[Freeipa-devel] [PATCH] 0038 cert-request: remove allowed extensions check

Fraser Tweedale ftweedal at redhat.com
Thu Aug 13 05:54:01 UTC 2015


The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5205

Thanks,
Fraser
-------------- next part --------------
From 7186acfbf70bb6963b8bb72bbda5fece3fb20dd2 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 13 Aug 2015 01:42:06 -0400
Subject: [PATCH] cert-request: remove allowed extensions check

cert-request currently permits a limited number of request
extensions; uncommon and esoteric extensions are prohibited and this
limits the usefulness of custom profiles.

The Dogtag profile has total control over what goes into the final
certificate and has the option to reject requests based on the
request extensions present or their values, so there is little
reason to restrict what extensions can be used in FreeIPA.  Remove
the check.

Fixes: https://fedorahosted.org/freeipa/ticket/5205
---
 ipalib/plugins/cert.py | 22 +++-------------------
 1 file changed, 3 insertions(+), 19 deletions(-)

diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index c0b459d3817d59d535f70258e9a0da9a784d7094..21093fb936b1da82a5371be8050737d8c79e6f9d 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -306,15 +306,6 @@ class cert_request(VirtualCommand):
         ),
     )
 
-    _allowed_extensions = {
-        '2.5.29.14': None,      # Subject Key Identifier
-        '2.5.29.15': None,      # Key Usage
-        '2.5.29.17': 'request certificate with subjectaltname',
-        '2.5.29.19': None,      # Basic Constraints
-        '2.5.29.37': None,      # Extended Key Usage
-        '1.2.840.10070.8.1': None, # IECUserRoles (DNP3 / IEC 62351-8)
-    }
-
     def execute(self, csr, **kw):
         ca_enabled_check()
 
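Review bot: removing `_allowed_extensions` also removes the only place in this file that named the OIDs it handled (the inline comments `# Subject Key Identifier`, `# Key Usage`, `# IECUserRoles ...`); the later hunk keeps a bare `'2.5.29.17'` literal with no such annotation. Consider retaining a named constant for the one OID that is still checked, for example `SAN_OID = '2.5.29.17'  # subjectAltName`, so the remaining permission check stays self-documenting.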
@@ -369,12 +360,10 @@ class cert_request(VirtualCommand):
             raise errors.CertificateOperationError(
                 error=_("Failure decoding Certificate Signing Request: %s") % e)
 
-        # host principals may bypass allowed ext check
+        # self-service and host principals may bypass SAN permission check
         if bind_principal != principal and bind_principal_type != HOST:
-            for ext in extensions:
-                operation = self._allowed_extensions.get(ext)
-                if operation:
-                    self.check_access(operation)
+            if '2.5.29.17' in extensions:
+                self.check_access('request certificate with subjectaltname')
 
         dn = None
         principal_obj = None
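Review bot: the hard-coded `if '2.5.29.17' in extensions:` on the `+` lines should use a named constant rather than a magic OID string, since after this patch nothing nearby explains that `2.5.29.17` is subjectAltName. Also note that this is now the only per-extension access check left in `cert_request`: every other extension in the CSR (Basic Constraints, Key Usage, Extended Key Usage, and anything previously rejected as unknown) is passed to Dogtag with no check on the FreeIPA side, so the updated comment `# self-service and host principals may bypass SAN permission check` is accurate but it is worth spelling out in the commit message that the profile is now the sole enforcement point for those extensions.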
@@ -426,11 +415,6 @@ class cert_request(VirtualCommand):
                         "any of user's email addresses")
                 )
 
-        for ext in extensions:
-            if ext not in self._allowed_extensions:
-                raise errors.ValidationError(
-                    name='csr', error=_("extension %s is forbidden") % ext)
-
         # We got this far so the principal entry exists, can we write it?
         if not ldap.can_write(dn, "usercertificate"):
             raise errors.ACIError(info=_("Insufficient 'write' privilege "
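Review bot: dropping the `ValidationError(name='csr', error=_("extension %s is forbidden") % ext)` path changes observable behaviour for callers and tests that expect a forbidden-extension CSR to be rejected by `cert-request` itself; those cases should be updated to expect either success or a profile-side rejection from Dogtag, and the commit message should say that the rejection now depends on the configured profile. Since the list of extensions is still decoded from the CSR above, there is no dangling reference left by this removal.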
-- 
2.4.3
