
PKI: Certificates issued by Vault do not have DER-ordered distinguished names #9705


Closed
williams-brian opened this issue Aug 10, 2020 · 1 comment

Comments

@williams-brian

williams-brian commented Aug 10, 2020

Describe the bug
RFC 5280 (Section 4.1) says that certificate fields are to be encoded with DER when calculating X.509 signatures.
Section 11.6 of the X.690 standard says that a set-of component must be ordered in lexicographical order when the encoding is DER.
The distinguished names of certificates generated by Vault do not obey this rule, and this causes certificate validation failures when the validator correctly distinguishes between BER (which is unordered) and DER (this is uncommon, but I know that validation fails with at least BouncyCastle).

To Reproduce
Run these commands on a fresh Vault instance:

vault secrets enable pki

vault write pki/root/generate/internal \
    common_name=example.com \
    ttl=8760h

vault write pki/config/urls \
    issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
    crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

vault write pki/roles/example \
    allow_any_name=true \
    country=US \
    province=California \
    locality='San Francisco' \
    organization=Hashicorp \
    ou='test,long test'

vault write -format=json pki/issue/example common_name=example.com ttl=24h | jq -r .data.certificate | openssl x509 -subject -noout
=> subject= /C=US/ST=California/L=San Francisco/O=Hashicorp/OU=long test/OU=test/CN=example.com

Observe the subject output: /C=US/ST=California/L=San Francisco/O=Hashicorp/OU=long test/OU=test/CN=example.com

Expected behavior
The correct output should be: /C=US/ST=California/L=San Francisco/O=Hashicorp/OU=test/OU=long test/CN=example.com
There are two OUs, and shorter values come before longer values in DER ordering.

Environment:

  • Vault Server Version (retrieve with vault status): v1.4.3
  • Vault CLI Version (retrieve with vault version): v1.4.3
  • Server Operating System/Architecture: Linux

Vault server configuration file(s):
None, but I started Vault with these commands:

vault-dev-env() {
    export VAULT_TOKEN=TEST \
           VAULT_ADDR='http://localhost:8200' \
           VAULT_DEV_ROOT_TOKEN_ID=TEST \
           MYSQL_URL='vault:vault@tcp(localhost:3306)/'
}

docker run --rm -d \
    -e MYSQL_ROOT_PASSWORD=root \
    -e MYSQL_DATABASE=main \
    -e MYSQL_USER=vault \
    -e MYSQL_PASSWORD=vault \
    -p 3306:3306 mysql:5.7 --default-authentication-plugin=mysql_native_password \
    && vault-dev-env && vault server -dev

Additional context
This is a bug in golang encoding/asn1 and it has already been fixed upstream in Go 1.15 with golang/go#38228.
I have submitted this issue for tracking purposes.
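The ordering rule the report relies on, shown in working code as an added example (it is not part of the issue, of Vault, or of Go's own source): `marshalSubject` encodes the reporter's subject with the standard library, which sorts the two-valued OU SET when the toolchain is Go 1.15 or newer (that version is an assumption of this example); `marshalSubjectUnsorted` and the `tlv` helper are written here to emulate the pre-1.15 encoding the report describes; `checkRDNOrdering` is a DER-ordering validator that can be pointed at any encoded subject or issuer Name, with `derCompare` implementing the X.690 11.6 comparison. All function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// exampleSubject mirrors the role in the report; the two OU values are listed
// in role order, which is not DER order (constructed example input).
func exampleSubject() pkix.Name {
	return pkix.Name{Country: []string{"US"}, Province: []string{"California"},
		Locality: []string{"San Francisco"}, Organization: []string{"Hashicorp"},
		OrganizationalUnit: []string{"long test", "test"}, CommonName: "example.com"}
}

// marshalSubject uses the standard library: pkix.Name puts all values of one
// attribute type into one RDN (a single SET OF), and from Go 1.15 on
// asn1.Marshal sorts that SET OF as X.690 11.6 requires.
func marshalSubject(name pkix.Name) ([]byte, error) {
	return asn1.Marshal(name.ToRDNSequence())
}

// tlv builds a DER tag-length-value triple (contents up to 255 bytes suffice here).
func tlv(tag byte, content []byte) []byte {
	hdr := []byte{tag, byte(len(content))}
	if len(content) >= 0x80 {
		hdr = []byte{tag, 0x81, byte(len(content))} // long-form length
	}
	return append(hdr, content...)
}

// marshalSubjectUnsorted emulates the pre-1.15 behaviour from the report: each
// AttributeTypeAndValue is encoded on its own and the SET keeps declaration
// order with no DER sort (helper written for this example, not Go's own code).
func marshalSubjectUnsorted(name pkix.Name) ([]byte, error) {
	var seq []byte
	for _, rdn := range name.ToRDNSequence() {
		var set []byte
		for _, atv := range rdn {
			enc, err := asn1.Marshal(atv)
			if err != nil {
				return nil, err
			}
			set = append(set, enc...)
		}
		seq = append(seq, tlv(0x31, set)...) // 0x31: constructed SET
	}
	return tlv(0x30, seq), nil // 0x30: constructed SEQUENCE
}

// derCompare orders two encodings per X.690 11.6: as octet strings, with the
// shorter one padded at its trailing end with 0x00 bytes.
func derCompare(a, b []byte) int {
	n := len(a)
	if len(b) > n {
		n = len(b)
	}
	pa := append(make([]byte, 0, n), a...) // spare capacity is zero-filled
	pb := append(make([]byte, 0, n), b...)
	return bytes.Compare(pa[:n], pb[:n])
}

// checkRDNOrdering parses a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)
// and returns one message per SET whose components are out of DER order; an
// empty result means the Name is DER-ordered. Component bytes are taken verbatim
// from the input (asn1.RawValue), so re-encoding cannot mask a difference.
func checkRDNOrdering(der []byte) ([]string, error) {
	var rdns []asn1.RawValue
	_, err := asn1.Unmarshal(der, &rdns)
	if err != nil {
		return nil, err
	}
	var problems []string
	for i, rdn := range rdns {
		if rdn.Class != asn1.ClassUniversal || rdn.Tag != asn1.TagSet || !rdn.IsCompound {
			return nil, fmt.Errorf("RDN %d is not a SET", i)
		}
		var prev []byte
		for body := rdn.Bytes; len(body) > 0; {
			var atv asn1.RawValue
			if body, err = asn1.Unmarshal(body, &atv); err != nil {
				return nil, fmt.Errorf("RDN %d: %v", i, err)
			}
			if prev != nil && derCompare(prev, atv.FullBytes) > 0 {
				problems = append(problems, fmt.Sprintf("RDN %d: % x precedes the smaller % x", i, prev, atv.FullBytes))
			}
			prev = atv.FullBytes
		}
	}
	return problems, nil
}

func main() {
	for _, enc := range []func(pkix.Name) ([]byte, error){marshalSubject, marshalSubjectUnsorted} {
		der, _ := enc(exampleSubject())
		problems, err := checkRDNOrdering(der)
		fmt.Printf("violations: %v (err: %v)\n", problems, err)
	}
}
```

With `go run`, the first encoding reports no violations and the second reports one for the OU SET, where the 18-byte encoding of "long test" precedes the 13-byte encoding of "test": the length octet (0x10 versus 0x0b) is the first byte that differs, which is why shorter values sort first, as the report says. Applied to the `RawSubject` field of a parsed `x509.Certificate`, the same checker tells you whether a certificate issued by an older Vault will trip a validator that enforces DER.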

@HridoyRoy
Contributor

Hello,
Thanks for filing this issue! Vault is now using Go 1.15, so I am marking this as resolved.
