[SERVER-1307] Clojure CA should refuse to sign any CSRs with authorized extensions Created: 2016/05/02  Updated: 2016/08/12  Resolved: 2016/07/13

Status: Closed
Project: Puppet Server
Component/s: None
Affects Version/s: None
Fix Version/s: SERVER 2.5.0

Type: New Feature Priority: Normal
Reporter: Nathaniel Smith Assignee: Erik Dasher
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is blocked by PUP-6258 Update Puppet OID lists to add new au... Closed
Epic Link: Securing SSL Extensions
Sub-team: jade
Story Points: 3
Sprint: Server Jade 2016-06-01, Server Jade 2016-06-29, Server Jade 2016-07-13, Server Jade 2016-07-27
Release Notes: Not Needed
QA Contact: Erik Dasher


In Scope

  • Update the Clojure CA to reject any CSR with X.509 extensions under the new puppet.1.3 OID arc. This should mirror the handling of CSRs with subjectAlternativeNames; see ensure-no-dns-alt-names! in the puppetserver codebase.

Out of Scope

  • Doing anything with the CSRs besides rejecting them
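
A sketch of the rejection check described under In Scope, added here as an example; it is not puppetserver's Clojure code. It uses Python's cryptography package, assumes "puppet.1.3" refers to Puppet's ppAuthCertExt arc 1.3.6.1.4.1.34380.1.3, and all function names and the sample CSR builder are hypothetical.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumption: "puppet.1.3" on this page is Puppet's ppAuthCertExt arc.
PP_AUTH_CERT_EXT = "1.3.6.1.4.1.34380.1.3"


class CSRRejected(Exception):
    """Raised when the CA must refuse to sign a CSR."""


def under_arc(oid: str, arc: str) -> bool:
    # Compare whole arc components, not string prefixes, so that a sibling
    # such as ...34380.1.30 is not mistaken for a child of ...34380.1.3.
    parts, prefix = oid.split("."), arc.split(".")
    return parts[:len(prefix)] == prefix


def authorization_extensions(csr_pem: bytes) -> list:
    # Return the dotted OIDs of every requested extension under the arc.
    csr = x509.load_pem_x509_csr(csr_pem)
    return [e.oid.dotted_string for e in csr.extensions
            if under_arc(e.oid.dotted_string, PP_AUTH_CERT_EXT)]


def ensure_no_authorization_extensions(csr_pem: bytes) -> None:
    # Reject only; nothing else is done with the CSR (see Out of Scope).
    found = authorization_extensions(csr_pem)
    if found:
        raise CSRRejected("CSR contains authorization extensions: " + ", ".join(found))


def make_csr(ext_oids) -> bytes:
    # Constructed sample input: throwaway key, CSR carrying the given extension OIDs.
    key = ec.generate_private_key(ec.SECP256R1())
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "agent.example.test")]))
    for oid in ext_oids:
        builder = builder.add_extension(
            x509.UnrecognizedExtension(x509.ObjectIdentifier(oid), b"\x0c\x04demo"),
            critical=False)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
```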

Comment by Justin Stoller [ 2016/07/06 ]

This has passed CI and is waiting to be promoted into a PE build.
