Issue #15121 has been reported by Max Martin. ---------------------------------------- Bug #15121: SSL REST API creates .pem files based on URI and not CN https://projects.puppetlabs.com/issues/15121
Author: Max Martin Status: Unreviewed Priority: Normal Assignee: Category: Target version: 2.7.x Affected Puppet version: Keywords: Branch: I'm using the REST API for developing a new prototype, and was playing around with it via CURL to see how I should use it. I attempted to submit a CSR, and according to the instructions in [our documentation](http://docs.puppetlabs.com/guides/rest_api.html), to submit a CSR you don't need to specify a key within the certificate_request endpoint. Of course, it bails out if you don't submit any key at ALL, so I sent the following request: <pre> curl -k -X PUT -H "Content-Type: text/plain" --data-binary @request.csr https://127.0.0.:8140/production/certificate_request/no_key </pre> which caused the following on my master: <pre> notice: no_key has a waiting certificate request notice: Signed certificate request for no_key notice: Removing file Puppet::SSL::CertificateRequest no_key at '/Users/max/work/puppet/test_data/cam/ssl/ca/requests/no_key.pem' </pre> This seemed odd to me, since the CN I had specified when generating the CSR was "fake_host": <pre> openssl req -new -key a_private_key_file.key -subj "/CN=fake_host" -out request.csr </pre> Executing `puppet cert print no_key` confirmed that it had recorded the cert as no_key, but the CN within the cert was fake_host: <pre> Certificate: ... Subject: CN=fake_host </pre> To me, this just seems wrong in that the API is not verifying that the key it receives is the same as the certname in the CSR, and returning failure on mismatch. Nick F has raised some possible ways this could be used for attack, which hopefully he can elaborate in the comments. This was all done in 2.7.14, haven't tested other versions yet. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
