Properly validate int ca lifetime error, add warning on leaf cert with basic constraints (#20654)

* Ensure proper error message from CA validity period

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning to issuance of leaf cert with basic constraints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2023-05-19 15:52:16 -04:00 committed by GitHub
parent 8928b30224
commit e552c06173
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 7 deletions


@ -2532,7 +2532,7 @@ func TestBackend_Root_Idempotency(t *testing.T) {
} }
} }
func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) { func TestBackend_SignIntermediate_AllowedPastCAValidity(t *testing.T) {
t.Parallel() t.Parallel()
b_root, s_root := CreateBackendWithStorage(t) b_root, s_root := CreateBackendWithStorage(t)
b_int, s_int := CreateBackendWithStorage(t) b_int, s_int := CreateBackendWithStorage(t)
@ -2550,6 +2550,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
_, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{ _, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{
"allow_bare_domains": true, "allow_bare_domains": true,
"allow_subdomains": true, "allow_subdomains": true,
"allow_any_name": true,
}) })
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -2577,9 +2578,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
"csr": csr, "csr": csr,
"ttl": "60h", "ttl": "60h",
}) })
if err == nil { require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
t.Fatal("expected error")
}
_, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{ _, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{
"common_name": "myint.com", "common_name": "myint.com",
@ -2587,9 +2586,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
"csr": csr, "csr": csr,
"ttl": "60h", "ttl": "60h",
}) })
if err == nil { require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
t.Fatal("expected error")
}
resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{ resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
"common_name": "myint.com", "common_name": "myint.com",


@ -1002,6 +1002,12 @@ func signCert(b *backend,
if isCA { if isCA {
creation.Params.PermittedDNSDomains = data.apiData.Get("permitted_dns_domains").([]string) creation.Params.PermittedDNSDomains = data.apiData.Get("permitted_dns_domains").([]string)
} else {
for _, ext := range csr.Extensions {
if ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) {
warnings = append(warnings, "specified CSR contained a Basic Constraints extension that was ignored during issuance")
}
}
} }
parsedBundle, err := certutil.SignCertificate(creation) parsedBundle, err := certutil.SignCertificate(creation)
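Review bot: The new non-CA branch warns on any Basic Constraints extension found in the CSR, including the cA=FALSE form that many CSR generators emit by default for leaf requests, while the changelog scopes the future prohibition to CSRs that assert IsCA; warning on cA=FALSE will train operators to ignore the warning before it becomes an error. Decoding the extension value with encoding/asn1 (which would need importing if the file does not already have it) and warning only when the cA bit is set, or when the value fails to decode, would match the stated intent, and breaking after the first match avoids emitting the warning twice should a CSR carry the extension more than once. The message also asserts the extension is "ignored during issuance"; certutil.SignCertificate is not visible here, so that claim should be checked against what it copies from the CSR. signCert begins before this hunk and continues past it.
```go
} else {
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) {
			continue
		}
		// Only an asserted cA=TRUE (or an undecodable value) is worth flagging;
		// cA=FALSE is exactly what a leaf request is expected to carry.
		var bc struct {
			IsCA       bool `asn1:"optional"`
			MaxPathLen int  `asn1:"optional,default:-1"`
		}
		if _, err := asn1.Unmarshal(ext.Value, &bc); err != nil || bc.IsCA {
			warnings = append(warnings, "specified CSR contained a Basic Constraints extension asserting cA=TRUE that was ignored during issuance")
		}
		break
	}
}
```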

3
changelog/20654.txt Normal file

@ -0,0 +1,3 @@
```release-note:change
secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited.
```