Support Y10K value in notAfter field when signing non-CA certificates (#13736)
* Support Y10K value in notAfter field when signing non-CA certificates * Add changelog entry for 13736 * Add test for using not_after parameter for non-CA certificates that are being signed * Fix CA value for test for not_after value when signing non-CA certs * Address formatting * Add changelog file * Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
This commit is contained in:
parent
f5b9aefd1e
commit
c260d35ab1
|
@ -1849,7 +1849,7 @@ func TestBackend_SignVerbatim(t *testing.T) {
|
|||
// generate root
|
||||
rootData := map[string]interface{}{
|
||||
"common_name": "test.com",
|
||||
"ttl": "172800",
|
||||
"not_after": "9999-12-31T23:59:59Z",
|
||||
}
|
||||
|
||||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||||
|
@ -1978,6 +1978,43 @@ func TestBackend_SignVerbatim(t *testing.T) {
|
|||
t.Fatalf("sign-verbatim did not properly cap validity period on signed CSR")
|
||||
}
|
||||
|
||||
// Now check signing a certificate using the not_after input using the Y10K value
|
||||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||||
Operation: logical.UpdateOperation,
|
||||
Path: "sign-verbatim/test",
|
||||
Storage: storage,
|
||||
Data: map[string]interface{}{
|
||||
"csr": pemCSR,
|
||||
"not_after": "9999-12-31T23:59:59Z",
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if resp != nil && resp.IsError() {
|
||||
t.Fatalf(resp.Error().Error())
|
||||
}
|
||||
if resp.Data == nil || resp.Data["certificate"] == nil {
|
||||
t.Fatal("did not get expected data")
|
||||
}
|
||||
certString = resp.Data["certificate"].(string)
|
||||
block, _ = pem.Decode([]byte(certString))
|
||||
if block == nil {
|
||||
t.Fatal("nil pem block")
|
||||
}
|
||||
certs, err = x509.ParseCertificates(block.Bytes)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if len(certs) != 1 {
|
||||
t.Fatalf("expected a single cert, got %d", len(certs))
|
||||
}
|
||||
cert = certs[0]
|
||||
notAfter := cert.NotAfter.Format(time.RFC3339)
|
||||
if notAfter != "9999-12-31T23:59:59Z" {
|
||||
t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
|
||||
}
|
||||
|
||||
// now check that if we set generate-lease it takes it from the role and the TTLs match
|
||||
roleData = map[string]interface{}{
|
||||
"ttl": "4h",
|
||||
|
|
|
@ -123,6 +123,12 @@ be larger than the role max TTL.`,
|
|||
},
|
||||
}
|
||||
|
||||
fields["not_after"] = &framework.FieldSchema{
|
||||
Type: framework.TypeString,
|
||||
Description: `Set the not after field of the certificate with specified date value.
|
||||
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
|
||||
}
|
||||
|
||||
return fields
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
core/pki: Support Y10K value in notAfter field when signing non-CA certificates
|
||||
```
|
Loading…
Reference in New Issue