From 23e67be230856770ca760d29ed602ba7bed2c4ec Mon Sep 17 00:00:00 2001
From: Gabriel Santos
Date: Mon, 16 May 2022 21:15:18 +0100
Subject: [PATCH] pki/sign-verbatim uses role not before duration (#15429)

* Use "not_before_duration" fiueld from role if above 0

* 'test' and update docs

* changelog file

* Requested changes - improved test and better description to changelog

* changelog description:

* update to ttl and not_before_duration API docs
---
 builtin/logical/pki/backend_test.go | 12 ++++++++----
 builtin/logical/pki/path_issue_sign.go | 3 +++
 changelog/15429.txt | 3 +++
 website/content/api-docs/secret/pki.mdx | 15 ++++++++-------
 4 files changed, 22 insertions(+), 11 deletions(-)
 create mode 100644 changelog/15429.txt

diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index f2e36df2f..6ddd8b4a7 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -2178,9 +2178,10 @@ func runTestSignVerbatim(t *testing.T, keyType string) {
 // create a role entry; we use this to check that sign-verbatim when used with a role is still honoring TTLs
 roleData := map[string]interface{}{
- "ttl": "4h",
- "max_ttl": "8h",
- "key_type": keyType,
+ "ttl": "4h",
+ "max_ttl": "8h",
+ "key_type": keyType,
+ "not_before_duration": "2h",
 }
 
 resp, err = b.HandleRequest(context.Background(), &logical.Request{
 Operation: logical.UpdateOperation,
@@ -2247,7 +2248,10 @@ func runTestSignVerbatim(t *testing.T, keyType string) {
 }
 cert := certs[0]
 if math.Abs(float64(time.Now().Add(12*time.Hour).Unix()-cert.NotAfter.Unix())) < 10 {
- t.Fatalf("sign-verbatim did not properly cap validity period on signed CSR")
+ t.Fatalf("sign-verbatim did not properly cap validity period (notAfter) on signed CSR: was %v vs requested %v but should've been %v", cert.NotAfter, time.Now().Add(12*time.Hour), time.Now().Add(8*time.Hour))
+ }
+ if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
+ t.Fatalf("sign-verbatim did not properly cap validity period (notBefore) on signed CSR: was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
 }
 
 // Now check signing a certificate using the not_after input using the Y10K value
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index 041fd596c..8b669c69a 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -212,6 +212,9 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
 if role.GenerateLease != nil {
 *entry.GenerateLease = *role.GenerateLease
 }
+ if role.NotBeforeDuration > 0 {
+ entry.NotBeforeDuration = role.NotBeforeDuration
+ }
 entry.NoStore = role.NoStore
 entry.Issuer = role.Issuer
 }
diff --git a/changelog/15429.txt b/changelog/15429.txt
new file mode 100644
index 000000000..1f46aafb5
--- /dev/null
+++ b/changelog/15429.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Have pki/sign-verbatim use the not_before_duration field defined in the role
+```
\ No newline at end of file
diff --git a/website/content/api-docs/secret/pki.mdx b/website/content/api-docs/secret/pki.mdx
index 26b336a96..0949785f7 100644
--- a/website/content/api-docs/secret/pki.mdx
+++ b/website/content/api-docs/secret/pki.mdx
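Review bot: The notAfter check in this hunk still only rejects the uncapped 12h value, so the new failure message's claim that the value should have been now+8h is never actually asserted; a NotAfter of now+6h (what you would see if the 2h backdate were subtracted from the validity window, which is exactly the regression this test should catch) would pass. Add a positive bound next to the new notBefore check, `if math.Abs(float64(time.Now().Add(8*time.Hour).Unix()-cert.NotAfter.Unix())) > 10 {` with a matching t.Fatalf. It would also be cleaner to take `now := time.Now()` once before the checks so the comparisons and the messages use the same instant. runTestSignVerbatim begins and ends outside the hunk.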
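Review bot: The `> 0` guard means a role that explicitly sets `not_before_duration` to 0 (no backdating) is ignored here, so sign-verbatim with such a role presumably keeps whatever default NotBefore backdate the entry was given earlier in the function; since the role's zero is the stricter setting, it seems safer to copy the role value unconditionally whenever a role is supplied, `entry.NotBeforeDuration = role.NotBeforeDuration`, or at least to say why zero is skipped with a comment such as `// A zero role value is treated as "unset" and leaves the sign-verbatim default in place.` If the sign-verbatim request itself can also carry a not_before_duration, this assignment silently overrides it, which is worth confirming against the path's field list. The entry's default NotBeforeDuration and the start of pathSignVerbatim are outside the hunk.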
@@ -686,8 +686,7 @@ have access.**
 path and takes the value `default`.
 
 - `name` `(string: "")` - Specifies a role. If set, the following parameters
- from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, and
- `no_store`.
+ from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, `no_store` and `not_before_duration`.
 
 - `csr` `(string: )` - Specifies the PEM-encoded CSR.
 
@@ -1970,10 +1969,10 @@ request is denied.
 
 - `ttl` `(string: "")` - Specifies the Time To Live value to be used for the
 validity period of the requested certificate, provided as a string duration
- with time suffix. Hour is the largest suffix. If not set, uses the system
- default value or the value of `max_ttl`, whichever is shorter. See
- `not_after` as an alternative for setting an absolute end date (rather
- than a relative one).
+ with time suffix. Hour is the largest suffix. The value specified is strictly
+ used for future validity. If not set, uses the system default value or the
+ value of `max_ttl`, whichever is shorter. See `not_after` as an alternative
+ for setting an absolute end date (rather than a relative one).
 
 - `max_ttl` `(string: "")` - Specifies the maximum Time To Live provided as a
 string duration with time suffix. Hour is the largest suffix. If not set,
@@ -2209,7 +2208,9 @@ request is denied.
 - `basic_constraints_valid_for_non_ca` `(bool: false)` - Mark Basic Constraints
 valid when issuing non-CA certificates.
 
-- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to backdate the NotBefore property.
+- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
+ backdate the NotBefore property. This value has no impact in the validity period
+ of the requested certificate, specified in the `ttl` field.
 
 - `not_after` `(string)` - Set the Not After field of the certificate with
 specified date value. The value format should be given in UTC format