diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 4adf181d3..1cb5dd1cb 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -47,7 +47,7 @@ import (
 )
 
 var (
-	stepCount = 0
+	stepCount = 0
 )
 
 func TestPKI_RequireCN(t *testing.T) {
@@ -1849,7 +1849,7 @@ func TestBackend_SignVerbatim(t *testing.T) {
 	// generate root
 	rootData := map[string]interface{}{
 		"common_name": "test.com",
-		"ttl": "172800",
+		"not_after": "9999-12-31T23:59:59Z",
 	}
 
 	resp, err := b.HandleRequest(context.Background(), &logical.Request{
@@ -1978,6 +1978,43 @@ func TestBackend_SignVerbatim(t *testing.T) {
 		t.Fatalf("sign-verbatim did not properly cap validity period on signed CSR")
 	}
 
+	// Now check signing a certificate using the not_after input using the Y10K value
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path: "sign-verbatim/test",
+		Storage: storage,
+		Data: map[string]interface{}{
+			"csr": pemCSR,
+			"not_after": "9999-12-31T23:59:59Z",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf(resp.Error().Error())
+	}
+	if resp.Data == nil || resp.Data["certificate"] == nil {
+		t.Fatal("did not get expected data")
+	}
+	certString = resp.Data["certificate"].(string)
+	block, _ = pem.Decode([]byte(certString))
+	if block == nil {
+		t.Fatal("nil pem block")
+	}
+	certs, err = x509.ParseCertificates(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(certs) != 1 {
+		t.Fatalf("expected a single cert, got %d", len(certs))
+	}
+	cert = certs[0]
+	notAfter := cert.NotAfter.Format(time.RFC3339)
+	if notAfter != "9999-12-31T23:59:59Z" {
+		t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
+	}
+
 	// now check that if we set generate-lease it takes it from the role and the TTLs match
 	roleData = map[string]interface{}{
 		"ttl": "4h",
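Review bot: The root in the `@@ -1849` hunk is now generated with a Y10K `not_after` instead of the two-day `ttl`, and nothing says why; the leaf signed later in this test expects a `NotAfter` of `9999-12-31T23:59:59Z`, which presumably requires the issuer itself to be valid that long, otherwise the validity cap the earlier assertion tests for would shorten it. A one-line comment above `rootData` would save the next reader that deduction: `// root must outlive the Y10K leaf signed below; a ttl-based root would cap its validity`. TestBackend_SignVerbatim starts and ends outside the hunk.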
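Review bot: In the `@@ -1978` hunk `resp.Data` is dereferenced on the `if resp.Data == nil` line even though the check just above tolerates a nil `resp`, so a nil response panics rather than failing the test; fold the nil check in: `if resp == nil || resp.Data == nil || resp.Data["certificate"] == nil {`. `t.Fatalf(resp.Error().Error())` passes a non-constant format string, which `go vet`'s printf check rejects; `t.Fatal(resp.Error())` is the intended form. The final mismatch check discards the observed value, so `t.Fatalf("certificate NotAfter %q does not match requested not_after", notAfter)` would make a failure diagnosable without a debugger. The new assertions cover only the accepted case; a `not_after` in the past, one later than the issuer's `NotAfter`, or one beyond the role's max TTL would also be worth pinning so the field cannot silently become a way around the TTL limits, though the handler that decides this is not in the diff. TestBackend_SignVerbatim starts and ends outside the hunk.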
diff --git a/builtin/logical/pki/fields.go b/builtin/logical/pki/fields.go
index b8a00757b..e5ff77e47 100644
--- a/builtin/logical/pki/fields.go
+++ b/builtin/logical/pki/fields.go
@@ -123,6 +123,12 @@ be larger than the role max TTL.`,
 		},
 	}
 
+	fields["not_after"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Set the not after field of the certificate with specified date value.
+		The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
+	}
+
 	return fields
 }
 
diff --git a/changelog/13736.txt b/changelog/13736.txt
new file mode 100644
index 000000000..f90f36356
--- /dev/null
+++ b/changelog/13736.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core/pki: Support Y10K value in notAfter field when signing non-CA certificates
+```
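Review bot: The `not_after` description in the fields.go hunk does not say how the field interacts with `ttl` or the role's max TTL, which is the one thing a caller choosing between them needs to know, and `YYYY-MM-ddTHH:MM:SSZ` is a non-standard spelling of what the tests pass as an RFC 3339 timestamp. If the continuation line of the raw string is indented like the surrounding code, that indentation is emitted verbatim into the help text; keep multi-line raw strings at column 0 or join them into one line. I would rewrite it as `Set the Not After field of the certificate to the given UTC timestamp in RFC 3339 format, e.g. 9999-12-31T23:59:59Z.` followed by a sentence stating whether the value overrides or is capped by `ttl` and the role max TTL — that behaviour lives in the handler, which is not in this diff. The function that populates `fields` starts outside the hunk.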