[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile
Jan Cholasta
jcholast at redhat.com
Wed Jan 22 09:40:17 UTC 2014
On 21.1.2014 17:12, Simo Sorce wrote:
> On Tue, 2014-01-21 at 14:02 +0100, Jan Cholasta wrote:
>> + request = None
>> + try:
>> + request = pkcs10.load_certificate_request(csr)
>> + subject = pkcs10.get_subject(request)
>> + subjectaltname = pkcs10.get_subjectaltname(request)
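Review bot: At `subjectaltname = pkcs10.get_subjectaltname(request)`, the call site does not show what the function returns when the CSR carries no subjectAltName extension. Document that return value in get_subjectaltname and handle it explicitly wherever `subjectaltname` is used later, so that a CSR without SAN follows the same path it did before this change. Because `request = None` is assigned before the `try:` and the except clause is not visible in these lines, also confirm that a failure in load_certificate_request cannot leave later code operating on a `None` request.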
>
> Will this make the request fail if there is no subjectaltname?
No.
>
> Later in the patch you seem to be changing from needing managedby_host
> to needing write access to an entry, I am not sure I understand why that
> was changed. Not saying it is necessarily wrong, but why the original
> check is not right anymore?
The original check is wrong, see
<https://fedorahosted.org/freeipa/ticket/3977#comment:23>.
The check in my patch allows SAN only if the requesting host has write
access to all of the SAN services. I'm not entirely sure if this is
right, but even if it is not, I think we should still check for write
access to the SAN services, so that access control can be (partially)
handled by ACIs.
>
> Simo.
>
--
Jan Cholasta