-
Notifications
You must be signed in to change notification settings - Fork 4.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix broken interactions between glob_domains and wildcards (#14241)
* Allow issuance of wildcard via glob match From Vault v1.8.0 onwards, we would incorrectly disallow issuance of a wildcard certificate when allow_glob_domain was enabled with a multi-part glob domain in allowed_domains (such as *.*.foo) when attempting to issue a wildcard for a subdomain (such as *.bar.foo). This fixes that by reverting an errant change in the case insensitivity patch. Here, when validating against a very powerful glob construct, we leave the wildcard prefix (*.) from the raw common_name element, to allow multi-part globs to match wildcard entries. It is important to note that "sanitizedName" is an incorrect variable naming here. Wildcard parsing (per RFC 6125 which supercedes RFC 2818) must be in the left-most segment of the domain, but we lack validation to ensure no internal wildcards exist. Additionally per item 3 of section 6.4.3 of RFC 6125, wildcards MAY be internal to a domain segment, in which case sanitizedName again leaves the wildcard in place. Resolves: #13530 Signed-off-by: Alexander Scheel <[email protected]> * Remove duplicate email address check As pointed out by Steven Clark (author of the removed conditional in 70012cd), this is duplicate from the now-reintroduced comparison against name (versus the erroneous sanitizedName at the time of his commit). This is a reversion of the changes to builtin/logical/pki/cert_util.go, but keeping the additional valuable test cases. Co-authored-by: Steven Clark <[email protected]> Signed-off-by: Alexander Scheel <[email protected]> * Add multi-dimensional PKI role issuance tests This commit introduces multi-dimensional testing of PKI secrets engine's role-based certificate issuance with the intent of preventing future regressions. Here, dimensions of testing include: - AllowedDomains to decide which domains are approved for issuance, - AllowBareDomains to decide if raw entries of AllowedDomains are permitted, - AllowGlobDomains to decide if glob patterns in AllowedDomains are parsed, - AllowSubdomains to decide if subdomains of AllowedDomains are permitted, - AllowLocalhost to decide if localhost identifiers are permitted, and - CommonName of the certificate to request. Signed-off-by: Alexander Scheel <[email protected]> * Add changelog entry Signed-off-by: Alexander Scheel <[email protected]> Co-authored-by: Steven Clark <[email protected]> Co-authored-by: Steven Clark <[email protected]>
- Loading branch information
1 parent
56619cf
commit 850981d
Showing
3 changed files
with
275 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:bug | ||
secrets/pki: Fix issuance of wildcard certificates matching glob patterns | ||
``` |