Change Subject Common Name verification

Subject Common Names can now also be configured to be allowed or
denied, similar to SANs. When a Subject Common Name is not explicitly
allowed or denied, its type will be determined and its value will be
validated according to the constraints for that type of name (i.e. URI).

Author: hslatman

api/read/read_test.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -146,7 +145,7 @@ func Test_badProtoJSONError_Render(t *testing.T) {
 			res := w.Result()
 			defer res.Body.Close()
 
-			data, err := ioutil.ReadAll(res.Body)
+			data, err := io.ReadAll(res.Body)
 			assert.NoError(t, err)
 
 			v := struct {

authority/admin/api/policy_test.go

@@ -312,7 +312,6 @@ func TestPolicyAdminResponder_CreateAuthorityPolicy(t *testing.T) {
 					Allow: &linkedca.X509Names{
 						Dns: []string{"*.local"},
 					},
-					DisableSubjectCommonNameVerification: false,
 				},
 			}
 			body, err := protojson.Marshal(policy)
@@ -1030,7 +1029,6 @@ func TestPolicyAdminResponder_CreateProvisionerPolicy(t *testing.T) {
 					Allow: &linkedca.X509Names{
 						Dns: []string{"*.local"},
 					},
-					DisableSubjectCommonNameVerification: false,
 				},
 			}
 			body, err := protojson.Marshal(policy)

authority/policy.go

@@ -288,6 +288,9 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 			if allow.Uris != nil {
 				opts.X509.AllowedNames.URIDomains = allow.Uris
 			}
+			if allow.CommonNames != nil {
+				opts.X509.AllowedNames.CommonNames = allow.CommonNames
+			}
 		}
 		if deny := x509.GetDeny(); deny != nil {
 			opts.X509.DeniedNames = &authPolicy.X509NameOptions{}
@@ -303,10 +306,12 @@ func policyToCertificates(p *linkedca.Policy) *authPolicy.Options {
 			if deny.Uris != nil {
 				opts.X509.DeniedNames.URIDomains = deny.Uris
 			}
+			if deny.CommonNames != nil {
+				opts.X509.DeniedNames.CommonNames = deny.CommonNames
+			}
 		}
 
 		opts.X509.AllowWildcardLiteral = x509.AllowWildcardLiteral
-		opts.X509.DisableCommonNameVerification = x509.DisableSubjectCommonNameVerification
 	}
 
 	// fill ssh policy configuration

authority/policy/options.go

@@ -31,7 +31,6 @@ type X509PolicyOptionsInterface interface {
 	GetAllowedNameOptions() *X509NameOptions
 	GetDeniedNameOptions() *X509NameOptions
 	IsWildcardLiteralAllowed() bool
-	ShouldVerifyCommonName() bool
 }
 
 // X509PolicyOptions is a container for x509 allowed and denied
@@ -47,15 +46,11 @@ type X509PolicyOptions struct {
 	// such as *.example.com and @example.com are allowed. Defaults
 	// to false.
 	AllowWildcardLiteral bool `json:"allowWildcardLiteral,omitempty"`
-
-	// DisableCommonNameVerification indicates if the Subject Common Name
-	// is verified in addition to the SANs. Defaults to false, resulting in
-	// Common Names being verified.
-	DisableCommonNameVerification bool `json:"disableCommonNameVerification,omitempty"`
 }
 
 // X509NameOptions models the X509 name policy configuration.
 type X509NameOptions struct {
+	CommonNames    []string `json:"cn,omitempty"`
 	DNSDomains     []string `json:"dns,omitempty"`
 	IPRanges       []string `json:"ip,omitempty"`
 	EmailAddresses []string `json:"email,omitempty"`
@@ -65,7 +60,8 @@ type X509NameOptions struct {
 // HasNames checks if the AllowedNameOptions has one or more
 // names configured.
 func (o *X509NameOptions) HasNames() bool {
-	return len(o.DNSDomains) > 0 ||
+	return len(o.CommonNames) > 0 ||
+		len(o.DNSDomains) > 0 ||
 		len(o.IPRanges) > 0 ||
 		len(o.EmailAddresses) > 0 ||
 		len(o.URIDomains) > 0
@@ -96,15 +92,6 @@ func (o *X509PolicyOptions) IsWildcardLiteralAllowed() bool {
 	return o.AllowWildcardLiteral
 }
 
-// ShouldVerifyCommonName returns whether the authority
-// should verify the Subject Common Name in addition to the SANs.
-func (o *X509PolicyOptions) ShouldVerifyCommonName() bool {
-	if o == nil {
-		return false
-	}
-	return !o.DisableCommonNameVerification
-}
-
 // SSHPolicyOptionsInterface is an interface for providers of
 // SSH user and host name policy configuration.
 type SSHPolicyOptionsInterface interface {

