luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Use provider state table for a global serial index

This commit is contained in:
Kyle Havlovitz 2018-05-04 16:01:38 -07:00 committed by Mitchell Hashimoto
parent 5998623c44
commit baf4db1c72
No known key found for this signature in database
GPG Key ID: 744E147AA52F5B0A
4 changed files with 30 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
agent/connect/ca/ca_provider_consul.go
View File

@ -179,7 +179,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Get the provider state
state := c.delegate.State()
_, providerState, err := state.CAProviderState(c.id)
idx, providerState, err := state.CAProviderState(c.id)
if err != nil {
return "", err
}
@ -215,7 +215,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Cert template for generation
sn := &big.Int{}
sn.SetUint64(providerState.SerialIndex + 1)
sn.SetUint64(idx + 1)
template := x509.Certificate{
SerialNumber: sn,
Subject: pkix.Name{CommonName: serviceId.Service},
@ -252,7 +252,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
return "", fmt.Errorf("error encoding private key: %s", err)
}
err = c.incrementSerialIndex(providerState)
err = c.incrementProviderIndex(providerState)
if err != nil {
return "", err
}
@ -268,7 +268,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
// Get the provider state
state := c.delegate.State()
_, providerState, err := state.CAProviderState(c.id)
idx, providerState, err := state.CAProviderState(c.id)
if err != nil {
return "", err
}
@ -290,7 +290,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
// Create the cross-signing template from the existing root CA
serialNum := &big.Int{}
serialNum.SetUint64(providerState.SerialIndex + 1)
serialNum.SetUint64(idx + 1)
template := *cert
template.SerialNumber = serialNum
template.SignatureAlgorithm = rootCA.SignatureAlgorithm
@ -309,7 +309,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
return "", fmt.Errorf("error encoding private key: %s", err)
}
err = c.incrementSerialIndex(providerState)
err = c.incrementProviderIndex(providerState)
if err != nil {
return "", err
}
@ -317,11 +317,10 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
return buf.String(), nil
}
// incrementSerialIndex increments the cert serial number index in the provider
// state.
func (c *ConsulCAProvider) incrementSerialIndex(providerState *structs.CAConsulProviderState) error {
// incrementProviderIndex does a write to increment the provider state store table index
// used for serial numbers when generating certificates.
func (c *ConsulCAProvider) incrementProviderIndex(providerState *structs.CAConsulProviderState) error {
newState := *providerState
newState.SerialIndex++
args := &structs.CARequest{
Op: structs.CAOpSetProviderState,
ProviderState: &newState,

1
agent/consul/fsm/commands_oss_test.go
View File

@ -1331,7 +1331,6 @@ func TestFSM_CABuiltinProvider(t *testing.T) {
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 2,
RaftIndex: structs.RaftIndex{
CreateIndex: 1,
ModifyIndex: 1,

5
agent/consul/state/connect_ca_test.go
View File

@ -359,7 +359,6 @@ func TestStore_CABuiltinProvider(t *testing.T) {
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 1,
}
ok, err := s.CASetProviderState(0, expected)
@ -377,7 +376,6 @@ func TestStore_CABuiltinProvider(t *testing.T) {
ID: "bar",
PrivateKey: "c",
RootCert: "d",
SerialIndex: 2,
}
ok, err := s.CASetProviderState(1, expected)
@ -401,13 +399,11 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
ID: "bar",
PrivateKey: "y",
RootCert: "z",
SerialIndex: 2,
},
{
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 1,
},
}
@ -426,7 +422,6 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
ID: "foo",
PrivateKey: "c",
RootCert: "d",
SerialIndex: 1,
}
ok, err := s.CASetProviderState(100, after)
assert.NoError(err)

1
agent/structs/connect_ca.go
View File

@ -171,7 +171,6 @@ type CAConsulProviderState struct {
ID string
PrivateKey string
RootCert string
SerialIndex uint64
RaftIndex
}