URL: https://github.com/freeipa/freeipa/pull/781
Author: felipevolpone
Title: #781: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: opened

PR body:
"""
The code is not "production-ready", however, I would like to know if I'm on the 
right path.

AFAIK we should check if the SAN extension is provided and if it has DNSName 
info.

Fix: https://pagure.io/freeipa/issue/6663


"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/781/head:pr781
git checkout pr781
From 0bea2f6601915dc4f194953ebfe450bef5ae70b2 Mon Sep 17 00:00:00 2001
From: Felipe Volpone <felipevolp...@gmail.com>
Date: Thu, 11 May 2017 20:21:57 -0300
Subject: [PATCH] warn in cert-request if CSR doesn't contain SAN

---
 ipaserver/plugins/cert.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..09d3dba 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -771,6 +771,17 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
         cn = cns[-1].value  # "most specific" is end of list
 
         if principal_type in (SERVICE, HOST):
+
+            has_dns_in_san_ext = False
+            if ext_san:
+                for gn in x509.process_othernames(ext_san.value):
+                    if isinstance(gn, cryptography.x509.general_name.DNSName):
+                        has_dns_in_san_ext = True
+
+            if not ext_san or not has_dns_in_san_ext:
+                print('Warning: The SAN extension '
+                      'should be provided. Please, check the RFC 2818.')
+
             if not _dns_name_matches_principal(cn, principal, principal_obj):
                 raise errors.ValidationError(
                     name='csr',
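Review bot: The warning on the `print(...)` lines never reaches the person running `ipa cert-request`: this code runs inside the server plugin, so `print` writes to the server process's stdout, not to the client. Report it through the framework's message mechanism (the `add_message` / `messages` facility the plugins already use for client-visible warnings) or at least the module logger, so the operator actually sees why a SAN-less CSR is discouraged. Two smaller points in the same block: `cryptography.x509.general_name.DNSName` needs the top-level `cryptography` package to be importable under that name in this module, and the visible hunk adds no import, so either confirm one exists or use the public `cryptography.x509.DNSName` name via whatever `x509` import `cert.py` already has; and `if not ext_san or not has_dns_in_san_ext` can be reduced to `if not has_dns_in_san_ext`, since the flag can only be set when `ext_san` is present (a `break` after setting it would also avoid walking the rest of the names). It is worth stating in the warning text that RFC 2818 section 3.1 is the reason clients ignore the CN when a SAN dNSName is present, so the message explains the risk rather than only citing the RFC.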
-- 