-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CRLs generated by PKI engine convert issuer name from UTF8String to PrintableString in the ASN.1 structure #10550
Comments
Hey, thanks for the comment and the details! Have you checked if this issue is still present in more recent versions of Vault? I looked at the issue that you linked, and it appears it was fixed in Go back in 2012. We upgrade to newer versions of Go frequently so if this is a language bug it should have been fixed a long time ago. With that, I'm going to close the issue. If this bug is still present in more recent versions of Vault please re-open and let us know! And thanks again! |
I was wrong to say that the issue was caused by that bug in Go, but it is closely related to it. The fix for that bug was to promote the field to UTF8String as needed according to the content of the string that is being marshalled to ASN.1. I will check again on the latest version, but I expect it will still have the same problem. I'll reopen this issue if that is the case. |
Hi @swayne275, I confirmed that the issue is still present in vault 1.6.1. I used a self signed certificate in UTF-8 encoding, generated like this:
The command I then setup a PKI secrets engine:
You can now |
I'll reopen for discussion but I don't think that this is an issue in Vault. Not that we can't consider a workaround if this is indeed default Windows behavior, but using the name on the cert for revocation is not a part of the CRL spec. It is supposed to be a combination of the issuer's key and the serial number of the certificate. Given that, converting from PrintableString to UTF8String or vice versa depending on whether there is a need for UTF8 is completely valid, because it's only supporting information and not security-sensitive information. Is this a particular program on Windows? Or Windows itself (and if so, which version(s))? |
Thanks for reopening. The part of the spec you are referring to is about matching a certificate with an entry in the certificate revocation list, to determine if it is revoked or not. The problem I am having however is about the issuer of the CRL itself. Section 6 of the spec covers path validation of the certification path used to verify the signature on the CRL itself. If I understand it correctly, in 6.3.3 (b)(1) it is mentioned that the issuer of the CRL should match the issuer of the certificate that is being checked for revocation. This is done by windows itself. More specifically, we are encountering the issue in the context of public key based Windows logon using Kerberos PKINIT. As far as I know this behaviour is present in all Windows versions since at least server 2008 and probably even before that. This issue may be under the radar a bit because by default, Active Directory Certificate Services only creates (CA) certificates with PrintableString, and you have to change a setting (https://mskb.pkisolutions.com/kb/890772) to get a UTF8String issuer name that will trigger the issue. However, it is still a valid thing to do according to the spec (and the German PKI standard mentioned in the link). You could also encounter this issue if you use a different PKI than the default Windows one. |
This section which defines the term “issuer” is also of interest: https://tools.ietf.org/html/rfc5280#section-4.1.2.4 |
I tried to reproduce the issue with openssl, but there it seems to work, ignoring the encoding difference. So it seems that you are correct that this is not a bug in vault but instead a bug in Windows. However, the proposed solution to keep the original encoding that was in the CA certificate for the issuer in the CRL would solve this issue for Windows, and should not cause issues for other implementations such as openssl, since they would then simply be comparing UTF8String vs UTF8String without having to do the conversion first. |
Would you accept a PR to keep the same encoding for the CRL issuer name as in the original certificate? If so, I'd be willing to work on that this week. |
Here's some funny related stuff. Just today, I created a root CA with openssl (with the default setting of
and for the Vault-generated intermediate -- generated with
This resulted in this madness:
🤯 Groningen != Groningen So, the cause turned out to be that I can't tell if defaulting to UTF8 is better than moving to UTF8 only when strings don't fit in a regular printablestring, but I can tell you that this was confusing. Carry on with your original ticket 🚶 |
JFTR, this is a limitation of Go's CRL building: it round-trips via |
Note that as the corresponding Go issue has now been completed, this will be picked up when Go 1.20 is released. Therefore since there's nothing else to do on the Vault side (other than wait for a pending Go version bump when it is released), I'm closing this issue as completed! |
Describe the bug
I have an intermediate CA setup in a vault PKI secrets engine. The commonName of this CA certificate is encoded as UTF8String (as required by the ISIS-MTT standard, see https://mskb.pkisolutions.com/kb/890772), but the CRL exposed by vault on
/v1/<mount path>/crl
has the issuer commonName encoded as PrintableString. This causes the client certificates signed by this CA (that refer to this CRL) to be rejected by Windows because there is no binary match on the issuer commonName of the CRL and the issuer commonName of the client certificate (which does have its issuer commonName properly encoded as UTF8String).I think I have tracked this down to the following bug in the Go ASN.1 implementation: golang/go#3791
They have a "fix" that upgrades the encoding to UTF8String but only if the string contains non-ASCII characters (https://codereview.appspot.com/6348074). For my usecase the encoding should always match the encoding of the commonName of the CA certificate, regardless of content.
Since the specific encoding to be used should be decided by vault I opened an issue for vault instead of for the ASN.1 implementation in Go.
To Reproduce
openssl x509 -in certificate.pem -outform der | openssl asn1parse -inform der -i
)curl http://<vault host>:<vault port>/v1/<mount path>/crl | openssl asn1parse -inform der -i
shows PrintableString for issuer name instead of UTF8StringExpected behavior
When the commonName of the CA cert is UTF8String, the issuer commonName in the CRL should also be encoded as UTF8String.
When the commonName of the CA cert is PrintableString, the issuer commonName in the CRL should also be encoded as PrintableString.
Environment:
vault status
): 1.1.3vault version
): 1.1.3The text was updated successfully, but these errors were encountered: