
PKI: bug regarding "IP Subject Alternative Names are not allowed in this role, but was provided some via CSR" #2553

Closed
bhiggins opened this issue Apr 2, 2017 · 2 comments

@bhiggins
Contributor

bhiggins commented Apr 2, 2017

The CSRs I send to Vault are minimal and do not contain IP SANs (or in fact any SANs). I hit the error in the subject after upgrading to 0.7.0 after being on 0.6.4. After looking at the code I see there are two places where this error is produced and I think I'm hitting this one:

https://github.com/hashicorp/vault/blob/v0.7.0/builtin/logical/pki/cert_util.go#L639

I'm hitting all the conditions: I am sending a CSR, the role does have CSR SANs enabled (since that's the default for this setting, and I wasn't setting it previously), and I do have IP SANs disabled for the role.

Looks like the fix is simple: something like changing the condition on line 637 to "if len(csr.IPAddresses) > 0 && !role.AllowIPSANs".

As a workaround I have disabled CSR SANs for the role which works out fine for my use case.

@jefferai
Member

jefferai commented Apr 2, 2017

Can you provide the CSR? It would help with debugging/verification.

@bhiggins
Contributor Author

bhiggins commented Apr 3, 2017

Certainly. My goal with the CSR is to keep it minimal and use it only to convey the public key (I didn't see another way to do so). Everything else I want in the signed cert is sent outside the CSR (in my case, I only use common_name and alt_names; I've not yet had a need for anything else like ip_sans). As a result, I'm able to generate CSRs very simply with Go like this: csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key). Here's an example, though it doesn't run in the playground because it hits the time limit: https://play.golang.org/p/bwMTM_g5eY

Sample output:

-----BEGIN CERTIFICATE REQUEST-----
MIICRTCCAS0CAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKgr
fzdvVQxhNcib6zo1cH1/1ws2askD4dssafJhUGEatiWTezC4kXJ3EpS9/GUZgFZi
mD9w+8p9hIjEBdmNawHy6qSbd5t4I2+QtkHSLe0C93RGDoXpHrmqNI5W+kbAOhQH
9GB3F6P9dznszWTkijl0xczOLgUDqBQ0wiwR6DFomMr/GU/ALTb/BgUP27aayKV+
HA2m62cFejfezj0kQtDLg1+ZlU22lUg16t4JH/votcbrqjUtB4bnfRFW3lr0R8k/
hkF/9Y58Beo/gLSGKON/5Bq7ITcpHu6EPtMV2rB0My5QM8njI6DhGvSbubLcuJQ6
pu1elZlbM90neIt6tm8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCd7cE9o2uD
Wdl9lw8YbLYuxVk48odzsN4X18e63DXYaAeS3F61TnOXNX9GcZVXeFEzGDzYfvUF
fUDCymLKmwBX6QGJSeP8kCKh9KbNJ1cYSgBrT9Ce7HuiL1tSGERNYBd4ropsf2Fz
UdrF6eBtUamLlVSG1yO+Dn3t4CoD6mO3OX2n8vlkV8UW7Lie5SPhrPoRw91FJOax
4tuAwAhttfeE+yjSrMkPk9XLd1/nqNmlPHPdXVGetoFqVRGYB78CQLQpTd94s5gQ
8ATGQkIiBCFntsT0tGKMPgC73F+oef3fZg7a/rcMdWD6/MY4eBdxudlGQ3fWBmXU
bBaYjiHpEKlZ
-----END CERTIFICATE REQUEST-----

Here's what OpenSSL thinks about this CSR:

$ openssl req -text -noout < csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a7:3d:0d:e5:b7:ef:bb:08:02:e3:75:99:8a:fa:
                    f5:61:ab:a4:56:5b:4c:a7:7e:67:bb:65:fa:d1:58:
                    d7:83:03:b0:da:fb:4f:7a:27:f0:7b:90:a2:74:d8:
                    3d:f6:a7:4f:8a:4b:05:08:95:11:a2:65:8c:a8:12:
                    e0:0b:be:e9:c5:f2:81:ff:bf:69:a6:bb:b3:dc:b5:
                    aa:bb:75:dd:0e:b9:95:42:3d:6d:a8:28:de:0d:d9:
                    0c:d0:dc:7f:5c:d1:09:5a:4b:86:c3:3f:e8:a9:c1:
                    25:de:55:90:25:33:e0:26:4b:37:b0:ce:bc:0f:7b:
                    06:04:fc:80:05:d2:0e:6c:57
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         a5:43:f3:93:83:56:cb:36:d9:d8:53:a4:f7:a2:34:5a:fc:d0:
         17:64:be:0f:3e:cc:6d:09:03:9d:64:02:70:d2:b7:95:31:db:
         fc:48:50:3e:ec:c5:bb:cf:a8:29:a0:b4:09:3c:51:f4:82:24:
         25:68:a9:88:6d:a9:62:70:4a:25:f9:85:da:bd:68:03:93:9c:
         1e:d4:cf:16:5c:09:c3:4e:63:ee:c5:c5:fa:eb:85:a4:16:4e:
         44:85:90:fa:3b:8b:53:39:87:b4:f0:6c:fa:89:3a:41:27:94:
         89:00:85:1a:af:07:cb:b9:fb:2e:79:f3:14:c3:7f:9e:13:5d:
         6c:7d
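The following is an added example, written for this page and not code from the reporter or from Vault's repository. It reproduces the reporter's minimal-CSR technique (an empty x509.CertificateRequest template, so the request carries only the public key and no SAN extension), parses the resulting PEM the way a signer would, and then runs the CSR through two versions of the role check: one modelled on the reporter's description of the 0.7.0 behaviour (reject whenever the role has use_csr_sans on and allow_ip_sans off, regardless of CSR contents) and one using the condition the reporter proposes (reject only when the CSR actually contains IP SANs). The Role struct, its field names, and both check functions are assumptions for illustration, not Vault's own types or source. An EC P-256 key is used instead of the RSA key in the post purely so the example runs quickly; the CSR structure is the same either way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
)

// Role carries the two role flags the issue turns on. Field names are an
// assumption for this example, not Vault's own role struct.
type Role struct {
	UseCSRSANs  bool // the role's use_csr_sans (the default is on)
	AllowIPSANs bool // the role's allow_ip_sans
}

// ErrIPSANsNotAllowed reuses the message the reporter saw.
var ErrIPSANsNotAllowed = errors.New("IP Subject Alternative Names are not allowed in this role, but was provided some via CSR")

// newCSR generates a fresh key and returns a PEM-encoded CSR built from tmpl.
// P-256 rather than RSA only to keep key generation fast (an assumption of
// this example); the resulting CSR structure is the same.
func newCSR(tmpl *x509.CertificateRequest) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// MinimalCSR follows the reporter's approach: an empty template, so the CSR
// carries nothing but the public key (empty Subject, no SAN extension).
func MinimalCSR() ([]byte, error) {
	return newCSR(&x509.CertificateRequest{})
}

// CSRWithIPSAN builds a CSR that does carry an IP SAN, for contrast.
func CSRWithIPSAN(ip string) ([]byte, error) {
	return newCSR(&x509.CertificateRequest{IPAddresses: []net.IP{net.ParseIP(ip)}})
}

// ParseCSR decodes the PEM, parses the request and verifies its self-signature,
// which a signer should do before trusting any field in it.
func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

// CheckIPSANsReported models the 0.7.0 behaviour as the reporter describes it:
// with use_csr_sans on and allow_ip_sans off, the error fires without looking at
// whether the CSR contains any IP SANs. Reconstructed from the report, not
// copied from Vault's source.
func CheckIPSANsReported(csr *x509.CertificateRequest, role Role) error {
	if role.UseCSRSANs && !role.AllowIPSANs {
		return ErrIPSANsNotAllowed
	}
	return nil
}

// CheckIPSANsProposed applies the condition the reporter proposes: reject only
// when the CSR really carries IP SANs that the role forbids.
func CheckIPSANsProposed(csr *x509.CertificateRequest, role Role) error {
	if role.UseCSRSANs && len(csr.IPAddresses) > 0 && !role.AllowIPSANs {
		return ErrIPSANsNotAllowed
	}
	return nil
}

func main() {
	role := Role{UseCSRSANs: true, AllowIPSANs: false}

	pemCSR, err := MinimalCSR()
	if err != nil {
		panic(err)
	}
	fmt.Print(string(pemCSR))

	csr, err := ParseCSR(pemCSR)
	if err != nil {
		panic(err)
	}
	fmt.Printf("IP SANs in CSR: %d, DNS SANs: %d\n", len(csr.IPAddresses), len(csr.DNSNames))
	fmt.Println("check as reported for 0.7.0:", CheckIPSANsReported(csr, role))
	fmt.Println("check as proposed:          ", CheckIPSANsProposed(csr, role))

	// The reporter's workaround: turn use_csr_sans off for the role.
	fmt.Println("workaround (use_csr_sans=false):", CheckIPSANsReported(csr, Role{UseCSRSANs: false}))
}
```

Running it prints a CSR with an empty Subject and no attributes, like the OpenSSL dump above, followed by the reported check rejecting it, the proposed check accepting it, and the workaround role passing. Whichever check is in use, parsing and signature verification of the CSR should happen before any of its fields are consulted, since a CSR's SAN list is attacker-supplied input to the signer.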
