scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 19:47:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Warn on empty Subject field for issuers (#15494)

Browse Source 
* Warn on empty Subject field for issuers

When generating a root or signing an intermediate certificate, it is
possible to have Vault generate a certificate with an empty Subject.
These don't validate in most TLS implementations well, so add a warning.
Note that non-Common Name fields could be present to make a non-empty
subject, so simply requiring a CommonName isn't strictly the best.

For example:

    $ vault write pki/root/generate/exported common_name=""
    WARNING! The following warnings were returned from Vault:
      * This issuer certificate was generated without a Subject; this makes
      it likely that issuing leaf certs with this certificate will cause TLS
      validation libraries to reject this certificate.
    ....

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel
2022-05-18 10:15:37 -04:00
committed by GitHub
parent 065ace5610
commit ad18cc2f34
2 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
builtin/logical/pki/path_root.go
View File

@@ -165,6 +165,19 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
}, },
} }
if len(parsedBundle.Certificate.RawSubject) <= 2 {
// Strictly a subject is a SEQUENCE of SETs of SEQUENCES.
//
// The outer SEQUENCE is preserved, having byte value 30 00.
//
// Because of the tag and the length encoding each taking up
// at least one byte, it is impossible to have a non-empty
// subject in two or fewer bytes. We're also not here to validate
// our certificate's ASN.1 content, so let's just assume it holds
// and move on.
resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
}
switch format { switch format {
case "pem": case "pem":
resp.Data["certificate"] = cb.Certificate resp.Data["certificate"] = cb.Certificate
@@ -342,6 +355,19 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
resp.AddWarning("The expiration time for the signed certificate is after the CA's expiration time. If the new certificate is not treated as a root, validation paths with the certificate past the issuing CA's expiration time will fail.") resp.AddWarning("The expiration time for the signed certificate is after the CA's expiration time. If the new certificate is not treated as a root, validation paths with the certificate past the issuing CA's expiration time will fail.")
} }
if len(parsedBundle.Certificate.RawSubject) <= 2 {
// Strictly a subject is a SEQUENCE of SETs of SEQUENCES.
//
// The outer SEQUENCE is preserved, having byte value 30 00.
//
// Because of the tag and the length encoding each taking up
// at least one byte, it is impossible to have a non-empty
// subject in two or fewer bytes. We're also not here to validate
// our certificate's ASN.1 content, so let's just assume it holds
// and move on.
resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
}
switch format { switch format {
case "pem": case "pem":
resp.Data["certificate"] = cb.Certificate resp.Data["certificate"] = cb.Certificate

3
changelog/15494.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: Warn on empty Subject field during issuer generation (root/generate and root/sign-intermediate).
```