While I was poking around SAN-processing code, I decided to
implement a small enhancement: allowing the subject principal's DN
to appear in SAN.

https://fedorahosted.org/freeipa/ticket/6112

Patch depends on my other patches 0090, 0092, 0093, 0094.

Thanks,
Fraser
From 6a2ab7165c0ae600402c1c2794f2b10c9e38da05 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 22 Jul 2016 13:07:09 +1000
Subject: [PATCH] cert-request: allow directoryName in SAN extension

Allow directoryName in SAN extension if the value matches the
subject principal's DN in the IPA directory.

Fixes: https://fedorahosted.org/freeipa/ticket/6112
---
 ipaserver/plugins/cert.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 606d6cdbc28d30892ab60ad4aeb41ecbbd646589..605fd321f00304f69347aae633f935dde8e59bdc 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -667,6 +667,12 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
                         error=_("subject alt name type %s is forbidden "
                             "for non-user principals") % desc
                     )
+            elif name_type == nss.certDirectoryName:
+                if DN(name) != principal_obj['dn']:
+                    raise errors.ValidationError(
+                        name='csr',
+                        error=_("Directory Name does not match principal's DN")
+                    )
             else:
                 raise errors.ACIError(
                     info=_("Subject alt name type %s is forbidden") % desc)
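Review bot: the new `elif name_type == nss.certDirectoryName:` branch feeds the SAN value straight into `DN(name)`, so a malformed directoryName string in an attacker-supplied CSR raises a `ValueError` from the DN parser before the comparison ever runs, which surfaces as an internal error rather than the intended `ValidationError`; wrap the parse in a `try`/`except ValueError` that raises the same `errors.ValidationError(name='csr', ...)`. Two smaller points on the same lines: `principal_obj['dn']` assumes `principal_obj` was resolved earlier in the method for every principal type that can reach this branch, so it is worth confirming no path leaves it unset; and the neighbouring forbidden-type checks raise `errors.ACIError`, so consider whether a mismatch here should use the same error class for consistency, or document why a mismatch is a validation failure rather than an authorization one.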
-- 
2.5.5
