Warn on empty Subject field for issuers (#15494)

* Warn on empty Subject field for issuers When generating a root or signing an intermediate certificate, it is possible to have Vault generate a certificate with an empty Subject. These don't validate in most TLS implementations well, so add a warning. Note that non-Common Name fields could be present to make a non-empty subject, so simply requiring a CommonName isn't strictly the best. For example: $ vault write pki/root/generate/exported common_name="" WARNING! The following warnings were returned from Vault: * This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate. .... Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 10:15:37 -04:00 · 2022-05-18 10:15:37 -04:00 · 5ca7065bda
parent 2518cd1d6c
commit 5ca7065bda
2 changed files with 29 additions and 0 deletions
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@ -165,6 +165,19 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 		},
 	}

+	if len(parsedBundle.Certificate.RawSubject) <= 2 {
+		// Strictly a subject is a SEQUENCE of SETs of SEQUENCES.
+		//
+		// The outer SEQUENCE is preserved, having byte value 30 00.
+		//
+		// Because of the tag and the length encoding each taking up
+		// at least one byte, it is impossible to have a non-empty
+		// subject in two or fewer bytes. We're also not here to validate
+		// our certificate's ASN.1 content, so let's just assume it holds
+		// and move on.
+		resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
+	}
+
 	switch format {
 	case "pem":
 		resp.Data["certificate"] = cb.Certificate
@ -342,6 +355,19 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 		resp.AddWarning("The expiration time for the signed certificate is after the CA's expiration time. If the new certificate is not treated as a root, validation paths with the certificate past the issuing CA's expiration time will fail.")
 	}

+	if len(parsedBundle.Certificate.RawSubject) <= 2 {
+		// Strictly a subject is a SEQUENCE of SETs of SEQUENCES.
+		//
+		// The outer SEQUENCE is preserved, having byte value 30 00.
+		//
+		// Because of the tag and the length encoding each taking up
+		// at least one byte, it is impossible to have a non-empty
+		// subject in two or fewer bytes. We're also not here to validate
+		// our certificate's ASN.1 content, so let's just assume it holds
+		// and move on.
+		resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
+	}
+
 	switch format {
 	case "pem":
 		resp.Data["certificate"] = cb.Certificate
--- a/changelog/15494.txt
+++ b/changelog/15494.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Warn on empty Subject field during issuer generation (root/generate and root/sign-intermediate).
+```