#6432 cert-request: check SAN dnsNames against principal aliases
Closed: Duplicate. Opened 7 years ago by ftweedal.

FreeIPA v4.4 added Kerberos principal aliases, but cert-request
does not check principal aliases when looking for a match for
dns names in the subjectAltName extension.

From mailing list discussion:

Certainly principal aliases should be checked if they were asked to be
in SAN. The question is what type of the SAN extension should be
considered for them in addition to Kerberos principal. The aliases are
stored in their full format (alias@REALM), so either you need to do full
match or consider dropping the realm for some types. This needs to be
clarified before any implementation happens.

Right, UPN and KRB5PrincipalName can be checked as-is.

We should check dnsNames by affixing around the dnsName the same
service type (e.g. HTTP) and realm as the nominated principal, and
looking for that in the aliases. e.g. for nominated principal
HTTP/web.example.com@EXAMPLE.COM, if there is a SAN dnsName
www.example.com, we look for HTTP/www.example.com@EXAMPLE.COM in
its aliases.

Does this sound reasonable?

No other GeneralName types shall be checked against principal
aliases, unless/until we support SRVName.

Sounds reasonable to me, thanks.
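The matching rule proposed in the discussion above, as an added example that is not FreeIPA's own code: for each SAN dnsName, affix the nominated principal's service type and realm around it and look for that principal among the nominated principal and its aliases. Names, the normalisation of hostnames to lowercase and the skipping of non-service aliases are assumptions of this example, not of the ticket.

```python
# Added example (not FreeIPA code): check SAN dnsNames against the
# nominated principal and its Kerberos principal aliases.
from dataclasses import dataclass


@dataclass(frozen=True)
class ServicePrincipal:
    service: str
    host: str
    realm: str

    @classmethod
    def parse(cls, text):
        """Parse 'service/host@REALM'; return None for any other shape
        (a user alias such as alice@REALM carries no host to match)."""
        name, sep, realm = text.rpartition("@")
        if not sep or not realm:
            return None
        service, sep, host = name.partition("/")
        if not sep or not service or not host:
            return None
        # DNS names are case-insensitive (assumption: hostnames in
        # principals are compared lowercased); service and realm as-is.
        return cls(service, host.rstrip(".").lower(), realm)


def unmatched_san_dnsnames(nominated, aliases, dnsnames):
    """Return the SAN dnsNames NOT covered by the nominated principal or
    one of its aliases. A dnsName D is covered when '<service>/D@<REALM>',
    built from the nominated principal's service and realm, is among them.
    An empty list means every dnsName in the SAN is acceptable."""
    target = ServicePrincipal.parse(nominated)
    if target is None:
        raise ValueError(f"not a service principal: {nominated!r}")
    known = {p for p in map(ServicePrincipal.parse, [nominated, *aliases]) if p}
    unmatched = []
    for dnsname in dnsnames:
        candidate = ServicePrincipal(
            target.service, dnsname.rstrip(".").lower(), target.realm)
        if candidate not in known:
            unmatched.append(dnsname)
    return unmatched
```

An alias in another realm, or with a different service type, does not cover a dnsName even when the hostname matches.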

Metadata Update from @ftweedal (7 years ago):
- Issue assigned to ftweedal
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
