Prevent creation of empty SubjAltNames extension in CSR (#883)
This commit is contained in:
parent
c6d76f580e
commit
e7efaf4365
@ -353,7 +353,8 @@ def create_csr(**csr_config):
if k in critical_extensions:
if k in critical_extensions:
current_app.logger.debug('Adding Critical Extension: {0} {1}'.format(k, v))
current_app.logger.debug('Adding Critical Extension: {0} {1}'.format(k, v))
if k == 'sub_alt_names':
if k == 'sub_alt_names':
builder = builder.add_extension(v['names'], critical=True)
if v['names']:
builder = builder.add_extension(v['names'], critical=True)
else:
else:
builder = builder.add_extension(v, critical=True)
builder = builder.add_extension(v, critical=True)
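Review bot: The new `if v['names']:` guard drops the extension silently, and it relies on `x509.SubjectAlternativeName` being falsy when it holds no names; a debug line next to the existing 'Adding Critical Extension' message would make the skip visible when a CSR is later found to lack SANs, e.g. `else: current_app.logger.debug('Skipping empty sub_alt_names extension')`. The guard is only applied on the critical-extensions branch shown here; if the non-critical path of create_csr (outside this hunk) also adds `sub_alt_names`, the same check is presumably needed there. create_csr begins before and continues after this hunk.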
@ -6,9 +6,11 @@ import json
import arrow
import arrow
import pytest
import pytest
from cryptography import x509
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from marshmallow import ValidationError
from marshmallow import ValidationError
from freezegun import freeze_time
from freezegun import freeze_time
from lemur.certificates.service import create_csr
from lemur.certificates.views import * # noqa
from lemur.certificates.views import * # noqa
from lemur.domains.models import Domain
from lemur.domains.models import Domain
@ -329,9 +331,6 @@ def test_certificate_sensitive_name(client, authority, session, logged_in_user):
def test_create_basic_csr(client):
def test_create_basic_csr(client):
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from lemur.certificates.service import create_csr
csr_config = dict(
csr_config = dict(
common_name='example.com',
common_name='example.com',
organization='Example, Inc.',
organization='Example, Inc.',
@ -350,9 +349,27 @@ def test_create_basic_csr(client):
assert name.value in csr_config.values()
assert name.value in csr_config.values()
def test_csr_empty_san(client):
"""Test that an empty "names" list does not produce a CSR with empty SubjectAltNames extension.
The Lemur UI always submits this extension even when no alt names are defined.
"""
csr_text, pkey = create_csr(
common_name='daniel-san.example.com',
owner='daniel-san@example.com',
key_type='RSA2048',
extensions={'sub_alt_names': {'names': x509.SubjectAlternativeName([])}}
)
csr = x509.load_pem_x509_csr(csr_text.encode('utf-8'), default_backend())
with pytest.raises(x509.ExtensionNotFound):
csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
def test_csr_disallowed_cn(client, logged_in_user):
def test_csr_disallowed_cn(client, logged_in_user):
"""Domain name CN is disallowed via LEMUR_WHITELISTED_DOMAINS."""
"""Domain name CN is disallowed via LEMUR_WHITELISTED_DOMAINS."""
from lemur.certificates.service import create_csr
from lemur.common import validators
from lemur.common import validators
request, pkey = create_csr(
request, pkey = create_csr(
@ -367,7 +384,6 @@ def test_csr_disallowed_cn(client, logged_in_user):
def test_csr_disallowed_san(client, logged_in_user):
def test_csr_disallowed_san(client, logged_in_user):
"""SAN name is disallowed by LEMUR_WHITELISTED_DOMAINS."""
"""SAN name is disallowed by LEMUR_WHITELISTED_DOMAINS."""
from lemur.certificates.service import create_csr
from lemur.common import validators
from lemur.common import validators
request, pkey = create_csr(
request, pkey = create_csr(
@ -418,8 +434,6 @@ def test_reissue_certificate(issuer_plugin, authority, certificate):
def test_create_csr():
def test_create_csr():
from lemur.certificates.service import create_csr
csr, private_key = create_csr(owner='joe@example.com', common_name='ACommonName', organization='test', organizational_unit='Meters', country='US',
csr, private_key = create_csr(owner='joe@example.com', common_name='ACommonName', organization='test', organizational_unit='Meters', country='US',
state='CA', location='Here', key_type='RSA2048')
state='CA', location='Here', key_type='RSA2048')
assert csr
assert csr
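Review bot: test_csr_empty_san (the hunk at `@ -350,9 +349,27 @@`) proves only that no SubjectAlternativeName extension is present, which would hold just as well if `sub_alt_names` were ignored by create_csr altogether; an assertion that the produced CSR is otherwise intact would pin the guard rather than the absence, e.g. `assert csr.is_signature_valid` and `assert csr.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)[0].value == 'daniel-san.example.com'`. The new test also relies on the empty `x509.SubjectAlternativeName([])` being handled on the critical-extensions path of create_csr, which cannot be confirmed from this file. The `client` fixture argument is unused in the new test, though the neighbouring tests take it as well, presumably for application context.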