cert-request decodes CSRs and examines the request extensions. It currently only permits the following extensions to appear:
I also have a patch on review that allows the IECUserRoles extension to appear.
I propose removing these checks.
Rationale:
No extension is copied from the CSR or otherwise included in the final certificate unless using a Dogtag profile that is explicitly configured to do so. The mere presence of a request extension does not, on its own, affect the final certificate.
With the current checks, adding a profile to copy a certain esoteric / custom extension from CSR to cert will be ineffective unless cert-request knows about it. This renders custom profiles useless for working with such unknown extensions, unless / until we add support for them.
I am not aware of any reason why we should whitelist request extensions. If there are reasons, please enlighten me!
Objection:
Counterpoint:
We can add support for comparing the request and the resulting cert, if needed, but I don't think we should really do a favor in the pre-check.
We must make difficult things easier, but not at the expense of making other difficult things possible. At the moment, despite custom profiles, it is not possible to use custom profiles to work with extensions other than those listed above, without patching FreeIPA.
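The two behaviours being argued over, written out as an added example (this is illustration, not FreeIPA's cert-request code). A small stdlib-only DER walker pulls the extensionRequest attribute out of a CSR; `unsupported_request_extensions` is the whitelist pre-check of the kind the ticket proposes removing, and `unhonoured_extensions` is the post-issuance request-versus-cert comparison the counterpoint mentions. The allowed-OID set, the private-arc OID 1.3.6.1.4.1.99999.1 and the sample CSR (built in-script with an empty subject, a placeholder key field and a dummy signature, so it is not a signable request) are all constructed here for the example and are not the ticket's own list or data.

```python
"""Request-extension pre-check versus post-issuance comparison (added example)."""

EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest

# Hypothetical whitelist standing in for the list the ticket refers to.
ALLOWED_REQUEST_EXTENSIONS = {
    "2.5.29.17": "subjectAltName",
    "2.5.29.15": "keyUsage",
    "2.5.29.37": "extendedKeyUsage",
}

# --- minimal DER encoding (only what the sample CSR needs) -------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:                       # base-128, high bit = more bytes
        enc = bytes([p & 0x7F])
        p >>= 7
        while p:
            enc = bytes([0x80 | (p & 0x7F)]) + enc
            p >>= 7
        out += enc
    return tlv(0x06, out)

def extension(ext_oid, value, critical=False):
    body = oid(ext_oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value)
    return tlv(0x30, body)

def build_csr(extensions):
    """CertificationRequest with placeholder key/signature (constructed sample)."""
    version = tlv(0x02, b"\x00")
    subject = tlv(0x30, b"")                  # empty Name
    spki = tlv(0x30, b"")                     # placeholder, not a real key
    ext_req = tlv(0x30, oid(EXTENSION_REQUEST) + tlv(0x31, tlv(0x30, b"".join(extensions))))
    attributes = tlv(0xA0, ext_req)           # [0] IMPLICIT Attributes
    cri = tlv(0x30, version + subject + spki + attributes)
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11"))   # sha256WithRSAEncryption
    signature = tlv(0x03, b"\x00" + b"\x00" * 4)         # dummy BIT STRING
    return tlv(0x30, cri + sig_alg + signature)

# --- minimal DER decoding -----------------------------------------------------
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0   # fine for arcs 0/1/2.<40
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def request_extensions(csr_der):
    """Map extnID -> (critical, extnValue) for the CSR's extensionRequest."""
    _, csr_body, _ = read_tlv(csr_der)
    _, cri, _ = read_tlv(csr_body)
    exts = {}
    for tag, attrs in iter_tlvs(cri):
        if tag != 0xA0:                         # only the [0] attributes field
            continue
        for _, attr in iter_tlvs(attrs):
            _, attr_oid, pos = read_tlv(attr)
            if decode_oid(attr_oid) != EXTENSION_REQUEST:
                continue
            _, values, _ = read_tlv(attr, pos)  # SET OF Extensions
            for _, ext_seq in iter_tlvs(values):
                for _, ext in iter_tlvs(ext_seq):
                    _, ext_oid, p = read_tlv(ext)
                    t, v, p = read_tlv(ext, p)
                    critical = False
                    if t == 0x01:               # optional BOOLEAN critical
                        critical, (t, v, p) = v == b"\xff", read_tlv(ext, p)
                    exts[decode_oid(ext_oid)] = (critical, v)
    return exts

def unsupported_request_extensions(csr_der, allowed=ALLOWED_REQUEST_EXTENSIONS):
    """The pre-check the ticket proposes removing: any OID outside the whitelist
    would cause cert-request to reject the CSR before the profile ever sees it."""
    return sorted(o for o in request_extensions(csr_der) if o not in allowed)

def unhonoured_extensions(csr_der, issued_extension_oids):
    """The alternative from the counterpoint: compare after issuance and report
    request extensions the profile did not copy into the certificate."""
    return sorted(set(request_extensions(csr_der)) - set(issued_extension_oids))

# Constructed sample: a SAN plus a critical private-arc extension no whitelist knows.
SAMPLE_CSR = build_csr([
    extension("2.5.29.17", tlv(0x30, tlv(0x82, b"www.example.test"))),
    extension("1.3.6.1.4.1.99999.1", tlv(0x0C, b"custom"), critical=True),
])

if __name__ == "__main__":
    print("request extensions:", sorted(request_extensions(SAMPLE_CSR)))
    print("rejected by pre-check:", unsupported_request_extensions(SAMPLE_CSR))
    print("not copied by a SAN-only profile:", unhonoured_extensions(SAMPLE_CSR, ["2.5.29.17"]))
```

With the pre-check in place the sample CSR is refused because of the private-arc OID even if a custom profile would have copied it; without the pre-check the CSR reaches Dogtag and the profile alone decides, and `unhonoured_extensions` shows afterwards which requested extensions the issued certificate silently dropped.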
attachment freeipa-ftweedal-0038-cert-request-remove-allowed-extensions-check.patch
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1254641
master:
ipa-4-2:
Metadata Update from @ftweedal: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.2.1