open-vault/builtin/logical/pki/secret_certs.go

package pki

import (
	"fmt"
	"strings"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

// SecretCertsType is the name used to identify this type
const SecretCertsType = "pki"

func secretCerts(b *backend) *framework.Secret {
	return &framework.Secret{
		Type: SecretCertsType,
		Fields: map[string]*framework.FieldSchema{
			"certificate": &framework.FieldSchema{
				Type: framework.TypeString,
				Description: `The PEM-encoded concatenated certificate and
issuing certificate authority`,
			},
			"private_key": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "The PEM-encoded private key for the certificate",
			},
			"serial": &framework.FieldSchema{
				Type: framework.TypeString,
				Description: `The serial number of the certificate, for handy
reference`,
			},
		},

		Revoke: b.secretCredsRevoke,
	}
}

func (b *backend) secretCredsRevoke(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	if req.Secret == nil {
		return nil, fmt.Errorf("Secret is nil in request")
	}

	serialInt, ok := req.Secret.InternalData["serial_number"]
	if !ok {
		return nil, fmt.Errorf("Could not find serial in internal secret data")
	}

	serial := strings.Replace(strings.ToLower(serialInt.(string)), "-", ":", -1)

	b.revokeStorageLock.Lock()
	defer b.revokeStorageLock.Unlock()

	return revokeCert(b, req, serial)
}
Initial PKI backend implementation. Complete: * Up-to-date API documents * Backend configuration (root certificate and private key) * Highly granular role configuration * Certificate generation * CN checking against role * IP and DNS subject alternative names * Server, client, and code signing usage types * Later certificate (but not private key) retrieval * CRL creation and update * CRL/CA bare endpoints (for cert extensions) * Revocation (both Vault-native and by serial number) * CRL force-rotation endpoint Missing: * OCSP support (can't implement without changes in Vault) * Unit tests Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-05-15 16:13:05 +00:00			`package pki`

			`import (`
			`"fmt"`
			`"strings"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

			`// SecretCertsType is the name used to identify this type`
			`const SecretCertsType = "pki"`

			`func secretCerts(b backend) framework.Secret {`
			`return &framework.Secret{`
			`Type: SecretCertsType,`
			`Fields: map[string]*framework.FieldSchema{`
			`"certificate": &framework.FieldSchema{`
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert. Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-06-18 14:44:02 +00:00			`Type: framework.TypeString,`
			Description: `The PEM-encoded concatenated certificate and
			issuing certificate authority`,
Initial PKI backend implementation. Complete: * Up-to-date API documents * Backend configuration (root certificate and private key) * Highly granular role configuration * Certificate generation * CN checking against role * IP and DNS subject alternative names * Server, client, and code signing usage types * Later certificate (but not private key) retrieval * CRL creation and update * CRL/CA bare endpoints (for cert extensions) * Revocation (both Vault-native and by serial number) * CRL force-rotation endpoint Missing: * OCSP support (can't implement without changes in Vault) * Unit tests Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-05-15 16:13:05 +00:00			`},`
			`"private_key": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "The PEM-encoded private key for the certificate",`
			`},`
			`"serial": &framework.FieldSchema{`
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert. Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-06-18 14:44:02 +00:00			`Type: framework.TypeString,`
			Description: `The serial number of the certificate, for handy
			reference`,
Initial PKI backend implementation. Complete: * Up-to-date API documents * Backend configuration (root certificate and private key) * Highly granular role configuration * Certificate generation * CN checking against role * IP and DNS subject alternative names * Server, client, and code signing usage types * Later certificate (but not private key) retrieval * CRL creation and update * CRL/CA bare endpoints (for cert extensions) * Revocation (both Vault-native and by serial number) * CRL force-rotation endpoint Missing: * OCSP support (can't implement without changes in Vault) * Unit tests Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-05-15 16:13:05 +00:00			`},`
			`},`

			`Revoke: b.secretCredsRevoke,`
			`}`
			`}`

			`func (b *backend) secretCredsRevoke(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`
			`if req.Secret == nil {`
			`return nil, fmt.Errorf("Secret is nil in request")`
			`}`

A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions useful for other parts of Vault (including the API) to take advantage of. Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-06-15 17:33:23 +00:00			`serialInt, ok := req.Secret.InternalData["serial_number"]`
Initial PKI backend implementation. Complete: * Up-to-date API documents * Backend configuration (root certificate and private key) * Highly granular role configuration * Certificate generation * CN checking against role * IP and DNS subject alternative names * Server, client, and code signing usage types * Later certificate (but not private key) retrieval * CRL creation and update * CRL/CA bare endpoints (for cert extensions) * Revocation (both Vault-native and by serial number) * CRL force-rotation endpoint Missing: * OCSP support (can't implement without changes in Vault) * Unit tests Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-05-15 16:13:05 +00:00			`if !ok {`
			`return nil, fmt.Errorf("Could not find serial in internal secret data")`
			`}`

			`serial := strings.Replace(strings.ToLower(serialInt.(string)), "-", ":", -1)`

A few things: * Add comments to every non-obvious (e.g. not basic read/write handler type) function * Remove revoked/ endpoint, at least for now * Add configurable CRL lifetime * Cleanup * Address some comments from code review Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-06-19 16:48:18 +00:00			`b.revokeStorageLock.Lock()`
			`defer b.revokeStorageLock.Unlock()`
Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe. Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-06-12 02:28:13 +00:00
A few things: * Add comments to every non-obvious (e.g. not basic read/write handler type) function * Remove revoked/ endpoint, at least for now * Add configurable CRL lifetime * Cleanup * Address some comments from code review Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-06-19 16:48:18 +00:00			`return revokeCert(b, req, serial)`
Initial PKI backend implementation. Complete: * Up-to-date API documents * Backend configuration (root certificate and private key) * Highly granular role configuration * Certificate generation * CN checking against role * IP and DNS subject alternative names * Server, client, and code signing usage types * Later certificate (but not private key) retrieval * CRL creation and update * CRL/CA bare endpoints (for cert extensions) * Revocation (both Vault-native and by serial number) * CRL force-rotation endpoint Missing: * OCSP support (can't implement without changes in Vault) * Unit tests Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com> 2015-05-15 16:13:05 +00:00			`}`