Updates to Validate on Parse PEMBlock, so that a single cert or a sin…

…gle key parses (test fixes).
hashicorp · Jan 22, 2025 · d461c07 · d461c07
1 parent 150756c
commit d461c07
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
@@ -1195,7 +1195,7 @@ func TestVerify_chained_name_constraints(t *testing.T) {
 		resp, err := CBWrite(bRoot, sRoot, "root/generate/internal", map[string]interface{}{
 			"ttl":                   "40h",
 			"common_name":           "myvault.com",
-			"permitted_dns_domains": ".example.com",
+			"permitted_dns_domains": ".example.com,myint.com",
 			"excluded_dns_domains":  "bad.example.com",
 		})
 		require.NoError(t, err)

diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go
@@ -312,8 +312,12 @@ func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error) {
 		}
 	}
 
-	if err := parsedBundle.Verify(); err != nil {
-		return nil, errutil.UserError{Err: fmt.Sprintf("verification of parsed bundle failed: %s", err)}
+	if certPath != nil && len(certPath) > 1 {
+		// Don't validate the certificate chain if no certificate exists eg. only a key is given
+		// And don't validate a chain if it isn't given (eg. only one certificate)
+		if err := parsedBundle.Verify(); err != nil {
+			return nil, errutil.UserError{Err: fmt.Sprintf("verification of parsed bundle failed: %s", err)}
+		}
 	}
 
 	return parsedBundle, nil