
(#2848) Reject unknown (== all) extensions on the CSR.
fca1ff08e263


Description

(#2848) Reject unknown (== all) extensions on the CSR.

If we get a CSR with a request extension that we don't recognize, we used to
just ignore those. This can lead to dangerous situations, or at least
surprising behaviour, since we wouldn't copy those extensions into the final
certificate.

This changes that, by establishing an internal policy that we will whitelist
acceptable request extensions, and will hard-reject anything that isn't on
that.

Once something passes the whitelist we will have further policy, which will
enforce sanity in the request => certificate path.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>
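The policy the commit message describes (enumerate the CSR's requested extensions, accept only those on a whitelist, hard-reject everything else) as an added, stand-alone Ruby/OpenSSL example. This is not Puppet's code and not the diff of this commit; the whitelist contents, the function names and the example CSRs are assumptions made for illustration.

```ruby
require 'openssl'

# Hypothetical whitelist of request-extension short names a CA is willing to
# consider. Anything not listed here is rejected outright; whether a listed
# extension's *value* is acceptable is a separate, later policy step.
ALLOWED_REQUEST_EXTENSIONS = %w[subjectAltName].freeze

# Pull the extensions a CSR asks for out of its PKCS#9 extensionRequest
# ("extReq") attribute. The attribute value is a SET holding one SEQUENCE of
# X.509 Extension structures; each one is re-parsed from its DER encoding.
def csr_request_extensions(csr)
  csr.attributes.flat_map do |attr|
    next [] unless attr.oid == 'extReq'
    ext_sequence = attr.value.value.first
    ext_sequence.value.map { |ext_asn1| OpenSSL::X509::Extension.new(ext_asn1.to_der) }
  end
end

# Return the short names (OIDs when OpenSSL has no name) of requested
# extensions that are not on the whitelist. Empty array means "passes".
def unknown_request_extensions(csr, allowed = ALLOWED_REQUEST_EXTENSIONS)
  csr_request_extensions(csr).map(&:oid).reject { |oid| allowed.include?(oid) }
end

# Hard-reject a CSR carrying any non-whitelisted extension; also refuse a CSR
# whose self-signature does not verify, since its attributes are untrusted then.
def check_csr_extensions!(csr, allowed = ALLOWED_REQUEST_EXTENSIONS)
  raise ArgumentError, 'CSR signature does not verify' unless csr.verify(csr.public_key)
  unknown = unknown_request_extensions(csr, allowed)
  unless unknown.empty?
    raise ArgumentError, "CSR requests extensions not permitted by policy: #{unknown.join(', ')}"
  end
  true
end

# --- constructed sample input (not real CSRs from any deployment) -----------

SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed CSR for /CN=example.test carrying the given extensions,
# packed into an extReq attribute the same way a client would.
def build_csr(extensions, key = SAMPLE_KEY)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse('/CN=example.test')
  csr.public_key = key.public_key
  unless extensions.empty?
    factory = OpenSSL::X509::ExtensionFactory.new
    ext_asn1 = extensions.map { |oid, value| OpenSSL::ASN1.decode(factory.create_extension(oid, value).to_der) }
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(ext_asn1)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  # Round-trip through PEM so the check sees exactly what a CA would receive.
  OpenSSL::X509::Request.new(csr.to_pem)
end

CSR_PLAIN   = build_csr([])
CSR_SAN     = build_csr([['subjectAltName', 'DNS:example.test,DNS:www.example.test']])
CSR_SNEAKY  = build_csr([['subjectAltName', 'DNS:example.test'],
                         ['basicConstraints', 'CA:TRUE'],
                         ['extendedKeyUsage', 'serverAuth']])

if $PROGRAM_NAME == __FILE__
  [CSR_PLAIN, CSR_SAN, CSR_SNEAKY].each do |csr|
    begin
      check_csr_extensions!(csr)
      puts "accepted: #{csr.subject} (extensions: #{csr_request_extensions(csr).map(&:oid).join(', ')})"
    rescue ArgumentError => e
      puts "rejected: #{csr.subject}: #{e.message}"
    end
  end
end
```

The sneaky CSR is the case the commit message warns about: silently dropping its basicConstraints and extendedKeyUsage requests would issue a certificate that differs from what was asked for, while copying them through would be worse. Rejecting the whole request forces the requester to ask for only what policy allows.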

Details

Provenance
Authored by Daniel Pittman <daniel@puppetlabs.com>
Committed by Nick Lewis <nick@puppetlabs.com> on Oct 22 2011, 12:51 AM
Pushed by vanmeeuwen on Jun 2 2015, 2:22 PM
Parents
rPU443a7561b63c: (#2848) extract the subjectAltName value from the CSR.
Branches
Unknown
Tags
Unknown

Event Timeline

Nick Lewis <nick@puppetlabs.com> committed rPUfca1ff08e263: (#2848) Reject unknown (== all) extensions on the CSR. (authored by Daniel Pittman <daniel@puppetlabs.com>). Oct 22 2011, 12:51 AM