From e552c06173dc6649eeae4b23e018b504cba322fb Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Fri, 19 May 2023 15:52:16 -0400 Subject: [PATCH] Properly validate int ca lifetime error, add warning on leaf cert with basic constraints (#20654) * Ensure proper error message from CA validity period Signed-off-by: Alexander Scheel * Add warning to issuance of leaf cert with basic constraints Signed-off-by: Alexander Scheel * Add changelog entry Signed-off-by: Alexander Scheel --------- Signed-off-by: Alexander Scheel --- builtin/logical/pki/backend_test.go | 11 ++++------- builtin/logical/pki/cert_util.go | 6 ++++++ changelog/20654.txt | 3 +++ 3 files changed, 13 insertions(+), 7 deletions(-) create mode 100644 changelog/20654.txt diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index ec65ab237..a4a214279 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -2532,7 +2532,7 @@ func TestBackend_Root_Idempotency(t *testing.T) { } } -func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) { +func TestBackend_SignIntermediate_AllowedPastCAValidity(t *testing.T) { t.Parallel() b_root, s_root := CreateBackendWithStorage(t) b_int, s_int := CreateBackendWithStorage(t) @@ -2550,6 +2550,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) { _, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{ "allow_bare_domains": true, "allow_subdomains": true, + "allow_any_name": true, }) if err != nil { t.Fatal(err) @@ -2577,9 +2578,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) { "csr": csr, "ttl": "60h", }) - if err == nil { - t.Fatal("expected error") - } + require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate") _, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{ "common_name": "myint.com", 
@@ -2587,9 +2586,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) { "csr": csr, "ttl": "60h", }) - if err == nil { - t.Fatal("expected error") - } + require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate") resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{ "common_name": "myint.com", diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index 0d5c6d421..990fdea4e 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -1002,6 +1002,12 @@ func signCert(b *backend, if isCA { creation.Params.PermittedDNSDomains = data.apiData.Get("permitted_dns_domains").([]string) + } else { + for _, ext := range csr.Extensions { + if ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) { + warnings = append(warnings, "specified CSR contained a Basic Constraints extension that was ignored during issuance") + } + } } parsedBundle, err := certutil.SignCertificate(creation) diff --git a/changelog/20654.txt b/changelog/20654.txt new file mode 100644 index 000000000..91e567477 --- /dev/null +++ b/changelog/20654.txt @@ -0,0 +1,3 @@ +```release-note:change +secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. +```
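Review bot: The new `else` branch in `signCert` warns on the mere presence of a Basic Constraints extension in the CSR without decoding it, so a request carrying CA:FALSE (which many tools emit for end-entity CSRs and which is harmless) gets the same warning as one asserting CA:TRUE, the case the changelog says will become a hard error. Decoding the extension value (RFC 5280 §4.2.1.9, `SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }`) lets the warning name the actually dangerous case, gives operators a clear signal to fix their CSR tooling before the deprecation lands, and also surfaces a malformed extension rather than silently treating it as benign. Note that "was ignored during issuance" assumes `certutil.SignCertificate` does not copy CSR extensions into the issued leaf, which is not visible in this hunk and should be confirmed for both `sign/` and `sign-verbatim/`; this sketch needs `encoding/asn1` in the file's import block if it is not already there. The enclosing `signCert` begins and ends outside the hunk.

```go
	if isCA {
		creation.Params.PermittedDNSDomains = data.apiData.Get("permitted_dns_domains").([]string)
	} else {
		for _, ext := range csr.Extensions {
			if !ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) {
				continue
			}
			// RFC 5280 §4.2.1.9 BasicConstraints; the issued leaf never carries
			// the CSR's copy, but a CA:TRUE assertion is the case that will be
			// rejected outright in a future release, so call it out explicitly.
			var bc struct {
				IsCA       bool `asn1:"optional"`
				MaxPathLen int  `asn1:"optional,default:-1"`
			}
			rest, err := asn1.Unmarshal(ext.Value, &bc)
			switch {
			case err != nil || len(rest) != 0:
				warnings = append(warnings, "specified CSR contained a malformed Basic Constraints extension that was ignored during issuance")
			case bc.IsCA:
				warnings = append(warnings, "specified CSR asserted CA:TRUE in its Basic Constraints extension; this was ignored during issuance and will be rejected in a future release")
			default:
				warnings = append(warnings, "specified CSR contained a Basic Constraints extension that was ignored during issuance")
			}
		}
	}
	// … unchanged: SignCertificate call and the rest of signCert …
```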