Fixed issue PKI: Support explicit Basic Constraints isCA=False openba…

…o#81 Signed-off-by: DanGhita <dan.ghita@viaccess-orca.com>
DanGhita · Mar 11, 2024 · 997c641 · 997c641
1 parent 1e5549d
commit 997c641
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/builtin/logical/pki/ca_util.go b/builtin/logical/pki/ca_util.go
@@ -290,11 +290,12 @@ func buildSignVerbatimRole(data *framework.FieldData, role *roleEntry) *roleEntr
 		CNValidations:             []string{"disabled"},
 		GenerateLease:             new(bool),
 		// If adding new fields to be read, update the field list within addSignVerbatimRoleFields
-		KeyUsage:        data.Get("key_usage").([]string),
-		ExtKeyUsage:     data.Get("ext_key_usage").([]string),
-		ExtKeyUsageOIDs: data.Get("ext_key_usage_oids").([]string),
-		SignatureBits:   data.Get("signature_bits").(int),
-		UsePSS:          data.Get("use_pss").(bool),
+		KeyUsage:                      data.Get("key_usage").([]string),
+		ExtKeyUsage:                   data.Get("ext_key_usage").([]string),
+		ExtKeyUsageOIDs:               data.Get("ext_key_usage_oids").([]string),
+		SignatureBits:                 data.Get("signature_bits").(int),
+		UsePSS:                        data.Get("use_pss").(bool),
+		BasicConstraintsValidForNonCA: data.Get("basic_constraints_valid_for_non_ca").(bool),
 	}
 	*entry.AllowWildcardCertificates = true
 	*entry.GenerateLease = false

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
@@ -1047,7 +1047,7 @@ func signCert(b *backend,
 		}
 	} else {
 		for _, ext := range csr.Extensions {
-			if ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) {
+			if ext.Id.Equal(certutil.ExtensionBasicConstraintsOID) && !data.role.BasicConstraintsValidForNonCA {
 				warnings = append(warnings, "specified CSR contained a Basic Constraints extension that was ignored during issuance")
 			}
 		}

diff --git a/builtin/logical/pki/fields.go b/builtin/logical/pki/fields.go
@@ -647,5 +647,11 @@ SHA-2-512. Defaults to 0 to automatically detect based on key length
 RSA key-type issuer. Defaults to false.`,
 	}
 
+	fields["basic_constraints_valid_for_non_ca"] = &framework.FieldSchema{
+		Type:        framework.TypeBool,
+		Default:     false,
+		Description: `Mark Basic Constraints valid when issuing non-CA certificates.`,
+	}
+
 	return fields
 }