URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: opened

PR body:
"""
The code is obviously not the final version; however, I would like to know
if I'm on the right path.

AFAIK we should check if the SAN extension is provided and if it has DNSName 
info.

Fix: https://pagure.io/freeipa/issue/6663
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/773/head:pr773
git checkout pr773
From caddd601c9f03af5d1aff7732bca566f6391703f Mon Sep 17 00:00:00 2001
From: Felipe Volpone <felipevolp...@gmail.com>
Date: Tue, 9 May 2017 17:06:55 -0300
Subject: [PATCH] warn in cert-request if CSR doesn't contain SAN

---
 ipaserver/plugins/cert.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..aa960ab 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -771,6 +771,18 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
         cn = cns[-1].value  # "most specific" is end of list
 
         if principal_type in (SERVICE, HOST):
+
+            has_dns_in_san_ext = False
+            if ext_san:
+                for gn in x509.process_othernames(ext_san.value):
+                    if isinstance(gn, cryptography.x509.general_name.DNSName):
+                        has_dns_in_san_ext = True
+
+            if not ext_san or not has_dns_in_san_ext:
+                print('Warning: The SAN extension '
+                      'should be provided. Please, check the RFC 2818.')
+
+
             if not _dns_name_matches_principal(cn, principal, principal_obj):
                 raise errors.ValidationError(
                     name='csr',
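Review bot: the warning at `print('Warning: The SAN extension ...')` never reaches the caller: `execute()` runs inside the IPA server process, so `print()` goes to the server's stdout (or the Apache log), not to the `ipa cert-request` client. FreeIPA plugins hand warnings to the client through `self.add_message()` with a message class from `ipalib.messages`, so this should be a new message class and `self.add_message(...)` here. Two smaller points in the same block: the condition `if not ext_san or not has_dns_in_san_ext:` can be just `if not has_dns_in_san_ext:`, because the flag already stays False when `ext_san` is None, and the `for gn in ...` loop can `break` after the first `DNSName` hit; `cryptography.x509.DNSName` is the public name for the class, so the `general_name` submodule does not need spelling out. The message text should also point at the specific requirement (RFC 2818 section 3.1: the host name belongs in a dNSName SAN entry, the CN is deprecated) rather than "check the RFC"; and the two pairs of blank lines around the new block should be collapsed to match the surrounding code.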
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

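The check the PR is after, "does this CSR carry a subjectAltName with a dNSName entry", shown stand-alone. This is an added example, not FreeIPA's code and not part of the message above; it uses the `cryptography` library that the patched plugin also imports, and the three CSRs are constructed inline with a throwaway RSA key so it runs offline. It goes a bit beyond the patch by covering the case where a SAN is present but has no dNSName (only an rfc822Name), which is the reason the check has to look inside the extension rather than only at its presence.

```python
"""Does a CSR carry a subjectAltName extension with at least one dNSName?

Added example (not FreeIPA code).  Requires the `cryptography` package.
The CSRs below are constructed test input signed with a throwaway key.
"""
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def san_dns_names(csr):
    """Return the dNSName values from the CSR's SAN extension.

    Returns an empty list both when the extension is absent and when it is
    present but has no dNSName (e.g. only an rfc822Name), so one emptiness
    test covers both cases the patch tests separately.
    """
    try:
        ext = csr.extensions.get_extension_for_class(
            x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def csr_needs_san_warning(csr):
    """True when a host/service CSR should get the 'no SAN dNSName' warning.

    RFC 2818 section 3.1: the host name belongs in a dNSName SAN entry; a
    CN-only request relies on the deprecated fallback.
    """
    return not san_dns_names(csr)


# One throwaway key for all constructed CSRs (generation is the slow part).
_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_csr(cn, san_entries=None):
    """Build a CSR for CN=cn, optionally with a SAN extension (test input)."""
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
    if san_entries is not None:
        builder = builder.add_extension(
            x509.SubjectAlternativeName(san_entries), critical=False)
    return builder.sign(_KEY, hashes.SHA256())


HOST = "www.example.test"  # hypothetical host name for the constructed CSRs

# Host named only in the CN: warn.
CSR_CN_ONLY = make_csr(HOST)
# Host named in a dNSName SAN entry: no warning.
CSR_WITH_DNS_SAN = make_csr(HOST, [x509.DNSName(HOST)])
# SAN present but with only an rfc822Name: still no dNSName, so warn.
CSR_EMAIL_SAN_ONLY = make_csr(HOST, [x509.RFC822Name("admin@example.test")])


if __name__ == "__main__":
    for label, csr in (("CN only", CSR_CN_ONLY),
                       ("dNSName SAN", CSR_WITH_DNS_SAN),
                       ("rfc822Name-only SAN", CSR_EMAIL_SAN_ONLY)):
        print("%-20s dNSNames=%r warn=%s" % (
            label, san_dns_names(csr), csr_needs_san_warning(csr)))
```

Inside a FreeIPA plugin the result of `csr_needs_san_warning()` would be turned into a message for the client via `self.add_message()` rather than a `print()`, and the warning text would name the principal's host so the requester knows which dNSName is expected.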