Skip to content

Commit

Permalink
Don't allow duplicate SAN names in PKI-issued certs (#7605)
Browse files Browse the repository at this point in the history
* fix #6571

* fix test TestBackend_OID_SANs because now SANs are alphabetic sorted
  • Loading branch information
mr-tron authored and jefferai committed Oct 28, 2019
1 parent 026ada0 commit a1835a2
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 15 deletions.
30 changes: 17 additions & 13 deletions builtin/logical/pki/backend_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2170,7 +2170,7 @@ func TestBackend_OID_SANs(t *testing.T) {
resp, err = client.Logical().Write("root/issue/test", map[string]interface{}{
"common_name": "foobar.com",
"ip_sans": "1.2.3.4",
"alt_names": "foo.foobar.com,bar.foobar.com",
"alt_names": "foobar.com,foo.foobar.com,bar.foobar.com",
"ttl": "1h",
})
if err != nil {
Expand All @@ -2185,9 +2185,10 @@ func TestBackend_OID_SANs(t *testing.T) {
if cert.IPAddresses[0].String() != "1.2.3.4" {
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
}
if cert.DNSNames[0] != "foobar.com" ||
cert.DNSNames[1] != "bar.foobar.com" ||
cert.DNSNames[2] != "foo.foobar.com" {
if len(cert.DNSNames) != 3 ||
cert.DNSNames[0] != "bar.foobar.com" ||
cert.DNSNames[1] != "foo.foobar.com" ||
cert.DNSNames[2] != "foobar.com" {
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
}

Expand Down Expand Up @@ -2272,9 +2273,10 @@ func TestBackend_OID_SANs(t *testing.T) {
if cert.IPAddresses[0].String() != "1.2.3.4" {
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
}
if cert.DNSNames[0] != "foobar.com" ||
cert.DNSNames[1] != "bar.foobar.com" ||
cert.DNSNames[2] != "foo.foobar.com" {
if len(cert.DNSNames) != 3 ||
cert.DNSNames[0] != "bar.foobar.com" ||
cert.DNSNames[1] != "foo.foobar.com" ||
cert.DNSNames[2] != "foobar.com" {
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
}
t.Logf("certificate 1 to check:\n%s", certStr)
Expand All @@ -2299,9 +2301,10 @@ func TestBackend_OID_SANs(t *testing.T) {
if cert.IPAddresses[0].String() != "1.2.3.4" {
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
}
if cert.DNSNames[0] != "foobar.com" ||
cert.DNSNames[1] != "bar.foobar.com" ||
cert.DNSNames[2] != "foo.foobar.com" {
if len(cert.DNSNames) != 3 ||
cert.DNSNames[0] != "bar.foobar.com" ||
cert.DNSNames[1] != "foo.foobar.com" ||
cert.DNSNames[2] != "foobar.com" {
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
}
t.Logf("certificate 2 to check:\n%s", certStr)
Expand All @@ -2326,9 +2329,10 @@ func TestBackend_OID_SANs(t *testing.T) {
if cert.IPAddresses[0].String() != "1.2.3.4" {
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
}
if cert.DNSNames[0] != "foobar.com" ||
cert.DNSNames[1] != "bar.foobar.com" ||
cert.DNSNames[2] != "foo.foobar.com" {
if len(cert.DNSNames) != 3 ||
cert.DNSNames[0] != "bar.foobar.com" ||
cert.DNSNames[1] != "foo.foobar.com" ||
cert.DNSNames[2] != "foobar.com" {
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
}
t.Logf("certificate 3 to check:\n%s", certStr)
Expand Down
4 changes: 2 additions & 2 deletions builtin/logical/pki/cert_util.go
Original file line number Diff line number Diff line change
Expand Up @@ -906,8 +906,8 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
creation := &certutil.CreationBundle{
Params: &certutil.CreationParameters{
Subject: subject,
DNSNames: dnsNames,
EmailAddresses: emailAddresses,
DNSNames: strutil.RemoveDuplicates(dnsNames, false),
EmailAddresses: strutil.RemoveDuplicates(emailAddresses, false),
IPAddresses: ipAddresses,
URIs: URIs,
OtherSANs: otherSANs,
Expand Down

0 comments on commit a1835a2

Please sign in to comment.