Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to use email address with "allowed_domains_template" for PKI Roles #12694

Closed
ropnop opened this issue Sep 30, 2021 · 2 comments
Closed

Unable to use email address with "allowed_domains_template" for PKI Roles #12694

ropnop opened this issue Sep 30, 2021 · 2 comments
Labels
bug Used to indicate a potential bug secret/pki

Comments

@ropnop
Copy link

ropnop commented Sep 30, 2021

Describe the bug
It is currently not possible to use allowed_domains_template to create dynamic email address CNs from a PKI Role. I would like to be to use the allowed_domains_template to let users request certificates with a CN of an email address based on their current entity, but due to the way email addresses are split up before being verified against the domain template, it always failes.

To Reproduce
Steps to reproduce the behavior:

  1. Enable a PKI endpoint with a policy like this:
{
    "allowed_domains": ["{{identity.entity.aliases.auth_userpass_80888708.name}}@example.com"],
    "max_ttl": "24h",
    "key_usage": "DigitalSignature",
    "ext_key_usgae": "ClientAuth",
    "organization": "Example",
    "ou": "Example",
    "allow_bare_domains": true,
    "client_flag": true,
    "allowed_domains_template": true,
    "enforce_hostnames": false
  }

  1. Request a certificate from the endpoint with <user_name>@example.com: vault write pki_int/issue/example common_name="[email protected]"

  2. Issuing fails:

* common name [email protected] not allowed by this role

Expected behavior
I would expect the validation check at https://github.com/hashicorp/vault/blob/main/builtin/logical/pki/cert_util.go#L331-L335 to pass by having sanitizedName be the fully provided email address. Currently, it compares the currDomain, which is correctly expanded via the template to [email protected], to the emailDomain ("example.com") because isEmail is true.

Additional context
The current logic assumes we need to validate the domain suffix of the email only, but when using the template we want to validate the complete email address (i.e. only allow someone to issue a cert matching their username). I could probably get away putting the email address in a SAN after #10249 gets merged in, but wanted to start a discussion around how to validate email addresses in CNs here.

Happy to open a PR if we agree on an approach?
@ropnop
Copy link
Author

ropnop commented Oct 4, 2021

Doing more research, this seems very related to this stale issue reported here: #5991

It appears it's currently impossible to limit PKI certificate issuing/signing to specific email addresses in either CNs or SANs. You have to allow the entire bare domain, which lets users request certificates for any email address and the bare domain itself

@hghaf099 hghaf099 added bug Used to indicate a potential bug secret/pki labels Oct 4, 2021
@hghaf099
Copy link
Contributor

hghaf099 commented Oct 4, 2021

This issue is a duplicate of #12336, and has been addressed in #12716
Going to close this issue.

@hghaf099 hghaf099 closed this as completed Oct 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Used to indicate a potential bug secret/pki
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ropnop @hghaf099