[Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension

Jan Cholasta jcholast at redhat.com
Tue Aug 30 06:48:58 UTC 2016


On 29.8.2016 07:57, Fraser Tweedale wrote:
> On Fri, Aug 26, 2016 at 10:41:37AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 22.7.2016 07:18, Fraser Tweedale wrote:
>>> While I was poking around SAN-processing code, I decided to
>>> implement a small enhancement: allowing the subject principal's DN
>>> to appear in SAN.
>>>
>>> https://fedorahosted.org/freeipa/ticket/6112
>>>
>>> Patch depends on my other patches 0090, 0092, 0093, 0094.
>>
>> I don't think this is how DN SANs are supposed to be handled. For example,
>> see this bit about DN name constraints in RFC 5280 section 4.2.1.10:
>>
>>    Restrictions of the form directoryName MUST be applied to the subject
>>    field in the certificate (when the certificate includes a non-empty
>>    subject field) and to any names of type directoryName in the
>>    subjectAltName extension.
>>
>> It would appear to me that DN SANs only provide additional values to the
>> subject name of the certificate and thus should be treated the same way as
>> the subject name.
>>
>> We don't impose any restrictions on subject names with regard to DN of the
>> subject LDAP entry, so I think we should not do it for DN SANs as well. Or,
>> alternatively, we should do it for both.
>>
> I disagree.  Supporting an altname containing the LDAP DN is a valid
> use case.  There is no need to apply the same rules to Subject DN
> and Directory Name altname

Nowhere in the RFC is it stated that there is any semantic difference 
between the subject name and DN SANs, so I don't see why we should make 
DN SANs special.

> (otherwise, why would the Directory Name
> altname type even exist?).

To allow multiple subject DNs.

> There are other possible values but this
> one is trivial to validate so why not?

I have no issue with validation per se, I just find it very odd that the 
code would allow me to request a cert with any LDAP entry DN in subject 
name but only one specific LDAP entry DN in DN SAN.

>
> As for the RFC excerpt, this is about the Name Constraints
> extension.  In the unlikely case that a superior certificate has a
> Name Constraints extension that applies to DNs, the way we construct
> the Subject DN is probably the bigger problem ;)

Yes, this particular excerpt is about name constraints, but I doubt that 
if you looked anywhere else, it would say something different about the 
relationship of subject name and DN SANs.

>
> Take the feature or leave it (after all, no one has asked for it yet)
> but IMO the usage is valid.
>
> Cheers,
> Fraser
>


-- 
Jan Cholasta
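The RFC 5280 rule quoted in the thread, that directoryName constraints apply to the subject field and to every directoryName SAN entry alike, as an added example that is not part of the thread or of FreeIPA's code; the simplified DN parser, the sample host certificate names and the `dc=example,dc=test` subtree are constructed assumptions.

```python
"""Apply directoryName name constraints (RFC 5280 section 4.2.1.10) to the
subject and to directoryName SAN entries in the same way. Added example."""


def parse_dn(text):
    """Parse a simple RFC 4514 string DN (assumption: no escaped commas and no
    multi-valued RDNs) into a root-first tuple of (type, value) RDNs, with type
    and value normalised in the spirit of the X.500 caseIgnoreMatch rule."""
    rdns = []
    for rdn in text.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    # The string form is leaf-first; the encoded (and constraint) order is root-first.
    return tuple(reversed(rdns))


def dn_within_subtree(dn, base):
    """A DN is within a directoryName subtree when the base is a prefix of its RDN sequence."""
    return len(base) <= len(dn) and dn[:len(base)] == base


def constrained_names(subject, san):
    """Names that directoryName constraints apply to: the subject (when non-empty)
    plus every directoryName SAN entry. Other SAN types (dNSName, ...) are untouched."""
    names = [subject] if subject else []
    names += [value for kind, value in san if kind == "directoryName"]
    return names


def dn_constraint_violations(subject, san, permitted=(), excluded=()):
    """Return (dn, reason) for each constrained name outside every permitted
    subtree or inside an excluded subtree."""
    violations = []
    for dn in constrained_names(subject, san):
        if permitted and not any(dn_within_subtree(dn, p) for p in permitted):
            violations.append((dn, "outside every permitted subtree"))
        if any(dn_within_subtree(dn, e) for e in excluded):
            violations.append((dn, "inside an excluded subtree"))
    return violations


# Constructed sample: a host cert whose SAN carries the host's LDAP entry DN.
SUBJECT = parse_dn("CN=host1.example.test,O=EXAMPLE.TEST")
SAN = [
    ("dNSName", "host1.example.test"),
    ("directoryName", parse_dn("fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test")),
]
PERMITTED = [parse_dn("dc=example,dc=test")]

if __name__ == "__main__":
    # The directoryName SAN sits under the permitted subtree; the realm-style subject does not.
    for dn, reason in dn_constraint_violations(SUBJECT, SAN, PERMITTED):
        print(reason, dn)
```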



