[Freeipa-devel] [PATCH] 0036 Fix KRB5PrincipalName / UPN SAN comparison

Fraser Tweedale ftweedal at redhat.com
Sun Aug 9 10:03:47 UTC 2015


The attached patch fixes a bug in KRB5PrincipalName / UPN SAN
validation.

Thanks,
Fraser
-------------- next part --------------
From 5f2b87fb4a5b6d93bd8e946e53e27137280682c1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Sun, 9 Aug 2015 05:55:04 -0400
Subject: [PATCH] Fix KRB5PrincipalName / UPN SAN comparison

Depending on how the target principal name is conveyed to the
command (i.e. with / without realm), the KRB5PrincipalName / UPN
subjectAltName validation could be comparing unequal strings and
erroneously rejecting a valid request.

Normalise both sides of the comparison to ensure that the principal
names contain realm information.

Fixes: https://fedorahosted.org/freeipa/ticket/5191
---
 ipalib/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 341bdd01766d50ba18ce7147d4408851e6f95487..f8a11ca2c5a3688f57c6c3839438fbd426369ecc 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -473,7 +473,7 @@ class cert_request(VirtualCommand):
                         principal_type, alt_principal_string, ca, profile_id)
             elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
                                pkcs10.SAN_OTHERNAME_UPN):
-                if name != principal_string:
+                if split_any_principal(name) != principal:
                     raise errors.ACIError(
                         info=_("Principal '%s' in subject alt name does not "
                                "match requested principal") % name)
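Review bot: the new condition `if split_any_principal(name) != principal:` is only correct if `principal` is already in the same split, realm-qualified form that `split_any_principal` returns; the hunk shows neither where `principal` is bound nor that `split_any_principal` is imported into cert.py, so both should be confirmed before merging. Since the commit message says the failure depends on whether the requested principal arrived with or without a realm, a test exercising both forms against a KRB5PrincipalName / UPN SAN would keep this path from regressing.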
-- 
2.4.3
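The mismatch the commit message describes, shown as an added example that is not code from the patch or from FreeIPA: `parse_principal` is a stand-in for the project's own principal-splitting helper, and `EXAMPLE.COM` is a constructed default realm.

```python
# Added example, not FreeIPA code. parse_principal is a hypothetical stand-in
# for the project's principal-splitting helper; DEFAULT_REALM is constructed.
DEFAULT_REALM = "EXAMPLE.COM"


def parse_principal(principal, default_realm=DEFAULT_REALM):
    """Split 'service/host@REALM' (realm optional) into (service, name, realm).

    A principal given without a realm is taken to belong to default_realm, so
    'HTTP/web.example.com' and 'HTTP/web.example.com@EXAMPLE.COM' compare equal.
    A backslash-escaped '\\@' inside the name is not treated as a realm separator.
    """
    # Locate the realm separator: the first unescaped '@'.
    realm_at = -1
    i = 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if principal[i] == "@":
            realm_at = i
            break
        i += 1
    if realm_at == -1:
        base, realm = principal, default_realm
    else:
        base, realm = principal[:realm_at], principal[realm_at + 1:]
    if not base or not realm:
        raise ValueError("malformed principal: %r" % principal)
    if "/" in base:
        service, name = base.split("/", 1)
    else:
        service, name = None, base
    return (service, name, realm)


def san_matches_string(san_name, principal_string):
    """Pre-patch behaviour: a plain string comparison, realm-sensitive."""
    return san_name == principal_string


def san_matches_principal(san_name, principal_string):
    """Post-patch behaviour: normalise both sides, then compare."""
    return parse_principal(san_name) == parse_principal(principal_string)
```

With a SAN carrying the realm and a request principal given without it, the string comparison rejects a valid request while the normalised comparison accepts it, and a genuinely different realm is still rejected.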


