luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Properly validate int ca lifetime error, add warning on leaf cert with basic constraints (#20654) 

* Ensure proper error message from CA validity period

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning to issuance of leaf cert with basic constraints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2023-05-19 15:52:16 -04:00 committed by GitHub
parent 8928b30224
commit e552c06173
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
builtin/logical/pki/backend_test.go
View File

@ -2532,7 +2532,7 @@ func TestBackend_Root_Idempotency(t *testing.T) {
}
}
func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
func TestBackend_SignIntermediate_AllowedPastCAValidity(t *testing.T) {
t.Parallel()
b_root, s_root := CreateBackendWithStorage(t)
b_int, s_int := CreateBackendWithStorage(t)
@ -2550,6 +2550,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
_, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{
"allow_bare_domains": true,
"allow_subdomains": true,
"allow_any_name": true,
})
if err != nil {
t.Fatal(err)
@ -2577,9 +2578,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
"csr": csr,
"ttl": "60h",
})
if err == nil {
t.Fatal("expected error")
}
require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
_, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{
"common_name": "myint.com",
@ -2587,9 +2586,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
"csr": csr,
"ttl": "60h",
})
if err == nil {
t.Fatal("expected error")
}
require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
"common_name": "myint.com",

6
builtin/logical/pki/cert_util.go
View File

@ -1002,6 +1002,12 @@ func signCert(b *backend,
if isCA {
creation.Params.PermittedDNSDomains = data.apiData.Get("permitted_dns_domains").([]string)
} else {
for _, ext := range csr.Extensions {
if ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) {
warnings = append(warnings, "specified CSR contained a Basic Constraints extension that was ignored during issuance")
}
}
}
parsedBundle, err := certutil.SignCertificate(creation)

3
changelog/20654.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:change
secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited.
```