[Freeipa-devel] [PATCH] 0095 cert-request: allow directoryName in SAN extension
Fraser Tweedale
ftweedal at redhat.com
Fri Jul 22 05:18:07 UTC 2016
While I was poking around SAN-processing code, I decided to
implement a small enhancement: allowing the subject principal's DN
to appear in SAN.
https://fedorahosted.org/freeipa/ticket/6112
Patch depends on my other patches 0090, 0092, 0093, 0094.
Thanks,
Fraser
From 6a2ab7165c0ae600402c1c2794f2b10c9e38da05 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 22 Jul 2016 13:07:09 +1000
Subject: [PATCH] cert-request: allow directoryName in SAN extension
Allow directoryName in SAN extension if the value matches the
subject principal's DN in the IPA directory.
Fixes: https://fedorahosted.org/freeipa/ticket/6112
---
ipaserver/plugins/cert.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 606d6cdbc28d30892ab60ad4aeb41ecbbd646589..605fd321f00304f69347aae633f935dde8e59bdc 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -667,6 +667,12 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
error=_("subject alt name type %s is forbidden "
"for non-user principals") % desc
)
+ elif name_type == nss.certDirectoryName:
+ if DN(name) != principal_obj['dn']:
+ raise errors.ValidationError(
+ name='csr',
+ error=_("Directory Name does not match principal's DN")
+ )
else:
raise errors.ACIError(
info=_("Subject alt name type %s is forbidden") % desc)
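Review bot: `DN(name)` in the new `if DN(name) != principal_obj['dn']:` line is called on a directoryName value taken straight from the CSR; if that value is not parseable as a DN (malformed string, unsupported RDN type) the constructor may raise rather than return a comparable object, and the request would fail with an unhandled server error instead of the intended `errors.ValidationError(name='csr', ...)`. Wrap the parse and raise the same ValidationError on failure. Note also that, unlike the preceding branch which is restricted to user principals, this branch accepts directoryName for every principal type as long as it matches the principal's DN, which agrees with the commit message; since the diff touches only cert.py, a test covering both the matching and the mismatching directoryName case would make that intent explicit.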
--
2.5.5