[Freeipa-devel] [PATCH] 210 Allow SAN in IPA certificate profile

Jan Cholasta jcholast at redhat.com
Fri Jun 6 10:50:49 UTC 2014


On 23.1.2014 14:34, Jan Cholasta wrote:
> On 22.1.2014 16:43, Simo Sorce wrote:
>> On Wed, 2014-01-22 at 16:05 +0100, Jan Cholasta wrote:
>>> On 22.1.2014 15:34, Simo Sorce wrote:
>>>> On Wed, 2014-01-22 at 10:40 +0100, Jan Cholasta wrote:
>>>>> On 21.1.2014 17:12, Simo Sorce wrote:
>>>>>> Later in the patch you seem to be changing from needing managedby_host
>>>>>> to needing write access to an entry, I am not sure I understand why that
>>>>>> was changed. Not saying it is necessarily wrong, but why the original
>>>>>> check is not right anymore?
>>>>>
>>>>> The original check is wrong, see
>>>>> <https://fedorahosted.org/freeipa/ticket/3977#comment:23>.
>>>>>
>>>>> The check in my patch allows SAN only if the requesting host has write
>>>>> access to all of the SAN services. I'm not entirely sure if this is
>>>>> right, but even if it is not, I think we should still check for write
>>>>> access to the SAN services, so that access control can be (partially)
>>>>> handled by ACIs.
>>>>
>>>> Right, I remembered that comment, but it just says to check the right
>>>> object's managed-by, here instead you changed it to check if you can
>>>> write the usercertificate.
>>>>
>>>> I guess it is the same *if* there is an ACI that gives write permission
>>>> when the host is in the managed-by attribute, is that the reasoning ?
>>>
>>> Exactly. The ACIs that allow this by default are named "Hosts can manage
>>> service Certificates and kerberos keys" and "Hosts can manage other host
>>> Certificates and kerberos keys".
>>>
>>> I think the check can be extended to users as well, so that requesting
>>> certificate with SAN is allowed only to users which have write access to
>>> the SAN services.
>
> I have done the modification, see attached patches.
>
>>
>> Sounds good to me then, thanks for explaining.
>>
>> The patches also look good, but I would like someone to give them a try
>> for a formal ack.
>
> OK, thanks.
>

Bump.

I have added stricter validation of subject alt names as well as 
certificate extensions in general to the second patch.

Updated patches attached.

Note that you will need python-nss 0.15 in order to test, you can get a 
RPM for Fedora here: 
<http://koji.fedoraproject.org/koji/buildinfo?buildID=514739>.

Also, resubmitting HTTP and LDAP Server-Cert certmonger requests does 
not work because of <https://fedorahosted.org/freeipa/ticket/4370>.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-210.4-Allow-SAN-in-IPA-certificate-profile.patch
Type: text/x-patch
Size: 5003 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140606/a0df9717/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-234.4-Support-requests-with-SAN-in-cert-request.patch
Type: text/x-patch
Size: 11151 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140606/a0df9717/attachment-0001.bin>
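The access check the thread settles on (a SAN is accepted only when the requester can write the userCertificate of every service the SAN names, with hosts getting that right through managedBy as in the default ACIs, and users through explicit write access), as an added example in Python that is neither part of this thread nor FreeIPA's own code. The realm, host names, directory entries, the user grant for admin@EXAMPLE.TEST, the "SAN is the only accepted extension" rule and the "dNSName only" rule are all constructed assumptions; the patches on this page are not reproduced here.

```python
"""Added example modelling the SAN access check discussed in this thread.

This is not FreeIPA code. The realm, host names, directory entries and the
"SAN only / dNSName only" rules are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.TEST"  # constructed


@dataclass
class Entry:
    """A host or service entry and who may write its userCertificate."""
    managed_by: set = field(default_factory=set)  # host FQDNs (managedBy)
    writers: set = field(default_factory=set)     # users with explicit write access


# Constructed directory. Mirrors the default ACIs named in the thread
# ("Hosts can manage service/other host Certificates and kerberos keys"):
# a host listed in managedBy may write that entry's certificate.
DIRECTORY = {
    "host/web1.example.test@EXAMPLE.TEST": Entry(managed_by={"web1.example.test"}),
    "HTTP/web1.example.test@EXAMPLE.TEST": Entry(managed_by={"web1.example.test"}),
    "HTTP/www.example.test@EXAMPLE.TEST": Entry(
        managed_by={"web1.example.test", "web2.example.test"},
        writers={"admin@EXAMPLE.TEST"},
    ),
    "HTTP/intranet.example.test@EXAMPLE.TEST": Entry(managed_by={"web2.example.test"}),
}

# Assumption: the profile accepts no CSR extension other than SAN.
ALLOWED_EXTENSIONS = {"subjectAltName"}


class CertRequestError(Exception):
    """Raised when the request must be rejected."""


def split_principal(principal):
    """'HTTP/www.example.test@EXAMPLE.TEST' -> ('HTTP', 'www.example.test', 'EXAMPLE.TEST').

    A user principal ('admin@EXAMPLE.TEST') has no service part: (None, 'admin', realm).
    """
    name, _, realm = principal.rpartition("@")
    service, sep, host = name.partition("/")
    if not sep:
        return None, name, realm
    return service, host, realm


def can_write_cert(requester, entry):
    """Write access to userCertificate: managedBy for hosts, explicit grant for users."""
    service, host, _ = split_principal(requester)
    if service == "host":
        return host in entry.managed_by
    return requester in entry.writers


def check_request(requester, subject_principal, extensions, san):
    """Validate a cert request and return the service principals its SAN binds.

    extensions: names of the extensions present in the CSR (as if already parsed).
    san: list of (general_name_type, value) tuples from the SAN extension.
    Raises CertRequestError on the first violation.
    """
    unknown = set(extensions) - ALLOWED_EXTENSIONS
    if unknown:
        raise CertRequestError(f"unsupported extensions: {sorted(unknown)}")

    subject = DIRECTORY.get(subject_principal)
    if subject is None:
        raise CertRequestError(f"no entry for {subject_principal}")
    if not can_write_cert(requester, subject):
        raise CertRequestError(f"{requester} may not write {subject_principal}")

    service, _, realm = split_principal(subject_principal)
    bound = []
    for gn_type, value in san:
        if gn_type != "dNSName":
            raise CertRequestError(f"SAN type {gn_type} not allowed")
        # Each dNSName must name a service of the same type in the same realm...
        san_principal = f"{service}/{value}@{realm}"
        entry = DIRECTORY.get(san_principal)
        if entry is None:
            raise CertRequestError(f"no service entry for {san_principal}")
        # ...and the requester must be able to write *that* service's
        # certificate, not only the subject's. This is the check the thread
        # settles on, so ACIs decide who may bind a name into a SAN.
        if not can_write_cert(requester, entry):
            raise CertRequestError(f"{requester} may not write {san_principal}")
        bound.append(san_principal)
    return bound


if __name__ == "__main__":
    host = "host/web1.example.test@EXAMPLE.TEST"
    print(check_request(host, "HTTP/web1.example.test@EXAMPLE.TEST",
                        ["subjectAltName"], [("dNSName", "www.example.test")]))
    try:
        check_request(host, "HTTP/web1.example.test@EXAMPLE.TEST",
                      ["subjectAltName"], [("dNSName", "intranet.example.test")])
    except CertRequestError as e:
        print("rejected:", e)
```

Running the block shows web1 obtaining a certificate for HTTP/web1 with www.example.test in the SAN (web1 is in that service's managedBy) and being refused intranet.example.test, which only web2 manages. Because the decision is made per SAN entry against the target service's write access, adding or removing a host from managedBy (or granting a user write access) changes what that requester may put in a SAN without any change to the certificate code.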