
Remove duplicated certificates from chains #14348

Merged (1 commit) Mar 3, 2022

Conversation

cipherboy (Contributor) commented Mar 2, 2022

As reported by Steve Clark, building an intermediate mount in PKI (and
calling /intermediate/set-signed) results in a duplicate intermediate CA
certificate in the full chain output (ca_chain field of the
/cert/ca_chain API endpoint response).

While ideally we'd use proper chain building (and return a sorted
chain), for the time being, return certs in the order they appear and
remove any duplicate certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

--

This was for the new full chain feature introduced in #13935.

Reproducer:

vault secrets enable -path=pki pki
vault write -field=certificate pki/root/generate/internal \
    common_name=root-kms.com \
    ttl=8760h > /tmp/CA_cert.crt
vault secrets enable -path=pki_int pki
vault write -format=json pki_int/intermediate/generate/internal \
    common_name="example.com Intermediate Authority" \
     | jq -r '.data.csr' > /tmp/pki_intermediate.csr
vault write -format=json pki/root/sign-intermediate csr=@/tmp/pki_intermediate.csr \
     format=pem_bundle ttl="43800h" \
     | jq -r '.data.certificate' > /tmp/intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@/tmp/intermediate.cert.pem
vault read /pki_int/cert/ca_chain
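
Added example, not code from this PR or from Vault's code base: the rule the description states (keep certificates in the order they appear, drop repeats) applied to a constructed root -> intermediate chain in which the intermediate is listed twice, the shape of the ca_chain output the PR fixes. Duplicates are compared by raw DER bytes, so two separately parsed copies of the same certificate still count as one; mkCert and Fixture are hypothetical helpers that build the fixtures in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// DedupeChain keeps the first occurrence of each certificate (compared by DER bytes) in input order.
func DedupeChain(chain []*x509.Certificate) []*x509.Certificate {
	seen := make(map[string]struct{})
	var out []*x509.Certificate
	for _, c := range chain {
		if _, dup := seen[string(c.Raw)]; dup {
			continue // identical DER already emitted: drop the repeat
		}
		seen[string(c.Raw)] = struct{}{}
		out = append(out, c)
	}
	return out
}

// mkCert issues an in-memory CA certificate for cn (self-signed when parent is nil). Hypothetical fixture helper.
func mkCert(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Fixture returns [intermediate, intermediate, root], with the repeat parsed separately so it is a
// distinct object with identical bytes. Constructed data, not Vault's own chain assembly.
func Fixture() []*x509.Certificate {
	root, rootKey := mkCert(1, "root-kms.com", nil, nil)
	inter, _ := mkCert(2, "example.com Intermediate Authority", root, rootKey)
	again, _ := x509.ParseCertificate(inter.Raw)
	return []*x509.Certificate{inter, again, root}
}
```

Comparing on `Raw` rather than on subject or serial is deliberate: a rotated intermediate with the same subject is a different certificate and must stay in the chain.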

@cipherboy cipherboy added this to the 1.10 milestone Mar 2, 2022
@cipherboy cipherboy requested review from stevendpclark and a team March 2, 2022 21:57
@cipherboy cipherboy marked this pull request as draft March 2, 2022 22:00
As reported by Steve Clark, building an intermediate mount in PKI (and
calling /intermediate/set-signed) results in a duplicate intermediate CA
certificate in the full chain output (ca_chain field of the
/cert/ca_chain API endpoint response).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy force-pushed the cipherboy-fix-duplicate-certs-in-chains branch from 6663379 to adfa09a Compare March 2, 2022 22:12
@vercel vercel bot temporarily deployed to Preview – vault March 2, 2022 22:12 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook March 2, 2022 22:12 Inactive
@cipherboy cipherboy marked this pull request as ready for review March 2, 2022 22:12
stevendpclark (Contributor) left a comment:

👍

@cipherboy cipherboy modified the milestones: 1.10, 1.11 Mar 3, 2022
@cipherboy cipherboy merged commit 5a8c389 into main Mar 3, 2022
@cipherboy cipherboy deleted the cipherboy-fix-duplicate-certs-in-chains branch March 7, 2022 14:04
Labels: bug, pr/no-changelog, secret/pki