Re: [Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension
On Tue, Aug 30, 2016 at 08:48:58AM +0200, Jan Cholasta wrote:
> On 29.8.2016 07:57, Fraser Tweedale wrote:
> > On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
> > > Hi,
> > >
> > > On 22.7.2016 07:18, Fraser Tweedale wrote:
> > > > While I was poking around SAN-processing code, I decided to
> > > > implement a small enhancement: allowing the subject principal's DN
> > > > to appear in SAN.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/6112
> > > >
> > > > Patch depends on my other patches 0090, 0092, 0093, 0094.
> > >
> > > I don't think this is how DN SANs are supposed to be handled. For example,
> > > see this bit about DN name constraints in RFC 5280 section 4.2.1.10:
> > >
> > >    Restrictions of the form directoryName MUST be applied to the subject
> > >    field in the certificate (when the certificate includes a non-empty
> > >    subject field) and to any names of type directoryName in the
> > >    subjectAltName extension.
> > >
> > > It would appear to me that DN SANs only provide additional values to the
> > > subject name of the certificate and thus should be treated the same way as
> > > the subject name.
> > >
> > > We don't impose any restrictions on subject names with regard to DN of the
> > > subject LDAP entry, so I think we should not do it for DN SANs as well. Or,
> > > alternatively, we should do it for both.
> > >
> > I disagree. Supporting an altname containing the LDAP DN is a valid
> > use case. There is no need to apply the same rules to Subject DN
> > and Directory Name altname
>
> Nowhere in the RFC is it stated that there is any semantic difference
> between the subject name and DN SANs, so I don't see why we should make DN
> SANs special.
>
> > (otherwise, why would the Directory Name
> > altname type even exist?).
>
> To allow multiple subject DNs.
>
> > There are other possible values but this
> > one is trivial to validate so why not?
>
> I have no issue with validation per se, I just find it very odd that the
> code would allow me to request a cert with any LDAP entry DN in subject name
> but only one specific LDAP entry DN in DN SAN.
>
> > As for the RFC excerpt, this is about the Name Constraints
> > extension. In the unlikely case that a superior certificate has a
> > Name Constraints extension that applies to DNs, the way we construct
> > the Subject DN is probably the bigger problem ;)
>
> Yes, this particular excerpt is about name constraints, but I doubt that if
> you looked anywhere else, it would say something different about the
> relationship of subject name and DN SANs.
>
RFC 5280 doesn't say anything about the relationship between SDN and
DN SAN. All it says is that if there is a name constraint, all the
names must satisfy the constraint. A name constraint *could* imply
some "shared ancestry" relationships across all DNs on a cert, but
this is not necessarily the case, e.g. if the name constraint only
has excludedSubtrees.

> > Take the feature or leave it (after all, no one has asked for it yet)
> > but IMO the usage is valid.
> >
> > Cheers,
> > Fraser
> >
>
> --
> Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
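The name-constraints point argued in the message above (RFC 5280 section 4.2.1.10 applies a directoryName constraint to the subject and to every directoryName SAN, and only a permittedSubtrees constraint forces all those DNs under a common ancestor) is worked through below as an added example. It is not code from the thread or from FreeIPA; it assumes a deliberately simplified string-DN parser (single-valued RDNs, backslash-comma as the only escape, case-insensitive matching) and constructed sample DNs, one of them in the IPA-style `uid=...,cn=users,cn=accounts,...` layout.

```python
# Added example (not FreeIPA code): apply RFC 5280 4.2.1.10 directoryName
# name constraints to the subject DN and to every directoryName SAN.
from __future__ import annotations

from typing import Dict, List, Sequence, Tuple

RDN = Tuple[str, str]            # (attribute type, value), both case-folded
DNTuple = Tuple[RDN, ...]        # RDNs in X.500 order: root first, leaf last


def parse_dn(text: str) -> DNTuple:
    """Parse a string DN such as 'CN=alice,OU=People,DC=example,DC=com'.

    Simplified on purpose (assumption of this example): single-valued RDNs,
    backslash-comma is the only escape, comparison is case-insensitive.
    Raises ValueError on malformed input so a caller can report it cleanly
    instead of letting a parser exception escape.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: take it literally
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == ",":                           # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        attr, value = attr.strip().lower(), value.strip().lower()
        if not attr or not value:
            raise ValueError("empty attribute or value in RDN: %r" % part)
        rdns.append((attr, value))
    # The string form lists the leaf first; the X.500 sequence starts at the root.
    return tuple(reversed(rdns))


def within_subtree(name: DNTuple, base: DNTuple) -> bool:
    """RFC 5280: a DN is within a subtree when the base is a prefix of it in X.500 order."""
    return len(base) <= len(name) and name[: len(base)] == base


def constrained_names(subject: str, san_dirnames: Sequence[str]) -> List[DNTuple]:
    """The names a directoryName constraint governs: the subject (when
    non-empty) plus every directoryName in subjectAltName."""
    names = [parse_dn(subject)] if subject else []
    names.extend(parse_dn(n) for n in san_dirnames)
    return names


def check_dn_constraints(subject: str, san_dirnames: Sequence[str],
                         permitted: Sequence[str] = (),
                         excluded: Sequence[str] = ()) -> List[str]:
    """Return violation messages; an empty list means every DN complies.

    permittedSubtrees: each name must fall under at least one base (only
    checked when the list is non-empty).  excludedSubtrees: no name may
    fall under any base.  Both apply to subject and DN SANs alike.
    """
    perm = [parse_dn(b) for b in permitted]
    excl = [parse_dn(b) for b in excluded]
    violations: List[str] = []
    for name in constrained_names(subject, san_dirnames):
        shown = ",".join("%s=%s" % rdn for rdn in reversed(name))
        if perm and not any(within_subtree(name, b) for b in perm):
            violations.append("%s is outside every permitted subtree" % shown)
        if any(within_subtree(name, b) for b in excl):
            violations.append("%s is inside an excluded subtree" % shown)
    return violations


def demo() -> Dict[str, List[str]]:
    """Constructed sample DNs illustrating when a constraint implies shared ancestry."""
    subject = "CN=alice,OU=People,DC=example,DC=com"
    ipa_entry = ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"]  # DN SAN
    return {
        # permittedSubtrees at the domain root: subject and DN SAN both comply.
        "permitted_shared_root": check_dn_constraints(
            subject, ipa_entry, permitted=["DC=example,DC=com"]),
        # A narrower permitted subtree forces every DN under it; the SAN DN fails.
        "permitted_narrow": check_dn_constraints(
            subject, ipa_entry, permitted=["OU=People,DC=example,DC=com"]),
        # Only excludedSubtrees: unrelated subject and SAN DNs both pass, so the
        # constraint implies no common ancestor at all.
        "excluded_only": check_dn_constraints(
            "CN=alice,O=Example Corp", ipa_entry,
            excluded=["OU=Contractors,DC=example,DC=com"]),
        # Empty subject, DN SAN inside the excluded subtree: rejected.
        "excluded_hit": check_dn_constraints(
            "", ["CN=bob,OU=Contractors,DC=example,DC=com"],
            excluded=["OU=Contractors,DC=example,DC=com"]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "OK")
```

The `permitted_narrow` case is the "shared ancestry" a permittedSubtrees constraint imposes; the `excluded_only` case is the counterexample from the message above, where the subject and the directoryName SAN share no ancestor yet both satisfy the constraint.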
Re: [Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension
On 29.8.2016 07:57, Fraser Tweedale wrote:
> On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
> > Hi,
> >
> > On 22.7.2016 07:18, Fraser Tweedale wrote:
> > > While I was poking around SAN-processing code, I decided to
> > > implement a small enhancement: allowing the subject principal's DN
> > > to appear in SAN.
> > >
> > > https://fedorahosted.org/freeipa/ticket/6112
> > >
> > > Patch depends on my other patches 0090, 0092, 0093, 0094.
> >
> > I don't think this is how DN SANs are supposed to be handled. For example,
> > see this bit about DN name constraints in RFC 5280 section 4.2.1.10:
> >
> >    Restrictions of the form directoryName MUST be applied to the subject
> >    field in the certificate (when the certificate includes a non-empty
> >    subject field) and to any names of type directoryName in the
> >    subjectAltName extension.
> >
> > It would appear to me that DN SANs only provide additional values to the
> > subject name of the certificate and thus should be treated the same way as
> > the subject name.
> >
> > We don't impose any restrictions on subject names with regard to DN of the
> > subject LDAP entry, so I think we should not do it for DN SANs as well. Or,
> > alternatively, we should do it for both.
> >
> I disagree. Supporting an altname containing the LDAP DN is a valid
> use case. There is no need to apply the same rules to Subject DN
> and Directory Name altname

Nowhere in the RFC is it stated that there is any semantic difference
between the subject name and DN SANs, so I don't see why we should make DN
SANs special.

> (otherwise, why would the Directory Name
> altname type even exist?).

To allow multiple subject DNs.

> There are other possible values but this
> one is trivial to validate so why not?

I have no issue with validation per se, I just find it very odd that the
code would allow me to request a cert with any LDAP entry DN in subject name
but only one specific LDAP entry DN in DN SAN.

> As for the RFC excerpt, this is about the Name Constraints
> extension. In the unlikely case that a superior certificate has a
> Name Constraints extension that applies to DNs, the way we construct
> the Subject DN is probably the bigger problem ;)

Yes, this particular excerpt is about name constraints, but I doubt that if
you looked anywhere else, it would say something different about the
relationship of subject name and DN SANs.

> Take the feature or leave it (after all, no one has asked for it yet)
> but IMO the usage is valid.
>
> Cheers,
> Fraser
>

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension
On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 22.7.2016 07:18, Fraser Tweedale wrote:
> > While I was poking around SAN-processing code, I decided to
> > implement a small enhancement: allowing the subject principal's DN
> > to appear in SAN.
> >
> > https://fedorahosted.org/freeipa/ticket/6112
> >
> > Patch depends on my other patches 0090, 0092, 0093, 0094.
>
> I don't think this is how DN SANs are supposed to be handled. For example,
> see this bit about DN name constraints in RFC 5280 section 4.2.1.10:
>
>    Restrictions of the form directoryName MUST be applied to the subject
>    field in the certificate (when the certificate includes a non-empty
>    subject field) and to any names of type directoryName in the
>    subjectAltName extension.
>
> It would appear to me that DN SANs only provide additional values to the
> subject name of the certificate and thus should be treated the same way as
> the subject name.
>
> We don't impose any restrictions on subject names with regard to DN of the
> subject LDAP entry, so I think we should not do it for DN SANs as well. Or,
> alternatively, we should do it for both.
>
I disagree. Supporting an altname containing the LDAP DN is a valid
use case. There is no need to apply the same rules to Subject DN
and Directory Name altname (otherwise, why would the Directory Name
altname type even exist?). There are other possible values but this
one is trivial to validate so why not?

As for the RFC excerpt, this is about the Name Constraints
extension. In the unlikely case that a superior certificate has a
Name Constraints extension that applies to DNs, the way we construct
the Subject DN is probably the bigger problem ;)

Take the feature or leave it (after all, no one has asked for it yet)
but IMO the usage is valid.

Cheers,
Fraser
Re: [Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension
Hi,

On 22.7.2016 07:18, Fraser Tweedale wrote:
> While I was poking around SAN-processing code, I decided to
> implement a small enhancement: allowing the subject principal's DN
> to appear in SAN.
>
> https://fedorahosted.org/freeipa/ticket/6112
>
> Patch depends on my other patches 0090, 0092, 0093, 0094.

I don't think this is how DN SANs are supposed to be handled. For example,
see this bit about DN name constraints in RFC 5280 section 4.2.1.10:

   Restrictions of the form directoryName MUST be applied to the subject
   field in the certificate (when the certificate includes a non-empty
   subject field) and to any names of type directoryName in the
   subjectAltName extension.

It would appear to me that DN SANs only provide additional values to the
subject name of the certificate and thus should be treated the same way as
the subject name.

We don't impose any restrictions on subject names with regard to DN of the
subject LDAP entry, so I think we should not do it for DN SANs as well. Or,
alternatively, we should do it for both.

Honza

--
Jan Cholasta
[Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension
While I was poking around SAN-processing code, I decided to
implement a small enhancement: allowing the subject principal's DN
to appear in SAN.

https://fedorahosted.org/freeipa/ticket/6112

Patch depends on my other patches 0090, 0092, 0093, 0094.

Thanks,
Fraser

From 6a2ab7165c0ae600402c1c2794f2b10c9e38da05 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 22 Jul 2016 13:07:09 +1000
Subject: [PATCH] cert-request: allow directoryName in SAN extension

Allow directoryName in SAN extension if the value matches the subject
principal's DN in the IPA directory.

Fixes: https://fedorahosted.org/freeipa/ticket/6112
---
 ipaserver/plugins/cert.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 606d6cdbc28d30892ab60ad4aeb41ecbbd646589..605fd321f00304f69347aae633f935dde8e59bdc 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -667,6 +667,12 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): error=_("subject alt name type %s is forbidden " "for non-user principals") % desc ) +elif name_type == nss.certDirectoryName: +if DN(name) != principal_obj['dn']: +raise errors.ValidationError( +name='csr', +error=_("Directory Name does not match principal's DN") +) else: raise errors.ACIError( info=_("Subject alt name type %s is forbidden") % desc) -- 2.5.5
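Review bot: the new `elif name_type == nss.certDirectoryName:` branch hands a CSR-supplied value straight to `DN(name)` and only handles the mismatch case; if the DN constructor rejects a malformed directoryName value by raising (the hunk does not show its behaviour, so this is an assumption to verify), that exception escapes as an internal error instead of the ValidationError the branch intends, so wrap the parse and report a malformed value with the same `name='csr'` error. The branch also raises `errors.ValidationError` where the sibling `else:` raises `errors.ACIError` and the non-user-principal check just above raises a "forbidden" error; a short comment or a commit-message sentence should say why a mismatched DN SAN is a validation failure rather than an authorization one, and, given the thread's point that the subject name is not compared with the entry DN at all, why the directoryName SAN is held to an exact-match policy.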