package pki
import (
"fmt"
"github.com/hashicorp/vault/helper/certutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
// pathConfigCA builds the framework.Path for "config/ca".
//
// The path exposes a single string field, "pem_bundle", and wires the
// write operation to b.pathCAWrite. Note that only a WriteOperation
// callback is registered here, even though the help description talks
// about reading the endpoint; any read handler would have to live
// elsewhere.
func pathConfigCA(b *backend) *framework.Path {
	fields := map[string]*framework.FieldSchema{
		"pem_bundle": &framework.FieldSchema{
			Type: framework.TypeString,
			Description: `PEM-format, concatenated unencrypted secret key
and certificate`,
		},
	}

	callbacks := map[logical.Operation]framework.OperationFunc{
		logical.WriteOperation: b.pathCAWrite,
	}

	return &framework.Path{
		Pattern:         "config/ca",
		Fields:          fields,
		Callbacks:       callbacks,
		HelpSynopsis:    pathConfigCAHelpSyn,
		HelpDescription: pathConfigCAHelpDesc,
	}
}
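// pathCAWrite handles a write to "config/ca".
//
// It parses the submitted "pem_bundle" (a PEM-concatenated unencrypted
// private key and certificate), requires the key to be RSA and the
// certificate to be marked as a CA, and then persists the result to
// req.Storage under three keys:
//
//   - "config/ca_bundle": the JSON-encoded result of ToCertBundle (this
//     presumably carries the private key, so treat the entry as sensitive)
//   - "ca":  the raw certificate bytes, for convenient later lookup
//   - "crl": an empty placeholder CRL
//
// Problems with the caller-supplied bundle are returned as a
// logical.ErrorResponse with a nil error; internal failures
// (certutil.InternalError, bundle conversion, storage) are returned as a
// non-nil error with a nil response.
func (b *backend) pathCAWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	pemBundle := d.Get("pem_bundle").(string)

	parsedBundle, err := certutil.ParsePEMBundle(pemBundle)
	if err != nil {
		switch err.(type) {
		case certutil.InternalError:
			return nil, err
		default:
			// Anything that is not an internal error is attributed to the
			// submitted input and surfaced to the caller as a user error.
			return logical.ErrorResponse(err.Error()), nil
		}
	}

	// Handle the case of a self-signed certificate: when the parser left
	// Certificate unset but found an issuing CA, that CA is the certificate
	// being configured.
	if parsedBundle.Certificate == nil && parsedBundle.IssuingCA != nil {
		parsedBundle.Certificate = parsedBundle.IssuingCA
		parsedBundle.CertificateBytes = parsedBundle.IssuingCABytes
	}

	// Reject a bundle that carries no certificate at all. Without this guard
	// the IsCA check below would dereference a nil pointer on untrusted
	// input, which is a crash rather than an error response.
	if parsedBundle.Certificate == nil {
		return logical.ErrorResponse("The given PEM bundle does not contain a certificate"), nil
	}

	// TODO?: CRLs can only be generated with RSA keys right now, in the
	// Go standard library. The plumbing is here to support non-RSA keys
	// if the library gets support
	if parsedBundle.PrivateKeyType != certutil.RSAPrivateKey {
		return logical.ErrorResponse("Currently, only RSA keys are supported for the CA certificate"), nil
	}

	if !parsedBundle.Certificate.IsCA {
		return logical.ErrorResponse("The given certificate is not marked for CA use and cannot be used with this backend"), nil
	}

	cb, err := parsedBundle.ToCertBundle()
	if err != nil {
		return nil, fmt.Errorf("Error converting raw values into cert bundle: %s", err)
	}

	entry, err := logical.StorageEntryJSON("config/ca_bundle", cb)
	if err != nil {
		return nil, err
	}
	if err = req.Storage.Put(entry); err != nil {
		return nil, err
	}

	// For ease of later use, also store just the certificate at a known
	// location, plus a blank CRL. The same entry value is reused; only its
	// key and payload change.
	entry.Key = "ca"
	entry.Value = parsedBundle.CertificateBytes
	if err = req.Storage.Put(entry); err != nil {
		return nil, err
	}

	entry.Key = "crl"
	entry.Value = []byte{}
	if err = req.Storage.Put(entry); err != nil {
		return nil, err
	}

	// A successful write returns no response body.
	return nil, nil
}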
// pathConfigCAHelpSyn is the one-line help synopsis shown for the
// "config/ca" path.
const pathConfigCAHelpSyn = `
Configure the CA certificate and private key used for generated credentials.
`

// pathConfigCAHelpDesc is the long-form help shown for the "config/ca" path.
//
// NOTE(review): the final sentence describes reading this endpoint, but
// pathConfigCA in this file registers only a WriteOperation callback.
// Confirm whether a read handler exists elsewhere or the text is stale.
const pathConfigCAHelpDesc = `
This configures the CA information used for credentials
generated by this backend. This must be a PEM-format, concatenated
unencrypted secret key and certificate.

For security reasons, you can only view the certificate when reading this endpoint.
`