Correctly distinguish empty issuer names in PKI (#18466)

* Correctly distinguish empty issuer names

When using client.Logical().JSONMergePatch(...) with an empty issuer
name, patch incorrectly reports:

> issuer name contained invalid characters

In this case, both the error in getIssuerName(...) is incorrect and
patch should allow setting an empty issuer name explicitly.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2023-01-10 10:04:30 -05:00 committed by GitHub
parent 38de21468e
commit a18187c643
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 6 deletions

View File

@ -5082,6 +5082,16 @@ func TestPerIssuerAIA(t *testing.T) {
require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://example.com/ca", "https://backup.example.com/ca"}) require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://example.com/ca", "https://backup.example.com/ca"})
require.Equal(t, leafCert.OCSPServer, []string{"https://example.com/ocsp", "https://backup.example.com/ocsp"}) require.Equal(t, leafCert.OCSPServer, []string{"https://example.com/ocsp", "https://backup.example.com/ocsp"})
require.Equal(t, leafCert.CRLDistributionPoints, []string{"https://example.com/crl", "https://backup.example.com/crl"}) require.Equal(t, leafCert.CRLDistributionPoints, []string{"https://example.com/crl", "https://backup.example.com/crl"})
// Validate that we can set an issuer name and remove it.
_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
"issuer_name": "my-issuer",
})
require.NoError(t, err)
_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
"issuer_name": "",
})
require.NoError(t, err)
} }
func TestIssuersWithoutCRLBits(t *testing.T) { func TestIssuersWithoutCRLBits(t *testing.T) {

View File

@ -550,7 +550,7 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
var newName string var newName string
if ok { if ok {
newName, err = getIssuerName(sc, data) newName, err = getIssuerName(sc, data)
if err != nil && err != errIssuerNameInUse { if err != nil && err != errIssuerNameInUse && err != errIssuerNameIsEmpty {
// If the error is name already in use, and the new name is the // If the error is name already in use, and the new name is the
// old name for this issuer, we're not actually updating the // old name for this issuer, we're not actually updating the
// issuer name (or causing a conflict) -- so don't err out. Other // issuer name (or causing a conflict) -- so don't err out. Other

View File

@ -28,9 +28,10 @@ const (
) )
var ( var (
nameMatcher = regexp.MustCompile("^" + framework.GenericNameRegex(issuerRefParam) + "$") nameMatcher = regexp.MustCompile("^" + framework.GenericNameRegex(issuerRefParam) + "$")
errIssuerNameInUse = errutil.UserError{Err: "issuer name already in use"} errIssuerNameInUse = errutil.UserError{Err: "issuer name already in use"}
errKeyNameInUse = errutil.UserError{Err: "key name already in use"} errIssuerNameIsEmpty = errutil.UserError{Err: "expected non-empty issuer name"}
errKeyNameInUse = errutil.UserError{Err: "key name already in use"}
) )
func serialFromCert(cert *x509.Certificate) string { func serialFromCert(cert *x509.Certificate) string {
@ -159,11 +160,12 @@ func getIssuerName(sc *storageContext, data *framework.FieldData) (string, error
issuerNameIface, ok := data.GetOk("issuer_name") issuerNameIface, ok := data.GetOk("issuer_name")
if ok { if ok {
issuerName = strings.TrimSpace(issuerNameIface.(string)) issuerName = strings.TrimSpace(issuerNameIface.(string))
if len(issuerName) == 0 {
return issuerName, errIssuerNameIsEmpty
}
if strings.ToLower(issuerName) == defaultRef { if strings.ToLower(issuerName) == defaultRef {
return issuerName, errutil.UserError{Err: "reserved keyword 'default' can not be used as issuer name"} return issuerName, errutil.UserError{Err: "reserved keyword 'default' can not be used as issuer name"}
} }
if !nameMatcher.MatchString(issuerName) { if !nameMatcher.MatchString(issuerName) {
return issuerName, errutil.UserError{Err: "issuer name contained invalid characters"} return issuerName, errutil.UserError{Err: "issuer name contained invalid characters"}
} }

3
changelog/18466.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
secrets/pki: Allow patching issuer to set an empty issuer name.
```