Resolving an issue where we don't check to see if unrepeatedSans exists before using it #12417

Merged: 1 commit, Oct 30, 2024

@codyrancher (Contributor) commented Oct 29, 2024

Summary

#12255

Technical notes summary

First note:
This issue doesn't require the user to filter anything on the list page. The page just needs to contain a TLS cert secret with a special format.

Second note:
This one has been difficult to reproduce due to my lack of knowledge in certs. It looks like you need to have a cert with specially formed SANs to get this issue to reproduce. I artificially reproduced this issue using this key, cert (unused) and made a diff to the model.

MyKey.key

MyCertificate.crt

Areas or cases that should be tested

Secrets list page

Checklist

  • The PR is linked to an issue and the linked issue has a Milestone, or no issue is needed
  • The PR has a Milestone
  • The PR template has been filled out
  • The PR has been self reviewed
  • The PR has a reviewer assigned
  • The PR has automated tests or clear instructions for manual tests and the linked issue has appropriate QA labels, or tests are not needed
  • The PR has been reviewed with UX and tested in light and dark mode, or there are no UX changes

@codyrancher codyrancher added this to the v2.10.0 milestone Oct 30, 2024
@codyrancher codyrancher marked this pull request as ready for review October 30, 2024 00:58
@nwmac nwmac merged commit 001b6e9 into rancher:master Oct 30, 2024
41 checks passed
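
The failure mode named in the PR title, next to a guarded form, as an added example that is not Rancher's code and not part of the original PR. Only the name `unrepeatedSans` comes from the page; the `certInfo` shape with `cn` and `sans`, the other function names, and the sample rows are assumptions constructed for illustration.

```javascript
// Added illustration. Only the name `unrepeatedSans` comes from the PR title;
// the certInfo { cn, sans } shape and every other name are assumptions.

// Constructed rows standing in for parsed TLS secrets on a list page.
const sampleSecrets = [
  { name: 'web', certInfo: { cn: 'example.test', sans: ['example.test', 'www.example.test', 'api.example.test'] } },
  { name: 'no-san', certInfo: { cn: 'example.test' } },        // no SAN list at all
  { name: 'odd', certInfo: { cn: 'x.test', sans: 'x.test' } }, // a string, not an array
  { name: 'opaque', certInfo: null },                          // certificate failed to parse
];

// SANs worth displaying: strings only, minus the CN and duplicates.
// Always returns an array, so callers may use .length without a check.
function unrepeatedSans(certInfo) {
  const sans = Array.isArray(certInfo?.sans) ? certInfo.sans : [];
  const seen = new Set(certInfo?.cn ? [certInfo.cn] : []);
  return sans.filter((san) => {
    if (typeof san !== 'string' || seen.has(san)) {
      return false;
    }
    seen.add(san);
    return true;
  });
}

// Unguarded consumer: reads the list without checking that it exists.
function sanSummaryUnguarded(secret) {
  return `${ secret.certInfo.sans.length } SAN(s)`;
}

// Guarded consumer: relies on unrepeatedSans() always returning an array.
function sanSummary(secret) {
  const list = unrepeatedSans(secret.certInfo);
  if (list.length === 0) {
    return '-';
  }
  return list.length === 1 ? list[0] : `${ list[0] } +${ list.length - 1 } more`;
}

// Render every row, recording a per-row error instead of aborting the list.
function renderRows(secrets, summarize) {
  return secrets.map((secret) => {
    try {
      return { name: secret.name, sans: summarize(secret) };
    } catch (err) {
      return { name: secret.name, error: err.name };
    }
  });
}
```

With the unguarded summary, the `no-san` and `opaque` rows throw a `TypeError`, and the `odd` row silently reports the length of the string instead of a SAN count; the guarded summary renders all four rows.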