From 88b4a54e6b40c6c71882a0f20fd1797c93904d5a Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Wed, 6 Sep 2017 10:54:39 +0200
Subject: [PATCH] Fix ticket hash calculation for indirectly connected clients

refs #5450
---
 lib/remote/jsonrpcconnection-pki.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index 2d5ee5edb..1bd68633f 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@@ -118,11 +118,14 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 boost::shared_ptr newcert;
 boost::shared_ptr pubkey;
 X509_NAME *subject;
+ String cn;
 Dictionary::Ptr message;
 if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
 goto delayed_request;
+ cn = GetCertificateCN(cert);
+
 if (!signedByCA) {
 String salt = listener->GetTicketSalt();
@@ -131,9 +134,12 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 if (salt.IsEmpty() || ticket.IsEmpty())
 goto delayed_request;
- String realTicket = PBKDF2_SHA1(origin->FromClient->GetIdentity(), salt, 50000);
+ String realTicket = PBKDF2_SHA1(cn, salt, 50000);
 if (ticket != realTicket) {
+ Log(LogWarning, "JsonRpcConnection")
+ << "Ticket for identity '" << cn << "' is invalid.";
+
 result->Set("status_code", 1);
 result->Set("error", "Invalid ticket.");
 return result;
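Review bot: The new assignment `cn = GetCertificateCN(cert);` carries no comment on where the name comes from or how far it can be trusted, although after this commit it is the value the ticket is derived from. `cert` is defined outside the hunk; if it is the certificate submitted with the request, I would add `/* cn is read from the submitted certificate, not from the TLS peer identity; it is untrusted until the ticket or CA check below passes */` above the assignment. A short remark on why `String cn;` is declared apart from its assignment (presumably so the `goto delayed_request` jumps do not cross an initialization) would also help the next reader. RequestCertificateHandler begins and ends outside the hunk.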
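Review bot: The added warning in the `if (ticket != realTicket)` branch writes `cn` into the log verbatim at the moment the request has just failed authentication, and it no longer records which connected peer delivered the request. Since the ticket is now derived from the certificate's CN rather than from `origin->FromClient->GetIdentity()`, the two can differ for relayed requests. Logging both makes a failed-ticket event traceable: `<< "Ticket for identity '" << cn << "' is invalid (received from '" << origin->FromClient->GetIdentity() << "').";`. The CN should also be escaped or length-limited before it is logged, if the logger does not already neutralise control characters. Separately, `ticket != realTicket` looks like an ordinary string comparison; a constant-time compare is the usual choice for a secret like this.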