Venafi / vcert-java

Java client SDK designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
Apache License 2.0

Cannot enroll a certificate from Venafi Cloud without a "complete" Subject DN #29

Closed tr1ck3r closed 3 years ago

tr1ck3r commented 3 years ago

PROBLEM SUMMARY

Cannot enroll a certificate from Venafi Cloud without a "complete" Subject DN

STEPS TO REPRODUCE

  1. In Venafi Cloud, create a Certificate Issuing Template using the Venafi Built-In CA and set Common Name, Organization, Organizational Unit, City/Locality, State/Province, Country and Subject Alternative Names all to '.*' (a.k.a. Validation is not required). Do not set any Recommended Settings.
  2. Create a DevOps Project and a Zone that maps to the Certificate Issuing Template.
  3. Request a certificate using the Zone and specifying only CN, DNS SANs, key type, and key size:

```java
import java.util.Arrays;
import com.venafi.vcert.sdk.Config;
import com.venafi.vcert.sdk.VCertClient;
import com.venafi.vcert.sdk.certificate.CertificateRequest;
import com.venafi.vcert.sdk.certificate.KeyType;
import com.venafi.vcert.sdk.connectors.ZoneConfiguration;
import com.venafi.vcert.sdk.endpoint.Authentication;
import com.venafi.vcert.sdk.endpoint.ConnectorType;

public class CloudClient {
    public static void main(String[] args) throws Exception {
        Config config = Config.builder()
            .connectorType(ConnectorType.CLOUD)
            .build();
        final VCertClient client = new VCertClient(config);
        // API key and zone ID are placeholders, as in the report
        final Authentication auth = Authentication.builder()
            .apiKey("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")
            .build();
        client.authenticate(auth);
        final ZoneConfiguration zoneConfiguration =
            client.readZoneConfiguration("zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz");
        // Subject carries only a CN: no O, OU, L, ST or C
        CertificateRequest certificateRequest = new CertificateRequest()
            .subject(new CertificateRequest.PKIXName()
                .commonName("common-name-only.venafi.example"))
            .dnsNames(Arrays.asList("dns-san1.venafi.example",
                "dns-san2.venafi.example", "dns-san3.venafi.example"))
            .keyType(KeyType.RSA)
            .keyLength(2048);
        // generateRequest is where the validation exception is thrown
        certificateRequest = client.generateRequest(zoneConfiguration, certificateRequest);
        client.requestCertificate(certificateRequest, zoneConfiguration);
    }
}
```


**EXPECTED RESULTS**
Certificate is successfully enrolled and its Subject DN has no O, OU, L, ST, or C since none was recommended by the Certificate Issuing Template and, by the '.*' regular expression, it specified that any value including none should be allowed.

**ACTUAL RESULTS**
The request fails with the following exception:

com.venafi.vcert.sdk.VCertException: The requested Organization does not match any of the allowed Organization regular expressions
        at com.venafi.vcert.sdk.connectors.ZoneConfiguration.validateCertificateRequest(ZoneConfiguration.java:143)
        at com.venafi.vcert.sdk.connectors.cloud.CloudConnector.generateRequest(CloudConnector.java:181)
        at com.venafi.vcert.sdk.VCertClient.generateRequest(VCertClient.java:140)
        at CloudClient.main(CloudClient.java:101)

tr1ck3r commented 3 years ago

Also, if I disable the O, OU, L, ST, and C on the Certificate Issuing Template (clear the regular expression), I get a null pointer exception when the expected behavior would have still been to successfully enroll and for the issued certificate to have no O, OU, L, ST, or C. That Issuing Template configuration is how you require those values to be empty.

java.lang.NullPointerException
        at com.venafi.vcert.sdk.connectors.ZoneConfiguration.isComponentValid(ZoneConfiguration.java:190)
        at com.venafi.vcert.sdk.connectors.ZoneConfiguration.validateCertificateRequest(ZoneConfiguration.java:142)
        at com.venafi.vcert.sdk.connectors.cloud.CloudConnector.generateRequest(CloudConnector.java:181)
        at com.venafi.vcert.sdk.VCertClient.generateRequest(VCertClient.java:140)
        at CloudClient.main(CloudClient.java:101)
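The two failure modes in this issue (a `.*` rule rejecting an absent Organization, and a cleared rule ending in a NullPointerException) both come down to how a per-component policy check treats a missing value and a missing pattern list. The block below is an added illustration, not vcert-java's own `isComponentValid`; the class `SubjectPolicyCheck`, its method names and the sample policies are hypothetical and constructed here. It encodes the semantics the reporter expects from the Issuing Template: a cleared (null or empty) pattern list means the component must be absent, and an absent value passes whenever some pattern admits the empty string, which is what `.*` does.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical zone-policy check (added example, not vcert-java code). */
public final class SubjectPolicyCheck {

    /** Subject components the report discusses, keyed as in the Issuing Template. */
    static final List<String> COMPONENTS = Arrays.asList("O", "OU", "L", "ST", "C");

    /**
     * Returns true when the requested values for one component satisfy its allowed patterns.
     * A null or empty pattern list means the template cleared the rule, i.e. the component
     * must be absent. An absent value is accepted when some pattern admits the empty string,
     * which is what ".*" (validation not required) means. Null inputs never reach a
     * dereference, so the cleared-rule case cannot throw a NullPointerException.
     */
    public static boolean isComponentValid(List<String> requested, List<String> allowedPatterns) {
        List<String> values = requested == null ? Collections.<String>emptyList() : requested;
        List<String> patterns = allowedPatterns == null ? Collections.<String>emptyList() : allowedPatterns;
        if (patterns.isEmpty()) {
            return values.isEmpty();
        }
        if (values.isEmpty()) {
            return patterns.stream().anyMatch(p -> Pattern.matches(p, ""));
        }
        return values.stream().allMatch(v -> patterns.stream().anyMatch(p -> Pattern.matches(p, v)));
    }

    /** Names every component whose requested values violate the policy; an empty list means the request is acceptable. */
    public static List<String> violations(Map<String, List<String>> requested, Map<String, List<String>> policy) {
        List<String> failed = new ArrayList<>();
        for (String c : COMPONENTS) {
            if (!isComponentValid(requested.get(c), policy.get(c))) {
                failed.add(c);
            }
        }
        return failed;
    }

    public static void main(String[] args) {
        // Constructed policy: ".*" for every component, as in step 1 of the report.
        Map<String, List<String>> anyValue = new HashMap<>();
        for (String c : COMPONENTS) {
            anyValue.put(c, Collections.singletonList(".*"));
        }
        // Constructed policy with every rule cleared: the components must be absent.
        Map<String, List<String>> mustBeEmpty = new HashMap<>();

        // Constructed request carrying only a CN, so O/OU/L/ST/C are all absent.
        Map<String, List<String>> cnOnly = new HashMap<>();
        // Constructed request that does carry an Organization.
        Map<String, List<String>> withOrg = new HashMap<>();
        withOrg.put("O", Collections.singletonList("Example Corp"));

        System.out.println("CN-only vs '.*' policy, violations: " + violations(cnOnly, anyValue));
        System.out.println("CN-only vs cleared policy, violations: " + violations(cnOnly, mustBeEmpty));
        System.out.println("O present vs cleared policy, violations: " + violations(withOrg, mustBeEmpty));
    }
}
```

Run `javac SubjectPolicyCheck.java && java SubjectPolicyCheck`. The first two cases correspond to the reporter's two scenarios and should list no violations; the third shows the cleared-rule policy doing the job the reporter describes, rejecting a request that supplies an Organization the template requires to be empty.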