"pki/sign-verbatim/$role" ignores "not_before_duration"

[Naugrimm]

Describe the bug
"pki/sign-verbatim/$role" ignores "not_before_duration" set in this role.

To Reproduce
Steps to reproduce the behavior:

1. Set up a PKI:

vault secrets enable -path=test-pki pki
vault write test-pki/root/generate/internal common_name=test-ca.localdomain
vault write test-pki/roles/test-localdomain allowed_domains=test.localdomain not_before_duration=24h allow_subdomains=true

2. Create a CSR:

openssl req -new -nodes -newkey rsa:2048 -out client.csr -subj /CN=sub.test.localdomain -batch

3. Sign the CSR via the "sign-verbatim" endpoint:

vault write -format=json test-pki/sign-verbatim/test-localdomain [email protected] ttl=48h format=pem_bundle | jq .data.certificate -r | openssl x509 -noout -dates

Expected behavior
The notBefore date should be $now - 24h.

Environment:

• Vault Server Version (retrieve with vault status): 1.3.2
• Vault CLI Version (retrieve with vault version): 1.3.2
• Server Operating System/Architecture: Linux vault-001 4.19.0-8-amd64 Initial Website Import #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux / Debian 10.3

Vault server configuration file(s):

{
  "api_addr": "...",
  "default_lease_ttl": "768h",
  "listener": {
    "tcp": {
      "address": "127.0.0.1:8200",
      "tls_cert_file": "",
      "tls_disable": "true",
      "tls_key_file": ""
    }
  },
  "max_lease_ttl": "87600h",
  "seal": {
    "transit": {
      "address": "...",
      "disable_renewal": "false",
      "key_name": "autounseal",
      "mount_path": "transit/",
      "tls_skip_verify": "true",
      "token": "..."
    }
  },
  "storage": {
    "consul": {
      "address": "localhost:8500",
      "path": "vault"
    }
  },
  "telemetry": {
    "disable_hostname": true,
    "params": {
      "format": [
        "prometheus"
      ]
    }
  },
  "ui": true
}

Additional context
The "sign" endpoint correctly handles "not_before_duration":

echo "NOW: $(date)"
echo "CERT DATES:"
vault write -format=json test-pki/sign/test-localdomain [email protected] ttl=48h format=pem_bundle | jq .data.certificate -r | openssl x509 -noout -dates

NOW: Mon 09 Mar 2020 09:20:52 AM UTC
CERT DATES:
notBefore=Mar  8 09:20:52 2020 GMT
notAfter=Mar 11 09:20:52 2020 GMT

The "sign-verbatim" endpoint does not:

echo "NOW: $(date)"
echo "CERT DATES:"
vault write -format=json test-pki/sign-verbatim/test-localdomain [email protected] ttl=48h format=pem_bundle | jq .data.certificate -r | openssl x509 -noout -dates

NOW: Mon 09 Mar 2020 09:21:40 AM UTC
CERT DATES:
notBefore=Mar  9 09:21:10 2020 GMT
notAfter=Mar 11 09:21:40 2020 GMT

[jefferai]

This is correct. See https://www.vaultproject.io/api-docs/secret/pki/#inlinecode-name-156

[Naugrimm]

Is there a specific reason that this field is considered in the "sign" endpoint, but not in "sign-verbatim"?

[jefferai]

Yes, the point of sign-verbatim is that you are taking the values verbatim from the CSR rather than applying role parameters to it.

[Naugrimm]

Understood. The problem is, that notBefore- and notAfter-date of a certificate can not be taken from the CSR, as they cannot be specified (Please correct me if I am wrong).

I suppose the "not_before_duration" setting in the role was introduced, because of possible clock skew between the Vault server and the client that verifies the certificate.

This problem occurs regardless if I use the "sign" or "sign-verbatim" endpoint.
In the "sign" endpoint a workaround was introduced, in the "sign-verbatim" not. That's the reason, why I filed a bug issue :)

In "plain openssl" one could manually specify the "-startdate" ($now - $not_before_duration) and "-enddate" ($now + $ttl) parameter when signing a CSR. It would be really great, if Vault would support this scenario in the sign-verbatim-endpoint.

Btw: The reason for using "sign-verbatim" is the requirement to support custom X509v3-extensions.