Support Y10K value in notAfter field when signing non-CA certificates (#13736)

* Support Y10K value in notAfter field when signing non-CA certificates * Add changelog entry for 13736 * Add test for using not_after parameter for non-CA certificates that are being signed * Fix CA value for test for not_after value when signing non-CA certs * Address formatting * Add changelog file * Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
2022-01-31 15:37:50 -06:00 · 2022-01-31 15:37:50 -06:00 · c260d35ab1
parent f5b9aefd1e
commit c260d35ab1
3 changed files with 48 additions and 2 deletions
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@ -47,7 +47,7 @@ import (
 )

 var (
-	stepCount               = 0
+	stepCount = 0
 )

 func TestPKI_RequireCN(t *testing.T) {
@ -1849,7 +1849,7 @@ func TestBackend_SignVerbatim(t *testing.T) {
 	// generate root
 	rootData := map[string]interface{}{
 		"common_name": "test.com",
-		"ttl":         "172800",
+		"not_after":   "9999-12-31T23:59:59Z",
 	}

 	resp, err := b.HandleRequest(context.Background(), &logical.Request{
@ -1978,6 +1978,43 @@ func TestBackend_SignVerbatim(t *testing.T) {
 		t.Fatalf("sign-verbatim did not properly cap validity period on signed CSR")
 	}

+	// Now check signing a certificate using the not_after input using the Y10K value
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "sign-verbatim/test",
+		Storage:   storage,
+		Data: map[string]interface{}{
+			"csr":       pemCSR,
+			"not_after": "9999-12-31T23:59:59Z",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf(resp.Error().Error())
+	}
+	if resp.Data == nil || resp.Data["certificate"] == nil {
+		t.Fatal("did not get expected data")
+	}
+	certString = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certString))
+	if block == nil {
+		t.Fatal("nil pem block")
+	}
+	certs, err = x509.ParseCertificates(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(certs) != 1 {
+		t.Fatalf("expected a single cert, got %d", len(certs))
+	}
+	cert = certs[0]
+	notAfter := cert.NotAfter.Format(time.RFC3339)
+	if notAfter != "9999-12-31T23:59:59Z" {
+		t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
+	}
+
 	// now check that if we set generate-lease it takes it from the role and the TTLs match
 	roleData = map[string]interface{}{
 		"ttl":            "4h",
--- a/builtin/logical/pki/fields.go
+++ b/builtin/logical/pki/fields.go
@ -123,6 +123,12 @@ be larger than the role max TTL.`,
 		},
 	}

+	fields["not_after"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Set the not after field of the certificate with specified date value.
+                      The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
+	}
+
 	return fields
 }

--- a/changelog/13736.txt
+++ b/changelog/13736.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+core/pki: Support Y10K value in notAfter field when signing non-CA certificates
+```