scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Warn on empty Subject field for issuers (#15494)

Browse Source 
* Warn on empty Subject field for issuers

When generating a root or signing an intermediate certificate, it is
possible to have Vault generate a certificate with an empty Subject.
These don't validate in most TLS implementations well, so add a warning.
Note that non-Common Name fields could be present to make a non-empty
subject, so simply requiring a CommonName isn't strictly the best.

For example:

    $ vault write pki/root/generate/exported common_name=""
    WARNING! The following warnings were returned from Vault:
      * This issuer certificate was generated without a Subject; this makes
      it likely that issuing leaf certs with this certificate will cause TLS
      validation libraries to reject this certificate.
    ....

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel
2022-05-18 10:15:37 -04:00
committed by GitHub
parent 065ace5610
commit ad18cc2f34
2 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
builtin/logical/pki/path_root.go
View File

@@ -165,6 +165,19 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
},
}
if len(parsedBundle.Certificate.RawSubject) <= 2 {
// Strictly a subject is a SEQUENCE of SETs of SEQUENCES.
//
// The outer SEQUENCE is preserved, having byte value 30 00.
//
// Because of the tag and the length encoding each taking up
// at least one byte, it is impossible to have a non-empty
// subject in two or fewer bytes. We're also not here to validate
// our certificate's ASN.1 content, so let's just assume it holds
// and move on.
resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
}
switch format {
case "pem":
resp.Data["certificate"] = cb.Certificate
@@ -342,6 +355,19 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
resp.AddWarning("The expiration time for the signed certificate is after the CA's expiration time. If the new certificate is not treated as a root, validation paths with the certificate past the issuing CA's expiration time will fail.")
}
if len(parsedBundle.Certificate.RawSubject) <= 2 {
// Strictly a subject is a SEQUENCE of SETs of SEQUENCES.
//
// The outer SEQUENCE is preserved, having byte value 30 00.
//
// Because of the tag and the length encoding each taking up
// at least one byte, it is impossible to have a non-empty
// subject in two or fewer bytes. We're also not here to validate
// our certificate's ASN.1 content, so let's just assume it holds
// and move on.
resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
}
switch format {
case "pem":
resp.Data["certificate"] = cb.Certificate