Skip to content

Commit

Permalink
backport of commit 7739114
Browse files Browse the repository at this point in the history
  • Loading branch information
sgmiller authored Feb 26, 2024
1 parent 060b975 commit d7cab73
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 0 deletions.
8 changes: 8 additions & 0 deletions builtin/credential/cert/path_login.go
Original file line number Diff line number Diff line change
Expand Up @@ -280,6 +280,14 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, d
// Check for client cert being explicitly listed in the config (and matching other constraints)
if tCert.SerialNumber.Cmp(clientCert.SerialNumber) == 0 &&
bytes.Equal(tCert.AuthorityKeyId, clientCert.AuthorityKeyId) {
pkMatch, err := certutil.ComparePublicKeysAndType(tCert.PublicKey, clientCert.PublicKey)
if err != nil {
return nil, nil, err
}
if !pkMatch {
// Someone may be trying to pass off a forged certificate as the trusted non-CA cert. Reject early.
return nil, logical.ErrorResponse("public key mismatch of a trusted leaf certificate"), nil
}
matches, err := b.matchesConstraints(ctx, clientCert, trustedNonCA.Certificates, trustedNonCA, verifyConf)

// matchesConstraints returns an error when OCSP verification fails,
Expand Down
5 changes: 5 additions & 0 deletions changelog/25649.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
```release-note:security
auth/cert: compare public keys of trusted non-CA certificates with incoming
client certificates to prevent trusting certs with the same serial number
but not the same public/private key.
```

0 comments on commit d7cab73

Please sign in to comment.