
Intermediate-CA cert using permitted_dns_domains breaks cert-auth logins #3862

Closed
stampycode opened this issue Jan 29, 2018 · 8 comments

@stampycode
Contributor

When using an intermediate CA with permitted_dns_domains set, any client cert generated by the Intermediate is not permitted to auth into the endpoint. There appears to be a bug whereby the /auth/ endpoint is incorrectly rejecting client certs that match the permitted DNS domain wildcard pattern.

Environment:
(using REST only, no client binary)

  • Vault Version: 0.8.3

Expected Behavior:
The auth/cert login endpoint should auth successfully.

Actual Behavior:

"failed to verify client's certificate: x509: a root or intermediate certificate is not authorized to sign in this domain"

Steps to Reproduce:
Enable 2 PKI endpoints.
Configure one as self-signed root CA.
Configure second as Intermediate CA.
Sign the intermediate with the root CA. (using the permitted_dns_domains option)
Upload the signed intermediate.
Install the Intermediate CA to the /auth/cert endpoint.
Generate a client cert with the Intermediate CA.
Authenticate with the client cert.
Fail.

The above works fully if, when signing the Intermediate CA cert, the 'permitted_dns_domains' option is not used. If the option is used, regardless of what the value is set to, the above process fails with the shown error.

@stampycode stampycode changed the title client auth with custom root CA not working Intermediate-CA cert using permitted_dns_domains breaks cert-auth logins Jan 29, 2018
@jefferai
Member

Are you sure that the name values match? Does this work in 0.9.3?

@stampycode
Contributor Author

stampycode commented Jan 29, 2018

Yeah the names match. I was using a wildcard rule .foo.example.com as well as explicit domain named certs me.foo.example.com.
edit: Haven't tried in 0.9.3 yet.

@jefferai
Member

Sure, but what names are on the certificate you're trying to auth with?

@stampycode
Contributor Author

The name on the certificate was me.foo.example.com.

@jefferai
Member

Can you post the output from openssl x509 -in <cert.pem> -noout -text for the client and CA certs?

@stampycode
Contributor Author

CA:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        33:36:e2:d5:e2:58:68:08:b6:51:1f:5d:35:5b:dc:f4:72:25:d8:f2
Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=rmgops.com
    Validity
        Not Before: Jan 29 18:08:15 2018 GMT
        Not After : Jan 27 18:08:45 2028 GMT
    Subject: CN=intra.rmgops.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            28:2F:27:19:48:EA:D5:62:5D:11:13:2F:F8:59:E0:20:DE:A6:0D:9C
        X509v3 Authority Key Identifier:
            keyid:0D:17:70:E5:E7:75:3C:77:C8:76:F2:5D:17:B4:B1:18:78:65:73:86

        X509v3 Subject Alternative Name:
            DNS:intra.rmgops.com
        X509v3 Name Constraints: critical
            Permitted:
              DNS:.intra.rmgops.com

Signature Algorithm: sha256WithRSAEncryption

Client Cert:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        65:a6:a6:2b:d7:ad:56:a8:17:88:bf:24:f0:6c:54:c2:cd:c9:2e:9e
Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=intra.rmgops.com
    Validity
        Not Before: Jan 29 18:09:31 2018 GMT
        Not After : Jan 28 18:10:01 2023 GMT
    Subject: CN=example.intra.rmgops.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment, Key Agreement
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Subject Key Identifier:
            84:E1:25:F2:DB:FE:98:75:33:69:49:AA:75:16:A2:FD:07:49:E4:56
        X509v3 Authority Key Identifier:
            keyid:28:2F:27:19:48:EA:D5:62:5D:11:13:2F:F8:59:E0:20:DE:A6:0D:9C

        X509v3 Subject Alternative Name:
            DNS:example.intra.rmgops.com
Signature Algorithm: sha256WithRSAEncryption

The domain names have changed since I was testing with example.com above, but the issue is the same. I'm happy to post the pem files if that would be helpful.
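The chain from the openssl output above, rebuilt in Go as an added example (not Vault's code and not from this thread) so the name-constraint check can be exercised without a Vault server: a self-signed CA carrying the same Name Constraints extension (Permitted DNS:.intra.rmgops.com) stands in for the uploaded intermediate, since a cert-auth login only ever sees that CA plus the client cert, and the verify call sets no DNSName because nothing is being connected to. The names rmgops.com/intra.rmgops.com come from the thread; example.other.rmgops.com is a constructed out-of-scope name used to show the constraint actually rejecting a cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signerKey (nil means self-signed) over a fresh P-256 key.
func issue(tmpl, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if signerKey == nil {
		signerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // parse so the CA's PublicKey is set for chaining
	return cert, key
}

// BuildChain makes the issue's constrained CA (Permitted DNS:.intra.rmgops.com) and a client cert with SAN leafName.
func BuildChain(leafName string) (ca, leaf *x509.Certificate) {
	now := time.Now()
	ct := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "intra.rmgops.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: []string{".intra.rmgops.com"}, PermittedDNSDomainsCritical: true}
	ca, caKey := issue(ct, ct, nil) // the trust anchor a cert-auth login sees
	lt := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafName}, DNSNames: []string{leafName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leaf, _ = issue(lt, ca, caKey)
	return ca, leaf
}

// VerifyClient mirrors a cert-auth login: the CA is the trust anchor, the EKU is client auth, and no
// DNSName is given since nothing is being connected to; the name constraint applies to the leaf's SANs.
func VerifyClient(ca, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Under Go 1.10 or later VerifyClient returns nil for example.intra.rmgops.com and a "not authorized to sign" error for example.other.rmgops.com, so the constraint does its job; the pre-1.10 verifier compared DNS name constraints only against VerifyOptions.DNSName, which a client-cert check leaves empty, and that path is consistent with the error quoted in this thread.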

@jefferai
Member

Cool, thanks...having this should help with trying to reproduce. I'm not sure what the issue is yet, although I think this is coming from straight Go verification logic. I'll try to address by 0.9.4.

@jefferai jefferai added this to the 0.9.4 milestone Jan 29, 2018
@jefferai
Member

@stampycode would you be able to test a change from a branch?
