open-vault/builtin/logical/pki/secret_certs.go

package pki

import (
	"fmt"
	"strings"
	"time"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

// SecretCertsType is the name used to identify this type
const SecretCertsType = "pki"

func secretCerts(b *backend) *framework.Secret {
	return &framework.Secret{
		Type: SecretCertsType,
		Fields: map[string]*framework.FieldSchema{
			"certificate": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "The PEM-encoded concatenated certificate and issuing certificate authority",
			},
			"private_key": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "The PEM-encoded private key for the certificate",
			},
			"serial": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "The serial number of the certificate, for handy reference",
			},
		},

		DefaultDuration:    168 * time.Hour,
		DefaultGracePeriod: 10 * time.Minute,

		Revoke: b.secretCredsRevoke,
	}
}

func (b *backend) secretCredsRevoke(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	if req.Secret == nil {
		return nil, fmt.Errorf("Secret is nil in request")
	}

	serialInt, ok := req.Secret.InternalData["serial"]
	if !ok {
		return nil, fmt.Errorf("Could not find serial in internal secret data")
	}

	serial := strings.Replace(strings.ToLower(serialInt.(string)), "-", ":", -1)

	return revokeCert(req, serial)
}
Initial PKI backend implementation. Complete: * Up-to-date API documents * Backend configuration (root certificate and private key) * Highly granular role configuration * Certificate generation * CN checking against role * IP and DNS subject alternative names * Server, client, and code signing usage types * Later certificate (but not private key) retrieval * CRL creation and update * CRL/CA bare endpoints (for cert extensions) * Revocation (both Vault-native and by serial number) * CRL force-rotation endpoint Missing: * OCSP support (can't implement without changes in Vault) * Unit tests Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-05-15 16:13:05 +00:00			`package pki`

			`import (`
			`"fmt"`
			`"strings"`
			`"time"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`// SecretCertsType is the name used to identify this type`
			`const SecretCertsType = "pki"`

			`func secretCerts(b backend) framework.Secret {`
			`return &framework.Secret{`
			`Type: SecretCertsType,`
			`Fields: map[string]*framework.FieldSchema{`
			`"certificate": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "The PEM-encoded concatenated certificate and issuing certificate authority",`
			`},`
			`"private_key": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "The PEM-encoded private key for the certificate",`
			`},`
			`"serial": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "The serial number of the certificate, for handy reference",`
			`},`
			`},`

			`DefaultDuration: 168 * time.Hour,`
			`DefaultGracePeriod: 10 * time.Minute,`

			`Revoke: b.secretCredsRevoke,`
			`}`
			`}`

			`func (b *backend) secretCredsRevoke(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`if req.Secret == nil {`
			`return nil, fmt.Errorf("Secret is nil in request")`
			`}`

			`serialInt, ok := req.Secret.InternalData["serial"]`
			`if !ok {`
			`return nil, fmt.Errorf("Could not find serial in internal secret data")`
			`}`

			`serial := strings.Replace(strings.ToLower(serialInt.(string)), "-", ":", -1)`

			`return revokeCert(req, serial)`
			`}`