openssl_x509_certificate
handles CN in a way that violates the x509 spec
#14079
Labels
Status: Untriaged
An issue that has yet to be triaged.
Description
RFC5280 subsection 4.1.2.6 sez:
TL;DR, as I understand it, you must have one of common_name or a subject_alt_name entry. If you have a common_name entry, it must match the subject_alt_name entry. But common_name is not required.
Currently, the resource implicitly requires common_name to be specified: https://github.com/chef/chef/blob/main/lib/chef/resource/openssl_x509_certificate.rb#L221. Implicit because common_name isn't marked as required: https://github.com/chef/chef/blob/main/lib/chef/resource/openssl_x509_certificate.rb#L101.
I believe the correct solution is to leave the common_name and subject_alt_name property definitions as-is, add an unless check on the nilness of common_name, and require that one of subject_alt_name or common_name be set.
Chef Version
I'm using CINC version 15.7.32, but the bug applies to the main branch.
Platform Version
I'm running on Ubuntu 20.04, but the bug applies to all platforms.
Replication Case
Attempt to create a certificate that does not specify common_name.
Client Output
Stacktrace
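To show the validation the report proposes, here is an added example (not Chef's code and not the resource's implementation): a hypothetical build_certificate helper that accepts a nil common_name as long as at least one subject_alt_name is given, and marks the SAN extension critical when the subject is empty as RFC 5280 4.1.2.6 requires. The function name, the hostname example.test and the SAN formatting are assumptions.

```ruby
require 'openssl'

# Hypothetical stand-in for the resource's certificate generation (not Chef's code).
# Raises unless at least one of common_name or subject_alt_name is present.
def build_certificate(common_name:, subject_alt_name: [], key: nil)
  if common_name.nil? && subject_alt_name.empty?
    raise ArgumentError, 'one of common_name or subject_alt_name must be set'
  end

  key ||= OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = 1
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 365 * 24 * 3600
  cert.public_key = key.public_key

  # The subject stays empty when common_name is nil instead of failing.
  subject = OpenSSL::X509::Name.new
  subject.add_entry('CN', common_name) unless common_name.nil?
  cert.subject = subject
  cert.issuer = subject # self-signed for the example

  unless subject_alt_name.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    # RFC 5280 4.1.2.6: with an empty subject, subjectAltName MUST be critical.
    critical = common_name.nil?
    san = ef.create_extension('subjectAltName', subject_alt_name.join(','), critical)
    cert.add_extension(san)
  end

  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns the subjectAltName extension of a certificate, or nil if absent.
def san_extension(cert)
  cert.extensions.find { |e| e.oid == 'subjectAltName' }
end
```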