Allow all other_sans in sign-intermediate and sign-verbatim (#13958)

* Allow all other_sans in sign-intermediate and sign-verbatim /sign-verbatim and /sign-intermediate are more dangerous endpoints in that they (usually) do not have an associated role. In this case, a permissive role is constructed during execution of these tests. However, the AllowedOtherSANs field was missing from this, prohibiting its use when issuing certificates. Resolves: #13157 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2025-10-29 17:52:32 +00:00 · 2022-02-09 10:09:19 -05:00
parent 3dc8ef76b6
commit 4f841f6a06
4 changed files with 9 additions and 2 deletions
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -2308,6 +2308,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {

 	_, err = client.Logical().Write("root/sign-verbatim/test", map[string]interface{}{
 		"common_name": "myint.com",
+		"other_sans":  "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
 		"csr":         csr,
 		"ttl":         "60h",
 	})
@@ -2317,6 +2318,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {

 	resp, err = client.Logical().Write("root/root/sign-intermediate", map[string]interface{}{
 		"common_name": "myint.com",
+		"other_sans":  "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
 		"csr":         csr,
 		"ttl":         "60h",
 	})
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -131,8 +131,9 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
 		KeyType:              "any",
 		UseCSRCommonName:     true,
 		UseCSRSANs:           true,
-		AllowedURISANs:       []string{"*"},
+		AllowedOtherSANs:     []string{"*"},
 		AllowedSerialNumbers: []string{"*"},
+		AllowedURISANs:       []string{"*"},
 		GenerateLease:        new(bool),
 		KeyUsage:             data.Get("key_usage").([]string),
 		ExtKeyUsage:          data.Get("ext_key_usage").([]string),
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@@ -283,8 +283,9 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
 		AllowIPSANs:           true,
 		EnforceHostnames:      false,
 		KeyType:               "any",
-		AllowedURISANs:        []string{"*"},
+		AllowedOtherSANs:      []string{"*"},
 		AllowedSerialNumbers:  []string{"*"},
+		AllowedURISANs:        []string{"*"},
 		AllowExpirationPastCA: true,
 		NotAfter:              data.Get("not_after").(string),
 	}
--- a/changelog/13958.txt
+++ b/changelog/13958.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Allow other_sans in sign-intermediate and sign-verbatim
+```