[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-16 Thread Ian Pilcher via FreeIPA-devel

On 03/14/2018 06:48 PM, Fraser Tweedale wrote:
> Looks like you have not created a "fork" on GitHub yet.
> Go to https://github.com/freeipa/freeipa and hit the "Fork" button
> (top right).  Then do the `git remote add', push your feature branch
> to your freeipa repo (the fork), and return to GitHub.com to create
> the pull request.

Done.  (I think.)

  https://github.com/freeipa/freeipa/pull/1700

(My mistake was trying to start from the pagure repository.)

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 

___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-14 Thread Fraser Tweedale via FreeIPA-devel
On Wed, Mar 14, 2018 at 09:11:20AM -0500, Ian Pilcher via FreeIPA-devel wrote:
> On 03/11/2018 09:31 PM, Fraser Tweedale wrote:
> > Thanks Ian!  I'll try and review this in the next couple of days?
> 
> No rush.  I'm traveling this week, so I won't be able to do anything with
> this anyway.
> 
> > Do you use GitHub?  If so, you could create a pull request there,
> > which will make it more visible, easier to review, and cause CI to
> > run on your patch.  If not, that's OK.  We are happy to receive your
> > contribution by any means!
> 
> Define use.  ;-)
> 
> I have an ID, but my git usage has been limited to basic clone/pull/
> push stuff.  Learning how to do a pull request would not be a bad thing,
> though.
> 
> To that end, I've tried to follow/adapt this page:
> 
>   https://www.freeipa.org/page/Pull_request_on_Github
> 
> But I haven't been able to push anything to my new github repo.  I
> keep getting "The remote end hung up unexpectedly" errors.
> 
> Is there updated/better documentation anywhere?
> 
Hi Ian,

Looks like you have not created a "fork" on GitHub yet.
Go to https://github.com/freeipa/freeipa and hit the "Fork" button
(top right).  Then do the `git remote add', push your feature branch
to your freeipa repo (the fork), and return to GitHub.com to create
the pull request.

Let me know if you still get stuck.

Cheers,
Fraser


[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-14 Thread Ian Pilcher via FreeIPA-devel

On 03/11/2018 09:31 PM, Fraser Tweedale wrote:
> Thanks Ian!  I'll try and review this in the next couple of days?

No rush.  I'm traveling this week, so I won't be able to do anything with
this anyway.

> Do you use GitHub?  If so, you could create a pull request there,
> which will make it more visible, easier to review, and cause CI to
> run on your patch.  If not, that's OK.  We are happy to receive your
> contribution by any means!


Define use.  ;-)

I have an ID, but my git usage has been limited to basic clone/pull/
push stuff.  Learning how to do a pull request would not be a bad thing,
though.

To that end, I've tried to follow/adapt this page:

  https://www.freeipa.org/page/Pull_request_on_Github

But I haven't been able to push anything to my new github repo.  I
keep getting "The remote end hung up unexpectedly" errors.

Is there updated/better documentation anywhere?

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-11 Thread Fraser Tweedale via FreeIPA-devel
Thanks Ian!  I'll try and review this in the next couple of days?

Do you use GitHub?  If so, you could create a pull request there,
which will make it more visible, easier to review, and cause CI to
run on your patch.  If not, that's OK.  We are happy to receive your
contribution by any means!

Cheers,
Fraser

On Fri, Mar 09, 2018 at 05:10:52PM -0600, Ian Pilcher via FreeIPA-devel wrote:
> On 03/01/2018 08:52 AM, Rob Crittenden wrote:
> > Ian Pilcher via FreeIPA-devel wrote:
> > 
> > You'd need to ensure that the IP address exists in IPA but that it is
> > owned/managed by the user/host/service making the request.
> 
> Any hints on how to do that?  I don't see any ownership information
> associated with DNS records or IP addresses, but I don't really know
> where I should be looking.
> 
> > > FYI, I've been working on the logic for validating the IP addresses in
> > > my not-copious-spare time, and I hope to have something worth discussing
> > > in the next week or so.
> > 
> > Thanks, I look forward to it.
> 
> First draft below.  Looking forward to y'alls' comments.
> 
> From 9e64ec302ad5370a22437d53876ab31f2a237033 Mon Sep 17 00:00:00 2001
> From: Ian Pilcher 
> Date: Fri, 9 Mar 2018 12:33:55 -0600
> Subject: [PATCH] Allow issuing certificates with IP addresses in
>  subjectAltName
> 
> Allow issuing certificates with IP addresses in the subject
> alternative name (SAN), if all of the following are true.
> 
> * One of the DNS names in the SAN resolves to the IP address
>   (possibly through a CNAME).
> * All of the DNS entries in the resolution chain are managed by
>   this IPA instance.
> * The IP address has a (correct) reverse DNS entry that is managed
>   by this IPA instance
> ---
>  ipaserver/plugins/cert.py | 92
> +--
>  1 file changed, 89 insertions(+), 3 deletions(-)
> 
> diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
> index db624357a..452728d21 100644
> --- a/ipaserver/plugins/cert.py
> +++ b/ipaserver/plugins/cert.py
> @@ -22,11 +22,13 @@
>  import base64
>  import collections
>  import datetime
> +import itertools
>  import logging
>  from operator import attrgetter
> 
>  import cryptography.x509
>  from cryptography.hazmat.primitives import hashes, serialization
> +from dns import resolver, reversename
>  import six
> 
>  from ipalib import Command, Str, Int, Flag
> @@ -48,7 +50,7 @@ from .certprofile import validate_profile_id
>  from ipalib.text import _
>  from ipalib.request import context
>  from ipalib import output
> -from ipapython import kerberos
> +from ipapython import dnsutil, kerberos
>  from ipapython.dn import DN
>  from ipaserver.plugins.service import normalize_principal, validate_realm
> 
> @@ -773,9 +775,10 @@ class cert_request(Create, BaseCertMethod,
> VirtualCommand):
> "'userCertificate' attribute of entry '%s'.") %
> dn)
> 
>  # Validate the subject alt name, if any
> -generalnames = []
> +san_has_ipaddrs = False
> +generalnames = ()
>  if ext_san is not None:
> -generalnames = x509.process_othernames(ext_san.value)
> +generalnames = tuple(x509.process_othernames(ext_san.value))
>  for gn in generalnames:
>  if isinstance(gn, cryptography.x509.general_name.DNSName):
>  if principal.is_user:
> @@ -858,11 +861,16 @@ class cert_request(Create, BaseCertMethod,
> VirtualCommand):
>  "subject alt name type %s is forbidden "
>  "for non-user principals") % "RFC822Name"
>  )
> +elif isinstance(gn, cryptography.x509.general_name.IPAddress):
> +san_has_ipaddrs = True
>  else:
>  raise errors.ACIError(
>  info=_("Subject alt name type %s is forbidden")
>  % type(gn).__name__)
> 
> +if san_has_ipaddrs:
> +_validate_san_ips(generalnames)
> +
>  # Request the certificate
>  try:
>  # re-serialise to PEM, in case the user-supplied data has
> @@ -1046,6 +1054,84 @@ def _principal_name_matches_principal(name,
> principal_obj):
> return principal in principal_obj.get('krbprincipalname', [])
> 
> 
> +def _validate_san_ips(generalnames):
> +"""
> +Raise a ValidationError if the subjectAltName in a CSR includes
> +any IP address(es) that do not match a DNS name in the SAN.
> +
> +"""
> +san_dns_ips = set()
> +for name in generalnames:
> +if isinstance(name, cryptography.x509.general_name.DNSName):
> +san_dns_ips.update(_san_dnsname_ips(name.value))
> +for name in generalnames:
> +if isinstance(name, cryptography.x509.general_name.IPAddress):
> +if unicode(name.value) not in san_dns_ips:
> +raise errors.ValidationError(
> +name='csr',
> +error=_(
> +

[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-09 Thread Ian Pilcher via FreeIPA-devel

On 03/01/2018 08:52 AM, Rob Crittenden wrote:
> Ian Pilcher via FreeIPA-devel wrote:
> 
> You'd need to ensure that the IP address exists in IPA but that it is
> owned/managed by the user/host/service making the request.

Any hints on how to do that?  I don't see any ownership information
associated with DNS records or IP addresses, but I don't really know
where I should be looking.

> > FYI, I've been working on the logic for validating the IP addresses in
> > my not-copious-spare time, and I hope to have something worth discussing
> > in the next week or so.
> 
> Thanks, I look forward to it.

First draft below.  Looking forward to y'alls' comments.

From 9e64ec302ad5370a22437d53876ab31f2a237033 Mon Sep 17 00:00:00 2001
From: Ian Pilcher 
Date: Fri, 9 Mar 2018 12:33:55 -0600
Subject: [PATCH] Allow issuing certificates with IP addresses in
 subjectAltName

Allow issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true.

* One of the DNS names in the SAN resolves to the IP address
  (possibly through a CNAME).
* All of the DNS entries in the resolution chain are managed by
  this IPA instance.
* The IP address has a (correct) reverse DNS entry that is managed
  by this IPA instance
---
 ipaserver/plugins/cert.py | 92 
+--

 1 file changed, 89 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index db624357a..452728d21 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -22,11 +22,13 @@
 import base64
 import collections
 import datetime
+import itertools
 import logging
 from operator import attrgetter

 import cryptography.x509
 from cryptography.hazmat.primitives import hashes, serialization
+from dns import resolver, reversename
 import six

 from ipalib import Command, Str, Int, Flag
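Review bot: `itertools` and `reversename` are imported here but neither is referenced anywhere in the visible part of the patch (the body of `_san_dnsname_ips` is cut off before any reverse lookup), so either the truncated remainder uses them or the imports should be dropped. More substantively, pulling `dns.resolver` into the cert plugin means certificate issuance will perform live queries through the server's system resolver, which is the DNS-view problem raised earlier in the thread: what the resolver answers is not necessarily "data that are explicitly managed in FreeIPA". Consider reading zone and record data from IPA's own DNS plugin instead of the wire.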
@@ -48,7 +50,7 @@ from .certprofile import validate_profile_id
 from ipalib.text import _
 from ipalib.request import context
 from ipalib import output
-from ipapython import kerberos
+from ipapython import dnsutil, kerberos
 from ipapython.dn import DN
 from ipaserver.plugins.service import normalize_principal, validate_realm

@@ -773,9 +775,10 @@ class cert_request(Create, BaseCertMethod, 
VirtualCommand):
"'userCertificate' attribute of entry 
'%s'.") % dn)


 # Validate the subject alt name, if any
-generalnames = []
+san_has_ipaddrs = False
+generalnames = ()
 if ext_san is not None:
-generalnames = x509.process_othernames(ext_san.value)
+generalnames = tuple(x509.process_othernames(ext_san.value))
 for gn in generalnames:
 if isinstance(gn, cryptography.x509.general_name.DNSName):
 if principal.is_user:
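Review bot: the change from a list to `tuple(x509.process_othernames(ext_san.value))` needs a one-line comment, because the reason (the new `_validate_san_ips` iterates `generalnames` twice, which a generator would not survive) is not visible from this hunk. The `san_has_ipaddrs` flag is a good cheap guard: CSRs without an IP SAN never trigger a DNS lookup.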
@@ -858,11 +861,16 @@ class cert_request(Create, BaseCertMethod, 
VirtualCommand):

 "subject alt name type %s is forbidden "
 "for non-user principals") % "RFC822Name"
 )
+elif isinstance(gn, cryptography.x509.general_name.IPAddress):
+san_has_ipaddrs = True
 else:
 raise errors.ACIError(
 info=_("Subject alt name type %s is forbidden")
 % type(gn).__name__)

+if san_has_ipaddrs:
+_validate_san_ips(generalnames)
+
 # Request the certificate
 try:
 # re-serialise to PEM, in case the user-supplied data has
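Review bot: the new `IPAddress` branch accepts IP SANs for every principal type, while the `DNSName` branch above it checks `principal.is_user` before allowing the name. Decide explicitly whether a user principal may carry an IP address in its certificate and, if not, raise `errors.ACIError` here the same way the other forbidden-type branches do. Note also that a failure in `_validate_san_ips` surfaces as `ValidationError` while the per-name checks raise `ACIError`, so callers see a different error class depending on which rule failed; either is defensible, but it deserves a comment.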
@@ -1046,6 +1054,84 @@ def _principal_name_matches_principal(name, 
principal_obj):

return principal in principal_obj.get('krbprincipalname', [])


+def _validate_san_ips(generalnames):
+"""
+Raise a ValidationError if the subjectAltName in a CSR includes
+any IP address(es) that do not match a DNS name in the SAN.
+
+"""
+san_dns_ips = set()
+for name in generalnames:
+if isinstance(name, cryptography.x509.general_name.DNSName):
+san_dns_ips.update(_san_dnsname_ips(name.value))
+for name in generalnames:
+if isinstance(name, cryptography.x509.general_name.IPAddress):
+if unicode(name.value) not in san_dns_ips:
+raise errors.ValidationError(
+name='csr',
+error=_(
+"IP address in subjectAltName (%s) does not "
+"match any DNS name"
+) % name.value
+)
+
+
+def _san_dnsname_ips(dnsname, dnsname_is_cname=False):
+"""
+Returns a set of IP addresses, managed by this IPa instance,
+that correspond to the DNS name (from the subjectAltName).
+
+"""
+fqdn = dnsutil.DNSName(dnsname).make_absolute()
+if fqdn.__len__() < 4:
+logger.debug("Skipping IPs for %s: hostname too short" % dnsname)
+return ()
+zone = dnsutil.DNSName(resolver.zone_for_name(fqdn))
+name = fqdn.relativize(zone)
+

[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-03-01 Thread Rob Crittenden via FreeIPA-devel
Ian Pilcher via FreeIPA-devel wrote:
> On 02/18/2018 07:22 PM, Fraser Tweedale wrote:
>> Ultimately, the same problems exist for any kind of subject name and
>> the only practical mitigation is short-lived certificates.  With
>> that in mind, given that Ian's proposal is scoped to only validate
>> IP Address altnames against data that are explicitly managed in
>> FreeIPA, I don't object.  I'm interested to hear other views.
> 
> Thanks for the positive feedback.  Anyone else want to chime in?

You'd need to ensure that the IP address exists in IPA but that it is
owned/managed by the user/host/service making the request.

> FYI, I've been working on the logic for validating the IP addresses in
> my not-copious-spare time, and I hope to have something worth discussing
> in the next week or so.

Thanks, I look forward to it.

rob


[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-02-27 Thread Ian Pilcher via FreeIPA-devel

On 02/18/2018 07:22 PM, Fraser Tweedale wrote:
> Ultimately, the same problems exist for any kind of subject name and
> the only practical mitigation is short-lived certificates.  With
> that in mind, given that Ian's proposal is scoped to only validate
> IP Address altnames against data that are explicitly managed in
> FreeIPA, I don't object.  I'm interested to hear other views.

Thanks for the positive feedback.  Anyone else want to chime in?

FYI, I've been working on the logic for validating the IP addresses in
my not-copious-spare time, and I hope to have something worth discussing
in the next week or so.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-devel] Re: IP addresses in Subject Alt Name

2018-02-18 Thread Fraser Tweedale via FreeIPA-devel
On Fri, Feb 16, 2018 at 12:51:41PM -0600, Ian Pilcher via FreeIPA-devel wrote:
> I have an older NETGEAR switch that has annoying habit of using its IP
> address in URLs that it sends back to the browser.  The result can be
> seen here:
> 
>   https://www.penurio.us/oops.png
> 
> I would like to add the switch's IP address to the Subject Alt Name
> extension of its TLS certificate, which is not currently supported by
> FreeIPA.
> 
> I'm interested in trying to add this capability, if there's a chance
> that my work will be accepted.  My initial thought is that an IP address
> should only be accepted if all of the following are true:
> 
> 1. One of the hostnames in the Subject Alt Name (or possibly the Common
>Name) ultimately resolves to that IP address, possibly via one or
>more CNAMEs.
> 
> 2. All of the DNS records (A, AAAA, CNAME) involved in #1 are managed by
>    this IPA instance.
> 
> 3. The reverse DNS record for the IP address is managed by this IPA
>    instance, and it points to an A or AAAA record that is managed by
>    this IPA instance (and contains the correct IP address).
> 
> Does this make sense?
> 
We have discussed this many times in the past.  Each time it has
gone in the "too hard" basket because of concerns around DNS views -
the IPA-managed DNS view seen by IPA clients may differ from
external DNS views.  Also IP addresses may change much more rapidly
than the lifetime of a certificate, etc.

Ultimately, the same problems exist for any kind of subject name and
the only practical mitigation is short-lived certificates.  With
that in mind, given that Ian's proposal is scoped to only validate
IP Address altnames against data that are explicitly managed in
FreeIPA, I don't object.  I'm interested to hear other views.

Cheers,
Fraser
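The three rules in Ian's proposal above, and the `_validate_san_ips` / `_san_dnsname_ips` helpers in his patch earlier in the thread, as an added example that is not code from the thread or from FreeIPA: instead of live DNS queries it models the IPA-managed zones as a constructed in-memory dict (hypothetical names and addresses), so an IP SAN can be checked against the SAN's DNS names offline, including the CNAME chain, the managed-zone requirement and the reverse-record requirement.

```python
import ipaddress

# Constructed IPA-managed DNS sample (hypothetical, not FreeIPA's): zone -> name -> type -> values.
MANAGED_ZONES = {
    "example.test.": {
        "sw1": {"CNAME": ["switch.example.test."]},
        "switch": {"A": ["192.0.2.10"]},
        "web": {"A": ["192.0.2.20"]},
        "ext": {"CNAME": ["host.other.test."]},  # chain leaves IPA-managed data
    },
    "2.0.192.in-addr.arpa.": {
        "10": {"PTR": ["switch.example.test."]},
        "20": {"PTR": ["stale.example.test."]},  # PTR no longer points back
    },
}

def _records(fqdn, rtype):
    """Records of rtype at fqdn, or None when no IPA-managed zone contains fqdn."""
    for zone, names in MANAGED_ZONES.items():
        if fqdn.endswith("." + zone):
            return names.get(fqdn[:-len(zone) - 1], {}).get(rtype, [])
    return None

def _canonical_name(dnsname, max_hops=8):
    """Rules 1 and 2: follow CNAMEs with every hop in a managed zone, else None."""
    name = dnsname if dnsname.endswith(".") else dnsname + "."
    for _ in range(max_hops):  # bounded so a CNAME loop cannot hang issuance
        cnames = _records(name, "CNAME")
        if cnames is None:
            return None  # the chain left IPA-managed data
        if not cnames:
            return name  # the name that should carry the A/AAAA records
        name = cnames[0]
    return None

def _addresses(fqdn, rtype):
    return {ipaddress.ip_address(a) for a in (_records(fqdn, rtype) or [])}  # empty if unmanaged

def ip_san_allowed(ip, san_dnsnames):
    """True only when rules 1 to 3 all hold for ip against the SAN's DNS names."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    for dnsname in san_dnsnames:
        target = _canonical_name(dnsname)
        if target is None or addr not in _addresses(target, rtype):
            continue  # this DNS name does not vouch for addr
        # Rule 3: a managed PTR for addr must name a managed host that carries addr.
        ptrs = _records(addr.reverse_pointer + ".", "PTR") or []
        if any(addr in _addresses(ptr, rtype) for ptr in ptrs):
            return True
    return False
```

Comparing `ipaddress` objects rather than strings avoids the IPv6 spelling problem that a textual comparison would have.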