Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Validate CSR CN and provided certname before signing
This adds a few new checks when signing CSRs, to validate the CN. First, it must conform to a small set of characters, which are the printable ASCII characters, except for '/' (because we store these in files). This prevents attacks such as a CN "foo^H^H^Hbar", which appears as "bar" to "puppet cert list". The other check is that the certname for the SSL::Host that we think we're signing must match the CN. This prevents a CSR with the CN "foo" from being submitted as a CSR for "bar", which would cause it to appear as "bar" to "puppet cert list", but to issue a certificate for "foo".
- Loading branch information
Showing
2 changed files
with
87 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters