mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-11-27 13:41:10 +01:00
Code Issues Projects Releases Wiki Activity

Fix logic around zero path length -- only restrict issuing intermediate CAs in this case

Browse Source
This commit is contained in:
Jeff Mitchell 2015-11-16 10:42:45 -05:00
parent 237285e822
commit 636fad0180
2 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
builtin/logical/pki/cert_util.go
View File

@ -483,9 +483,6 @@ func generateCreationBundle(b *backend,
} }
if signingBundle != nil { if signingBundle != nil {
if signingBundle.Certificate.MaxPathLen == 0 {
return nil, certutil.UserError{Err: "signing CA has a max path length of zero"}
}
creationBundle.URLs = signingBundle.URLs creationBundle.URLs = signingBundle.URLs
if role.MaxPathLength != nil { if role.MaxPathLength != nil {
creationBundle.MaxPathLength = *role.MaxPathLength creationBundle.MaxPathLength = *role.MaxPathLength
@ -493,8 +490,10 @@ func generateCreationBundle(b *backend,
switch { switch {
case signingBundle.Certificate.MaxPathLen < 0: case signingBundle.Certificate.MaxPathLen < 0:
creationBundle.MaxPathLength = -1 creationBundle.MaxPathLength = -1
case signingBundle.Certificate.MaxPathLen == 0: case signingBundle.Certificate.MaxPathLen == 0 &&
return nil, certutil.UserError{Err: "signing CA has a max path length of zero"} signingBundle.Certificate.MaxPathLenZero:
// The signing function will ensure that we do not issue a CA cert
creationBundle.MaxPathLength = 0
default: default:
// If this takes it to zero, we handle this case later if // If this takes it to zero, we handle this case later if
// necessary // necessary
@ -847,6 +846,11 @@ func signCertificate(creationInfo *certCreationBundle,
if creationInfo.IsCA { if creationInfo.IsCA {
certTemplate.IsCA = true certTemplate.IsCA = true
if creationInfo.SigningBundle.Certificate.MaxPathLen == 0 &&
creationInfo.SigningBundle.Certificate.MaxPathLenZero {
return nil, certutil.UserError{Err: "signing certificate has a max path length of zero, and cannot issue further CA certificates"}
}
certTemplate.MaxPathLen = creationInfo.MaxPathLength certTemplate.MaxPathLen = creationInfo.MaxPathLength
if certTemplate.MaxPathLen == 0 { if certTemplate.MaxPathLen == 0 {
certTemplate.MaxPathLenZero = true certTemplate.MaxPathLenZero = true

4
builtin/logical/pki/path_config_ca.go
View File

@ -288,7 +288,7 @@ func (b *backend) pathCAGenerateRoot(
} }
if parsedBundle.Certificate.MaxPathLen == 0 { if parsedBundle.Certificate.MaxPathLen == 0 {
resp.AddWarning("Max path length of the generated certificate is zero") resp.AddWarning("Max path length of the generated certificate is zero. This certificate cannot be used to issue intermediate CA certificates.")
} }
return resp, nil return resp, nil
@ -444,7 +444,7 @@ func (b *backend) pathCASignIntermediate(
} }
if parsedBundle.Certificate.MaxPathLen == 0 { if parsedBundle.Certificate.MaxPathLen == 0 {
resp.AddWarning("Max path length of the signed certificate is zero") resp.AddWarning("Max path length of the signed certificate is zero. This certificate cannot be used to issue intermediate CA certificates.")
} }
return resp, nil return resp, nil