Add explicit cn_validations field to PKI Roles #15996
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cipherboy
changed the title
cipherboy
force-pushed
the
cipherboy-add-explicit-cn-validation
branch
from
e4805ab
to
ef2e484
Compare
cipherboy
force-pushed
the
cipherboy-add-explicit-cn-validation
branch
from
ef2e484
to
6aeba62
Compare
|
@stevendpclark Clarified OR semantics hopefully. :) |
stevendpclark
approved these changes
Jun 16, 2022
This new parameter allows disabling all validations on a common name, enabled by default on sign-verbatim and issuer generation options. Presently, the default behavior is to allow either an email address (denoted with an @ in the name) or a hostname to pass validation. Operators can restrict roles to just a single option (e.g., for email certs, limit CNs to have strictly email addresses and not hostnames). By setting the value to `disabled`, CNs of other formats can be accepted without validating their contents against our minimal correctness checks for email/hostname/wildcard that we typically apply even when broad permissions (allow_any_name=true, enforce_hostnames=false, and allow_wildcard_certificates=true) are granted on the role. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy
force-pushed
the
cipherboy-add-explicit-cn-validation
branch
from
6aeba62
to
aa9b500
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This new parameter allows disabling all validations on a common name, enabled by default on
sign-verbatimand issuer generation options.Presently, the default behavior is to allow either an email address (denoted with an
@in the name) or a hostname to pass validation. Operators can restrict roles to just a single option (e.g., for email certs, limit CNs to have strictly email addresses and not hostnames).By setting the value to
disabled, CNs of other formats can be accepted without validating their contents against our minimal correctness checks for email/hostname/wildcard that we typically apply even when broad permissions (allow_any_name=true,enforce_hostnames=false, andallow_wildcard_certificates=true) are granted on the role.Resolves: #15596