show(VirtualCommand):
         result['valid_not_after'] = unicode(cert.valid_not_after_str)
         result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
         result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
-        if hostname:
-            # If we have a hostname we want to verify that the subject
-            # of the certificate matches it, otherwise raise an error
-            if hostname != cert.subject.common_name:    #pylint: disable=E1101
-                raise acierr
+
+        # verify we can write to userCertificate attribute of the target
+        ldap = self.api.Backend.ldap2
+        entry = ldap.find_entry_by_attr("cn", cert.subject.common_name,
+            "krbPrincipalAux", base_dn=api.env.basedn)
+        if not ldap.can_write(entry.dn, 'usercertificate'):
+            raise acierr
 
         return dict(result=result)
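Review bot: The new write check at the end of the third hunk runs on every call, including when `check_access()` succeeded, and on that path `acierr` was never bound, so `raise acierr` fails with a NameError instead of an ACIError and callers holding the retrieve-certificate permission but no write access to the subject entry are denied. The check should stay confined to the host-principal fallback: initialize `acierr = None` where `hostname = None` was removed in the first hunk, and guard the lookup with `if acierr is not None:`. `find_entry_by_attr` presumably raises `errors.NotFound` when no krbPrincipalAux entry carries the subject CN, which would surface as a lookup error rather than the access denial; catching it and re-raising `acierr` keeps the error surface of the original `hostname != common_name` check. The block also mixes `self.api.Backend.ldap2` with the module-level `api.env.basedn`; `self.api.env.basedn` keeps it consistent. `execute` begins before this hunk.
```python
        # Fallback for host principals that failed the ACI check: only allow
        # the request when the bind principal can write the subject entry's
        # userCertificate attribute.
        if acierr is not None:
            ldap = self.api.Backend.ldap2
            try:
                entry = ldap.find_entry_by_attr(
                    "cn", cert.subject.common_name, "krbPrincipalAux",
                    base_dn=self.api.env.basedn)
            except errors.NotFound:
                raise acierr
            if not ldap.can_write(entry.dn, 'usercertificate'):
                raise acierr

        return dict(result=result)
```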
 
-- 
2.4.3

