From 26c993107d0ef731126437f3407631587119b12b Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Wed, 9 Feb 2022 10:09:19 -0500
Subject: [PATCH] Allow all other_sans in sign-intermediate and sign-verbatim (#13958)

* Allow all other_sans in sign-intermediate and sign-verbatim

/sign-verbatim and /sign-intermediate are more dangerous endpoints in that they (usually) do not have an associated role. In this case, a permissive role is constructed during execution of these tests. However, the AllowedOtherSANs field was missing from this, prohibiting its use when issuing certificates.

Resolves: #13157

Signed-off-by: Alexander Scheel

* Add changelog

Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/backend_test.go | 2 ++
 builtin/logical/pki/path_issue_sign.go | 3 ++-
 builtin/logical/pki/path_root.go | 3 ++-
 changelog/13958.txt | 3 +++
 4 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 changelog/13958.txt

diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 4be56d9cf..2f02ee82b 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -2308,6 +2308,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
 _, err = client.Logical().Write("root/sign-verbatim/test", map[string]interface{}{
 "common_name": "myint.com",
+ "other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
 "csr": csr,
 "ttl": "60h",
 })
@@ -2317,6 +2318,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
 resp, err = client.Logical().Write("root/root/sign-intermediate", map[string]interface{}{
 "common_name": "myint.com",
+ "other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
 "csr": csr,
 "ttl": "60h",
 })
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index cffba8f3c..459052414 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
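Review bot: The added `other_sans` request parameter only proves that `root/sign-verbatim/test` accepts the call; neither this hunk nor the second one at `root/root/sign-intermediate` asserts that the UPN OtherName actually ends up in the issued certificate, so a regression that silently dropped the SAN would still pass. Parsing the certificate from the write response and checking for the OtherName extension would pin the behaviour this commit enables — note that the first call discards the response (`_, err = ...`), so it would need to capture `resp` as the second call already does. If such an assertion already exists further down in `TestBackend_SignIntermediate_AllowedPastCA`, which continues outside both hunks, this can be disregarded.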
@@ -131,8 +131,9 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
 KeyType: "any",
 UseCSRCommonName: true,
 UseCSRSANs: true,
- AllowedURISANs: []string{"*"},
+ AllowedOtherSANs: []string{"*"},
 AllowedSerialNumbers: []string{"*"},
+ AllowedURISANs: []string{"*"},
 GenerateLease: new(bool),
 KeyUsage: data.Get("key_usage").([]string),
 ExtKeyUsage: data.Get("ext_key_usage").([]string),
diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
index 88ae46d01..da9cfc042 100644
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@@ -283,8 +283,9 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
 AllowIPSANs: true,
 EnforceHostnames: false,
 KeyType: "any",
- AllowedURISANs: []string{"*"},
+ AllowedOtherSANs: []string{"*"},
 AllowedSerialNumbers: []string{"*"},
+ AllowedURISANs: []string{"*"},
 AllowExpirationPastCA: true,
 NotAfter: data.Get("not_after").(string),
 }
diff --git a/changelog/13958.txt b/changelog/13958.txt
new file mode 100644
index 000000000..3b70069f5
--- /dev/null
+++ b/changelog/13958.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Allow other_sans in sign-intermediate and sign-verbatim
+```
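Review bot: The new `AllowedOtherSANs: []string{"*"}` entry in the pseudo-role built inside pathSignVerbatim carries no comment saying why a wildcard is acceptable, and the commit message itself calls these endpoints "more dangerous"; a one-liner such as `// No role is bound to this endpoint, so every SAN class (including OtherName) is allowed; restrict who may reach this path via policy.` above the literal would mark the permissiveness as deliberate rather than an oversight. The same hand-maintained field list appears in pathCASignIntermediate (the path_root.go hunk), and the bug this commit fixes — one `Allowed*` field missing from both copies — is exactly what that duplication invites. Hoisting the shared wildcard fields into one helper that both handlers call, with the per-endpoint differences (UseCSRCommonName/UseCSRSANs/GenerateLease/KeyUsage here, AllowExpirationPastCA/NotAfter there) assigned afterwards, would stop the two lists drifting apart again. Both composite literals, and their enclosing functions, begin before the hunks shown.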