Return the signed ca in the ca_chain response field within sign-intermediate api call. (#15524)

* Return signed ca as part of ca_chain field within sign-intermediate

 - When signing a CA certificate we should include it along with the signing CA's CA chain in the response.
This commit is contained in:
Steven Clark 2022-05-20 11:06:44 -04:00 committed by GitHub
parent f969c05772
commit 892d4d1e37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 11 deletions


@ -4150,6 +4150,10 @@ func runFullCAChainTest(t *testing.T, keyType string) {
rootCaCert := parseCert(t, rootCert)
intermediaryCaCert := parseCert(t, intermediateCert)
requireSignedBy(t, intermediaryCaCert, rootCaCert.PublicKey)
intermediateCaChain := intermediateSignedData["ca_chain"].([]interface{})
require.Equal(t, parseCert(t, intermediateCaChain[0].(string)), intermediaryCaCert, "intermediate signed cert should have been part of ca_chain")
require.Equal(t, parseCert(t, intermediateCaChain[1].(string)), rootCaCert, "root cert should have been part of ca_chain")
resp, err = client.Logical().Write("pki-intermediate/intermediate/set-signed", map[string]interface{}{
"certificate": intermediateCert + "\n" + rootCert + "\n",
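Review bot: The new assertions index `intermediateCaChain[0]` and `[1]` straight after the `[]interface{}` type assertion without checking the slice length, so a regression that drops an element would panic out of the test instead of failing with the intended message. Adding `require.Len(t, intermediateCaChain, 2, "ca_chain should contain the signed intermediate followed by the root")` before the two `require.Equal` calls turns that into a clear failure and also pins that nothing extra is appended to the chain. The two messages could then be tightened to say "first"/"second entry" rather than "part of", since the test is now checking order, not membership. runFullCAChainTest starts and ends outside the hunk.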


@ -383,32 +383,30 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
}
caChain := append([]string{cb.Certificate}, cb.CAChain...)
switch format {
case "pem":
resp.Data["certificate"] = cb.Certificate
resp.Data["issuing_ca"] = signingCB.Certificate
if cb.CAChain != nil && len(cb.CAChain) > 0 {
resp.Data["ca_chain"] = cb.CAChain
}
resp.Data["ca_chain"] = caChain
case "pem_bundle":
resp.Data["certificate"] = cb.ToPEMBundle()
resp.Data["issuing_ca"] = signingCB.Certificate
if cb.CAChain != nil && len(cb.CAChain) > 0 {
resp.Data["ca_chain"] = cb.CAChain
}
resp.Data["ca_chain"] = caChain
case "der":
resp.Data["certificate"] = base64.StdEncoding.EncodeToString(parsedBundle.CertificateBytes)
resp.Data["issuing_ca"] = base64.StdEncoding.EncodeToString(signingBundle.CertificateBytes)
var caChain []string
var derCaChain []string
derCaChain = append(derCaChain, base64.StdEncoding.EncodeToString(parsedBundle.CertificateBytes))
for _, caCert := range parsedBundle.CAChain {
caChain = append(caChain, base64.StdEncoding.EncodeToString(caCert.Bytes))
}
if caChain != nil && len(caChain) > 0 {
resp.Data["ca_chain"] = cb.CAChain
derCaChain = append(derCaChain, base64.StdEncoding.EncodeToString(caCert.Bytes))
}
resp.Data["ca_chain"] = derCaChain
default:
return nil, fmt.Errorf("unsupported format argument: %s", format)
}
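Review bot: The `der` case builds the chain from `parsedBundle` while the `pem` and `pem_bundle` cases take it from `cb`, so the leaf-first ordering that the updated test asserts on is established twice with nothing in the code stating it; a comment on the `caChain :=` line would pin the contract, e.g. `// ca_chain is leaf-first: the newly signed CA, then the signing issuer's own chain.` The outer `caChain` is computed before the `switch` but only consumed by the two PEM arms, while `der` keeps a separate `derCaChain`, which reads as two implementations of one idea; moving the PEM slice into those arms, or deriving the DER list from the same source as the PEM one, would keep the construction in one place. Note that `ca_chain` is now always present even when the issuer has no chain of its own, where the old code omitted it; that matches the changelog entry, but the API documentation for the field, if not updated elsewhere, should say the same. pathIssuerSignIntermediate starts and ends outside the hunk.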

4
changelog/15524.txt Normal file

@ -0,0 +1,4 @@
```release-note:change
secrets/pki: the signed CA certificate from the sign-intermediate api will now appear within the ca_chain
response field along with the issuer's ca chain.
```