From 16665c97f0e8506ddd3c209cf3b6919637575845 Mon Sep 17 00:00:00 2001
From: max furman
Date: Thu, 14 Jan 2021 15:26:46 -0600
Subject: [PATCH] Allow empty SAN in CSR for validation ...

- The default template will always use the SANs from the token.
- If there are any SANs they must be validated against the token.

---
 authority/provisioner/sign_options.go | 12 ++++++++++++
 authority/provisioner/sign_options_test.go | 8 ++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index 9bfe8529..3b52d497 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@@ -154,6 +154,9 @@ type dnsNamesValidator []string
 // Valid checks that certificate request DNS Names match those configured in
 // the bootstrap (token) flow.
 func (v dnsNamesValidator) Valid(req *x509.CertificateRequest) error {
+ if len(req.DNSNames) == 0 {
+ return nil
+ }
 want := make(map[string]bool)
 for _, s := range v {
 want[s] = true
@@ -174,6 +177,9 @@ type ipAddressesValidator []net.IP
 // Valid checks that certificate request IP Addresses match those configured in
 // the bootstrap (token) flow.
 func (v ipAddressesValidator) Valid(req *x509.CertificateRequest) error {
+ if len(req.IPAddresses) == 0 {
+ return nil
+ }
 want := make(map[string]bool)
 for _, ip := range v {
 want[ip.String()] = true
@@ -194,6 +200,9 @@ type emailAddressesValidator []string
 // Valid checks that certificate request IP Addresses match those configured in
 // the bootstrap (token) flow.
 func (v emailAddressesValidator) Valid(req *x509.CertificateRequest) error {
+ if len(req.EmailAddresses) == 0 {
+ return nil
+ }
 want := make(map[string]bool)
 for _, s := range v {
 want[s] = true
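Review bot: The new `len(req.DNSNames) == 0` early return in dnsNamesValidator.Valid (and the matching ones in ipAddressesValidator.Valid, emailAddressesValidator.Valid, and urisValidator.Valid in the next hunk) changes the validator's contract from "CSR SANs equal the token SANs" to "CSR SANs are absent or equal", but the doc comment directly above each function still describes the old contract. The safety of accepting an empty CSR rests on the commit description's claim that the default template takes its SANs from the token rather than the CSR, which nothing in this file can enforce, so a reader auditing a custom template that copies names from the CSR would want that dependency stated at the validator. Suggest extending each comment, e.g. `// Valid checks that certificate request DNS Names match those configured in` / `// the bootstrap (token) flow. A request with no DNS Names is accepted; the` / `// certificate's SANs are then expected to be filled from the token by the template.`. While there, the comments on emailAddressesValidator.Valid and urisValidator.Valid still say "IP Addresses", a copy-paste leftover. Each Valid body continues past the end of its hunk.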
@@ -214,6 +223,9 @@ type urisValidator []*url.URL
 // Valid checks that certificate request IP Addresses match those configured in
 // the bootstrap (token) flow.
 func (v urisValidator) Valid(req *x509.CertificateRequest) error {
+ if len(req.URIs) == 0 {
+ return nil
+ }
 want := make(map[string]bool)
 for _, u := range v {
 want[u.String()] = true
diff --git a/authority/provisioner/sign_options_test.go b/authority/provisioner/sign_options_test.go
index a0d3cde0..cf8f7a54 100644
--- a/authority/provisioner/sign_options_test.go
+++ b/authority/provisioner/sign_options_test.go
@@ -174,14 +174,15 @@ func Test_emailAddressesValidator_Valid(t *testing.T) {
 {"ok1", []string{"max@smallstep.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"max@smallstep.com"}}}, false},
 {"ok2", []string{"max@step.com", "mike@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"max@step.com", "mike@step.com"}}}, false},
 {"ok3", []string{"max@step.com", "mike@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"mike@step.com", "max@step.com"}}}, false},
+ {"ok3", []string{"max@step.com", "mike@step.com"}, args{&x509.CertificateRequest{}}, false},
 {"fail1", []string{"max@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"mike@step.com"}}}, true},
 {"fail2", []string{"mike@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"max@step.com", "mike@step.com"}}}, true},
- {"fail3", []string{"mike@step.com", "max@step.com"}, args{&x509.CertificateRequest{DNSNames: []string{"mike@step.com", "mex@step.com"}}}, true},
+ {"fail3", []string{"mike@step.com", "max@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"mike@step.com", "mex@step.com"}}}, true},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 if err := tt.v.Valid(tt.args.req); (err != nil) != tt.wantErr {
- t.Errorf("dnsNamesValidator.Valid() error = %v, wantErr %v", err, tt.wantErr)
+ t.Errorf("emailAddressesValidator.Valid() error = %v, wantErr %v", err, tt.wantErr)
 }
 })
 }
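Review bot: The added empty-CSR case on the new `+` line reuses the subtest name "ok3", so t.Run registers it as "ok3#01" and a failure report points at the wrong row; the sibling hunks for Test_dnsNamesValidator_Valid and Test_ipAddressesValidator_Valid name the same case "ok4", and the Test_urisValidator_Valid hunk at the end of the patch has the same duplicate. Rename to `{"ok4", []string{"max@step.com", "mike@step.com"}, args{&x509.CertificateRequest{}}, false},` here and analogously in Test_urisValidator_Valid. Test_emailAddressesValidator_Valid starts before this hunk.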
@@ -201,6 +202,7 @@ func Test_dnsNamesValidator_Valid(t *testing.T) {
 {"ok1", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar"}}}, false},
 {"ok2", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar", "bar.zar"}}}, false},
 {"ok3", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar", "foo.bar.zar"}}}, false},
+ {"ok4", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{}}, false},
 {"fail1", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar"}}}, true},
 {"fail2", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar", "foo.bar.zar"}}}, true},
 {"fail3", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar", "zar.bar"}}}, true},
@@ -232,6 +234,7 @@ func Test_ipAddressesValidator_Valid(t *testing.T) {
 {"ok1", []net.IP{ip1}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip1}}}, false},
 {"ok2", []net.IP{ip1, ip2}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip1, ip2}}}, false},
 {"ok3", []net.IP{ip1, ip2}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip2, ip1}}}, false},
+ {"ok4", []net.IP{ip1, ip2}, args{&x509.CertificateRequest{}}, false},
 {"fail1", []net.IP{ip1}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip2}}}, true},
 {"fail2", []net.IP{ip1}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip2, ip1}}}, true},
 {"fail3", []net.IP{ip1, ip2}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip1, ip3}}}, true},
@@ -268,6 +271,7 @@ func Test_urisValidator_Valid(t *testing.T) {
 {"ok1", []*url.URL{u1}, args{&x509.CertificateRequest{URIs: []*url.URL{u1}}}, false},
 {"ok2", []*url.URL{u1, u2}, args{&x509.CertificateRequest{URIs: []*url.URL{u2, u1}}}, false},
 {"ok3", []*url.URL{u2, u1, u3}, args{&x509.CertificateRequest{URIs: []*url.URL{u3, u2, u1}}}, false},
+ {"ok3", []*url.URL{u2, u1, u3}, args{&x509.CertificateRequest{}}, false},
 {"fail1", []*url.URL{u1}, args{&x509.CertificateRequest{URIs: []*url.URL{u2}}}, true},
 {"fail2", []*url.URL{u1}, args{&x509.CertificateRequest{URIs: []*url.URL{u2, u1}}}, true},
 {"fail3", []*url.URL{u1, u2}, args{&x509.CertificateRequest{URIs: []*url.URL{u1, fu}}}, true},