
Commit 03becc4

committed
Make sure to set uri_sans parameter
Signed-off-by: Tomoya Usami <[email protected]>
1 parent 3f67b6b commit 03becc4


5 files changed

+82
-43
lines changed

Lines changed: 6 additions & 6 deletions
@@ -1,8 +1,8 @@
11
-----BEGIN CERTIFICATE REQUEST-----
2-
MIH5MIGfAgEAMD0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZTUElGRkUxHTAbBgNV
3-
BAMMFHRlc3QtaW50ZXJtZWRpYXRlLWNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
4-
QgAEJdubi12ArVLguehwX4rkj0YoWYfl2RXtWswLfJuCRRUBNDCmARprr/nbcW2+
5-
0tQ1gyFnvv04J8D5bz2dnxvB9aAAMAoGCCqGSM49BAMCA0kAMEYCIQDb0bE0odj5
6-
EXz81sEgUl4DOfcYZ34YOSusS+YElc3jTgIhAPIzNH+mD0goEVgWuVvmgNbZmftw
7-
8mQYInhuqXq0AmL6
2+
MIIBEDCBuAIBADAdMQswCQYDVQQGEwJVUzEOMAwGA1UEChMFU1BJUkUwWTATBgcq
3+
hkjOPQIBBggqhkjOPQMBBwNCAAQI1FDnfpUSdXuUJewcmF+Mlxn1AzsnCIP/zUVm
4+
ipFC9HtCWgE+5t/C1zChb7LkqhmIDaFmN8BsPpMJyzGoqPLfoDkwNwYJKoZIhvcN
5+
AQkOMSowKDAmBgNVHREEHzAdhhtzcGlmZmU6Ly9pbnRlcm1lZGlhdGUtc3BpcmUw
6+
CgYIKoZIzj0EAwIDRwAwRAIgK6jQpWH/yqgj1lA+Trt4kUfHv4zUPXYnpoHu1OM7
7+
dA0CIEi3E5epUlzXO9gH5lXa/HlbVhVoZK5lcc17tCjAQQlu
88
-----END CERTIFICATE REQUEST-----

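--- a/pkg/server/plugin/upstreamauthority/vault/vault_client.go
+++ b/pkg/server/plugin/upstreamauthority/vault/vault_client.go
@@ -350,10 +350,19 @@ func (c *Client) LookupSelf(token string) (*vapi.Secret, error) {
 func (c *Client) SignIntermediate(ttl string, csr *x509.CertificateRequest) (*SignCSRResponse, error) {
 	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csr.Raw})
 
+	var uris []string
+	for _, uri := range csr.URIs {
+		uris = append(uris, uri.String())
+	}
+	if len(uris) == 0 {
+		return nil, status.Errorf(codes.Internal, "CSR must have least one URIs")
+	}
+
 	reqData := map[string]interface{}{
 		"common_name": csr.Subject.CommonName,
 		"organization": strings.Join(csr.Subject.Organization, ","),
 		"country": strings.Join(csr.Subject.Country, ","),
+		"uri_sans": strings.Join(uris, ","),
 		"csr": string(csrPEM),
 		"ttl": ttl,
 	}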
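Review bot: The new error at `return nil, status.Errorf(codes.Internal, "CSR must have least one URIs")` is ungrammatical and calls the format variant with no verbs; `return nil, status.Error(codes.Internal, "CSR must have at least one URI SAN")` says the same thing cleanly, and the guard could run before `pem.EncodeToMemory` so a rejected CSR is not encoded first. The joined `uri_sans` value relies on Vault splitting the string on commas, so a URI containing a comma would be mis-parsed; SPIFFE IDs cannot contain one, but nothing in this hunk checks that `csr.URIs` are SPIFFE IDs, so a comment recording the assumption would help: `// Vault takes uri_sans comma-separated; the CSR URIs are expected to be SPIFFE IDs, which contain no commas.` Passing the SANs explicitly presumably means the Vault role must allow them (allowed_uri_sans), which is worth a line in the plugin docs if it is not already there. SignIntermediate continues past the end of this hunk.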

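--- a/pkg/server/plugin/upstreamauthority/vault/vault_client_test.go
+++ b/pkg/server/plugin/upstreamauthority/vault/vault_client_test.go
@@ -633,6 +633,7 @@ func TestSignIntermediate(t *testing.T) {
 	require.NoError(t, err)
 
 	testTTL := "0"
+	spiffeID := "spiffe://intermediate-spire"
 	csr, err := pemutil.LoadCertificateRequest(testReqCSR)
 	require.NoError(t, err)
 
@@ -641,6 +642,19 @@ func TestSignIntermediate(t *testing.T) {
 	require.NotNil(t, resp.UpstreamCACertPEM)
 	require.NotNil(t, resp.UpstreamCACertChainPEM)
 	require.NotNil(t, resp.CACertPEM)
+
+	cert, err := pemutil.ParseCertificate([]byte(resp.CACertPEM))
+	require.NoError(t, err)
+
+	hasURISAN := func(spiffeID string, cert *x509.Certificate) bool {
+		for _, uri := range cert.URIs {
+			if uri.String() == spiffeID {
+				return true
+			}
+		}
+		return false
+	}(spiffeID, cert)
+	require.True(t, hasURISAN)
 }
 
 func TestSignIntermediateErrorFromEndpoint(t *testing.T) {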
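Review bot: The new assertion only checks that one expected URI appears somewhere in `cert.URIs`, so a certificate carrying additional URI SANs would still pass, and the expected value is a string literal duplicated from the testdata CSR rather than taken from the CSR the test already parsed. Asserting the issued certificate's URI SANs equal the request's is tighter and survives a fixture change: `require.Len(t, cert.URIs, 1)` followed by `require.Equal(t, csr.URIs[0].String(), cert.URIs[0].String())`. That also removes the immediately-invoked `hasURISAN` closure, an unusual shape for a test helper; if a helper is wanted, a named function or `require.Contains` over the stringified URIs reads more naturally. Whether the fake Vault endpoint used by this test actually honours `uri_sans` or simply echoes the CSR is not visible in this hunk.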
