Properly validate int ca lifetime error, add warning on leaf cert with basic constraints (#20654)
* Ensure proper error message from CA validity period Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add warning to issuance of leaf cert with basic constraints Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
parent
8928b30224
commit
e552c06173
|
@ -2532,7 +2532,7 @@ func TestBackend_Root_Idempotency(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
|
func TestBackend_SignIntermediate_AllowedPastCAValidity(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
b_root, s_root := CreateBackendWithStorage(t)
|
b_root, s_root := CreateBackendWithStorage(t)
|
||||||
b_int, s_int := CreateBackendWithStorage(t)
|
b_int, s_int := CreateBackendWithStorage(t)
|
||||||
|
@ -2550,6 +2550,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
|
||||||
_, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{
|
_, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{
|
||||||
"allow_bare_domains": true,
|
"allow_bare_domains": true,
|
||||||
"allow_subdomains": true,
|
"allow_subdomains": true,
|
||||||
|
"allow_any_name": true,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
|
@ -2577,9 +2578,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
|
||||||
"csr": csr,
|
"csr": csr,
|
||||||
"ttl": "60h",
|
"ttl": "60h",
|
||||||
})
|
})
|
||||||
if err == nil {
|
require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
|
||||||
t.Fatal("expected error")
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{
|
_, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{
|
||||||
"common_name": "myint.com",
|
"common_name": "myint.com",
|
||||||
|
@ -2587,9 +2586,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
|
||||||
"csr": csr,
|
"csr": csr,
|
||||||
"ttl": "60h",
|
"ttl": "60h",
|
||||||
})
|
})
|
||||||
if err == nil {
|
require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate")
|
||||||
t.Fatal("expected error")
|
|
||||||
}
|
|
||||||
|
|
||||||
resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
|
resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
|
||||||
"common_name": "myint.com",
|
"common_name": "myint.com",
|
||||||
|
|
|
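Review bot: The added `"allow_any_name": true` on the roles/test write appears to be what lets "myint.com" get past the role's name checks so that the CA-validity error is the one actually returned, but nothing in the test says so and a later cleanup could drop it and silently change what the test proves; a one-line comment would pin it, e.g. `// allow_any_name: let name validation pass so the CA validity check is what rejects the request`. The two new `require.ErrorContains` assertions bind the test to the exact wording of the error, which is acceptable here, but both will break together if that message is ever reworded, so asserting on the smallest stable fragment is worth considering. The body of the renamed TestBackend_SignIntermediate_AllowedPastCAValidity continues outside the visible hunks.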
@ -1002,6 +1002,12 @@ func signCert(b *backend,
|
||||||
|
|
||||||
if isCA {
|
if isCA {
|
||||||
creation.Params.PermittedDNSDomains = data.apiData.Get("permitted_dns_domains").([]string)
|
creation.Params.PermittedDNSDomains = data.apiData.Get("permitted_dns_domains").([]string)
|
||||||
|
} else {
|
||||||
|
for _, ext := range csr.Extensions {
|
||||||
|
if ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) {
|
||||||
|
warnings = append(warnings, "specified CSR contained a Basic Constraints extension that was ignored during issuance")
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
parsedBundle, err := certutil.SignCertificate(creation)
|
parsedBundle, err := certutil.SignCertificate(creation)
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:change
|
||||||
|
secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited.
|
||||||
|
```
|