diff --git a/pkg/util/pki/match.go b/pkg/util/pki/match.go index e59aec5cd..0024db5f9 100644 --- a/pkg/util/pki/match.go +++ b/pkg/util/pki/match.go @@ -151,27 +151,13 @@ func RequestMatchesSpec(req *cmapi.CertificateRequest, spec cmapi.CertificateSpe } if spec.OtherNames != nil { - sanExtension, err := extractSANExtension(x509req.Extensions) - if err != nil { - violations = append(violations, "spec.otherNames") - } - - generalNames, err := UnmarshalSANs(sanExtension.Value) + matched, err := matchOtherNames(x509req.Extensions, spec.OtherNames) if err != nil { return nil, err } - - CertificateRequestOtherNameSpec, err := ToOtherNameSpec(generalNames.OtherNames) - if err != nil { - // This means the CertificateRequest's otherName was not a utf8 valued - violations = append(violations, "spec.otherName") - } - if !util.EqualOtherNamesUnsorted(CertificateRequestOtherNameSpec, spec.OtherNames) { - - // This means the oid or utf8Value did not match + if !matched { violations = append(violations, "spec.otherNames") } - } if spec.LiteralSubject == "" { @@ -242,6 +228,30 @@ func RequestMatchesSpec(req *cmapi.CertificateRequest, spec cmapi.CertificateSpe return violations, nil } +func matchOtherNames(extension []pkix.Extension, otherNames []cmapi.OtherName) (bool, error) { + sanExtension, err := extractSANExtension(extension) + if err != nil { + return false, nil + } + + generalNames, err := UnmarshalSANs(sanExtension.Value) + if err != nil { + return false, err + } + + CertificateRequestOtherNameSpec, err := ToOtherNameSpec(generalNames.OtherNames) + if err != nil { + // This means the CertificateRequest's otherName was not a utf8 valued + return false, nil + } + + if !util.EqualOtherNamesUnsorted(CertificateRequestOtherNameSpec, otherNames) { + return false, nil + } + + return true, nil +} + func ToOtherNameSpec(parsedOtherName []OtherName) ([]cmapi.OtherName, error) { ret := make([]cmapi.OtherName, len(parsedOtherName)) for index, otherName := range parsedOtherName { 
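Review bot: The `if spec.OtherNames != nil` guard means a request that carries otherName SANs the spec does not declare is never compared, so it can't produce a `spec.otherNames` violation; the same guard is added in the SecretDataAltNamesMatchSpec hunk (`@@ -312,6 +322,16 @@`). Whether that asymmetry is intended depends on how the other SAN fields in this function are compared, which lies outside the hunk; if they are compared unconditionally, the guard should either go or be documented with something like `// otherNames are only checked when the spec declares them; extra otherNames in the request are tolerated`. Note also that `!= nil` treats an explicitly empty `[]cmapi.OtherName{}` differently from an absent field: the empty list reaches matchOtherNames and, if extractSANExtension errors on a missing SAN extension, records a violation, while a nil list skips the check entirely. RequestMatchesSpec starts before and ends after this hunk.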
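Review bot: `matchOtherNames` maps two distinct failures — `extractSANExtension` returning an error and `ToOtherNameSpec` rejecting a non-UTF-8 otherName — to `false, nil`, so a caller cannot tell "no SAN extension" from "SAN present but different" and the discarded `err` values leave no trace in either the violation or the return; only the `UnmarshalSANs` error is surfaced. That contract reproduces the old inline code but is undocumented, so add a doc comment such as `// matchOtherNames reports whether the otherName SANs in extensions equal otherNames (order-insensitive). A missing SAN extension or an otherName that is not UTF-8 counts as a mismatch, not an error; only a malformed SAN extension is returned as an error.` The local `CertificateRequestOtherNameSpec` is now misleading because the helper is also reached from SecretDataAltNamesMatchSpec, and its exported-style capitalisation is unidiomatic for a local; rename it to something like `actual`, and rename the parameter `extension` to `extensions` since it is a slice. When returning the `UnmarshalSANs` error, wrapping it (`fmt.Errorf("parsing subjectAltName extension: %w", err)`, if fmt is already imported in this file) would make the failure attributable in the reconciler's logs.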
@@ -312,6 +322,16 @@ func SecretDataAltNamesMatchSpec(secret *corev1.Secret, spec cmapi.CertificateSp violations = append(violations, "spec.emailAddresses") } + if spec.OtherNames != nil { + matched, err := matchOtherNames(x509cert.Extensions, spec.OtherNames) + if err != nil { + return nil, err + } + if !matched { + violations = append(violations, "spec.otherNames") + } + } + return violations, nil } diff --git a/pkg/util/pki/match_test.go b/pkg/util/pki/match_test.go index 50516aff4..66db88dff 100644 --- a/pkg/util/pki/match_test.go +++ b/pkg/util/pki/match_test.go 
@@ -346,6 +346,73 @@ func TestSecretDataAltNamesMatchSpec(t *testing.T) { }), violations: []string{"spec.ipAddresses"}, }, + "should match if otherNames are equal": { + spec: cmapi.CertificateSpec{ + OtherNames: []cmapi.OtherName{ + { + OID: "1.3.6.1.4.1.311.20.2.3", + UTF8Value: "upn2@testdomain.local", + }, + { + OID: "1.3.6.1.4.1.311.20.2.3", + UTF8Value: "upn@testdomain.local", + }, + }, + }, // openssl req -nodes -newkey rsa:2048 -subj "/CN=someCN" \ + // -addext 'subjectAltName=otherName:msUPN;UTF8:upn@testdomain.local,otherName:msUPN;UTF8:upn2@testdomain.local' -x509 | + data: []byte(`-----BEGIN CERTIFICATE----- +MIIDOzCCAiOgAwIBAgIUJGyXr7GsoPVGC9PkG/QR5NQ3doQwDQYJKoZIhvcNAQEL +BQAwADAeFw0yNDAxMDkxMzQwNDZaFw0yNDAyMDgxMzQwNDZaMAAwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFVLGrwoVnLaVERh5l6/+Wc1bDrEOCrsZz +FUYOBJNpoJmbcl6Cp3DLyqrgkzAXWusUft77DmOpMz5C/2IWtI0Ju/NBg2wCwu6U ++NcL70WTx2h1v7fN0YHdzElGcO018bPpA9QEfzoB07G+G8dqTwUMrCq6qE5vbmY3 +PywXfvCKbES4AFvQAcrm8qBOs4RPMlHp59gTAh9G3oVp1xJBoAHJr4CWbg65+ed9 +d2YbVZjZ3aNbVGGc2Qp2vr9p/pcTtb1oyioCmryQmm3fIOMef6smn/LpFhnFoHUN +bJkBICG2JfHfygYkqukrhGFGv/UnVx7nmkeU5nooh7e0t5/cFbxzAgMBAAGjgaww +gakwHQYDVR0OBBYEFDIkbk6FammEuY6X2HODbctYOIHTMB8GA1UdIwQYMBaAFDIk +bk6FammEuY6X2HODbctYOIHTMA8GA1UdEwEB/wQFMAMBAf8wVgYDVR0RBE8wTaAk +BgorBgEEAYI3FAIDoBYMFHVwbkB0ZXN0ZG9tYWluLmxvY2FsoCUGCisGAQQBgjcU +AgOgFwwVdXBuMkB0ZXN0ZG9tYWluLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQBq +jj/eTo0ZN6rNYPFYW3Uw4nZLasf3bEQlHG7QPJLaBvg87Yrt+1kWEzDhjlIK1bWi +ns56oLuaXIXjzF6KwkqBRLdqD/1bjPn7qX9uIhdncWs1Fi09mQMdI8Mnasx0IPOe +kosmem3A/RnylWmbaCLON/APhAXrPPbW1abI8gXyH5104T0470PY1CvR4Q6MTbXH +LCOnSiou3CO93H1Rnu9AWDXx5c6Fe1LO+AdaihdXLMAJN6NuMZRcXBChAo6d6/kh +/O44u3tp/z6trRdH+D8D68nyx/xjFqq2BFCfyau9T3KmFjZacUWXQv6tTpElFUlZ +7WkwZWxxkjzh9z529B9h +-----END CERTIFICATE-----`), + }, + "should not match if OtherNames are not equal": { + spec: cmapi.CertificateSpec{ + OtherNames: []cmapi.OtherName{ + { + OID: "1.3.6.1.4.1.311.20.2.3", + UTF8Value: "upn@testdomain.local", + 
}, + }, + }, + // generated with openssl with: openssl req -nodes -newkey rsa:2048 -subj "/" \ + // -addext 'subjectAltName=otherName:msUPN;UTF8:ANOTHERUPN@testdomain.local' -x509 + data: []byte(`-----BEGIN CERTIFICATE----- +MIIDGzCCAgOgAwIBAgIULTMrWMewcF6XSc8hM6TnL9L8NrgwDQYJKoZIhvcNAQEL +BQAwADAeFw0yNDAxMDkxMzQyMTVaFw0yNDAyMDgxMzQyMTVaMAAwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnIvWN7Nj/+bST7R1tmxu0olvjwgfPBhCp +/6OiPuANxZtYkQiqIx4KxnA5KErpQHzp9zlExE2FJUd5Fn83V5+we8/tXRT4mdVg +uOhVab8KHXciW2Ia0B6zdJakYL0qy6ol6kQDUansZi+0vBVbRzJIDAJLRSHGjXRT +BlYuZxgyOawD19vdBKDg3zz2vszQprSONM5qefnk0S3nbsIN3rPprifwjCjn+GMc +pcVXF1UizhyGFTxX7CiTNQg2sD6eAxvNHwyPfYo0cAWVXk1Ctoy+nGWX70zYQIw5 +PI9+hagoFBy8AMhg2MgwAJV3Iay8JRnItCkE5xrh6XxMaGzBDTybAgMBAAGjgYww +gYkwHQYDVR0OBBYEFMjP9HapmDU06sI25oFVVX7h4mziMB8GA1UdIwQYMBaAFMjP +9HapmDU06sI25oFVVX7h4mziMA8GA1UdEwEB/wQFMAMBAf8wNgYDVR0RBC8wLaAr +BgorBgEEAYI3FAIDoB0MG0FOT1RIRVJVUE5AdGVzdGRvbWFpbi5sb2NhbDANBgkq +hkiG9w0BAQsFAAOCAQEAbQLZXPWqT78YmhWich59tiQ+3VStjamS/dI9qrgjo3CN +phYWiTe5anIv1tp2MOFD0eueO+zDLtSfFWLTBq4Qce+fDZK4WEPJrj9A/77WP55R +1IGvQVYhEAGVAiSFudp5loUx6LhcADcO45zWq/RBgWKDI4oUu744UZUJ5e68Vb/O +43QVvRF9qkte8X7LCBr1lX1mElh1d+qD2BiTuLzkMJeDNonmBfD1JM1zCZgYXCoE +20gLNilYVngZprTUOjjBYQMdrovC3XG2ByUTAXREyonQpmzRPKRnV+125kQooLXx +PvQpPM/KS8XNIJZXrbaEw0feitL6Pb+8+W5BHVcDkQ== +-----END CERTIFICATE-----`), + violations: []string{"spec.otherNames"}, + }, "should not match if ipAddresses has been made the commonName": { spec: cmapi.CertificateSpec{ IPAddresses: []string{"127.0.0.1"},
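Review bot: The fixture comment in the `should match if otherNames are equal` case is tacked onto the `},` that closes the spec (`}, // openssl req -nodes -newkey rsa:2048 ... \`) and the command ends in a dangling `|`, so it reads as a truncated pipeline; move it to its own lines directly above `data:` as the second case does, and give the complete command. The two new cases exercise only the equal and not-equal paths through SecretDataAltNamesMatchSpec; unless covered elsewhere in the file, the mismatch branches of the new helper — a certificate with no SAN extension, and a certificate whose otherName is not UTF-8 — are untested, and a case where the spec declares no otherNames but the certificate carries one would pin down whether that combination is meant to pass. The enclosing test table starts before and continues past this hunk.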