From d7cab7386f22b5d5af7811ff6f6917b57c5f5b09 Mon Sep 17 00:00:00 2001 From: Scott Miller Date: Mon, 26 Feb 2024 22:22:50 +0000 Subject: [PATCH] backport of commit 773911494e767482207674b5e7bdb9608693c8c0 --- builtin/credential/cert/path_login.go | 8 ++++++++ changelog/25649.txt | 5 +++++ 2 files changed, 13 insertions(+) create mode 100644 changelog/25649.txt diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go index 6b1f279dfd7b..18783c0fdf98 100644 --- a/builtin/credential/cert/path_login.go +++ b/builtin/credential/cert/path_login.go @@ -280,6 +280,14 @@ func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, d // Check for client cert being explicitly listed in the config (and matching other constraints) if tCert.SerialNumber.Cmp(clientCert.SerialNumber) == 0 && bytes.Equal(tCert.AuthorityKeyId, clientCert.AuthorityKeyId) { + pkMatch, err := certutil.ComparePublicKeysAndType(tCert.PublicKey, clientCert.PublicKey) + if err != nil { + return nil, nil, err + } + if !pkMatch { + // Someone may be trying to pass off a forged certificate as the trusted non-CA cert. Reject early. + return nil, logical.ErrorResponse("public key mismatch of a trusted leaf certificate"), nil + } matches, err := b.matchesConstraints(ctx, clientCert, trustedNonCA.Certificates, trustedNonCA, verifyConf) // matchesConstraints returns an error when OCSP verification fails, diff --git a/changelog/25649.txt b/changelog/25649.txt new file mode 100644 index 000000000000..2ce669886201 --- /dev/null +++ b/changelog/25649.txt @@ -0,0 +1,5 @@ +```release-note:security +auth/cert: compare public keys of trusted non-CA certificates with incoming +client certificates to prevent trusting certs with the same serial number +but not the same public/private key. +``` \ No newline at end of file