authority/policy/options_test.go

@@ -43,43 +43,3 @@ func TestX509PolicyOptions_IsWildcardLiteralAllowed(t *testing.T) {
 		})
 	}
 }
-
-func TestX509PolicyOptions_ShouldVerifySubjectCommonName(t *testing.T) {
-	tests := []struct {
-		name    string
-		options *X509PolicyOptions
-		want    bool
-	}{
-		{
-			name:    "nil-options",
-			options: nil,
-			want:    false,
-		},
-		{
-			name:    "not-set",
-			options: &X509PolicyOptions{},
-			want:    true,
-		},
-		{
-			name: "set-true",
-			options: &X509PolicyOptions{
-				DisableCommonNameVerification: true,
-			},
-			want: false,
-		},
-		{
-			name: "set-false",
-			options: &X509PolicyOptions{
-				DisableCommonNameVerification: false,
-			},
-			want: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := tt.options.ShouldVerifyCommonName(); got != tt.want {
-				t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

authority/policy/policy.go

@@ -28,6 +28,7 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,
 	allowed := policyOptions.GetAllowedNameOptions()
 	if allowed != nil && allowed.HasNames() {
 		options = append(options,
+			policy.WithPermittedCommonNames(allowed.CommonNames...),
 			policy.WithPermittedDNSDomains(allowed.DNSDomains...),
 			policy.WithPermittedIPsOrCIDRs(allowed.IPRanges...),
 			policy.WithPermittedEmailAddresses(allowed.EmailAddresses...),
@@ -38,6 +39,7 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,
 	denied := policyOptions.GetDeniedNameOptions()
 	if denied != nil && denied.HasNames() {
 		options = append(options,
+			policy.WithExcludedCommonNames(denied.CommonNames...),
 			policy.WithExcludedDNSDomains(denied.DNSDomains...),
 			policy.WithExcludedIPsOrCIDRs(denied.IPRanges...),
 			policy.WithExcludedEmailAddresses(denied.EmailAddresses...),
@@ -50,10 +52,6 @@ func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy,
 		return nil, nil
 	}
 
-	if policyOptions.ShouldVerifyCommonName() {
-		options = append(options, policy.WithSubjectCommonNameVerification())
-	}
-
 	if policyOptions.IsWildcardLiteralAllowed() {
 		options = append(options, policy.WithAllowLiteralWildcardNames())
 	}

authority/policy_test.go

@@ -218,17 +218,15 @@ func Test_policyToCertificates(t *testing.T) {
 					Allow: &linkedca.X509Names{
 						Dns: []string{"*.local"},
 					},
-					AllowWildcardLiteral:                 false,
-					DisableSubjectCommonNameVerification: false,
+					AllowWildcardLiteral: false,
 				},
 			},
 			want: &policy.Options{
 				X509: &policy.X509PolicyOptions{
 					AllowedNames: &policy.X509NameOptions{
 						DNSDomains: []string{"*.local"},
 					},
-					AllowWildcardLiteral:          false,
-					DisableCommonNameVerification: false,
+					AllowWildcardLiteral: false,
 				},
 			},
 		},
@@ -237,19 +235,20 @@ func Test_policyToCertificates(t *testing.T) {
 			policy: &linkedca.Policy{
 				X509: &linkedca.X509Policy{
 					Allow: &linkedca.X509Names{
-						Dns:    []string{"step"},
-						Ips:    []string{"127.0.0.1/24"},
-						Emails: []string{"*.example.com"},
-						Uris:   []string{"https://*.local"},
+						Dns:         []string{"step"},
+						Ips:         []string{"127.0.0.1/24"},
+						Emails:      []string{"*.example.com"},
+						Uris:        []string{"https://*.local"},
+						CommonNames: []string{"some name"},
 					},
 					Deny: &linkedca.X509Names{
-						Dns:    []string{"bad"},
-						Ips:    []string{"127.0.0.30"},
-						Emails: []string{"badhost.example.com"},
-						Uris:   []string{"https://badhost.local"},
+						Dns:         []string{"bad"},
+						Ips:         []string{"127.0.0.30"},
+						Emails:      []string{"badhost.example.com"},
+						Uris:        []string{"https://badhost.local"},
+						CommonNames: []string{"another name"},
 					},
-					AllowWildcardLiteral:                 true,
-					DisableSubjectCommonNameVerification: false,
+					AllowWildcardLiteral: true,
 				},
 				Ssh: &linkedca.SSHPolicy{
 					Host: &linkedca.SSHHostPolicy{
@@ -283,15 +282,16 @@ func Test_policyToCertificates(t *testing.T) {
 						IPRanges:       []string{"127.0.0.1/24"},
 						EmailAddresses: []string{"*.example.com"},
 						URIDomains:     []string{"https://*.local"},
+						CommonNames:    []string{"some name"},
 					},
 					DeniedNames: &policy.X509NameOptions{
 						DNSDomains:     []string{"bad"},
 						IPRanges:       []string{"127.0.0.30"},
 						EmailAddresses: []string{"badhost.example.com"},
 						URIDomains:     []string{"https://badhost.local"},
+						CommonNames:    []string{"another name"},
 					},
-					AllowWildcardLiteral:          true,
-					DisableCommonNameVerification: false,
+					AllowWildcardLiteral: true,
 				},
 				SSH: &policy.SSHPolicyOptions{
 					Host: &policy.SSHHostCertificateOptions{
@@ -369,8 +369,7 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
 			DeniedNames: &policy.X509NameOptions{
 				DNSDomains: []string{"badhost.local"},
 			},
-			AllowWildcardLiteral:          true,
-			DisableCommonNameVerification: false,
+			AllowWildcardLiteral: true,
 		},
 	}
 
