Set max commonName length to 64 characters

Signed-off-by: James Munnelly <james@munnelly.eu>
This commit is contained in:
James Munnelly 2019-07-04 17:16:23 +01:00
parent edbe6e20ad
commit 34e4214ac2
5 changed files with 37 additions and 28 deletions


@ -78,16 +78,16 @@ spec:
commonName:
description: CommonName is a common name to be used on the Certificate.
If no CommonName is given, then the first entry in DNSNames is used
as the CommonName. The CommonName should have a length shorter than
64 bytes to avoid generating invalid CSRs; in order to have longer
as the CommonName. The CommonName should have a length of 64 characters
or fewer to avoid generating invalid CSRs; in order to have longer
domain names, set the CommonName (or first DNSNames entry) to have
less than 64 bytes, and then add the longer domain name to DNSNames.
64 characters or fewer, and then add the longer domain name to DNSNames.
type: string
dnsNames:
description: DNSNames is a list of subject alt names to be used on the
Certificate. If no CommonName is given, then the first entry in DNSNames
is used as the CommonName - any requirements for the CommonName would
then also apply to this first entry.
is used as the CommonName and must have a length of 64 characters
or fewer.
items:
type: string
type: array


@ -85,11 +85,11 @@ Appears In:
</tr>
<tr>
<td><code>commonName</code><br /> <em>string</em></td>
<td>CommonName is a common name to be used on the Certificate. If no CommonName is given, then the first entry in DNSNames is used as the CommonName. The CommonName should have a length shorter than 64 bytes to avoid generating invalid CSRs; in order to have longer domain names, set the CommonName (or first DNSNames entry) to have less than 64 bytes, and then add the longer domain name to DNSNames.</td>
<td>CommonName is a common name to be used on the Certificate. If no CommonName is given, then the first entry in DNSNames is used as the CommonName. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs; in order to have longer domain names, set the CommonName (or first DNSNames entry) to have 64 characters or fewer, and then add the longer domain name to DNSNames.</td>
</tr>
<tr>
<td><code>dnsNames</code><br /> <em>string array</em></td>
<td>DNSNames is a list of subject alt names to be used on the Certificate. If no CommonName is given, then the first entry in DNSNames is used as the CommonName - any requirements for the CommonName would then also apply to this first entry.</td>
<td>DNSNames is a list of subject alt names to be used on the Certificate. If no CommonName is given, then the first entry in DNSNames is used as the CommonName and must have a length of 64 characters or fewer.</td>
</tr>
<tr>
<td><code>duration</code><br /> *<a href="#duration-v1">Duration</a>*</td>


@ -66,10 +66,10 @@ type CertificateSpec struct {
// CommonName is a common name to be used on the Certificate.
// If no CommonName is given, then the first entry in DNSNames is used as
// the CommonName.
// The CommonName should have a length shorter than 64 bytes to avoid
// The CommonName should have a length of 64 characters or fewer to avoid
// generating invalid CSRs; in order to have longer domain names, set the
// CommonName (or first DNSNames entry) to have less than 64 bytes, and
// then add the longer domain name to DNSNames.
// CommonName (or first DNSNames entry) to have 64 characters or fewer,
// and then add the longer domain name to DNSNames.
// +optional
CommonName string `json:"commonName,omitempty"`
@ -87,8 +87,7 @@ type CertificateSpec struct {
// DNSNames is a list of subject alt names to be used on the Certificate.
// If no CommonName is given, then the first entry in DNSNames is used as
// the CommonName - any requirements for the CommonName would then also
// apply to this first entry.
// the CommonName and must have a length of 64 characters or fewer.
// +optional
DNSNames []string `json:"dnsNames,omitempty"`


@ -50,14 +50,14 @@ func ValidateCertificateSpec(crt *v1alpha1.CertificateSpec, fldPath *field.Path)
if len(crt.CommonName) == 0 && len(crt.DNSNames) == 0 {
el = append(el, field.Required(fldPath.Child("dnsNames"), "at least one dnsName is required if commonName is not set"))
}
// if a common name has been specified, ensure it is no longer than 63 chars
if len(crt.CommonName) > 63 {
el = append(el, field.TooLong(fldPath.Child("commonName"), crt.CommonName, 63))
// if a common name has been specified, ensure it is no longer than 64 chars
if len(crt.CommonName) > 64 {
el = append(el, field.TooLong(fldPath.Child("commonName"), crt.CommonName, 64))
}
// if the common name has *not* been specified, ensure the first dnsName is no longer than 63 chars
// if the common name has *not* been specified, ensure the first dnsName is no longer than 64 chars
// as it will be used as the commonName
if crt.CommonName == "" && len(crt.DNSNames) > 0 && len(crt.DNSNames[0]) > 63 {
el = append(el, field.TooLong(fldPath.Child("dnsNames").Index(0), crt.DNSNames[0], 63))
if crt.CommonName == "" && len(crt.DNSNames) > 0 && len(crt.DNSNames[0]) > 64 {
el = append(el, field.TooLong(fldPath.Child("dnsNames").Index(0), crt.DNSNames[0], 64))
}
if len(crt.IPAddresses) > 0 {
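Review bot: `len(crt.CommonName) > 64` and `len(crt.DNSNames[0]) > 64` count UTF-8 bytes, while the comments changed in this hunk and the CertificateSpec doc comments in the hunk above now promise a limit of "64 characters", so a commonName containing multibyte characters can be rejected here even though it is within the documented limit (the previous wording, "bytes", matched the check). If the intended bound is characters, compare `utf8.RuneCountInString(crt.CommonName) > 64` and `utf8.RuneCountInString(crt.DNSNames[0]) > 64` (importing `unicode/utf8`) and pass the same count to `field.TooLong`; if the intended bound is the encoded byte length, keep `len` and restore "bytes" in the comments and the CRD description so the documentation matches the validation. A test case with a multibyte commonName at the boundary would pin whichever choice is made. ValidateCertificateSpec begins before this hunk and continues after it.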


@ -395,53 +395,63 @@ func TestValidateCertificate(t *testing.T) {
field.Invalid(fldPath.Child("ipAddresses").Index(0), "blah", "invalid IP address"),
},
},
"invalid certificate with commonName longer than 63 bytes": {
"valid certificate with commonName exactly 64 bytes": {
cfg: &v1alpha1.Certificate{
Spec: v1alpha1.CertificateSpec{
CommonName: "this-is-a-certificate-common-name-which-is-longer-than-sixty-three-bytes",
CommonName: "this-is-a-big-long-string-which-is-exactly-sixty-four-characters",
SecretName: "abc",
IssuerRef: validIssuerRef,
},
},
errs: []*field.Error{},
},
"invalid certificate with commonName longer than 64 bytes": {
cfg: &v1alpha1.Certificate{
Spec: v1alpha1.CertificateSpec{
CommonName: "this-is-a-big-long-string-which-has-exactly-sixty-five-characters",
SecretName: "abc",
IssuerRef: validIssuerRef,
},
},
errs: []*field.Error{
field.TooLong(fldPath.Child("commonName"), "this-is-a-certificate-common-name-which-is-longer-than-sixty-three-bytes", 63),
field.TooLong(fldPath.Child("commonName"), "this-is-a-big-long-string-which-has-exactly-sixty-five-characters", 64),
},
},
"invalid certificate with no commonName and first dnsName longer than 63 bytes": {
"invalid certificate with no commonName and first dnsName longer than 64 bytes": {
cfg: &v1alpha1.Certificate{
Spec: v1alpha1.CertificateSpec{
SecretName: "abc",
IssuerRef: validIssuerRef,
DNSNames: []string{
"this-is-a-certificate-dns-name-which-is-longer-than-sixty-three-bytes",
"this-is-a-big-long-string-which-has-exactly-sixty-five-characters",
"dnsName",
},
},
},
errs: []*field.Error{
field.TooLong(fldPath.Child("dnsNames").Index(0), "this-is-a-certificate-dns-name-which-is-longer-than-sixty-three-bytes", 63),
field.TooLong(fldPath.Child("dnsNames").Index(0), "this-is-a-big-long-string-which-has-exactly-sixty-five-characters", 64),
},
},
"valid certificate with no commonName and second dnsName longer than 63 bytes": {
"valid certificate with no commonName and second dnsName longer than 64 bytes": {
cfg: &v1alpha1.Certificate{
Spec: v1alpha1.CertificateSpec{
SecretName: "abc",
IssuerRef: validIssuerRef,
DNSNames: []string{
"dnsName",
"this-is-a-certificate-dns-name-which-is-longer-than-sixty-three-bytes",
"this-is-a-big-long-string-which-has-exactly-sixty-five-characters",
},
},
},
},
"valid certificate with commonName and first dnsName longer than 63 bytes": {
"valid certificate with commonName and first dnsName longer than 64 bytes": {
cfg: &v1alpha1.Certificate{
Spec: v1alpha1.CertificateSpec{
CommonName: "testcn",
SecretName: "abc",
IssuerRef: validIssuerRef,
DNSNames: []string{
"this-is-a-certificate-dns-name-which-is-longer-than-sixty-three-bytes",
"this-is-a-big-long-string-which-has-exactly-sixty-five-characters",
"dnsName",
},
},