Add CSR SAN-URI length validation.

hashicorp · Sep 13, 2022 · 8dc5a83 · 8dc5a83
1 parent 4a818a1
commit 8dc5a83
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go
@@ -1397,6 +1397,15 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne
 		return nil, fmt.Errorf("CA is uninitialized and unable to sign certificates yet: no root certificate")
 	}
 
+	// Note that only one spiffe id is allowed currently. If more than one is desired
+	// in future implmentations, then each ID should have authorization checks.
+	if len(csr.URIs) != 1 {
+		return nil, fmt.Errorf("CSR SAN contains an invalid number of URIs: %v", len(csr.URIs))
+	}
+	if len(csr.EmailAddresses) > 0 {
+		return nil, fmt.Errorf("CSR SAN does not allow specifying email addresses")
+	}
+
 	// Verify that the CSR entity is in the cluster's trust domain
 	state := c.delegate.State()
 	_, config, err := state.CAConfig(nil)

diff --git a/agent/consul/leader_connect_ca_test.go b/agent/consul/leader_connect_ca_test.go
@@ -481,8 +481,9 @@ func TestCAManager_SignCertificate_WithExpiredCert(t *testing.T) {
 
 			// Call RenewIntermediate and then confirm the RPCs and provider calls
 			// happen in the expected order.
-
-			_, err := manager.SignCertificate(&x509.CertificateRequest{}, &connect.SpiffeIDAgent{})
+			_, err := manager.SignCertificate(&x509.CertificateRequest{
+				URIs: []*url.URL{connect.SpiffeIDAgent{}.URI()},
+			}, &connect.SpiffeIDAgent{})
 			if arg.isError {
 				require.Error(t, err)
 				require.Contains(t, err.Error(), arg.errorMsg)