From fdc445e6a18b49d0ade4e5f8e310aad74a4d082b Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 18 Jan 2023 18:44:41 +0100
Subject: [PATCH] ensure we don't generate an empty SAN certificate

Signed-off-by: Jens Langhammer
---
 authentik/crypto/api.py | 4 +++-
 authentik/crypto/builder.py | 10 ++++++++--
 authentik/providers/oauth2/views/jwks.py | 4 ++--
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/authentik/crypto/api.py b/authentik/crypto/api.py
index a5bef7f0f..ed6d05a7e 100644
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@@ -235,9 +235,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
 data = CertificateGenerationSerializer(data=request.data)
 if not data.is_valid():
 return Response(data.errors, status=400)
+ raw_san = data.validated_data.get("subject_alt_name", "")
+ sans = raw_san.split(",") if raw_san != "" else []
 builder = CertificateBuilder(data.validated_data["common_name"])
 builder.build(
- subject_alt_names=data.validated_data.get("subject_alt_name", "").split(","),
+ subject_alt_names=sans,
 validity_days=int(data.validated_data["validity_days"]),
 )
 instance = builder.save()
diff --git a/authentik/crypto/builder.py b/authentik/crypto/builder.py
index ecdc68df1..6166e6c0c 100644
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@@ -57,7 +57,10 @@ class CertificateBuilder:
 one_day = datetime.timedelta(1, 0, 0)
 self.__private_key = self.generate_private_key()
 self.__public_key = self.__private_key.public_key()
- alt_names: list[x509.GeneralName] = [x509.DNSName(x) for x in subject_alt_names or []]
+ alt_names: list[x509.GeneralName] = []
+ for alt_name in subject_alt_names:
+ if alt_name.strip() != "":
+ alt_names.append(x509.DNSName(alt_name))
 self.__builder = (
 x509.CertificateBuilder()
 .subject_name(
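Review bot: The entries produced by `sans = raw_san.split(",") if raw_san != "" else []` are never trimmed, so user input such as `a.example.com, b.example.com` yields a second entry that begins with a space; the builder hunk in authentik/crypto/builder.py below has the same gap, since `alt_name.strip()` is used only for the emptiness test and the untrimmed string is then wrapped by `alt_names.append(x509.DNSName(alt_name))`, putting the stray whitespace into the certificate's SAN. Trim once at the API boundary, `sans = [s.strip() for s in raw_san.split(",") if s.strip()]`, and in the builder wrap the trimmed value, `alt_names.append(x509.DNSName(alt_name.strip()))`. With blanks filtered that way the `if raw_san != "" else []` guard becomes redundant, because the builder already skips empty entries. The enclosing view method starts above this hunk.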
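Review bot: The rewritten loop in authentik/crypto/builder.py drops the `or []` fallback that the removed line carried (`for x in subject_alt_names or []`), so a caller passing `subject_alt_names=None`, which the old code tolerated, now raises TypeError at `for alt_name in subject_alt_names:`. Whether `None` is the parameter's default cannot be seen here because `build`'s signature is above the hunk; if it is, or if any caller passes `None`, keep the fallback with `for alt_name in subject_alt_names or []:`. The enclosing method begins outside the hunk.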
@@ -76,12 +79,15 @@ class CertificateBuilder:
 ]
 )
 )
- .add_extension(x509.SubjectAlternativeName(alt_names), critical=True)
 .not_valid_before(datetime.datetime.today() - one_day)
 .not_valid_after(datetime.datetime.today() + datetime.timedelta(days=validity_days))
 .serial_number(int(uuid.uuid4()))
 .public_key(self.__public_key)
 )
+ if alt_names:
+ self.__builder = self.__builder.add_extension(
+ x509.SubjectAlternativeName(alt_names), critical=True
+ )
 self.__certificate = self.__builder.sign(
 private_key=self.__private_key,
 algorithm=hashes.SHA256(),
diff --git a/authentik/providers/oauth2/views/jwks.py b/authentik/providers/oauth2/views/jwks.py
index ee9a57ef7..0227897bb 100644
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@@ -51,10 +51,10 @@ class JWKSView(View):
 public_key: RSAPublicKey = private_key.public_key()
 public_numbers = public_key.public_numbers()
 key_data = {
+ "kid": key.kid,
 "kty": "RSA",
 "alg": JWTAlgorithms.RS256,
 "use": "sig",
- "kid": key.kid,
 "n": b64_enc(public_numbers.n),
 "e": b64_enc(public_numbers.e),
 }
@@ -62,10 +62,10 @@ class JWKSView(View):
 public_key: EllipticCurvePublicKey = private_key.public_key()
 public_numbers = public_key.public_numbers()
 key_data = {
+ "kid": key.kid,
 "kty": "EC",
 "alg": JWTAlgorithms.ES256,
 "use": "sig",
- "kid": key.kid,
 "x": b64_enc(public_numbers.x),
 "y": b64_enc(public_numbers.y),
 "crv": ec_crv_map.get(type(public_key.curve), public_key.curve.name),
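Review bot: Omitting the extension when `alt_names` is empty is correct as far as it goes, since RFC 5280 requires a SubjectAltName to hold at least one GeneralName and the removed unconditional `add_extension` produced a malformed certificate for blank input, but the consequence deserves a sentence in `build`'s docstring: a certificate without a SAN is fine for signing use (JWT, SAML) yet most current TLS clients match hostnames against the SAN only, so such a certificate will not validate as a server certificate. Suggested docstring sentence: `If subject_alt_names is empty the certificate is issued without a SubjectAlternativeName extension and is not suitable for TLS hostname verification by SAN-only clients.` Separately, the re-added `critical=True` is questionable: RFC 5280 §4.2.1.6 says the SAN extension SHOULD be non-critical when the subject DN is non-empty, and the `.subject_name(...)` call above always sets one, so `critical=False` would be the conformant choice. `build` continues outside this hunk.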