backport of commit 072f0dd7c85be8d4e4390cf417900efce5e38d56 (#21656)

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

builtin/logical/pki/acme_billing_test.go

@@ -240,6 +240,10 @@ func doACMEForDomainWithDNS(t *testing.T, dns *dnstest.TestServer, acmeClient *a
 		DNSNames: domains,
 	}
 
+	return doACMEForCSRWithDNS(t, dns, acmeClient, domains, cr)
+}
+
+func doACMEForCSRWithDNS(t *testing.T, dns *dnstest.TestServer, acmeClient *acme.Client, domains []string, cr *x509.CertificateRequest) *x509.Certificate {
 	accountKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err, "failed to generate account key")
 	acmeClient.Key = accountKey

builtin/logical/pki/path_acme_test.go

@@ -995,8 +995,53 @@ func TestIssuerRoleDirectoryAssociations(t *testing.T) {
 		require.Contains(t, leafCert.Subject.OrganizationalUnit, "IT Security", "on directory: %v", directory)
 		requireSignedByAtPath(t, client, leafCert, issuerPath)
 	}
+}
 
-	// 5.
+func TestACMESubjectFieldsAndExtensionsIgnored(t *testing.T) {
+	t.Parallel()
+
+	// This creates two issuers for us (root-ca, int-ca) and two
+	// roles (test-role, acme) that we can use with various directory
+	// configurations.
+	cluster, client, _ := setupAcmeBackend(t)
+	defer cluster.Cleanup()
+
+	// Setup DNS for validations.
+	testCtx := context.Background()
+	dns := dnstest.SetupResolver(t, "dadgarcorp.com")
+	defer dns.Cleanup()
+	_, err := client.Logical().WriteWithContext(testCtx, "pki/config/acme", map[string]interface{}{
+		"dns_resolver": dns.GetLocalAddr(),
+	})
+	require.NoError(t, err, "failed to specify dns resolver")
+
+	// Use the default sign-verbatim policy and ensure OU does not get set.
+	directory := "/v1/pki/acme/"
+	domains := []string{"no-ou.dadgarcorp.com"}
+	acmeClient := getAcmeClientForCluster(t, cluster, directory, nil)
+	cr := &x509.CertificateRequest{
+		Subject:  pkix.Name{CommonName: domains[0], OrganizationalUnit: []string{"DadgarCorp IT"}},
+        DNSNames: domains,
+    }
+	cert := doACMEForCSRWithDNS(t, dns, acmeClient, domains, cr)
+	t.Logf("Got certificate: %v", cert)
+	require.Empty(t, cert.Subject.OrganizationalUnit)
+
+    // Use the default sign-verbatim policy and ensure extension does not get set.
+    domains = []string{"no-ext.dadgarcorp.com"}
+	extension, err := certutil.CreateDeltaCRLIndicatorExt(12345)
+	require.NoError(t, err)
+    cr = &x509.CertificateRequest{
+        Subject:  pkix.Name{CommonName: domains[0]},
+        DNSNames: domains,
+		ExtraExtensions: []pkix.Extension{extension},
+    }
+    cert = doACMEForCSRWithDNS(t, dns, acmeClient, domains, cr)
+    t.Logf("Got certificate: %v", cert)
+	for _, ext := range cert.Extensions {
+		require.False(t, ext.Id.Equal(certutil.DeltaCRLIndicatorOID))
+	}
+	require.NotEmpty(t, cert.Extensions)
 }
 
 // TestAcmeWithCsrIncludingBasicConstraintExtension verify that we error out for a CSR that is requesting a
@@ -1242,7 +1287,7 @@ func setupAcmeBackendOnClusterAtPath(t *testing.T, cluster *vault.TestCluster, c
 			"issuer_name": "root-ca",
 			"key_name":    "root-key",
 			"key_type":    "ec",
-			"common_name": "root.com",
+			"common_name": "Test Root R1 " + mount,
 			"ttl":         "7200h",
 			"max_ttl":     "920000h",
 		})
@@ -1252,7 +1297,7 @@ func setupAcmeBackendOnClusterAtPath(t *testing.T, cluster *vault.TestCluster, c
 		map[string]interface{}{
 			"key_name":    "int-key",
 			"key_type":    "ec",
-			"common_name": "test.com",
+			"common_name": "Test Int X1 " + mount,
 		})
 	require.NoError(t, err, "failed creating intermediary CSR")
 	intermediateCSR := resp.Data["csr"].(string)