
(#2848) Reject unknown (== all) extensions on the CSR.
a729d906482d (Unpublished)


Description

(#2848) Reject unknown (== all) extensions on the CSR.

If we get a CSR with a request extension that we don't recognize, we used to
just ignore those. This can lead to dangerous situations, or at least
surprising behaviour, since we wouldn't copy those extensions into the final
certificate.

This changes that, by establishing an internal policy that we will whitelist
acceptable request extensions, and will hard-reject anything that isn't on
that.

Once something passes the whitelist we will have further policy, which will
enforce sanity in the request => certificate path.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
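The whitelist policy described in the commit message, as an added example in Ruby using only the standard openssl library; this is not Puppet's own code. The allowed-extension list, the helper names, the error class and the private OID 1.3.6.1.4.1.99999.1.1 used as the "unknown" request extension are all constructed for the example, as is the CSR it builds and then re-parses from DER to stand in for one received from an agent.

```ruby
require 'openssl'

# Constructed whitelist: request extensions the CA is willing to look at.
# Anything not listed here is hard-rejected before any copying policy runs.
ALLOWED_CSR_EXTENSIONS = %w[subjectAltName].freeze

# Assumed error class for the example (Puppet's real code uses its own).
class UnknownCsrExtensionError < StandardError; end

# Return the X509::Extension objects carried in the CSR's extensionRequest
# (PKCS#9 "extReq") attributes. The attribute value decodes to a SET of
# SEQUENCE OF Extension, so two levels of unwrapping are needed.
def request_extensions(csr)
  csr.attributes.select { |a| a.oid == 'extReq' }.flat_map do |attr|
    attr.value.value.flat_map do |ext_seq|
      ext_seq.value.map { |ext| OpenSSL::X509::Extension.new(ext.to_der) }
    end
  end
end

# OIDs of request extensions that are not on the whitelist. Known OIDs are
# reported by short name (e.g. "subjectAltName"), unknown ones in dotted form,
# so the whitelist must be written with that in mind.
def unknown_request_extensions(csr, allowed = ALLOWED_CSR_EXTENSIONS)
  request_extensions(csr).map(&:oid).reject { |oid| allowed.include?(oid) }
end

# The policy check itself: reject the whole CSR if any extension is unknown.
def validate_request_extensions!(csr, allowed = ALLOWED_CSR_EXTENSIONS)
  unknown = unknown_request_extensions(csr, allowed)
  unless unknown.empty?
    raise UnknownCsrExtensionError,
          "CSR for #{csr.subject} carries unknown request extension(s): #{unknown.join(', ')}"
  end
  true
end

# Constructed CSR builder: signs a request for +cn+ that carries +extensions+
# in an extReq attribute, then round-trips it through DER as a received CSR would be.
def build_csr(cn, extensions)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  req.public_key = key.public_key
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(extensions)])
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::X509::Request.new(req.to_der)
end

# A CSR with only a subjectAltName passes the whitelist.
def sample_good_csr
  ef = OpenSSL::X509::ExtensionFactory.new
  build_csr('agent.example.test', [ef.create_extension('subjectAltName', 'DNS:agent.example.test')])
end

# A CSR that additionally carries a private, unrecognised extension is rejected.
def sample_bad_csr
  ef = OpenSSL::X509::ExtensionFactory.new
  build_csr('agent.example.test', [
    ef.create_extension('subjectAltName', 'DNS:agent.example.test'),
    OpenSSL::X509::Extension.new('1.3.6.1.4.1.99999.1.1', 'constructed opaque value')
  ])
end

if __FILE__ == $PROGRAM_NAME
  puts "good CSR: #{validate_request_extensions!(sample_good_csr)}"
  begin
    validate_request_extensions!(sample_bad_csr)
  rescue UnknownCsrExtensionError => e
    puts "bad CSR rejected: #{e.message}"
  end
end
```

The check runs before anything is copied into a certificate, which is the point of the message: an extension the CA does not understand is neither silently dropped nor blindly honoured, it fails the request outright so the submitter finds out.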

Details

Provenance
Daniel Pittman <daniel@puppetlabs.com> Authored on
Nick Lewis <nick@puppetlabs.com> Committed on Oct 21 2011, 7:13 PM
vanmeeuwen Pushed on Jun 2 2015, 2:22 PM
Parents
rPUf4fc11d4e6c8: (#2848) extract the subjectAltName value from the CSR.
Branches
Unknown
Tags
Unknown

Event Timeline

Nick Lewis <nick@puppetlabs.com> committed rPUa729d906482d: (#2848) Reject unknown (== all) extensions on the CSR. (authored by Daniel Pittman <daniel@puppetlabs.com>). Oct 21 2011, 7:13 PM