URL: https://github.com/freeipa/freeipa/pull/5495
Author: tiran
 Title: #5495: Ensure that KDC cert has SAN DNS entry
Action: opened

PR body:
"""
The dns parameter of request_and_wait_for_cert() must be a list or tuple of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5495/head:pr5495
git checkout pr5495
From 98392b1bdfabc68a0ad7193d44456b9a401436ff Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 29 Jan 2021 09:16:28 +0100
Subject: [PATCH] Ensure that KDC cert has SAN DNS entry

The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 install/share/profiles/KDCs_PKINIT_Certs.cfg    | 6 +++++-
 ipalib/install/certmonger.py                    | 4 +++-
 ipaserver/install/certs.py                      | 1 +
 ipaserver/install/krbinstance.py                | 2 +-
 ipatests/test_integration/test_pkinit_manage.py | 4 ++++
 5 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
index c5e412b001b..5993520cb43 100644
--- a/install/share/profiles/KDCs_PKINIT_Certs.cfg
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -12,7 +12,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
@@ -107,3 +107,7 @@ policyset.serverCertSet.11.constraint.name=No Constraint
 policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
 policyset.serverCertSet.11.default.name=User Supplied Extension Default
 policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
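Review bot: The new policy 12 depends on running after policy 11, which applies the CSR's own Subject Alternative Name extension (userExtOID 2.5.29.17): as far as I know commonNameToSANDefaultImpl only copies the CN into the SAN when it parses as a DNS name and is not already present, so the order encoded in `policyset.serverCertSet.list` on the first hunk is load-bearing, yet nothing in the file says why. I would add a line above the policy 12 entries such as `# 12 must follow 11: the CN is copied into the SAN only after the CSR-supplied SAN extension has been applied`, assuming the profile loader accepts `#` comments as Dogtag profile files normally do. It is also worth confirming how already-deployed servers pick up the modified profile; if the CA keeps the copy imported at install time, existing KDCs may keep being issued certificates without the hostname SAN until an upgrade step refreshes the profile.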
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index a5d410cf838..fae2c71ce01 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -450,7 +450,9 @@ def request_cert(
         request_parameters["KEY_NICKNAME"] = nickname
     if principal:
         request_parameters['PRINCIPAL'] = [principal]
-    if dns is not None and len(dns) > 0:
+    if dns:
+        if not isinstance(dns, (list, tuple)):
+            raise TypeError(dns)
         request_parameters['DNS'] = dns
     if passwd_fname:
         request_parameters['KEY_PIN_FILE'] = passwd_fname
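Review bot: `raise TypeError(dns)` in the added check carries only the offending value, so a caller that still passes a bare hostname string gets a traceback whose message is just that hostname with no hint of the expected type; `raise TypeError(f"dns must be a list or tuple of hostnames, got {type(dns).__name__}")` would state the contract. The check also accepts any element type, so `dns=[None]` or a nested list still reaches `request_parameters['DNS']`; if the D-Bus side needs strings, `if not all(isinstance(d, str) for d in dns): raise TypeError(...)` would close that gap. An empty string still skips the branch silently because of the `if dns:` guard, which is presumably intended. request_cert starts before the hunk, so its docstring, if it documents `dns`, should state the list/tuple requirement too.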
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f6b84ade94b..171476c18cb 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -663,6 +663,7 @@ def request_service_cert(self, nickname, principal, host,
             nickname=nickname,
             principal=principal,
             subject=host,
+            dns=[host],
             passwd_fname=self.passwd_fname,
             resubmit_timeout=resubmit_timeout
         )
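Review bot: `host` is now used both as the certificate subject and as the single SAN dNSName entry, so the method's contract is that `host` is a DNS hostname rather than an arbitrary subject value; request_service_cert starts before the hunk, and its docstring should say so, e.g. `:param host: FQDN of the service host; becomes the subject CN and the SAN dNSName entry`. This mirrors the krbinstance.py hunk, which wraps `self.fqdn` the same way.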
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index b5ebfe043c7..216c1032d8a 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -449,7 +449,7 @@ def _call_certmonger(self, certmonger_ca='IPA'):
                 subject=subject,
                 principal=krbtgt,
                 ca=certmonger_ca,
-                dns=self.fqdn,
+                dns=[self.fqdn],
                 storage='FILE',
                 profile=KDC_PROFILE,
                 post_command='renew_kdc_cert',
diff --git a/ipatests/test_integration/test_pkinit_manage.py b/ipatests/test_integration/test_pkinit_manage.py
index 3371d86f886..eccd777baa2 100644
--- a/ipatests/test_integration/test_pkinit_manage.py
+++ b/ipatests/test_integration/test_pkinit_manage.py
@@ -46,6 +46,10 @@ def check_pkinit_cert_issuer(host, issuer):
     pkinit_cert = x509.load_pem_x509_certificate(data)
     # Make sure that the issuer is the expected one
     assert DN(pkinit_cert.issuer) == DN(issuer)
+    # KDC cert must have SAN for KDC hostname
+    assert host.hostname in pkinit_cert.san_a_label_dns_names
+    # at least three SANs, profile adds UPN and KRB principal name
+    assert len(pkinit_cert.san_general_names) >= 3
 
 
 def check_pkinit(host, enabled=True):
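Review bot: The new assertion `host.hostname in pkinit_cert.san_a_label_dns_names` only proves the expected name is present; a KDC certificate that also carries dNSName entries for other hosts would still pass, and `len(...) >= 3` does not bound the count either. Since a PKINIT KDC certificate valid for extra hostnames would be a genuine misissuance, asserting the exact DNS-name set is stronger, e.g. `assert list(pkinit_cert.san_a_label_dns_names) == [host.hostname]`, provided the profile never adds other DNS names. If the certificate and `host.hostname` can differ in letter case, the comparison should be case-insensitive. check_pkinit_cert_issuer starts before the hunk.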