pki: allowed_domains are compared case sensitive if they use glob patterns #20562
Comments
Hmm, I'm thinking we'll have to do a |
I don't see any reference to Punycode, or RFC3492 in RFC5280? It doesn't look as easy to solve to me as "strings.ToLower()". There is an incredibly intricate standard here for matching non-glob things: https://www.rfc-editor.org/rfc/rfc5280#section-7.1 which refers to : https://www.rfc-editor.org/rfc/rfc4518#section-2.2 which refers to: https://www.rfc-editor.org/rfc/rfc3454 As far as the RFCs go, I found very little on matching globs/wildcards, or more, I found ( https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.6 ), which effectively gives up:
So, the options I'm seeing are:
|
@kitography In this context, glob is a Vault-specific mechanism that simply says "match anything"; this isn't on the time-of-use cert validation, but time-of-issuance-against-a-policy validation mechanism. (i.e., this isn't a wildcard in the certificate's The reference in RFC 5280 is under section 7.2:
&c. They seem to use IDNs here, rather than punycode. Here, since certs are assumed to be in IDN form for CNs/DNs/... when referring to web addresses, using While I agree nominally that domain names aren't case sensitive, I'm not sure if this is generalizable. E.g., RFC 5280 Section 8 includes:
Notably, RFC 4519 Section 2.3 (from which, I believe RFC 5280 inherits its subject binding typing) has this definition about CN:
Which means it then falls on RFC section 2.18 as that is the superclass (
Which probably means we're probably OK to use My 2c.? Edited to add: #14238 was the PR that added the stricter validation of wildcards that you were mentioning :-) |
Thanks for the valuable insights. My point is that Vault already case-folds domains without a glob pattern before comparison, so I don't see why it shouldn't do the same for the static part of domains with glob patterns. |
Yes, I think that's a valid observation, hence the Do you want to open a PR using Thinking about this more, and looking at the code for At any rate, I'd take the easy PR now and hopefully that will improve things for the majority of users :-) |
Hello! @cipherboy may I pick this bug? |
@KushnerykPavel please feel free! |
PR: #22126 |
Just for future me and others: this was merged and should be fine when However, when using certs for client auth with general names, this could still not work as e.g., we'd compare:
we've not made it any worse, and this wouldn't have worked before, but the shortcomings are still there. |
Steps to Reproduce:
I would expect that the last command is successful as well, so that their behaviour is consistent. The domain names in the certificate are not case sensitive.
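To make the reported inconsistency concrete, here is an added Go example (not Vault's code, and not the patch from #22126). It assumes a hypothetical `rolePolicy` holding a role's `allowed_domains` list with glob entries enabled, and uses a small hand-written `*` matcher as a stand-in for the glob library Vault uses. `allowedCaseSensitive` reproduces the behaviour the issue describes: plain entries are compared case-insensitively, glob entries are not. `allowedCaseFolded` lowercases both the pattern and the requested name before matching, so the outcome no longer depends on case. Note that `strings.ToLower` is a plain Unicode lowercase; it is adequate for ASCII/punycode hostnames but is not the RFC 4518 string preparation the discussion above mentions for DN attributes.

```go
package main

import (
	"fmt"
	"strings"
)

// matchGlob reports whether name matches pattern, where each '*' matches
// any run of characters (including none). It is a small stand-in for the
// glob matching Vault's PKI role uses; example code, not Vault's own.
func matchGlob(pattern, name string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == name // no '*': exact comparison
	}
	// The first segment must be a prefix, the last a suffix, and the
	// middle segments must appear in order in what is left.
	if !strings.HasPrefix(name, parts[0]) {
		return false
	}
	rest := name[len(parts[0]):]
	last := parts[len(parts)-1]
	if !strings.HasSuffix(rest, last) {
		return false
	}
	rest = rest[:len(rest)-len(last)]
	for _, mid := range parts[1 : len(parts)-1] {
		idx := strings.Index(rest, mid)
		if idx < 0 {
			return false
		}
		rest = rest[idx+len(mid):]
	}
	return true
}

// rolePolicy is a hypothetical, minimal view of a PKI role: just its
// allowed_domains list, with glob entries permitted.
type rolePolicy struct {
	allowedDomains []string
}

// allowedCaseSensitive mirrors the behaviour the issue reports:
// non-glob entries are compared case-insensitively, but glob entries
// are matched exactly as written, so "HOST.Example.COM" fails against
// "*.example.com".
func (p rolePolicy) allowedCaseSensitive(name string) bool {
	for _, d := range p.allowedDomains {
		if strings.Contains(d, "*") {
			if matchGlob(d, name) {
				return true
			}
		} else if strings.EqualFold(d, name) {
			return true
		}
	}
	return false
}

// allowedCaseFolded is the expected behaviour: both the pattern (its
// static part) and the requested name are lowercased before matching,
// so plain and glob entries are treated consistently.
func (p rolePolicy) allowedCaseFolded(name string) bool {
	lname := strings.ToLower(name)
	for _, d := range p.allowedDomains {
		ld := strings.ToLower(d)
		if strings.Contains(ld, "*") {
			if matchGlob(ld, lname) {
				return true
			}
		} else if ld == lname {
			return true
		}
	}
	return false
}

func main() {
	// Constructed role and requests; "old" is the reported behaviour,
	// "new" the case-folded one.
	role := rolePolicy{allowedDomains: []string{"*.example.com", "static.example.org"}}
	for _, cn := range []string{"host.example.com", "HOST.Example.COM", "STATIC.example.org", "host.evil.com"} {
		fmt.Printf("%-20s old=%-5v new=%v\n", cn, role.allowedCaseSensitive(cn), role.allowedCaseFolded(cn))
	}
}
```

Running it shows the only row that differs between the two policies is the mixed-case name under the glob entry; unrelated domains and the bare apex `example.com` are rejected by both, so folding case does not widen what the role permits.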