Use provider state table for a global serial index

This commit is contained in:
Kyle Havlovitz 2018-05-04 16:01:38 -07:00 committed by Mitchell Hashimoto
parent 5998623c44
commit baf4db1c72
No known key found for this signature in database
GPG key ID: 744E147AA52F5B0A
4 changed files with 30 additions and 38 deletions


@ -179,7 +179,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Get the provider state
state := c.delegate.State()
_, providerState, err := state.CAProviderState(c.id)
idx, providerState, err := state.CAProviderState(c.id)
if err != nil {
return "", err
}
@ -215,7 +215,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Cert template for generation
sn := &big.Int{}
sn.SetUint64(providerState.SerialIndex + 1)
sn.SetUint64(idx + 1)
template := x509.Certificate{
SerialNumber: sn,
Subject: pkix.Name{CommonName: serviceId.Service},
@ -252,7 +252,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
return "", fmt.Errorf("error encoding private key: %s", err)
}
err = c.incrementSerialIndex(providerState)
err = c.incrementProviderIndex(providerState)
if err != nil {
return "", err
}
@ -268,7 +268,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
// Get the provider state
state := c.delegate.State()
_, providerState, err := state.CAProviderState(c.id)
idx, providerState, err := state.CAProviderState(c.id)
if err != nil {
return "", err
}
@ -290,7 +290,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
// Create the cross-signing template from the existing root CA
serialNum := &big.Int{}
serialNum.SetUint64(providerState.SerialIndex + 1)
serialNum.SetUint64(idx + 1)
template := *cert
template.SerialNumber = serialNum
template.SignatureAlgorithm = rootCA.SignatureAlgorithm
@ -309,7 +309,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
return "", fmt.Errorf("error encoding private key: %s", err)
}
err = c.incrementSerialIndex(providerState)
err = c.incrementProviderIndex(providerState)
if err != nil {
return "", err
}
@ -317,11 +317,10 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
return buf.String(), nil
}
// incrementSerialIndex increments the cert serial number index in the provider
// state.
func (c *ConsulCAProvider) incrementSerialIndex(providerState *structs.CAConsulProviderState) error {
// incrementProviderIndex does a write to increment the provider state store table index
// used for serial numbers when generating certificates.
func (c *ConsulCAProvider) incrementProviderIndex(providerState *structs.CAConsulProviderState) error {
newState := *providerState
newState.SerialIndex++
args := &structs.CARequest{
Op: structs.CAOpSetProviderState,
ProviderState: &newState,
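Review bot: Serial uniqueness in the Sign and CrossSignCA hunks now rests on two assumptions the change does not check: that the `idx` returned by `state.CAProviderState(c.id)` is strictly advanced by every `incrementProviderIndex` write, and that no two signing calls observe the same `idx` before either write lands. If the state store treats writing back an unchanged `newState` as a no-op, or if signing is not serialized somewhere outside these hunks (Sign and CrossSignCA begin before their hunks, and incrementProviderIndex continues past this line), two certificates can be issued with the same serial, which breaks the X.509 requirement that serials be unique per issuer. A cheap guard is to re-read the index after the write and fail the signing operation if it has not moved past `idx`; separately, `idx + 1` yields fully predictable serials, and the CA/Browser Forum baseline expects at least 64 bits of CSPRNG output in a serial, so consider mixing random bits into `sn` rather than using the index alone. The new doc comment on incrementProviderIndex should also state the invariant it now carries, e.g. `// incrementProviderIndex writes the provider state back unchanged so that the table index advances; Sign and CrossSignCA derive certificate serial numbers from that index.`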


@ -1328,10 +1328,9 @@ func TestFSM_CABuiltinProvider(t *testing.T) {
// Provider state.
expected := &structs.CAConsulProviderState{
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 2,
ID: "foo",
PrivateKey: "a",
RootCert: "b",
RaftIndex: structs.RaftIndex{
CreateIndex: 1,
ModifyIndex: 1,


@ -356,10 +356,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
{
expected := &structs.CAConsulProviderState{
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 1,
ID: "foo",
PrivateKey: "a",
RootCert: "b",
}
ok, err := s.CASetProviderState(0, expected)
@ -374,10 +373,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
{
expected := &structs.CAConsulProviderState{
ID: "bar",
PrivateKey: "c",
RootCert: "d",
SerialIndex: 2,
ID: "bar",
PrivateKey: "c",
RootCert: "d",
}
ok, err := s.CASetProviderState(1, expected)
@ -398,16 +396,14 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
// Create multiple state entries.
before := []*structs.CAConsulProviderState{
{
ID: "bar",
PrivateKey: "y",
RootCert: "z",
SerialIndex: 2,
ID: "bar",
PrivateKey: "y",
RootCert: "z",
},
{
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 1,
ID: "foo",
PrivateKey: "a",
RootCert: "b",
},
}
@ -423,10 +419,9 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
// Modify the state store.
after := &structs.CAConsulProviderState{
ID: "foo",
PrivateKey: "c",
RootCert: "d",
SerialIndex: 1,
ID: "foo",
PrivateKey: "c",
RootCert: "d",
}
ok, err := s.CASetProviderState(100, after)
assert.NoError(err)


@ -168,10 +168,9 @@ type ConsulCAProviderConfig struct {
// CAConsulProviderState is used to track the built-in Consul CA provider's state.
type CAConsulProviderState struct {
ID string
PrivateKey string
RootCert string
SerialIndex uint64
ID string
PrivateKey string
RootCert string
RaftIndex
}