Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support other names in SANs #3889

Merged
merged 22 commits into from
Feb 16, 2018
Merged

Support other names in SANs #3889

merged 22 commits into from
Feb 16, 2018

Conversation

jefferai
Copy link
Member

@jefferai jefferai commented Feb 1, 2018

Allows specifying custom OID/UTF8 string SANs. This was harder than expected because Go's built-in asn1 library is, in the words of its author, too magical. So instead this pulls in cryptobytes, which the asn1 library's author wrote after writing something similar for BoringSSL.

If other and non-other SANs are specified we encode them all with cryptobytes (we have to) but we fall back to normal stdlib handling of SANs if not. I'm not sure if we should just always use cryptobytes or not, but we can always switch it later; all tests currently point to it working fine either way.

Because things were getting rather out of hand, this also bundles in a fairly significant refactor of cert_util.go, which is much of the actual diff in this PR.

@jefferai jefferai added this to the 0.9.4 milestone Feb 1, 2018
@jefferai jefferai changed the title [WIP] Support other names in SANs Support other names in SANs Feb 13, 2018
Copy link
Member

@vishalnayak vishalnayak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some superficial comments. This is mostly looking good!

// checks to verify that the OID SAN logic doesn't screw up other SANs, then
// will spit out the PEM. This can be validated independently.
//
// You want the hex dump of the octet string corresponding tot he X509v3
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/tot he/to the

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

cert.DNSNames[2] != "foo.foobar.com" {
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
}
t.Logf("certificate 1 to check:\n%s", certStr)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder to remove.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You didn't read the comment carefully enough :-)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did now :-) 👍

cert.DNSNames[2] != "foo.foobar.com" {
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
}
t.Logf("certificate 2 to check:\n%s", certStr)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder to remove.

case len(badName) != 0:
return errutil.UserError{Err: fmt.Sprintf(
"other SAN %s not allowed for OID %s by this role", badName, badOID)}
case len(badOID) > 0:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have len(badOID) !=0 here as well, just for readability consistency with the previous case statement?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.


func stringToOid(in string) (asn1.ObjectIdentifier, error) {
ret := []int{}
split := strings.Split(in, ".")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we do a make([]int,0,len(split)) after this line to avoid resizing of ret during append?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@@ -432,31 +444,84 @@ func validateNames(req *logical.Request, names []string, role *roleEntry) string
return ""
}

func validateOtherSANs(data *dataBundle, requested map[string][]string) (string, string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have a comment for this method mentioning that this will performing the regex check on the allowed names on the role?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additionally it wasn't clear, until looking at the caller, what the return values represent. Could you document that?


// Marshal and add to ExtraExtensions
ext := pkix.Extension{
Id: []int{2, 5, 29, 17},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make this asn1.ObjectIdentifier{2, 5, 29, 17}?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.


// Marshal and add to ExtraExtensions
ext := pkix.Extension{
Id: asn1.ObjectIdentifier{2, 5, 29, 17},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can your provide some context in a comment where these values are coming from?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or alternatively use the constant values https://golang.org/pkg/encoding/asn1/#pkg-constants

briankassouf
briankassouf previously approved these changes Feb 16, 2018
Copy link
Contributor

@briankassouf briankassouf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks Good!

vishalnayak
vishalnayak previously approved these changes Feb 16, 2018
Copy link
Member

@vishalnayak vishalnayak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jefferai jefferai dismissed stale reviews from vishalnayak and briankassouf via a8d62af February 16, 2018 22:08
@jefferai jefferai merged commit a43a854 into master Feb 16, 2018
@jefferai jefferai deleted the oid-sans branch February 16, 2018 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants