ca: cleanup validateSetIntermediate
This commit is contained in:
Daniel Nephin
parent
ef03f7be73
commit
af651eaaad
|
|
@ -9,11 +9,7 @@ import (
|
|||
"github.com/hashicorp/consul/agent/connect"
|
||||
)
|
||||
|
||||
func validateSetIntermediate(
|
||||
intermediatePEM, rootPEM string,
|
||||
currentPrivateKey string, // optional
|
||||
spiffeID *connect.SpiffeIDSigning,
|
||||
) error {
|
||||
func validateSetIntermediate(intermediatePEM, rootPEM string, spiffeID *connect.SpiffeIDSigning) error {
|
||||
// Get the key from the incoming intermediate cert so we can compare it
|
||||
// to the currently stored key.
|
||||
intermediate, err := connect.ParseCert(intermediatePEM)
|
||||
|
|
@ -21,26 +17,6 @@ func validateSetIntermediate(
|
|||
return fmt.Errorf("error parsing intermediate PEM: %v", err)
|
||||
}
|
||||
|
||||
if currentPrivateKey != "" {
|
||||
privKey, err := connect.ParseSigner(currentPrivateKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Compare the two keys to make sure they match.
|
||||
b1, err := x509.MarshalPKIXPublicKey(intermediate.PublicKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
b2, err := x509.MarshalPKIXPublicKey(privKey.Public())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !bytes.Equal(b1, b2) {
|
||||
return fmt.Errorf("intermediate cert is for a different private key")
|
||||
}
|
||||
}
|
||||
|
||||
// Validate the remaining fields and make sure the intermediate validates against
|
||||
// the given root cert.
|
||||
if !intermediate.IsCA {
|
||||
|
|
@ -65,6 +41,32 @@ func validateSetIntermediate(
|
|||
return nil
|
||||
}
|
||||
|
||||
func validateIntermediateSignedByPrivateKey(intermediatePEM string, privateKey string) error {
|
||||
intermediate, err := connect.ParseCert(intermediatePEM)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error parsing intermediate PEM: %v", err)
|
||||
}
|
||||
|
||||
privKey, err := connect.ParseSigner(privateKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Compare the two keys to make sure they match.
|
||||
b1, err := x509.MarshalPKIXPublicKey(intermediate.PublicKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
b2, err := x509.MarshalPKIXPublicKey(privKey.Public())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !bytes.Equal(b1, b2) {
|
||||
return fmt.Errorf("intermediate cert is for a different private key")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func validateSignIntermediate(csr *x509.CertificateRequest, spiffeID *connect.SpiffeIDSigning) error {
|
||||
// We explicitly _don't_ require that the CSR has a valid SPIFFE signing URI
|
||||
// SAN because AWS PCA doesn't let us set one :(. We need to relax it here
|
||||
|
|
|
|||
|
|
@ -253,12 +253,10 @@ func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM string) error
|
|||
return fmt.Errorf("cannot set an intermediate using another root in the primary datacenter")
|
||||
}
|
||||
|
||||
err = validateSetIntermediate(
|
||||
intermediatePEM, rootPEM,
|
||||
providerState.PrivateKey,
|
||||
c.spiffeID,
|
||||
)
|
||||
if err != nil {
|
||||
if err = validateSetIntermediate(intermediatePEM, rootPEM, c.spiffeID); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := validateIntermediateSignedByPrivateKey(intermediatePEM, providerState.PrivateKey); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -402,8 +402,7 @@ func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error {
|
|||
return fmt.Errorf("cannot set an intermediate using another root in the primary datacenter")
|
||||
}
|
||||
|
||||
// the private key is in vault, so we can't use it in this validation
|
||||
err := validateSetIntermediate(intermediatePEM, rootPEM, "", v.spiffeID)
|
||||
err := validateSetIntermediate(intermediatePEM, rootPEM, v.spiffeID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue