From 8dc5a835b324f5b4b177427d74e1e256ef545871 Mon Sep 17 00:00:00 2001
From: Derek Menteer
Date: Tue, 13 Sep 2022 13:19:33 -0500
Subject: [PATCH] Add CSR SAN-URI length validation.

---
 agent/consul/leader_connect_ca.go      | 9 +++++++++
 agent/consul/leader_connect_ca_test.go | 5 +++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go
index c084ae38e51b..30bcb937d7ef 100644
--- a/agent/consul/leader_connect_ca.go
+++ b/agent/consul/leader_connect_ca.go
@@ -1397,6 +1397,15 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne
 		return nil, fmt.Errorf("CA is uninitialized and unable to sign certificates yet: no root certificate")
 	}
 
+	// Note that only one spiffe id is allowed currently. If more than one is desired
+	// in future implmentations, then each ID should have authorization checks.
+	if len(csr.URIs) != 1 {
+		return nil, fmt.Errorf("CSR SAN contains an invalid number of URIs: %v", len(csr.URIs))
+	}
+	if len(csr.EmailAddresses) > 0 {
+		return nil, fmt.Errorf("CSR SAN does not allow specifying email addresses")
+	}
+
 	// Verify that the CSR entity is in the cluster's trust domain
 	state := c.delegate.State()
 	_, config, err := state.CAConfig(nil)
diff --git a/agent/consul/leader_connect_ca_test.go b/agent/consul/leader_connect_ca_test.go
index 808d120ad9c8..10cef5c2c483 100644
--- a/agent/consul/leader_connect_ca_test.go
+++ b/agent/consul/leader_connect_ca_test.go
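Review bot: The added SAN validation rejects extra URIs and any email addresses but leaves `csr.DNSNames` and `csr.IPAddresses` unexamined; if later code copies those into the signed leaf, the same authorization gap remains for those SAN types, so either reject them here alongside the email check or document where they are constrained, e.g. `// DNS and IP SANs from the CSR are <ignored|validated> in <location>`. The new comment has a typo, `implmentations` → `implementations`, and `%v` on an int is more conventionally `%d`. SignCertificate continues outside the hunk, so whether `csr.URIs[0]` is compared against the `spiffeID` argument is not visible here; the following `// Verify that the CSR entity is in the cluster's trust domain` comment suggests that check follows, and the count check is only meaningful if it does.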
@@ -481,8 +481,9 @@ func TestCAManager_SignCertificate_WithExpiredCert(t *testing.T) {
 	// Call RenewIntermediate and then confirm the RPCs and provider calls
 	// happen in the expected order.
-
-	_, err := manager.SignCertificate(&x509.CertificateRequest{}, &connect.SpiffeIDAgent{})
+	_, err := manager.SignCertificate(&x509.CertificateRequest{
+		URIs: []*url.URL{connect.SpiffeIDAgent{}.URI()},
+	}, &connect.SpiffeIDAgent{})
 	if arg.isError {
 		require.Error(t, err)
 		require.Contains(t, err.Error(), arg.errorMsg)