forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Properly validate int ca lifetime error, add warning on leaf cert wit…
…h basic constraints (hashicorp#20654) * Ensure proper error message from CA validity period Signed-off-by: Alexander Scheel <[email protected]> * Add warning to issuance of leaf cert with basic constraints Signed-off-by: Alexander Scheel <[email protected]> * Add changelog entry Signed-off-by: Alexander Scheel <[email protected]> --------- Signed-off-by: Alexander Scheel <[email protected]>
- Loading branch information
Showing
3 changed files
with
13 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2532,7 +2532,7 @@ func TestBackend_Root_Idempotency(t *testing.T) { | |
| } | ||
| } | ||
|
|
||
| func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) { | ||
| func TestBackend_SignIntermediate_AllowedPastCAValidity(t *testing.T) { | ||
| t.Parallel() | ||
| b_root, s_root := CreateBackendWithStorage(t) | ||
| b_int, s_int := CreateBackendWithStorage(t) | ||
|
|
@@ -2550,6 +2550,7 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) { | |
| _, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{ | ||
| "allow_bare_domains": true, | ||
| "allow_subdomains": true, | ||
| "allow_any_name": true, | ||
| }) | ||
| if err != nil { | ||
| t.Fatal(err) | ||
|
|
@@ -2577,19 +2578,15 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) { | |
| "csr": csr, | ||
| "ttl": "60h", | ||
| }) | ||
| if err == nil { | ||
| t.Fatal("expected error") | ||
| } | ||
| require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate") | ||
|
|
||
| _, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{ | ||
| "common_name": "myint.com", | ||
| "other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:[email protected]", | ||
| "csr": csr, | ||
| "ttl": "60h", | ||
| }) | ||
| if err == nil { | ||
| t.Fatal("expected error") | ||
| } | ||
| require.ErrorContains(t, err, "that is beyond the expiration of the CA certificate") | ||
|
|
||
| resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{ | ||
| "common_name": "myint.com", | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| ```release-note:change | ||
| secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. | ||
| ``` |