pki/sign-verbatim uses role not before duration (#15429)

* Use "not_before_duration" fiueld from role if above 0

* 'test' and update docs

* changelog file

* Requested changes - improved test and better description to changelog

* changelog description:

* update to ttl and not_before_duration API docs
This commit is contained in:
Gabriel Santos 2022-05-16 21:15:18 +01:00 committed by GitHub
parent 210045cd1f
commit 23e67be230
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 22 additions and 11 deletions

View File

@ -2181,6 +2181,7 @@ func runTestSignVerbatim(t *testing.T, keyType string) {
"ttl": "4h",
"max_ttl": "8h",
"key_type": keyType,
"not_before_duration": "2h",
}
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Operation: logical.UpdateOperation,
@ -2247,7 +2248,10 @@ func runTestSignVerbatim(t *testing.T, keyType string) {
}
cert := certs[0]
if math.Abs(float64(time.Now().Add(12*time.Hour).Unix()-cert.NotAfter.Unix())) < 10 {
t.Fatalf("sign-verbatim did not properly cap validity period on signed CSR")
t.Fatalf("sign-verbatim did not properly cap validity period (notAfter) on signed CSR: was %v vs requested %v but should've been %v", cert.NotAfter, time.Now().Add(12*time.Hour), time.Now().Add(8*time.Hour))
}
if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
t.Fatalf("sign-verbatim did not properly cap validity period (notBefore) on signed CSR: was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
}
// Now check signing a certificate using the not_after input using the Y10K value

View File

@ -212,6 +212,9 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
if role.GenerateLease != nil {
*entry.GenerateLease = *role.GenerateLease
}
if role.NotBeforeDuration > 0 {
entry.NotBeforeDuration = role.NotBeforeDuration
}
entry.NoStore = role.NoStore
entry.Issuer = role.Issuer
}

3
changelog/15429.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: Have pki/sign-verbatim use the not_before_duration field defined in the role
```

View File

@ -686,8 +686,7 @@ have access.**
path and takes the value `default`.
- `name` `(string: "")` - Specifies a role. If set, the following parameters
from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, and
`no_store`.
from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, `no_store` and `not_before_duration`.
- `csr` `(string: <required>)` - Specifies the PEM-encoded CSR.
@ -1970,10 +1969,10 @@ request is denied.
- `ttl` `(string: "")` - Specifies the Time To Live value to be used for the
validity period of the requested certificate, provided as a string duration
with time suffix. Hour is the largest suffix. If not set, uses the system
default value or the value of `max_ttl`, whichever is shorter. See
`not_after` as an alternative for setting an absolute end date (rather
than a relative one).
with time suffix. Hour is the largest suffix. The value specified is strictly
used for future validity. If not set, uses the system default value or the
value of `max_ttl`, whichever is shorter. See `not_after` as an alternative
for setting an absolute end date (rather than a relative one).
- `max_ttl` `(string: "")` - Specifies the maximum Time To Live provided as a
string duration with time suffix. Hour is the largest suffix. If not set,
@ -2209,7 +2208,9 @@ request is denied.
- `basic_constraints_valid_for_non_ca` `(bool: false)` - Mark Basic Constraints
valid when issuing non-CA certificates.
- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to backdate the NotBefore property.
- `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
backdate the NotBefore property. This value has no impact in the validity period
of the requested certificate, specified in the `ttl` field.
- `not_after` `(string)` - Set the Not After field of the certificate with
specified date value. The value format should be given in UTC format