package pki
import "github.com/hashicorp/vault/logical/framework"
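// addIssueAndSignCommonFields adds fields common to both CA and non-CA issuing
// and signing: the output encoding ("format") and the requested IP SANs
// ("ip_sans").
//
// The map is mutated in place and also returned so that calls can be chained.
// A nil map is tolerated: a fresh map is allocated rather than panicking on
// the first write.
//
// This file only declares request schemas; parsing and validation of the
// submitted values happen elsewhere.
func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	if fields == nil {
		// Writing to a nil map panics; allocate so callers may start from nil.
		fields = make(map[string]*framework.FieldSchema)
	}

	// Encoding of the returned certificate data; the help text documents the
	// two accepted values and the "pem" default.
	fields["format"] = &framework.FieldSchema{
		Type:    framework.TypeString,
		Default: "pem",
		Description: `Format for returned data. Can be "pem" or "der";
defaults to "pem".`,
	}

	// Requested IP Subject Alternative Names, comma-delimited. Whether a
	// request may carry IP SANs is not decided here.
	fields["ip_sans"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The requested IP SANs, if any, in a
comma-delimited list`,
	}

	return fields
}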
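// addNonCACommonFields adds fields with help text specific to non-CA
// certificate issuing and signing. On top of the shared issue/sign fields it
// declares "role", "common_name", "alt_names" and "ttl".
//
// The map is mutated in place and also returned so that calls can be chained.
// A nil map is tolerated: a fresh map is allocated rather than panicking on
// the first write.
//
// The help text describes constraints (email protection, role max TTL) that
// are enforced elsewhere; nothing in this file validates the values.
func addNonCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	if fields == nil {
		// Writing to a nil map panics; allocate so callers may start from nil.
		fields = make(map[string]*framework.FieldSchema)
	}

	fields = addIssueAndSignCommonFields(fields)

	// The role selects the policy (allowed names, TTLs, key usage) that the
	// request is checked against. Leaf issuance is role-scoped; CA issuance
	// (see addCACommonFields) has no such field.
	fields["role"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The desired role with configuration for this
request`,
	}

	fields["common_name"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The requested common name; if you want more than
one, specify the alternative names in the
alt_names map. If email protection is enabled
in the role, this may be an email address.`,
	}

	fields["alt_names"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The requested Subject Alternative Names, if any,
in a comma-delimited list. If email protection
is enabled for the role, this may contain
email addresses.`,
	}

	// TTL is a string so that duration syntax can be accepted; the role max
	// TTL cap named in the help text is applied by the caller, not here.
	fields["ttl"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The requested Time To Live for the certificate;
sets the expiration date. If not specified
the role default, backend default, or system
default TTL is used, in that order. Cannot
be later than the role max TTL.`,
	}

	return fields
}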
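// addCACommonFields adds fields with help text specific to CA
// certificate issuing and signing. On top of the shared issue/sign fields it
// declares "alt_names", "common_name" and "ttl" with CA-oriented help text.
//
// Unlike addNonCACommonFields there is no "role" field: CA operations are
// not scoped to a role, so the TTL ceiling named in the help text is the
// mount max TTL rather than a role max TTL.
//
// The map is mutated in place and also returned so that calls can be chained.
// A nil map is tolerated: a fresh map is allocated rather than panicking on
// the first write.
func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	if fields == nil {
		// Writing to a nil map panics; allocate so callers may start from nil.
		fields = make(map[string]*framework.FieldSchema)
	}

	fields = addIssueAndSignCommonFields(fields)

	fields["alt_names"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The requested Subject Alternative Names, if any,
in a comma-delimited list. May contain both
DNS names and email addresses.`,
	}

	// When signing, an omitted common name falls back to the CSR's subject;
	// SANs are never taken from the CSR and must be passed explicitly.
	fields["common_name"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The requested common name; if you want more than
one, specify the alternative names in the alt_names
map. If not specified when signing, the common
name will be taken from the CSR; other names
must still be specified in alt_names or ip_sans.`,
	}

	// TTL is a string so that duration syntax can be accepted. The help text
	// notes it is ignored when only a CSR is produced (no certificate, so no
	// expiry to set).
	fields["ttl"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The requested Time To Live for the certificate;
sets the expiration date. If not specified
the role default, backend default, or system
default TTL is used, in that order. Cannot
be larger than the mount max TTL. Note:
this only has an effect when generating
a CA cert or signing a CA cert, not when
generating a CSR for an intermediate CA.`,
	}

	return fields
}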
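// addCAKeyGenerationFields adds fields with help text specific to CA key
// generation and exporting: "exported", "key_bits" and "key_type".
//
// The "exported" field is security-sensitive: per its help text, choosing
// "exported" causes the generated private key to be returned in the
// response, and that is the only time it is available. Responses to such
// requests should be treated as secret material by callers and by any audit
// or logging path they pass through.
//
// The map is mutated in place and also returned so that calls can be chained.
// A nil map is tolerated: a fresh map is allocated rather than panicking on
// the first write.
func addCAKeyGenerationFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	if fields == nil {
		// Writing to a nil map panics; allocate so callers may start from nil.
		fields = make(map[string]*framework.FieldSchema)
	}

	// No Default is declared: the caller must choose between keeping the key
	// inside the backend ("internal") and having it returned ("exported").
	fields["exported"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `Must be "internal" or "exported". If set to
"exported", the generated private key will be
returned. This is your *only* chance to retrieve
the private key!`,
	}

	// The 2048 default pairs with the "rsa" default of key_type below; the
	// help text tells callers to revisit it when they change the key type.
	// Acceptable sizes per key type are not checked in this file.
	fields["key_bits"] = &framework.FieldSchema{
		Type:    framework.TypeInt,
		Default: 2048,
		Description: `The number of bits to use. You will almost
certainly want to change this if you adjust
the key_type.`,
	}

	fields["key_type"] = &framework.FieldSchema{
		Type:    framework.TypeString,
		Default: "rsa",
		Description: `The type of key to use; defaults to RSA. "rsa"
and "ec" are the only valid values.`,
	}

	return fields
}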
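// addCAIssueFields adds fields common to CA issuing, e.g. when returning
// an actual certificate. It currently declares only "max_path_length".
//
// The map is mutated in place and also returned so that calls can be chained.
// A nil map is tolerated: a fresh map is allocated rather than panicking on
// the first write.
func addCAIssueFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	if fields == nil {
		// Writing to a nil map panics; allocate so callers may start from nil.
		fields = make(map[string]*framework.FieldSchema)
	}

	// Basic-constraints path length for the issued CA. The meaning of the -1
	// default is not defined in this file; presumably "no path length
	// constraint" — confirm against the code that consumes it.
	fields["max_path_length"] = &framework.FieldSchema{
		Type:        framework.TypeInt,
		Default:     -1,
		Description: "The maximum allowable path length",
	}

	return fields
}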