FreeIPA v4.4 added Kerberos principal aliases, but cert-request does not check principal aliases when looking for a match for dNSName values in the subjectAltName extension; only the canonical principal name is consulted, so a request for a certificate covering an aliased host name is rejected.
From mailing list discussion:
> > Certainly principal aliases should be checked if they were asked to be in SAN. The question is what type of the SAN extension should be considered for them in addition to Kerberos principal. The aliases are stored in their full format (alias@REALM), so either you need to do full match or consider dropping the realm for some types. This needs to be clarified before any implementation happens.
>
> Right, UPN and KRB5PrincipalName can be checked as-is.
>
> We should check dnsNames by affixing around the dnsName the same service type (e.g. `HTTP`) and realm as the nominated principal, and looking for that in the aliases. e.g. for nominated principal `HTTP/web.example.com@EXAMPLE.COM`, if there is a SAN dnsName `www.example.com`, we look for `HTTP/www.example.com@EXAMPLE.COM` in its aliases.
>
> Does this sound reasonable?
>
> No other GeneralName types shall be checked against principal aliases, unless/until we support SRVName.

Sounds reasonable to me, thanks.
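The matching rule proposed in the discussion above, written out as an added example (this is illustrative code, not FreeIPA's cert-request implementation). It assumes the nominated principal and its aliases are all available in full `name@REALM` form, and represents decoded SAN entries as `(GeneralName type, value)` pairs with the type labels `krb5PrincipalName`, `otherName:UPN` and `dNSName`, which are names chosen here for the example. The `check_aliases` switch models the current behaviour (only the canonical principal is consulted) against the proposed one.

```python
"""
Added example of the SAN-vs-principal-alias check proposed for cert-request.
Not FreeIPA code: principal strings, alias lists and SAN entries below are
constructed inline, and the type labels for SAN entries are assumptions.
"""


def parse_principal(name):
    """Split 'service/instance@REALM' or 'user@REALM' into (service, instance, realm)."""
    if "@" not in name:
        raise ValueError("principal must carry a realm: %r" % name)
    local, realm = name.rsplit("@", 1)
    if not local or not realm:
        raise ValueError("malformed principal %r" % name)
    if "/" in local:
        service, instance = local.split("/", 1)
    else:
        service, instance = None, local
    return service, instance, realm


def dnsname_to_principal(dnsname, nominated):
    """Wrap a SAN dNSName in the service type and realm of the nominated principal.

    For nominated HTTP/web.example.com@EXAMPLE.COM and dNSName www.example.com
    this yields HTTP/www.example.com@EXAMPLE.COM.  A user principal has no
    service type, so no principal can be derived for it and None is returned.
    """
    service, _instance, realm = parse_principal(nominated)
    if service is None:
        return None
    # Assumption for this example: hosts are stored lower-case without a trailing
    # dot, so normalise the dNSName the same way before building the principal.
    host = dnsname.rstrip(".").lower()
    return "%s/%s@%s" % (service, host, realm)


def check_san(nominated, aliases, san, check_aliases=True):
    """Return {value: reason} for each SAN entry that cannot be justified.

    Rules, following the mailing list proposal:
      * krb5PrincipalName and UPN values must equal the nominated principal or
        one of its aliases exactly (they already carry the realm).
      * dNSName values are matched after wrapping them in the nominated
        principal's service type and realm.
      * other GeneralName types are not matched against aliases at all and are
        rejected here (SRVName is not supported).
    With check_aliases=False only the canonical principal is consulted, which
    is the pre-fix behaviour the issue describes.
    """
    known = {nominated}
    if check_aliases:
        known |= set(aliases)
    rejected = {}
    for gn_type, value in san:
        if gn_type in ("krb5PrincipalName", "otherName:UPN"):
            if value not in known:
                rejected[value] = "%s matches neither principal nor alias" % gn_type
        elif gn_type == "dNSName":
            candidate = dnsname_to_principal(value, nominated)
            if candidate is None:
                rejected[value] = "dNSName not permitted for a non-service principal"
            elif candidate not in known:
                rejected[value] = "no principal or alias %s" % candidate
        else:
            rejected[value] = "GeneralName type %s is not checked against aliases" % gn_type
    return rejected


# Constructed sample: a web server whose host also answers as www.example.com.
NOMINATED = "HTTP/web.example.com@EXAMPLE.COM"
ALIASES = ["HTTP/web.example.com@EXAMPLE.COM", "HTTP/www.example.com@EXAMPLE.COM"]
SAN = [
    ("dNSName", "web.example.com"),
    ("dNSName", "www.example.com"),
    ("dNSName", "other.example.com"),
    ("krb5PrincipalName", "HTTP/www.example.com@EXAMPLE.COM"),
    ("otherName:UPN", "HTTP/www.example.com@OTHER.COM"),
    ("rfc822Name", "admin@example.com"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("check_aliases=%s:" % mode)
        for value, reason in sorted(check_san(NOMINATED, ALIASES, SAN, mode).items()):
            print("  reject %s: %s" % (value, reason))
```

With `check_aliases=False` the aliased `www.example.com` dNSName is rejected along with the genuinely unjustified entries; with aliases consulted, only `other.example.com`, the UPN in a foreign realm and the rfc822Name remain rejected.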
dup of #6295
Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: 0.0 NEEDS_TRIAGE