Skip to content

fix: dedupe SAN entries before checking algorithm uniqueness#9472

Open
dmavrodiev wants to merge 3 commits into
envoyproxy:mainfrom
dmavrodiev:fix/9471
Open

fix: dedupe SAN entries before checking algorithm uniqueness#9472
dmavrodiev wants to merge 3 commits into
envoyproxy:mainfrom
dmavrodiev:fix/9471

Conversation

@dmavrodiev

@dmavrodiev dmavrodiev commented Jul 10, 2026

Copy link
Copy Markdown

Dedupe the certificate's domains with sets.New before checking them against the shared pkaSecretSet map, so a repeated SAN no longer conflicts with itself, while a genuine conflict across two different certificates for the same domain and algorithm is still caught.

Add test cases to TestValidateTLSSecretsData:

  • valid-rsa-duplicate-san-domain: reproduces the bug against a new rsa-cert-dup-san.pem / rsa-pkcs8-dup-san.key fixture.
  • conflicting-rsa-algorithm-same-domain-different-secrets: guard rail confirming genuine cross-secret conflicts are still rejected.

Fixes #9471


PR Checklist

  • Authorship & ownership: Coding agents / AI assistants are welcome, but I have reviewed every change, understand how and why it works, can explain and maintain it, and take full responsibility for this PR. I have not submitted generated output I do not understand.
  • DCO: All commits are signed off (git commit -s). See DCO: Sign your work.
  • API agreed first: If this PR contains API changes (changes under /api), the API was discussed and agreed before the implementation. The API change can be in a separate PR, or in the same PR, but the API must be agreed before implementation. N/A if this PR does not contain API changes.
  • Required checks pass: make generate gen-check, make lint, and the unit-test/coverage build pass. (Flaky e2e failures are not considered breakages, but gen-check, lint, and coverage MUST pass.)
  • Tests added/updated: New/changed code is covered by appropriate tests. N/A if this PR does not contain code changes.
  • Docs: User-facing changes update the docs, either in this PR or a follow-up PR. N/A if this PR does not contain user-facing changes.
  • Release notes: For any non-trivial change, added a release-note fragment under release-notes/current/<section>/<pr-number>-<slug>.md (see release-notes/current/README.md for sections and naming). N/A if this PR does not contain non-trivial changes.
  • Generated files committed: Ran make gen-check and committed the result if API/helm charts/modules changed.
  • Scope & compatibility: The PR is reasonably scoped (no unrelated changes) and preserves backward compatibility, or any breaking change is called out above and documented in release-notes/current/breaking_changes/.
  • Codex review: Requested a Codex review and addressed all of its comments.
  • Copilot review: Requested a Copilot review and addressed all of its comments.

Dedupe the certificate's domains with sets.New before checking them
against the shared pkaSecretSet map, so a repeated SAN no longer
conflicts with itself, while a genuine conflict across two different
certificates for the same domain and algorithm is still caught.

Add test cases to TestValidateTLSSecretsData:
- valid-rsa-duplicate-san-domain: reproduces the bug against a new
  rsa-cert-dup-san.pem / rsa-pkcs8-dup-san.key fixture.
- conflicting-rsa-algorithm-same-domain-different-secrets: guard rail
  confirming genuine cross-secret conflicts are still rejected.

Fixes envoyproxy#9471

Signed-off-by: Dimitar Mavrodiev <dmavrodiev@gmail.com>
@dmavrodiev dmavrodiev requested a review from a team as a code owner July 10, 2026 08:40
@netlify

netlify Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 8a37916
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a5492580114fd00088cff20
😎 Deploy Preview https://deploy-preview-9472--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2a797798f6

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread internal/gatewayapi/tls.go Outdated
Signed-off-by: Dimitar Mavrodiev <dmavrodiev@gmail.com>
@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.45%. Comparing base (3a75814) to head (8a37916).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9472      +/-   ##
==========================================
+ Coverage   75.28%   75.45%   +0.17%     
==========================================
  Files         252      252              
  Lines       41536    41664     +128     
==========================================
+ Hits        31269    31439     +170     
+ Misses       8143     8100      -43     
- Partials     2124     2125       +1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

}

// Check uniqueness for each domain in the certificate with this algorithm
seenDomains := sets.New[string]()

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we add a comment linking the RFC section here

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@arkodg arkodg added this to the v1.9.0-rc.1 Release milestone Jul 11, 2026
Link the SANs RFC section in the comments.

Signed-off-by: Dimitar Mavrodiev <dmavrodiev@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Valid certificate is rejected when its SAN contains duplicate DNS entries

2 participants