ensure we don't generate an empty SAN certificate

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-18 18:44:41 +01:00 · 2023-01-18 18:44:41 +01:00 · fdc445e6a1
parent e3f8afcf80
commit fdc445e6a1
3 changed files with 13 additions and 5 deletions
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -235,9 +235,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
        data = CertificateGenerationSerializer(data=request.data)
        if not data.is_valid():
            return Response(data.errors, status=400)
+        raw_san = data.validated_data.get("subject_alt_name", "")
+        sans = raw_san.split(",") if raw_san != "" else []
        builder = CertificateBuilder(data.validated_data["common_name"])
        builder.build(
-            subject_alt_names=data.validated_data.get("subject_alt_name", "").split(","),
+            subject_alt_names=sans,
            validity_days=int(data.validated_data["validity_days"]),
        )
        instance = builder.save()
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@ -57,7 +57,10 @@ class CertificateBuilder:
        one_day = datetime.timedelta(1, 0, 0)
        self.__private_key = self.generate_private_key()
        self.__public_key = self.__private_key.public_key()
-        alt_names: list[x509.GeneralName] = [x509.DNSName(x) for x in subject_alt_names or []]
+        alt_names: list[x509.GeneralName] = []
+        for alt_name in subject_alt_names:
+            if alt_name.strip() != "":
+                alt_names.append(x509.DNSName(alt_name))
        self.__builder = (
            x509.CertificateBuilder()
            .subject_name(
@ -76,12 +79,15 @@ class CertificateBuilder:
                    ]
                )
            )
-            .add_extension(x509.SubjectAlternativeName(alt_names), critical=True)
            .not_valid_before(datetime.datetime.today() - one_day)
            .not_valid_after(datetime.datetime.today() + datetime.timedelta(days=validity_days))
            .serial_number(int(uuid.uuid4()))
            .public_key(self.__public_key)
        )
+        if alt_names:
+            self.__builder = self.__builder.add_extension(
+                x509.SubjectAlternativeName(alt_names), critical=True
+            )
        self.__certificate = self.__builder.sign(
            private_key=self.__private_key,
            algorithm=hashes.SHA256(),
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@ -51,10 +51,10 @@ class JWKSView(View):
            public_key: RSAPublicKey = private_key.public_key()
            public_numbers = public_key.public_numbers()
            key_data = {
+                "kid": key.kid,
                "kty": "RSA",
                "alg": JWTAlgorithms.RS256,
                "use": "sig",
-                "kid": key.kid,
                "n": b64_enc(public_numbers.n),
                "e": b64_enc(public_numbers.e),
            }
@ -62,10 +62,10 @@ class JWKSView(View):
            public_key: EllipticCurvePublicKey = private_key.public_key()
            public_numbers = public_key.public_numbers()
            key_data = {
+                "kid": key.kid,
                "kty": "EC",
                "alg": JWTAlgorithms.ES256,
                "use": "sig",
-                "kid": key.kid,
                "x": b64_enc(public_numbers.x),
                "y": b64_enc(public_numbers.y),
                "crv": ec_crv_map.get(type(public_key.curve), public_key.curve.name),