@@ -429,8 +428,7 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
 			DeniedNames: &policy.X509NameOptions{
 				DNSDomains: []string{"badhost.local"},
 			},
-			AllowWildcardLiteral:          true,
-			DisableCommonNameVerification: false,
+			AllowWildcardLiteral: true,
 		},
 		SSH: &policy.SSHPolicyOptions{
 			Host: &policy.SSHHostCertificateOptions{
@@ -488,8 +486,7 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
 			DeniedNames: &policy.X509NameOptions{
 				DNSDomains: []string{"badhost.local"},
 			},
-			AllowWildcardLiteral:          true,
-			DisableCommonNameVerification: false,
+			AllowWildcardLiteral: true,
 		},
 		SSH: &policy.SSHPolicyOptions{
 			Host: &policy.SSHHostCertificateOptions{
@@ -700,8 +697,7 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
 							DeniedNames: &policy.X509NameOptions{
 								DNSDomains: []string{"badhost.local"},
 							},
-							AllowWildcardLiteral:          true,
-							DisableCommonNameVerification: false,
+							AllowWildcardLiteral: true,
 						},
 					},
 				},
@@ -800,8 +796,7 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
 							DeniedNames: &policy.X509NameOptions{
 								DNSDomains: []string{"badhost.local"},
 							},
-							AllowWildcardLiteral:          true,
-							DisableCommonNameVerification: false,
+							AllowWildcardLiteral: true,
 						},
 						SSH: &policy.SSHPolicyOptions{
 							Host: &policy.SSHHostCertificateOptions{
@@ -916,8 +911,7 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
 							Deny: &linkedca.X509Names{
 								Dns: []string{"badhost.local"},
 							},
-							AllowWildcardLiteral:                 true,
-							DisableSubjectCommonNameVerification: false,
+							AllowWildcardLiteral: true,
 						},
 						Ssh: &linkedca.SSHPolicy{
 							Host: &linkedca.SSHHostPolicy{
@@ -982,8 +976,7 @@ func TestAuthority_reloadPolicyEngines(t *testing.T) {
 							Deny: &linkedca.X509Names{
 								Dns: []string{"badhost.local"},
 							},
-							AllowWildcardLiteral:                 true,
-							DisableSubjectCommonNameVerification: false,
+							AllowWildcardLiteral: true,
 						},
 					}, nil
 				},

authority/provisioner/options.go

@@ -70,11 +70,6 @@ type X509Options struct {
 	// such as *.example.com and @example.com are allowed. Defaults
 	// to false.
 	AllowWildcardLiteral bool `json:"-"`
-
-	// DisableCommonNameVerification indicates if the Subject Common Name
-	// is verified in addition to the SANs. Defaults to false, resulting
-	// in Common Names to be verified.
-	DisableCommonNameVerification bool `json:"-"`
 }
 
 // HasTemplate returns true if a template is defined in the provisioner options.
@@ -107,13 +102,6 @@ func (o *X509Options) IsWildcardLiteralAllowed() bool {
 	return o.AllowWildcardLiteral
 }
 
-func (o *X509Options) ShouldVerifyCommonName() bool {
-	if o == nil {
-		return false
-	}
-	return !o.DisableCommonNameVerification
-}
-
 // TemplateOptions generates a CertificateOptions with the template and data
 // defined in the ProvisionerOptions, the provisioner generated data, and the
 // user data provided in the request. If no template has been provided,

authority/provisioner/options_test.go

@@ -322,38 +322,3 @@ func TestX509Options_IsWildcardLiteralAllowed(t *testing.T) {
 		})
 	}
 }
-
-func TestX509Options_ShouldVerifySubjectCommonName(t *testing.T) {
-	tests := []struct {
-		name    string
-		options *X509Options
-		want    bool
-	}{
-		{
-			name:    "nil-options",
-			options: nil,
-			want:    false,
-		},
-		{
-			name: "set-true",
-			options: &X509Options{
-				DisableCommonNameVerification: true,
-			},
-			want: false,
-		},
-		{
-			name: "set-false",
-			options: &X509Options{
-				DisableCommonNameVerification: false,
-			},
-			want: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := tt.options.ShouldVerifyCommonName(); got != tt.want {
-				t.Errorf("X509PolicyOptions.ShouldVerifySubjectCommonName() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

authority/tls_test.go

@@ -701,9 +701,9 @@ ZYtQ9Ot36qc=
 			options := &policy.Options{
 				X509: &policy.X509PolicyOptions{
 					AllowedNames: &policy.X509NameOptions{
-						DNSDomains: []string{"*.smallstep.com"},
+						CommonNames: []string{"smallstep test"},
+						DNSDomains:  []string{"*.smallstep.com"},
 					},
-					DisableCommonNameVerification: true, // TODO(hs): allows "smallstep test"; do we want to keep it like this?
 				},
 			}
 			engine, err := policy.New(options)