From: David Mulder
Date: Fri, 8 Apr 2022 19:42:55 +0000 (-0600)
Subject: gpo: Correct CA Initilization to obey [MS-CAESO]
X-Git-Tag: talloc-2.3.4~273
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a49a5702ebbedf2d3d5dac973328e9fac1d4ad8c;p=thirdparty%2Fsamba.git

gpo: Correct CA Initilization to obey [MS-CAESO]

fetch_certification_authorities() did not correctly obey the [MS-CAESO] spec.

Signed-off-by: David Mulder
Reviewed-by: Jeremy Allison
---

diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py
index e5c2f2e4394..b05c161fe3a 100644
--- a/python/samba/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp_cert_auto_enroll_ext.py
@@ -35,27 +35,29 @@ cert_wrap = b"""
 -----END CERTIFICATE-----"""
 global_trust_dir = '/etc/pki/trust/anchors'
 
+'''
+Initializing CAs
+[MS-CAESO] 4.4.5.3.1.2
+'''
 def fetch_certification_authorities(ldb):
     result = []
     basedn = ldb.get_default_basedn()
-    dn = 'CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,%s' % basedn
-    expr = '(objectClass=certificationAuthority)'
-    res = ldb.search(dn, SCOPE_SUBTREE, expr, ['cn'])
+    # Autoenrollment MUST do an LDAP search for the CA information
+    # (pKIEnrollmentService) objects under the following container:
+    dn = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,%s' % basedn
+    attrs = ['cACertificate', 'cn', 'certificateTemplates', 'dNSHostName',
+             'msPKI-Enrollment-Servers']
+    expr = '(objectClass=pKIEnrollmentService)'
+    res = ldb.search(dn, SCOPE_SUBTREE, expr, attrs)
     if len(res) == 0:
         return result
-    dn = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,%s' % basedn
-    attrs = ['cACertificate', 'cn', 'certificateTemplates', 'dNSHostName']
-    for ca in res:
-        expr = '(cn=%s)' % ca['cn']
-        res2 = ldb.search(dn, SCOPE_SUBTREE, expr, attrs)
-        if len(res) != 1:
-            continue
+    for es in res:
         templates = {}
-        for template in res2[0]['certificateTemplates']:
+        for template in es['certificateTemplates']:
             templates[template] = fetch_template_attrs(ldb, template)
-        res = dict(res2[0])
-        res['certificateTemplates'] = templates
-        result.append(res)
+        data = dict(es)
+        data['certificateTemplates'] = templates
+        result.append(data)
     return result
 
 def fetch_template_attrs(ldb, name, attrs=['msPKI-Minimal-Key-Size']):
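Review bot: `for template in es['certificateTemplates']:` raises KeyError for a pKIEnrollmentService object that carries no certificateTemplates attribute (an enrollment service that publishes no templates), and that one missing attribute aborts the fetch for every CA, so no trust anchors get processed at all; `for template in es.get('certificateTemplates', []):` keeps such a CA in the result with an empty template dict, assuming the ldb.Message.get() semantics apply to the search entries here. The `'''Initializing CAs ... '''` string added above the def is a bare expression statement at module level rather than a docstring of the function; moving it inside the body as `"""Initialize CAs per [MS-CAESO] 4.4.5.3.1.2."""` makes it visible to help() and doc tooling. The `if len(res) == 0: return result` guard is now redundant, since the loop that follows simply does not run on an empty result and `result` is returned either way.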