Tidy and revoke error out on certificates with duplicate extension (Vault #27219) #659

Open
fatima2003 opened this issue Oct 27, 2024 · 0 comments · May be fixed by #665
Labels
bug Something isn't working

Comments

@fatima2003
Contributor

fatima2003 commented Oct 27, 2024

This is an issue reported on vault issues/27219 by @Garagoth.

Description
When a certificate with duplicate extensions exists and tidy is run, the process fails:

unable to parse stored certificate with serial \"06-e0-83-88-22-be-91-7f-8d-07-2e-21-35-01-f1-66-95-a0-de-35\": x509: certificate contains duplicate extensions

This is the line catching the failure:

return fmt.Errorf("unable to parse stored certificate with serial %q: %w", serial, err)

PR 16700 solved the problem of creating these invalid certificates, but there's no way to get rid of them.

To Reproduce

  1. Have a certificate with duplicate extensions.
  2. Run the tidy process.

Expected behavior
Since certificates with duplicate extensions are deemed invalid in RFC 5290, Section 4.2, a way to delete these invalid certificates should exist.

If the tidy operation is run with certificates with extra extensions, they should be skipped OR the tidy operation stops and a warning which includes the command to delete them should be thrown.
I'm working on the fix for this :)

@fatima2003 fatima2003 added the bug Something isn't working label Oct 27, 2024
@fatima2003 fatima2003 linked a pull request Oct 28, 2024 that will close this issue