While I was poking around SAN-processing code, I decided to implement a small enhancement: allowing the subject principal's DN to appear in SAN.
https://fedorahosted.org/freeipa/ticket/6112

Patch depends on my other patches 0090, 0092, 0093, 0094.

Thanks,
Fraser
From 6a2ab7165c0ae600402c1c2794f2b10c9e38da05 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <[email protected]> Date: Fri, 22 Jul 2016 13:07:09 +1000 Subject: [PATCH] cert-request: allow directoryName in SAN extension Allow directoryName in SAN extension if the value matches the subject principal's DN in the IPA directory. Fixes: https://fedorahosted.org/freeipa/ticket/6112 --- ipaserver/plugins/cert.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 606d6cdbc28d30892ab60ad4aeb41ecbbd646589..605fd321f00304f69347aae633f935dde8e59bdc 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -667,6 +667,12 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): error=_("subject alt name type %s is forbidden " "for non-user principals") % desc ) + elif name_type == nss.certDirectoryName: + if DN(name) != principal_obj['dn']: + raise errors.ValidationError( + name='csr', + error=_("Directory Name does not match principal's DN") + ) else: raise errors.ACIError( info=_("Subject alt name type %s is forbidden") % desc) -- 2.5.5
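Review bot: in the new `elif name_type == nss.certDirectoryName:` branch, `DN(name)` is constructed from a value taken straight out of the client's CSR, so please confirm what it does on a malformed directoryName; if it raises anything other than a ValidationError, a bad SAN value becomes an internal server error instead of the clean "Directory Name does not match principal's DN" rejection the hunk intends. Guarding the parse, e.g. `try: san_dn = DN(name)` / `except ValueError: raise errors.ValidationError(name='csr', error=_("Directory Name in SAN is not a valid DN"))`, and then comparing `san_dn != principal_obj['dn']` keeps the failure mode consistent with the surrounding checks. Two smaller points for the same hunk: the commit message states the rule ("if the value matches the subject principal's DN in the IPA directory") but the patch adds no test covering the match and mismatch cases, and it is worth stating in review whether `DN` equality normalises attribute-type case and value escaping against the stored entry DN, so an equivalent but differently written DN is not rejected and a non-equivalent one is not accepted.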
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
