Issue #5096: cert-request: enforce caacl for subjectAltName principals - freeipa

freeipa

#5096 cert-request: enforce caacl for subjectAltName principals

Closed: Fixed None Opened 8 years ago by ftweedal.

cert-request ensures that any dNSName values in a CSR subjectAltName
requestExtension have a corresponding service/host principal in
FreeIPA and that their entries are writable by the bind principal.

It currently DOES NOT enforce CA ACLs for these alternative
principals, i.e. it does not check that there is a caacl rule
allowing issuance of certificates to each alt-principal (using the
chosen profile).

pspacek:
From my point of view, subjectAltName allows the entity possessing the private
key for the the certificate to impersonate anything mentioned in
SubjectAltName and CN ...

Therefore, enforce the caacl for all principals indicated in the
subjectAltName request extension.

ftweedal commented 8 years ago

attachment
freeipa-ftweedal-0027-cert-request-enforce-caacl-for-principals-in-SAN.patch

tbabej commented 8 years ago

master:

e3c2253 caacl: fix incorrect construction of HbacRequest for hosts
ec7e5e0 cert-request: enforce caacl for principals in SAN

Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.2

7 years ago

Metadata

Assignee

ftweedal

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.2

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Certificate management

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

dkupka, mbasti

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#5096 cert-request: enforce caacl for subjectAltName principals Closed: Fixed None Opened 8 years ago by ftweedal.

Metadata

#5096 cert-request: enforce caacl for subjectAltName principals

Closed: Fixed None Opened 8 years ago by ftweedal.