Bug 1391799 - cert-request rejects request with correct krb5PrincipalName SAN
Summary: cert-request rejects request with correct krb5PrincipalName SAN
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On: 1252517
Blocks:
 
Reported: 2016-11-04 05:17 UTC by Abhijeet Kasurde
Modified: 2016-11-15 04:04 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1252517
Environment:
Last Closed: 2016-11-15 04:04:38 UTC
Target Upstream Version:



Comment 1 Abhijeet Kasurde 2016-11-04 05:20:10 UTC
Fix is not available in RHEL 7.3 ::

# grep " principal_string:" . -ir
./ipaserver/plugins/cert.py:                if name != principal_string:
# rpm -q ipa-server
ipa-server-4.4.0-12.el7.x86_64

Comment 3 Martin Babinsky 2016-11-14 09:39:23 UTC
I have repeated the steps to reproduce on my VM and was able to successfully request a certificate containing valid KRBPrincipalName SAN.

1.)
 cat tuser-krb5p.cnf 
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "tuser"

[ exts ]
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:krb5principal

[ krb5principal ]
realm = EXPLICIT:0,GeneralString:IPA.TEST
principalname = EXPLICIT:1,SEQUENCE:principalname

[ principalname ]
nametype = EXPLICIT:0,INT:0
namestring = EXPLICIT:1,SEQUENCE:namestring

[ namestring ]
part1 = GeneralString:tuser

2.) # ipa caacl_add all_users --usercat=all --profilecat=all
------------------------
Added CA ACL "all_users"
------------------------
  ACL name: all_users
  Enabled: TRUE
  Profile category: all
  User category: all

3.) # openssl req -out tuser.csr -new -newkey rsa:2048 -nodes -keyout tuser.key -config tuser-krb5p.cnf 
Generating a 2048 bit RSA private key

4.) 
# kinit 
# ipa cert-request tuser.csr --principal tuser
 Issuing CA: ipa
  Certificate: MIIE...
  Subject: CN=tuser,O=IPA.TEST
  Subject Kerberos principal name: tuser
  Issuer: CN=Certificate Authority,O=IPA.TEST
  Serial number: 12
  Serial number (hex): 0xC

Is there a real regression in this use-case? If yes, then please provide a recent reproducer. Otherwise I will close the BZ as INSUFFICIENT_INFO.

(Also grepping for some boolean in the code is not an indication of the presence of a fix. In this case there was an extensive refactoring because of changes in principal processing in the framework. The passing testcase determines whether the fix is in place, not the code.)
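
The openssl config in comment 3 spells out, field by field, the KRB5PrincipalName structure that goes inside the 1.3.6.1.5.2.2 otherName: realm as [0] GeneralString, principalName as [1] SEQUENCE of a [0] INTEGER name-type and a [1] SEQUENCE OF GeneralString name-string. The following Python is an added example, not part of this bug report and not FreeIPA's cert.py or the openssl tooling used above. It encodes that SAN by hand with the same tags the config uses, parses it back, unwraps it from a GeneralName otherName, and performs a check of the same shape as the comparison the grep in comment 1 points at: the principal carried in the SAN must be exactly the principal the certificate is requested for, otherwise the request is rejected. The realm IPA.TEST, the principal names and all function names are constructed for the example; it needs only the standard library.

```python
"""Hand-rolled DER for the PKINIT KRB5PrincipalName SAN (otherName OID 1.3.6.1.5.2.2).

Added example; not FreeIPA code. Realm, principals and names are made up for it.
"""

KRB5_PRINCIPAL_NAME_OID = "1.3.6.1.5.2.2"
NT_UNKNOWN = 0      # name-type 0, as written in the openssl config in comment 3
NT_PRINCIPAL = 1    # name-type a Kerberos client would normally use

# --- minimal DER encoder --------------------------------------------------

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _general_string(s):          # GeneralString, universal tag 27 (0x1b)
    return _tlv(0x1B, s.encode("ascii"))

def _integer(i):                 # INTEGER, non-negative values only
    return _tlv(0x02, i.to_bytes(max(1, (i.bit_length() + 8) // 8), "big"))

def _explicit(n, content):       # [n] EXPLICIT: context-specific, constructed
    return _tlv(0xA0 | n, content)

def _oid(dotted):                # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def encode_krb5_principal_name(realm, name_parts, name_type=NT_UNKNOWN):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] GeneralString,
    principalName [1] SEQUENCE { name-type [0] INTEGER,
                                 name-string [1] SEQUENCE OF GeneralString } }"""
    name_string = _tlv(0x30, b"".join(_general_string(p) for p in name_parts))
    principal = _tlv(0x30, _explicit(0, _integer(name_type)) + _explicit(1, name_string))
    return _tlv(0x30, _explicit(0, _general_string(realm)) + _explicit(1, principal))

def encode_othername_general_name(realm, name_parts, name_type=NT_UNKNOWN):
    """GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    krb = encode_krb5_principal_name(realm, name_parts, name_type)
    return _tlv(0xA0, _oid(KRB5_PRINCIPAL_NAME_OID) + _explicit(0, krb))

# --- minimal DER decoder --------------------------------------------------

def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _expect(buf, tag, pos=0):
    t, content, end = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    return content, end

def parse_krb5_principal_name(der):
    """Return (realm, name_type, [name parts]); ValueError on malformed input."""
    seq, end = _expect(der, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after KRB5PrincipalName")
    realm_wrap, pos = _expect(seq, 0xA0)
    realm, _ = _expect(realm_wrap, 0x1B)
    pn_wrap, _ = _expect(seq, 0xA1, pos)
    pn, _ = _expect(pn_wrap, 0x30)
    nt_wrap, pos = _expect(pn, 0xA0)
    nt, _ = _expect(nt_wrap, 0x02)
    ns_wrap, _ = _expect(pn, 0xA1, pos)
    ns, _ = _expect(ns_wrap, 0x30)
    parts, pos = [], 0
    while pos < len(ns):
        part, pos = _expect(ns, 0x1B, pos)
        parts.append(part.decode("ascii"))
    if not parts:
        raise ValueError("name-string must contain at least one component")
    return realm.decode("ascii"), int.from_bytes(nt, "big"), parts

def extract_krb5_principal_name(general_name_der):
    """Unwrap an otherName GeneralName; None if its type-id is not 1.3.6.1.5.2.2."""
    other, _ = _expect(general_name_der, 0xA0)
    t, oid_body, pos = _read_tlv(other)
    if t != 0x06:
        raise ValueError("otherName type-id must be an OBJECT IDENTIFIER")
    if _tlv(0x06, oid_body) != _oid(KRB5_PRINCIPAL_NAME_OID):
        return None
    value, _ = _expect(other, 0xA0, pos)
    return value

def san_principal_matches(der, requested_principal, default_realm=None):
    """The CA-side check: the SAN principal must equal the requested principal.
    A bare name like 'tuser' is taken to mean tuser@<default_realm>."""
    if "@" not in requested_principal and default_realm:
        requested_principal = "%s@%s" % (requested_principal, default_realm)
    realm, _, parts = parse_krb5_principal_name(der)
    return "/".join(parts) + "@" + realm == requested_principal

if __name__ == "__main__":
    san = encode_krb5_principal_name("IPA.TEST", ["tuser"])   # same SAN as the cnf above
    print(san.hex())
    print(san_principal_matches(san, "tuser", default_realm="IPA.TEST"))
```

The comparison is deliberately exact: a SAN for admin@IPA.TEST in a request made for tuser, or a service name split across name-string components that does not join back to the requested principal, is refused rather than normalised. Structural errors (wrong tag, trailing bytes, empty name-string) raise instead of returning False so a rejected request can be told apart from a malformed one.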

Comment 4 Abhijeet Kasurde 2016-11-15 04:04:38 UTC
Hi Martin,

Certprofile operations are working in my environment. The only difference was in the cert profile configuration file.

I am sorry that I searched for a related boolean value in the code and did not look at the code behind it. I will debug the code before putting in a BZ.

Closing issue with status NOT-A-BUG.

Thanks.

