Vault: PKI Secrets Engine: underscores not permitted in common_name value

Created on 31 Jan 2018 · 4 Comments · Source: hashicorp/vault

It appears that the underscore character is being incorrectly filtered/disallowed in the common_name value.

Environment:

  • Vault Version: Vault v0.9.3 ('5acd6a21d5a69ab49d0f7c0bf540123a9b2c696d')
  • Operating System/Architecture: Linux

Vault Config File:
N/A

Startup Log Output:
N/A

Expected Behavior:

$ vault write vaultron_root_pki/issue/vaultron-dot-waves \
common_name=intra_twingly.tactotruck.vaultron.waves
Key                 Value
---                 -----
certificate         -----BEGIN CERTIFICATE-----[...]-----END CERTIFICATE-----
issuing_ca          -----BEGIN CERTIFICATE-----
MIIDPjCCAiagAwIBAgIUSQwfKxT/hla4hd7yYLrHfTZTroswDQYJKoZIhvcNAQEL
BQAwGTEXMBUGA1UEAxMOdmF1bHRyb24ud2F2ZXMwHhcNMTgwMTMxMTUyMjEzWhcN
MjgwMTI5MTUyMjQzWjAZMRcwFQYDVQQDEw52YXVsdHJvbi53YXZlczCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANLANgI2KodaMYZQGlWuzl1CYPRifdtp
1VbDCPGaSzaDxlUrKQpPeoJ2S9xdm97vmB8Za1t2rAh1IeZihsgpeuZ6fG1IAXEh
iEk2SPqE7kJePSiRX0hQMM11+IZ+vkNgVMakjgEakz9gS5KazgMgi7waGyBNudrz
/3bfZITyMfvqh+Lf9zc4Pd15FcgxkQSdweRLuOJWA1Gd+7Q31awXDDjdLZF5M/AS
EciXwZBuxTc+Jgq5CJfmQ8O+Iv3leQv/zrPWP4di5T6qEs3tKaywA5+qjM+UXMqV
gepejfceUXpuVB/YPy3lf547ZzTA31gKOyoS2EuxLk34EN5DdzWA+xMCAwEAAaN+
MHwwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDRq
gsEA154if+TIO6vkPa1/PbdOMB8GA1UdIwQYMBaAFDRqgsEA154if+TIO6vkPa1/
PbdOMBkGA1UdEQQSMBCCDnZhdWx0cm9uLndhdmVzMA0GCSqGSIb3DQEBCwUAA4IB
AQBTBI0Cq9lZWCwed0Td7N/vrL37d0G2ubfj8nJ6kOMeX9jseP8BYE8n35I/nJa5
RSE3KUsIOj+Zo8z0q70OlAPAyNfTPPiBNpme9VSTPSO7aPc47Y6MunG24/16bp6M
YPWcbylaS96rJ6lz+fbuaZ2PSlAqkY+yZCG3Hzv9h/lxyKLeCXSmmUoqx67qJ5a5
WtWSluNtF302p9rjImNy6/PNEhN0U+PHJyEiV5CBosdFNWC3sNRY6I1Z8fcYp364
jbEdgm6Sg11YvMxSQEMqJzdqHCGfw9zDfXmQuq3qaGiIilz5YN0rLpsrtObVtKyu
CmCHicOXi4HV9vrKUfltIKvn
-----END CERTIFICATE-----
private_key         -----BEGIN RSA PRIVATE KEY-----[...]-----END RSA PRIVATE KEY-----
private_key_type    rsa
serial_number       4f:96:fa:18:7d:1a:d2:42:aa:96:18:7f:f8:5f:c9:79:85:1b:61:81

Actual Behavior:

$ vault write vaultron_root_pki/issue/vaultron-dot-waves \
common_name=intra_twingly.tactotruck.vaultron.waves
Error writing data to vaultron_root_pki/issue/vaultron-dot-waves: Error making API request.

URL: PUT http://localhost:8200/v1/vaultron_root_pki/issue/vaultron-dot-waves
Code: 400. Errors:

* common name intra_twingly.tactotruck.vaultron.waves not allowed by this role

Steps to Reproduce:

  1. Enable the PKI Secrets Engine.
  2. Configure a role:

     vault write vaultron_root_pki/roles/vaultron-dot-waves \
     allowed_domains=vaultron.waves \
     allow_subdomains=true \
     max_ttl=14400h

  3. Attempt to request a certificate from the role with an underscore character as part of the common_name value:

     $ vault write vaultron_root_pki/issue/vaultron-dot-waves \
     common_name=intra_twingly.tactotruck.vaultron.waves
     Error writing data to vaultron_root_pki/issue/vaultron-dot-waves: Error making API request.

     URL: PUT http://localhost:8200/v1/vaultron_root_pki/issue/vaultron-dot-waves
     Code: 400. Errors:

     * common name intra_twingly.tactotruck.vaultron.waves not allowed by this role

Important Factoids:

If you switch in a hyphen instead of an underscore the certificate can be requested as expected.

References:

N/A

All 4 comments

Looks like underscores are not valid in _hostnames_ as in this example per RFC 1123

Reopening as a reminder to examine some of the code around CN. It doesn't have to be a DNS name, so allow_any_name should maybe allow it.

At present, setting allow_any_name will not allow it either because enforce_hostnames (which defaults to true) takes precedence and fails the common name having an underscore.

Ah hah! I knew we'd been down this road before...

@brianshumate can you relay?
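The two comments above make a point that is easy to miss when reading the role error: the check that fails is not allowed_domains but enforce_hostnames, and it runs before allow_any_name is even consulted. The following Go program is an added example (not from the issue and not Vault's source) that re-implements the RFC 1123 label rule the first comment cites and models that precedence. IsRFC1123Hostname, RoleConfig and AllowedByRole are this example's own names; the RoleConfig type is a deliberately simplified model of the three role settings the thread mentions and omits the rest of Vault's role options.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// hostnameLabel is one RFC 1123 label: letters, digits and hyphens, 1 to 63
// characters, not starting or ending with a hyphen. Underscore is not in the
// set, which is why intra_twingly.tactotruck.vaultron.waves fails below.
var hostnameLabel = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// IsRFC1123Hostname reports whether name is a syntactically valid hostname:
// non-empty, at most 253 characters, every dot-separated label valid. A lone
// "*" is accepted as the leftmost label so wildcard CNs can be checked too.
// This is an independent re-implementation of the RFC 1123 rule the thread
// cites, not Vault's own enforce_hostnames code.
func IsRFC1123Hostname(name string) bool {
	if name == "" || len(name) > 253 {
		return false
	}
	labels := strings.Split(name, ".")
	for i, label := range labels {
		if i == 0 && label == "*" && len(labels) > 1 {
			continue
		}
		if !hostnameLabel.MatchString(label) {
			return false
		}
	}
	return true
}

// RoleConfig holds the three role settings the thread discusses. It is an
// assumed, simplified model for this example; Vault roles have many more
// options (bare domains, globs, SANs, ...) that are deliberately omitted.
type RoleConfig struct {
	AllowedDomains   []string
	AllowSubdomains  bool
	AllowAnyName     bool
	EnforceHostnames bool // Vault's default is true
}

// AllowedByRole models the precedence described in the comments: the hostname
// syntax check runs first, so allow_any_name cannot rescue a CN that contains
// an underscore. Only after that do allow_any_name and allowed_domains apply.
func AllowedByRole(cn string, role RoleConfig) (bool, string) {
	if role.EnforceHostnames && !IsRFC1123Hostname(cn) {
		return false, "common name " + cn + " is not a valid hostname (enforce_hostnames=true)"
	}
	if role.AllowAnyName {
		return true, "permitted by allow_any_name"
	}
	for _, domain := range role.AllowedDomains {
		if role.AllowSubdomains && strings.HasSuffix(strings.ToLower(cn), "."+strings.ToLower(domain)) {
			return true, "subdomain of allowed domain " + domain
		}
	}
	return false, "common name " + cn + " not allowed by this role"
}

func main() {
	// The role from the issue, with Vault's default enforce_hostnames=true.
	reported := RoleConfig{AllowedDomains: []string{"vaultron.waves"}, AllowSubdomains: true, EnforceHostnames: true}
	anyName := RoleConfig{AllowAnyName: true, EnforceHostnames: true}
	relaxed := RoleConfig{AllowedDomains: []string{"vaultron.waves"}, AllowSubdomains: true, EnforceHostnames: false}

	cases := []struct {
		name string
		cn   string
		role RoleConfig
	}{
		{"issue role, underscore", "intra_twingly.tactotruck.vaultron.waves", reported},
		{"issue role, hyphen", "intra-twingly.tactotruck.vaultron.waves", reported},
		{"allow_any_name, underscore", "intra_twingly.tactotruck.vaultron.waves", anyName},
		{"enforce_hostnames=false, underscore", "intra_twingly.tactotruck.vaultron.waves", relaxed},
		{"enforce_hostnames=false, foreign domain", "intra_twingly.example.com", relaxed},
	}
	for _, c := range cases {
		ok, why := AllowedByRole(c.cn, c.role)
		fmt.Printf("%-40s allowed=%-5t %s\n", c.name, ok, why)
	}
}
```

On a real role the corresponding knob is the `enforce_hostnames` role parameter (`vault write vaultron_root_pki/roles/vaultron-dot-waves ... enforce_hostnames=false`). Note the trade-off the last case illustrates: disabling it turns off hostname syntax checking for every certificate the role signs, not just the one CN, so the role is then constrained only by allowed_domains and its other name options.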
