Describe the bug
It is currently not possible to use allowed_domains_template to create dynamic email address CNs from a PKI Role. I would like to be able to use allowed_domains_template to let users request certificates with a CN of an email address based on their current entity, but due to the way email addresses are split up before being verified against the domain template, it always fails.
To Reproduce
Steps to reproduce the behavior:
Request a certificate from the endpoint with <user_name>@example.com: vault write pki_int/issue/example common_name="ropnop@example.com"
Issuing fails:
* common name ropnop@example.com not allowed by this role
Expected behavior
I would expect the validation check at https://github.com/hashicorp/vault/blob/main/builtin/logical/pki/cert_util.go#L331-L335 to pass by having sanitizedName be the fully provided email address. Currently, it compares the currDomain, which is correctly expanded via the template to ropnop@example.com, to the emailDomain ("example.com") because isEmail is true.
Additional context
The current logic assumes we need to validate the domain suffix of the email only, but when using the template we want to validate the complete email address (i.e. only allow someone to issue a cert matching their username). I could probably get away with putting the email address in a SAN after #10249 gets merged in, but wanted to start a discussion around how to validate email addresses in CNs here.
Happy to open a PR if we agree on an approach?
Doing more research, this seems very related to this stale issue reported here: #5991
It appears it's currently impossible to limit PKI certificate issuing/signing to specific email addresses in either CNs or SANs. You have to allow the entire bare domain, which lets users request certificates for any email address and the bare domain itself.
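The following Go program is an added illustration of the two behaviours discussed in the issue and the follow-up comment; it is not code from hashicorp/vault or from the reporter, and it deliberately reduces the cert_util.go check to the one decision at stake. The names currentCheck, proposedCheck, caller and expandTemplate are hypothetical, and the template variable {{identity.entity.name}} plus the plain string substitution used to expand it are assumptions standing in for Vault's own template expansion. currentCheck mirrors the reported logic (split an email CN at "@" and compare only the domain to each expanded allowed entry), so a template that expands to ropnop@example.com can never match. proposedCheck is one candidate fix, not a merged design: when the expanded allowed entry is itself an email address, compare the whole CN against it. The last check in main shows the over-broad grant the comment describes, where allowing the bare domain admits any mailbox at it.

```go
package main

import (
	"fmt"
	"strings"
)

// caller models the requesting identity. Only the entity name is needed
// for the (assumed) template variable used below.
type caller struct {
	EntityName string
}

// expandTemplate stands in for allowed_domains_template expansion. This is
// an assumption for the example: only {{identity.entity.name}} is supported.
func expandTemplate(tmpl string, c caller) string {
	return strings.ReplaceAll(tmpl, "{{identity.entity.name}}", c.EntityName)
}

// splitEmail returns the domain part of name and whether name looked like an
// email address (exactly one "@", with a non-empty local part and domain).
func splitEmail(name string) (domain string, isEmail bool) {
	at := strings.LastIndex(name, "@")
	if at <= 0 || at == len(name)-1 || strings.Count(name, "@") != 1 {
		return "", false
	}
	return name[at+1:], true
}

// currentCheck reproduces the behaviour reported in the issue: for an email
// CN only the domain suffix is compared against each expanded allowed entry,
// so an entry that expands to "ropnop@example.com" never equals "example.com".
func currentCheck(cn string, allowed []string, c caller) bool {
	emailDomain, isEmail := splitEmail(cn)
	for _, tmpl := range allowed {
		currDomain := expandTemplate(tmpl, c)
		candidate := cn
		if isEmail {
			candidate = emailDomain
		}
		if candidate == currDomain {
			return true
		}
	}
	return false
}

// proposedCheck is one possible fix (an assumption, not a merged design): if
// the expanded allowed entry is itself an email address, the whole CN must
// equal it; otherwise fall back to the existing domain-suffix comparison.
func proposedCheck(cn string, allowed []string, c caller) bool {
	emailDomain, isEmail := splitEmail(cn)
	for _, tmpl := range allowed {
		currDomain := expandTemplate(tmpl, c)
		if _, allowedIsEmail := splitEmail(currDomain); allowedIsEmail {
			// Pinned mailbox: only the caller's own address passes.
			if isEmail && cn == currDomain {
				return true
			}
			continue
		}
		candidate := cn
		if isEmail {
			candidate = emailDomain
		}
		if candidate == currDomain {
			return true
		}
	}
	return false
}

func main() {
	// Constructed role and identity for the demonstration.
	role := []string{"{{identity.entity.name}}@example.com"}
	ropnop := caller{EntityName: "ropnop"}
	for _, cn := range []string{"ropnop@example.com", "alice@example.com"} {
		fmt.Printf("%-20s current=%-5v proposed=%v\n", cn,
			currentCheck(cn, role, ropnop), proposedCheck(cn, role, ropnop))
	}
	// Bare-domain role: both checks accept any mailbox at example.com, which
	// is the over-broad grant the follow-up comment points out.
	bare := []string{"example.com"}
	fmt.Println("anyone@example.com under bare domain:",
		currentCheck("anyone@example.com", bare, ropnop),
		proposedCheck("anyone@example.com", bare, ropnop))
}
```

Run it with `go run main.go`; the first line shows the reported failure (current=false) next to the pinned-mailbox result (proposed=true), the second line shows that a different user's address is still rejected, and the final line shows why allowing the bare domain cannot express a per-user restriction.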