connect: use correct subject key id for leaf certificates. (#7091)

This commit is contained in:
Hans Hasselberg 2020-01-22 11:28:28 +01:00 committed by GitHub
parent 2163f79170
commit f3a01e6a4a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 1 deletions


@ -343,6 +343,12 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
return "", err
}
// Create the subjectKeyId for the cert from the csr public key.
subjectKeyID, err := connect.KeyId(csr.PublicKey)
if err != nil {
return "", err
}
// Parse the SPIFFE ID
spiffeId, err := connect.ParseCertURI(csr.URIs[0])
if err != nil {
@ -402,7 +408,7 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
NotAfter: effectiveNow.Add(c.config.LeafCertTTL),
NotBefore: effectiveNow,
AuthorityKeyId: keyId,
SubjectKeyId: keyId,
SubjectKeyId: subjectKeyID,
DNSNames: csr.DNSNames,
IPAddresses: csr.IPAddresses,
}
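Review bot: The SPIFFE ID parse at `csr.URIs[0]`, immediately after the new subjectKeyID block, indexes the CSR's URI SANs with no length check visible in this hunk, so a CSR carrying no URI SAN would panic the signer instead of returning an error; unless Sign (whose start and end lie outside these hunks) already validates this earlier, guard it with `if len(csr.URIs) == 0 { return "", fmt.Errorf("CSR has no URI SAN") }` before the parse. The SKI change itself looks right: deriving SubjectKeyId from the leaf's own public key while AuthorityKeyId stays the issuer's key id is what RFC 5280 expects, and the old code's identical SKI/AKI on the leaf would confuse strict chain builders. Two things a reader cannot confirm from the hunk: that `keyId` (the AKI) is produced from the CA key by the same `connect.KeyId` derivation so issuer SKI and leaf AKI match byte-for-byte, and that the CSR's signature is checked (`csr.CheckSignature()`) before its public key is trusted for the key id and the certificate. A short comment on the new block would make the first invariant explicit: `// Must use the same derivation as the CA's SubjectKeyId so AKI/SKI chain matching works.`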


@ -176,6 +176,9 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
require.Equal(spiffeService.URI(), parsed.URIs[0])
require.Equal(connect.ServiceCN("foo", connect.TestClusterID), parsed.Subject.CommonName)
require.Equal(uint64(2), parsed.SerialNumber.Uint64())
subjectKeyID, err := connect.KeyId(csr.PublicKey)
require.NoError(err)
require.Equal(subjectKeyID, parsed.SubjectKeyId)
requireNotEncoded(t, parsed.SubjectKeyId)
requireNotEncoded(t, parsed.AuthorityKeyId)
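Review bot: The new assertion `require.Equal(subjectKeyID, parsed.SubjectKeyId)` recomputes the expected value with the same `connect.KeyId` call the implementation uses, so it would still pass if both sides were pointed at the wrong key; the regression this commit fixes (leaf SKI identical to AKI) is caught more directly by also asserting `require.NotEqual(parsed.AuthorityKeyId, parsed.SubjectKeyId)`. If the test has the issuing CA certificate in hand, asserting `parsed.AuthorityKeyId` equals that certificate's SubjectKeyId pins the equality chain building actually relies on. TestConsulCAProvider_SignLeaf begins outside this hunk and its remaining body is not visible here.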