
Fix for duplicate SANs in signed certificates

Open rubendv opened this issue 3 years ago • 1 comment

When UseCSRValues is true (as is the case on the sign-verbatim endpoint), all extensions including Subject Alternative Names are copied from the CSR to the final certificate.

If the Subject Alternative Name in question contains any othernames (such as a Microsoft UPN) the SAN extension is added again a few lines later as a workaround for an encoding issue (by function HandleOtherSANs). This way you end up with two copies of the SAN extension in the final certificate.

Having duplicate x509v3 extensions is invalid and is rejected by openssl on Ubuntu 20.04 (but not on Ubuntu 18.04), and is also rejected by Go in x509.ParseCertificate since https://github.com/golang/go/issues/50988 (part of Go 1.19).

In this fix I do not copy the extension from the CSR if it will already be added by HandleOtherSANs.

rubendv avatar Aug 12 '22 09:08 rubendv
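Added example, not code from this PR or from Vault: a stand-alone Go reproduction of the failure mode described above. It builds a SubjectAltName extension carrying a Microsoft UPN otherName by hand (the Go x509 template has no field for otherName, which is why a signer has to inject it as a raw extension), models the two signer paths with a hypothetical `signerExtensions` helper (`dedupe=false` copies the CSR's SAN and then appends the workaround's SAN again, reproducing the duplicate; `dedupe=true` is the fix of skipping the CSR copy), self-signs both variants, and runs each through `x509.ParseCertificate`, which on Go 1.19 or newer rejects the certificate with two SAN extensions. The UPN, subject name and serial number are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidMicrosoftUPN   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
)

// OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue // the [0] EXPLICIT wrapper is built by hand below
}

// upnSANExtension builds a SubjectAltName extension whose only GeneralName is a
// Microsoft UPN otherName. x509.Certificate has no field for otherName, so a
// signer has to hand it over as a raw extension; that is the path the bug lives on.
func upnSANExtension(upn string) (pkix.Extension, error) {
	utf8, err := asn1.MarshalWithParams(upn, "utf8")
	if err != nil {
		return pkix.Extension{}, err
	}
	on := otherName{
		TypeID: oidMicrosoftUPN,
		Value:  asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: utf8},
	}
	gn, err := asn1.MarshalWithParams(on, "tag:0") // GeneralName CHOICE: otherName is [0] IMPLICIT
	if err != nil {
		return pkix.Extension{}, err
	}
	san, err := asn1.Marshal([]asn1.RawValue{{FullBytes: gn}}) // GeneralNames ::= SEQUENCE OF GeneralName
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidSubjectAltName, Value: san}, nil
}

// signerExtensions is a hypothetical stand-in for the sign-verbatim flow the PR
// describes (not Vault's code): with UseCSRValues the CSR extensions are copied
// as-is, then the otherName workaround appends its own SAN. dedupe=false
// reproduces the duplicate; dedupe=true is the PR's fix, skipping the CSR copy
// of any extension the signer is about to add itself.
func signerExtensions(csrExts []pkix.Extension, otherSAN pkix.Extension, dedupe bool) []pkix.Extension {
	var out []pkix.Extension
	for _, e := range csrExts {
		if dedupe && e.Id.Equal(otherSAN.Id) {
			continue
		}
		out = append(out, e)
	}
	return append(out, otherSAN)
}

// issue self-signs a throwaway P-256 leaf carrying exactly exts as ExtraExtensions.
func issue(exts []pkix.Extension) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "upn-test"}, // constructed sample subject
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: exts,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// sanCount parses der the way a Go 1.19+ client would and returns how many
// SubjectAltName extensions it carries. ParseCertificate itself rejects a
// certificate with duplicate extensions, which is exactly what the PR reports.
func sanCount(der []byte) (int, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	n := 0
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidSubjectAltName) {
			n++
		}
	}
	return n, nil
}

func main() {
	san, err := upnSANExtension("alice@corp.example") // constructed sample UPN
	if err != nil {
		panic(err)
	}
	csrExts := []pkix.Extension{san} // what a CSR carrying a UPN SAN presents to the signer
	for _, dedupe := range []bool{false, true} {
		der, err := issue(signerExtensions(csrExts, san, dedupe))
		if err != nil {
			panic(err)
		}
		n, err := sanCount(der)
		fmt.Printf("dedupe=%-5v SAN extensions=%d parse error=%v\n", dedupe, n, err)
	}
}
```

`go run` prints one line per variant: the `dedupe=false` certificate fails to parse on Go 1.19 or newer, the `dedupe=true` one parses with a single SAN extension. On a Go toolchain older than 1.19 the first variant parses as well, which is the toolchain dependence the PR describes; the general fix is the same either way: an extension the signer is going to generate itself must not also be copied through from the CSR.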

CLA assistant check
All committers have signed the CLA.

hashicorp-cla avatar Aug 12 '22 09:08 hashicorp-cla

\o Hey @rubendv, thanks for the PR! :-) Do you mind adding a test for this? It'd be great to make sure we don't break this again in the future.

cipherboy avatar Sep 22 '22 13:09 cipherboy

Sure! I will look into it.

rubendv avatar Sep 22 '22 15:09 rubendv

I added tests @cipherboy. I noticed in the contributing guide it says that PRs should reference issues, would you like me to still create an issue for this PR?

rubendv avatar Oct 07 '22 09:10 rubendv

@rubendv Nah, no point IMO. I understand the problem well enough. Thank you!

cipherboy avatar Oct 07 '22 15:10 cipherboy

@rubendv Actually, could I bother you to rebase this on top of a newer main? I think test-go-remote-docker failed because you happened to base it off the point in time where we were trying to fix the CI's container network provisioning.

Looks like rerunning it didn't help:

+ docker exec -w /home/circleci/go/src/github.com/hashicorp/vault/ -e CIRCLECI -e VAULT_CI_GO_TEST_RACE -e GOCACHE=/tmp/gocache -e GO_TAGS -e GOPROXY=off -e VAULT_LICENSE_CI -e GOARCH=amd64 testcontainer gotestsum --format=short-verbose --junitfile test-results/go-test/results.xml --jsonfile test-results/go-test/results.json -- -tags ' deadlock' -timeout=60m -parallel=20 github.com/hashicorp/vault/plugins/database/mongodb
=== RUN   TestMongoDB_Initialize
    mongodbhelper.go:68: could not start docker mongo: no reachable servers
--- FAIL: TestMongoDB_Initialize (135.77s)
FAIL plugins/database/mongodb.TestMongoDB_Initialize (135.77s)

cipherboy avatar Oct 07 '22 15:10 cipherboy

Thanks @rubendv, that worked!

cipherboy avatar Oct 07 '22 16:10 cipherboy