
Fix: mark SAN as critical when subject is empty #311

Merged
merged 2 commits into from
Jan 19, 2025


howardjohn
Contributor

Fixes #310

howardjohn added a commit to howardjohn/ztunnel that referenced this pull request Jan 17, 2025
@djc
Member

djc commented Jan 18, 2025

Seems reasonable to me!

Member

@cpu cpu left a comment

Thanks for fixing this. I agree it's the right approach (and matches Go x509's behaviour - always reassuring).

Would you mind adding a small test w/ x509-parser to prevent regression? Something like generating two certs, both with SANs, but only one with a subject, and then asserting the criticality of the SAN ext matches expectation would be great.

@cpu
Member

cpu commented Jan 19, 2025

> Would you mind adding a small test w/ x509-parser to prevent regression?

I'll push a test commit for this in a moment. There's no use waiting on a test if it's quick to write.

@cpu cpu enabled auto-merge January 19, 2025 16:35
@cpu cpu added this pull request to the merge queue Jan 19, 2025
Merged via the queue into rustls:main with commit 611340f Jan 19, 2025
15 checks passed
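
The regression check requested in the review above, as an added example that is not the PR's test and uses neither rcgen nor x509-parser: std-only Rust that encodes a SAN extension, marking it critical when the subject is empty (RFC 5280 section 4.2.1.6), then reads the flag back. The function names and the sample DNS name are assumptions, and only short-form DER lengths are handled.

```rust
// Added example: std-only DER handling for the SAN extension (OID 2.5.29.17).
const SAN_OID: [u8; 5] = [0x06, 0x03, 0x55, 0x1D, 0x11];

/// Wrap `body` in a DER TLV; short-form lengths only (body < 128 bytes).
fn tlv(tag: u8, body: &[u8]) -> Vec<u8> {
    assert!(body.len() < 128, "example handles short-form lengths only");
    let mut out = vec![tag, body.len() as u8];
    out.extend_from_slice(body);
    out
}

/// Encode a SAN Extension holding dNSName entries (hypothetical helper).
/// Per RFC 5280 4.2.1.6 the extension is critical when the subject is empty.
fn encode_san(dns_names: &[&str], subject_is_empty: bool) -> Vec<u8> {
    // dNSName is GeneralName choice [2], implicitly tagged IA5String (0x82).
    let names: Vec<u8> = dns_names.iter().flat_map(|n| tlv(0x82, n.as_bytes())).collect();
    let mut body = SAN_OID.to_vec();
    if subject_is_empty {
        // critical BOOLEAN TRUE; the DEFAULT FALSE value is omitted in DER.
        body.extend(tlv(0x01, &[0xFF]));
    }
    // extnValue: OCTET STRING wrapping the GeneralNames SEQUENCE.
    body.extend(tlv(0x04, &tlv(0x30, &names)));
    tlv(0x30, &body)
}

/// Read the critical flag from a DER Extension (hypothetical helper).
/// Returns None if the input is not a well-formed short-form SAN extension.
fn san_is_critical(ext: &[u8]) -> Option<bool> {
    let (tag, rest) = ext.split_first()?;
    let (len, body) = rest.split_first()?;
    if *tag != 0x30 || *len >= 128 || *len as usize != body.len() {
        return None;
    }
    match body.strip_prefix(&SAN_OID[..])? {
        [0x01, 0x01, 0xFF, 0x04, ..] => Some(true), // explicit critical = TRUE
        [0x04, ..] => Some(false),                  // flag absent: DEFAULT FALSE
        _ => None,
    }
}

fn main() {
    // Constructed sample inputs: the same SAN, with and without a subject.
    let with_subject = encode_san(&["example.com"], false);
    let empty_subject = encode_san(&["example.com"], true);
    println!("with subject: {:?}", san_is_critical(&with_subject));
    println!("empty subject: {:?}", san_is_critical(&empty_subject));
}
```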
Successfully merging this pull request may close these issues.

Subject alternative name extension must be marked critical if the "subject" field is empty