-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PKI: Support explicit Basic Constraints isCA=False #81
Comments
Hi Nathan, I will take this issue, could you assign it to me ? Thank you, |
Hi Alex, After a few changes in the code, I’m able now to issue a certificate containing the expected extension: X509v3 Basic Constraints critical: However, I have doubts about the original intention of the initial code: should I just remove the code raising the warning (lines 1050 - 1052 in pki/cert_util.go) , or there are some other (subtle) use-cases where this kind of warning is still necessary ? |
@DanGhita I'd remove the warning, if the end certificate has the basic constraint marked valid. If there is no basic constraint extension, I'd still warn as it was still ignored. My 2c. |
@naphelps I have pushed my branch and created my Pull Request. |
...Oops, the DCO (signed-off) didn’t work, I will try to fix this. |
@DanGhita said:
When:
HTH! |
…o#81 Signed-off-by: DanGhita <dan.ghita@viaccess-orca.com>
@cipherboy : Sorry, but I don't understand what you mean by "Role var is asserted" and "Role var is not asserted". If yes, your option #1 (Role var is asserted) means calling sign-verbatim without a role ? (basically, the initial scope of the current issue ?). Furthermore, the option #2 corresponds to a call to sign-verbatim with a specified role ? Many thanks! |
@DanGhita Sorry, role as in the context of the internal data structure used to process requests. The default version of this path did not have it and thus it was missing from the role. But if you add this parameter to the request (set the boolean variable to true == assert it), the role variable also becomes asserted (set to true), and thus behavior 1 applies. Or if its missing from the request (or set to false explicitly in the request) behavior 2 applies. Sorry about any confusion! |
@cipherboy Sorry, in order to avoid any confusion, we should speak on both public API level and low level source code. On the other hand, on the API level, your point is to add a new option to Sign Verbatim, something similar to However, while it is true that sign-verbatim does support some extra parameters (https://developer.hashicorp.com/vault/api-docs/secret/pki#sign-verbatim), it seems to me that the initial intention of the endpoint was to use the provided CSR as it is ("verbatim"). The additional parameters are just to specify the behavior when the CSR does not contain explicit information about them. So maybe the right solution is just to take into account the basicConstraints from the provided CSR, with the following behavior (and no new option in the public API):
Please also have a look to my PR . |
@DanGhita From a high-level, external API perspective then, my original three points stand I believe. Look at the docs for the request parameter here: https://developer.hashicorp.com/vault/api-docs/secret/pki#basic_constraints_valid_for_non_ca for the role-based issuance. Scenario 1 above, if you call:
It should issue a leaf certificate with the extension and with no warning. Similarly, scenario 2(a) above:
this will issue a leaf certificate without the extension, but with a warning saying that the CSR contained an extension we ignored. For scenario 2(b) above:
again, the leaf will be issued without the extension, and no warning will occur because the CSR did not contain the extension. AFAIK, this is exactly what your PR is doing. :-) Now I think you just need to write the tests. CSRs I generated for testingWith extension asserted to false:
With extension asserted to true:
Without extension:
Generated via:
&co. |
@cipherboy Thank you for having taken the time to explain the expected behavior from the public API point of view, I really appreciate, it is much easier to understand the "end-user" expected input/result. However, I still have some doubts: the first one is related to the openssl command that you have used for generating the CSR. Secondly (and my main concern) is the (expected) behavior that you describe in 2(a):
for which you are expecting "this will issue a leaf certificate without the extension, but with a warning saying that the CSR contained an extension we ignored". This is strange, because, if I'm not wrong, this is already the original behavior that Vault always had and that we wanted to fix through the current PR ! I will test your scenarios against a "regular" Vault (without my changes from the current PR) in order to verify which scenario does not fulfill the behavior that you have described in your last post. |
Hi @DanGhita, You can test with both TRUE and FALSE and see that OpenBao ignores the value of the IsCA value and always sets it to false on issuance. :-) Command was given for example only, I included both TRUE and FALSE CSRs in my snippet above. Because we know we're issuing a leaf, we overwrite the value on the extension. Perhaps better behavior would be to err out, but we cannot now... Regarding your new query... We don't want to change the behavior for existing callers of the API :-) If we were to default We only want to change this behavior when the caller opts in by specifying the parameter. The behavior will not pass with upstream presently, because it doesn't implement 1 -- the parameter is unknown by the endpoint. Scenario 2 should pass completely, with a warning about the parameter not existing and thus defaulting to false on the backend system. HTH,
|
Hi @cipherboy, I think we are aligned now and I would summarize the goal of the issue/PR as following: Add a new parameter ( Note: the parameter Concerning the current status of the PR: the code evolution seems to be already OK. |
…o#81 Signed-off-by: DanGhita <dan.ghita@viaccess-orca.com>
Signed-off-by: DanGhita <dan.ghita@viaccess-orca.com>
As reported by @mvkonovalov on hashicorp/vault#24817:
This likely warrants a new set of parameters on
sign-verbatim
mirroring what is on the role:basic_constraints_valid_for_non_ca
. Since it is already on the role, this should be fairly easy to add and thus a good first issue.Note that, from memory, I believe
use_csr_values=true
is already set, though whether or not this should apply to the basic constraints isn't immediately clear.The text was updated successfully, but these errors were encountered: