URL: https://github.com/freeipa/freeipa/pull/736
Title: #736: Fixing the cert-request command comparing whole email address 

felipevolpone commented:
@frasertweedale I did the check in the SAN extension.

However, I'm not sure if these are valid situations:
Case 1)
The principal email is a...@email.com
The email in the certificate is b...@email.com
The emails in the SAN extensions are: a...@email.com, c...@email.com

or this:

Case 2)
The principal email is a...@email.com
The email in the certificate is b...@email.com, a...@email.com
The email in the SAN extensions is: c...@email.com

If case 1 is valid, the check in line 799 (below) is not right, because it
expects that all emails in the SAN extension are in the principal.
elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
    if principal_type == USER:
        # every RFC822Name in the SAN must be one of the user's addresses
        if principal_obj and gn.value not in principal_obj.get(
                'mail', []):
            raise errors.ValidationError(
                "RFC822Name does not match "
                "any of user's email addresses")
    else:
        # RFC822Name is only allowed for user principals
        raise errors.ValidationError(
            "subject alt name type %s is forbidden "
            "for non-user principals" % "RFC822Name")

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
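The rule the quoted check implements, applied to the two cases raised in the comment, as an added example that is not FreeIPA code; the addresses, the USER/HOST constants and the function names are constructed for illustration.

```python
# Added example (not FreeIPA code): the SAN RFC822Name rule from the quoted
# check, run against the two cases in the comment. The addresses and the
# USER/HOST constants below are constructed.
USER = "user"
HOST = "host"

def unowned_rfc822_names(san_emails, principal_mails):
    """Return the SAN email addresses that are not in the principal's
    'mail' attribute, in SAN order. Exact string match, like the check."""
    owned = set(principal_mails)
    return [addr for addr in san_emails if addr not in owned]

def validate_rfc822_san(san_emails, principal_type, principal_mails):
    """Every RFC822Name in the SAN must be one of the user's addresses;
    RFC822Name is refused for non-user principals. Returns True when the
    request passes, raises ValueError otherwise."""
    if principal_type != USER:
        raise ValueError(
            "subject alt name type %s is forbidden for non-user principals"
            % "RFC822Name")
    missing = unowned_rfc822_names(san_emails, principal_mails)
    if missing:
        raise ValueError(
            "RFC822Name does not match any of user's email addresses: %s"
            % ", ".join(missing))
    return True

def outcome(san_emails, principal_type, principal_mails):
    """Run the check and report the result as a string."""
    try:
        validate_rfc822_san(san_emails, principal_type, principal_mails)
        return "accepted"
    except ValueError as exc:
        return "rejected: %s" % exc

# Case 1 (constructed addresses): the principal owns only a@, the SAN
# carries a@ and c@. The subject emailAddress (b@) plays no part here,
# because the check only looks at SAN entries.
PRINCIPAL_MAIL = ["a-user@example.test"]
CASE1_SAN = ["a-user@example.test", "c-user@example.test"]
# Case 2: the SAN carries only c@, which the principal does not own.
CASE2_SAN = ["c-user@example.test"]

if __name__ == "__main__":
    print("case 1:", outcome(CASE1_SAN, USER, PRINCIPAL_MAIL))
    print("case 2:", outcome(CASE2_SAN, USER, PRINCIPAL_MAIL))
    print("host:  ", outcome(CASE1_SAN, HOST, PRINCIPAL_MAIL))
```

Both cases are rejected under the quoted logic because c@ is not in the principal's mail attribute, which is exactly the behaviour the comment asks about.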
