Allow all other_sans in sign-intermediate and sign-verbatim (#13958)

* Allow all other_sans in sign-intermediate and sign-verbatim

/sign-verbatim and /sign-intermediate are more dangerous endpoints in
that they (usually) do not have an associated role. In this case, a
permissive role is constructed during execution of these endpoints. However,
the AllowedOtherSANs field was missing from it, prohibiting its use
when issuing certificates.

Resolves: #13157

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2022-02-09 10:09:19 -05:00 committed by GitHub
parent 89b8c84928
commit 26c993107d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 9 additions and 2 deletions


@ -2308,6 +2308,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
_, err = client.Logical().Write("root/sign-verbatim/test", map[string]interface{}{ _, err = client.Logical().Write("root/sign-verbatim/test", map[string]interface{}{
"common_name": "myint.com", "common_name": "myint.com",
"other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
"csr": csr, "csr": csr,
"ttl": "60h", "ttl": "60h",
}) })
@ -2317,6 +2318,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
resp, err = client.Logical().Write("root/root/sign-intermediate", map[string]interface{}{ resp, err = client.Logical().Write("root/root/sign-intermediate", map[string]interface{}{
"common_name": "myint.com", "common_name": "myint.com",
"other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
"csr": csr, "csr": csr,
"ttl": "60h", "ttl": "60h",
}) })
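Review bot: Both hunks only send `other_sans` with the request; nothing visible asserts that the certificate returned by root/sign-verbatim/test or root/root/sign-intermediate actually carries the 1.3.6.1.4.1.311.20.2.3 otherName, so a regression that silently drops the SAN would still pass. The first hunk even discards the response (`_, err = client.Logical().Write(...)`), so the sign-verbatim result cannot be inspected at all; capture it as `resp, err = ...` and, for both calls, parse the issued certificate from the response and check its SubjectAltName extension contains that OID with the utf8 value `caadmin@example.com`. The rest of TestBackend_SignIntermediate_AllowedPastCA, including any assertions that may already follow each call, lies outside the hunk.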


@ -131,8 +131,9 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
KeyType: "any", KeyType: "any",
UseCSRCommonName: true, UseCSRCommonName: true,
UseCSRSANs: true, UseCSRSANs: true,
AllowedURISANs: []string{"*"}, AllowedOtherSANs: []string{"*"},
AllowedSerialNumbers: []string{"*"}, AllowedSerialNumbers: []string{"*"},
AllowedURISANs: []string{"*"},
GenerateLease: new(bool), GenerateLease: new(bool),
KeyUsage: data.Get("key_usage").([]string), KeyUsage: data.Get("key_usage").([]string),
ExtKeyUsage: data.Get("ext_key_usage").([]string), ExtKeyUsage: data.Get("ext_key_usage").([]string),
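Review bot: The synthetic role in pathSignVerbatim now wildcards OtherName SANs alongside URI SANs and serial numbers, but the struct literal carries no comment explaining why every Allowed* field is "*", and the matching literal in pathCASignIntermediate (the -283,8 +283,9 hunk) has the same gap. Per the commit description these endpoints usually have no operator-defined role, so with this change the only control over which otherName OIDs and values end up in an issued certificate appears to be the policy on the path itself; that is worth stating next to the literal, e.g. `// No operator role applies on this path: this synthetic role is deliberately permissive (wildcard OtherName/URI/serial SANs); access must be gated by policy on the endpoint.` The enclosing function and the start of the role literal are outside the hunk.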


@ -283,8 +283,9 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
AllowIPSANs: true, AllowIPSANs: true,
EnforceHostnames: false, EnforceHostnames: false,
KeyType: "any", KeyType: "any",
AllowedURISANs: []string{"*"}, AllowedOtherSANs: []string{"*"},
AllowedSerialNumbers: []string{"*"}, AllowedSerialNumbers: []string{"*"},
AllowedURISANs: []string{"*"},
AllowExpirationPastCA: true, AllowExpirationPastCA: true,
NotAfter: data.Get("not_after").(string), NotAfter: data.Get("not_after").(string),
} }

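--- /dev/null
+++ b/changelog/13958.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Allow other_sans in sign-intermediate and sign-verbatim
+```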