Allow all other_sans in sign-intermediate and sign-verbatim #13958

Merged
merged 2 commits into from
Feb 9, 2022


cipherboy
Contributor

/sign-verbatim and /sign-intermediate are more dangerous endpoints in
that they (usually) do not have an associated role. In this case, a
permissive role is constructed during execution of these tests. However,
the AllowedOtherSANs field was missing from this, prohibiting its use
when issuing certificates.

Resolves: #13157

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

--

/sign-verbatim actually takes an optional name parameter, which then uses the role's restrictions. This doesn't impact that case at all.
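An added example, not part of the pull request or of Vault's code: a simplified Go model of the behaviour described above, in which a role whose AllowedOtherSANs list is empty rejects every requested other_sans value, while a single `*` entry permits any well-formed one. The `role` type, the helper names, the simplified matching rules and the sample SAN value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// role is a hypothetical stand-in for the in-memory role; only the field named in the PR is modelled.
type role struct{ AllowedOtherSANs []string }

// parse splits an OpenSSL-style "<oid>;<type>:<value>" entry into its parts.
func parse(s string) (string, string, string, bool) {
	oid, rest, ok1 := strings.Cut(s, ";")
	typ, val, ok2 := strings.Cut(rest, ":")
	return oid, typ, val, ok1 && ok2 && oid != "" && typ != ""
}

// allowed reports whether one requested other_sans entry is permitted by the role.
// Simplified rule (assumption): a bare "*" allows anything well-formed; otherwise the
// OID and type must match and the value must be equal or be the wildcard "*".
func allowed(r role, req string) bool {
	oid, typ, val, ok := parse(req)
	if !ok {
		return false // malformed requests are never accepted
	}
	for _, entry := range r.AllowedOtherSANs {
		eo, et, ev, eok := parse(entry)
		if entry == "*" || (eok && eo == oid && strings.EqualFold(et, typ) && (ev == "*" || ev == val)) {
			return true
		}
	}
	return false // an empty allow-list denies every other_sans value
}

// checkOtherSANs returns the requested entries that the role does not permit.
func checkOtherSANs(r role, requested []string) []string {
	var denied []string
	for _, req := range requested {
		if !allowed(r, req) {
			denied = append(denied, req)
		}
	}
	return denied
}

func main() {
	req := []string{"1.3.6.1.4.1.311.20.2.3;UTF8:svc@example.com"} // constructed sample value
	fmt.Println("field unset:", checkOtherSANs(role{}, req))
	fmt.Println("wildcard:   ", checkOtherSANs(role{AllowedOtherSANs: []string{"*"}}, req))
}
```

On a role-bound endpoint the same check is where a narrower entry, scoped to one OID, would limit what a requester can place in the certificate.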

Contributor

@stevendpclark stevendpclark left a comment

LGTM!

@cipherboy
Contributor Author

Thanks @stevendpclark for the review :)

@cipherboy cipherboy merged commit 4f841f6 into main Feb 9, 2022
@cipherboy cipherboy deleted the cipherboy-allow-other-sans-verbatim-intermediate branch February 9, 2022 21:41
fairclothjm pushed a commit that referenced this pull request Feb 12, 2022
* Allow all other_sans in sign-intermediate and sign-verbatim

/sign-verbatim and /sign-intermediate are more dangerous endpoints in
that they (usually) do not have an associated role. In this case, a
permissive role is constructed during execution of these tests. However,
the AllowedOtherSANs field was missing from this, prohibiting its use
when issuing certificates.

Resolves: #13157

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy added this to the 1.10 milestone Feb 28, 2022
Successfully merging this pull request may close these issues.

An error if specify other_sans In the sign-intermediate endpoint