URL: https://github.com/freeipa/freeipa/pull/773 Author: felipevolpone Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN Action: opened
PR body: """ The code is obviously not the final version, however, I would like to know if I'm on the right path. AFAIK we should check if the SAN extension is provided and if it has DNSName info. Fix: https://pagure.io/freeipa/issue/6663 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/773/head:pr773 git checkout pr773
From caddd601c9f03af5d1aff7732bca566f6391703f Mon Sep 17 00:00:00 2001
From: Felipe Volpone <felipevolp...@gmail.com>
Date: Tue, 9 May 2017 17:06:55 -0300
Subject: [PATCH] warn in cert-request if CSR doesn't contain SAN
---
 ipaserver/plugins/cert.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..aa960ab 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -771,6 +771,18 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 cn = cns[-1].value # "most specific" is end of list
 if principal_type in (SERVICE, HOST):
+
+ has_dns_in_san_ext = False
+ if ext_san:
+ for gn in x509.process_othernames(ext_san.value):
+ if isinstance(gn, cryptography.x509.general_name.DNSName):
+ has_dns_in_san_ext = True
+
+ if not ext_san or not has_dns_in_san_ext:
+ print('Warning: The SAN extension '
+ 'should be provided. Please, check the RFC 2818.')
+
+
 if not _dns_name_matches_principal(cn, principal, principal_obj):
 raise errors.ValidationError(
 name='csr',
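Review bot: The warning in the new `if not ext_san or not has_dns_in_san_ext:` branch is emitted with `print()`, which goes to the server process's stdout, so the client running cert-request — the only party able to fix the CSR — never sees it. If this plugin framework exposes the `self.add_message(...)` mechanism that other ipaserver plugins appear to use, the warning should be returned to the caller that way; failing that it belongs on the module logger, not stdout. The flag computation can also be tightened, since `has_dns_in_san_ext` is already False whenever `ext_san` is falsy and the loop need not continue after the first hit: `has_dns_in_san_ext = bool(ext_san) and any(isinstance(gn, cryptography.x509.general_name.DNSName) for gn in x509.process_othernames(ext_san.value))` followed by `if not has_dns_in_san_ext:`. Note that the mere presence of a DNSName entry says nothing about whether it matches the requested principal; I assume the existing SAN validation handles that, as `execute` continues past the end of this hunk.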