
Validate CSR CN and provided certname before signing
Commit f3419620b420 (unpublished)



Description

Validate CSR CN and provided certname before signing

This adds a few new checks when signing CSRs, to validate the CN. First,
it must conform to a small set of characters, which are the printable
ASCII characters, except for '/' (because we store these in files). This
prevents attacks such as a CN "foo^H^H^Hbar", which appears as "bar" to
"puppet cert list".

The other check is that the certname for the SSL::Host that we think
we're signing must match the CN. This prevents a CSR with the CN "foo"
from being submitted as a CSR for "bar", which would cause it to appear
as "bar" to "puppet cert list", but to issue a certificate for "foo".
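The two checks the commit message describes, as an added example in Ruby that is not Puppet's own code: a CN is accepted only if every character is printable ASCII (0x20 to 0x7e) other than '/', and the certname under which the CSR was submitted must equal the CN actually embedded in the CSR. The module name CsrCheck, the helper names, and the interpretation of "printable ASCII" as the 0x20 to 0x7e range are assumptions; the CSRs are constructed inline with the standard openssl library so the example runs offline.

```ruby
require 'openssl'

# Added example, not Puppet's code. Mimics the checks from the commit message:
#  1. the CN must use a restricted character set, and
#  2. the certname the CA believes it is signing must equal the CSR's CN.
module CsrCheck
  # Printable ASCII (0x20..0x7e) minus '/' (0x2f), because certificates are
  # stored in files named after the CN. Control characters such as backspace
  # (0x08) fall outside the range, so "foo\b\b\bbar" is rejected even though a
  # terminal would render it as "bar". (Assumed reading of "printable ASCII".)
  VALID_CN = /\A[\x20-\x2e\x30-\x7e]+\z/.freeze

  class InvalidCN < StandardError; end
  class CertnameMismatch < StandardError; end

  def self.valid_cn?(cn)
    cn.is_a?(String) && VALID_CN.match?(cn)
  end

  # Read the CN from the subject's component list rather than the "/CN=..."
  # string form, where an embedded '/' would be ambiguous.
  def self.cn_from_csr(csr)
    entry = csr.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
    raise InvalidCN, 'CSR has no CN' unless entry
    entry[1]
  end

  # Returns the validated CN or raises. `certname` is the name the CSR was
  # submitted under (what a listing of pending requests would display).
  def self.check!(csr, certname)
    cn = cn_from_csr(csr)
    raise InvalidCN, "CN #{cn.inspect} contains disallowed characters" unless valid_cn?(cn)
    raise CertnameMismatch, "certname #{certname.inspect} != CN #{cn.inspect}" unless certname == cn
    cn
  end

  # Same decision as check!, returned as a symbol instead of an exception.
  def self.verdict(csr, certname)
    check!(csr, certname)
    :ok
  rescue InvalidCN
    :invalid_cn
  rescue CertnameMismatch
    :mismatch
  end

  # Build a throwaway self-signed CSR with the given CN (constructed input).
  # UTF8STRING is forced so that control characters survive into the subject.
  def self.make_csr(cn, key = OpenSSL::PKey::RSA.new(2048))
    req = OpenSSL::X509::Request.new
    req.version = 0
    req.subject = OpenSSL::X509::Name.new([['CN', cn, OpenSSL::ASN1::UTF8STRING]])
    req.public_key = key
    req.sign(key, OpenSSL::Digest.new('SHA256'))
    req
  end
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048)
  [
    ['web01.example.com', 'web01.example.com'], # honest request
    ["foo\b\b\bbar", 'bar'],                    # backspaces hide "foo" on a terminal
    ['foo', 'bar'],                             # submitted as "bar", CN says "foo"
    ['../etc/passwd', '../etc/passwd']          # '/' would escape the cert directory
  ].each do |cn, certname|
    csr = CsrCheck.make_csr(cn, key)
    puts "certname=#{certname.inspect.ljust(18)} CN=#{cn.inspect.ljust(18)} -> #{CsrCheck.verdict(csr, certname)}"
  end
end
```

The character-set check runs before the certname comparison, so a CN that could not be stored or displayed safely is rejected even when the submitter got the certname "right"; the comparison is an exact string match, not a display-based one, which is what defeats the backspace trick.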

Details

Provenance
Authored by Patrick Carlisle <patrick@puppetlabs.com>
Committed by Nick Lewis <nick@puppetlabs.com> on Jun 27 2012, 2:12 AM
Pushed by vanmeeuwen on Jun 2 2015, 2:22 PM
Parents
rPU34b9c0b6a2e5: Updating CHANGELOG, lib/puppet.rb, conf/redhat/puppet.spec for Puppet 2.7.17
Branches
Unknown
Tags
Unknown

Event Timeline

Nick Lewis <nick@puppetlabs.com> committed rPUf3419620b420: Validate CSR CN and provided certname before signing (authored by Patrick Carlisle <patrick@puppetlabs.com>). Jun 27 2012, 2:12 AM