connect: store signingKeyId instead of authorityKeyId (#6005)

2019-06-27 10:47:22 -04:00 · 2019-06-27 10:47:22 -04:00 · 8ece11a24a
parent 7a6a83397a
commit 8ece11a24a
2 changed files with 45 additions and 1 deletions
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@ -1084,7 +1084,7 @@ func parseCARoot(pemValue, provider, clusterID string) (*structs.CARoot, error)
 		ID:                  id,
 		Name:                fmt.Sprintf("%s CA Root Cert", strings.Title(provider)),
 		SerialNumber:        rootCert.SerialNumber.Uint64(),
-		SigningKeyID:        connect.HexString(rootCert.AuthorityKeyId),
+		SigningKeyID:        connect.HexString(rootCert.SubjectKeyId),
 		ExternalTrustDomain: clusterID,
 		NotBefore:           rootCert.NotBefore,
 		NotAfter:            rootCert.NotAfter,
--- a/agent/consul/leader_test.go
+++ b/agent/consul/leader_test.go
@ -1301,3 +1301,47 @@ func TestLeader_ConfigEntryBootstrap(t *testing.T) {
 		require.Equal(t, global_entry_init.Config, global.Config)
 	})
 }
+
+func TestLeader_ParseCARoot(t *testing.T) {
+	type test struct {
+		pem           string
+		expectedError bool
+	}
+	tests := []test{
+		{"", true},
+		{`-----BEGIN CERTIFICATE-----
+MIIDHDCCAsKgAwIBAgIQS+meruRVzrmVwEhXNrtk9jAKBggqhkjOPQQDAjCBuTEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMUAwPgYDVQQDEzdDb25zdWwgQWdlbnQgQ0Eg
+MTkzNzYxNzQwMjcxNzUxOTkyMzAyMzE1NDkxNjUzODYyMzAwNzE3MB4XDTE5MDQx
+MjA5MTg0NVoXDTIwMDQxMTA5MTg0NVowHDEaMBgGA1UEAxMRY2xpZW50LmRjMS5j
+b25zdWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS2UroGUh5k7eR//iPsn9ne
+CMCVsERnjqQnK6eDWnM5kTXgXcPPe5pcAS9xs0g8BZ+oVsJSc7sH6RYvX+gw6bCl
+o4IBRjCCAUIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr
+BgEFBQcDATAMBgNVHRMBAf8EAjAAMGgGA1UdDgRhBF84NDphNDplZjoxYTpjODo1
+MzoxMDo1YTpjNTplYTpjZTphYTowZDo2ZjpjOTozODozZDphZjo0NTphZTo5OTo4
+YzpiYjoyNzpiYzpiMzpmYTpmMDozMToxNDo4ZTozNDBqBgNVHSMEYzBhgF8yYTox
+MjpjYTo0Mzo0NzowODpiZjoxYTo0Yjo4MTpkNDo2MzowNTo1ODowZToxYzo3Zjoy
+NTo0ZjozNDpmNDozYjpmYzo5YTpkNzo4Mjo2YjpkYzpmODo3YjphMTo5ZDAtBgNV
+HREEJjAkghFjbGllbnQuZGMxLmNvbnN1bIIJbG9jYWxob3N0hwR/AAABMAoGCCqG
+SM49BAMCA0gAMEUCIHcLS74KSQ7RA+edwOprmkPTh1nolwXz9/y9CJ5nMVqEAiEA
+h1IHCbxWsUT3AiARwj5/D/CUppy6BHIFkvcpOCQoVyo=
+-----END CERTIFICATE-----`, false},
+	}
+	for _, test := range tests {
+		root, err := parseCARoot(test.pem, "consul", "cluster")
+		if err == nil && test.expectedError {
+			require.Error(t, err)
+		}
+		if test.pem != "" {
+			rootCert, err := connect.ParseCert(test.pem)
+			require.NoError(t, err)
+
+			// just to make sure these two are not the same
+			require.NotEqual(t, rootCert.AuthorityKeyId, rootCert.SubjectKeyId)
+
+			require.Equal(t, connect.HexString(rootCert.SubjectKeyId), root.SigningKeyID)
+		}
+	}
+}