URL: https://github.com/freeipa/freeipa/pull/736 Title: #736: Fixing the cert-request command comparing whole email address case-sensitively.
felipevolpone commented:
"""
@frasertweedale I did the check in the SAN extension. However, I'm not sure if these are valid situations:

Case 1)
The principal email is a...@email.com
The email in the certificate is b...@email.com
The emails in the SAN extensions are: a...@email.com, c...@email.com

or this:

Case 2)
The principal email is a...@email.com
The email in the certificate is b...@email.com, a...@email.com
The email in the SAN extensions is: c...@email.com

If case 1 is valid, the check in line 799 (below) is not right, because it expects that all emails in the SAN extension are in the principal.

```python
elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
    if principal_type == USER:
        if principal_obj and gn.value not in principal_obj.get(
                'mail', []):
            raise errors.ValidationError(
                name='csr',
                error=_(
                    "RFC822Name does not match "
                    "any of user's email addresses")
            )
    else:
        raise errors.ValidationError(
            name='csr',
            error=_(
                "subject alt name type %s is forbidden "
                "for non-user principals") % "RFC822Name"
        )
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/736#issuecomment-298673966
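The check discussed in the comment above, as an added stand-alone example that is not FreeIPA code and not part of the original comment: it compares the whole-string match used by the quoted snippet with a match that lower-cases only the domain, over constructed addresses shaped like Case 1. The function names, the sample addresses, and the choice to keep the local part case-sensitive are assumptions.

```python
# Added example; not FreeIPA code. All names and addresses are constructed.

def normalize_email(addr):
    """Lower-case only the domain part of an address.

    Assumption: the local part is kept exactly as given, because only
    the domain is guaranteed to be case-insensitive.
    """
    local, sep, domain = addr.rpartition('@')
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % addr)
    return local + '@' + domain.lower()


def exact_unmatched(principal_mails, san_emails):
    """Whole-string comparison, as in the quoted snippet."""
    return [e for e in san_emails if e not in principal_mails]


def unmatched_san_emails(principal_mails, san_emails):
    """Return SAN RFC822Name values that match none of the principal's
    mail values after domain normalization. An empty list means the
    request passes an 'every SAN email must belong to the principal'
    policy; any entry means the request would be rejected."""
    known = {normalize_email(m) for m in principal_mails}
    return [e for e in san_emails if normalize_email(e) not in known]


# Constructed data shaped like Case 1: one SAN address belongs to the
# principal (differing only in domain case), one does not.
PRINCIPAL = ['alice@example.com']
SAN_CASE1 = ['alice@EXAMPLE.com', 'carol@example.com']

if __name__ == '__main__':
    # Whole-string comparison rejects both SAN entries.
    print(exact_unmatched(PRINCIPAL, SAN_CASE1))
    # Domain-insensitive comparison still rejects the foreign address,
    # so Case 1 fails under an all-must-match policy either way.
    print(unmatched_san_emails(PRINCIPAL, SAN_CASE1))
```
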