Support Y10K value in notAfter field when signing non-CA certificates (#13736)

* Support Y10K value in notAfter field when signing non-CA certificates

* Add changelog entry for 13736

* Add test for using not_after parameter for non-CA certificates that are being signed

* Fix CA value for test for not_after value when signing non-CA certs

* Address formatting

* Add changelog file

* Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
This commit is contained in:
Gregory Harris 2022-01-31 15:37:50 -06:00 committed by GitHub
parent f5b9aefd1e
commit c260d35ab1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 48 additions and 2 deletions

View File

@ -1849,7 +1849,7 @@ func TestBackend_SignVerbatim(t *testing.T) {
// generate root
rootData := map[string]interface{}{
"common_name": "test.com",
"ttl": "172800",
"not_after": "9999-12-31T23:59:59Z",
}
resp, err := b.HandleRequest(context.Background(), &logical.Request{
@ -1978,6 +1978,43 @@ func TestBackend_SignVerbatim(t *testing.T) {
t.Fatalf("sign-verbatim did not properly cap validity period on signed CSR")
}
// Now check signing a certificate using the not_after input using the Y10K value
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Operation: logical.UpdateOperation,
Path: "sign-verbatim/test",
Storage: storage,
Data: map[string]interface{}{
"csr": pemCSR,
"not_after": "9999-12-31T23:59:59Z",
},
})
if err != nil {
t.Fatal(err)
}
if resp != nil && resp.IsError() {
t.Fatalf(resp.Error().Error())
}
if resp.Data == nil || resp.Data["certificate"] == nil {
t.Fatal("did not get expected data")
}
certString = resp.Data["certificate"].(string)
block, _ = pem.Decode([]byte(certString))
if block == nil {
t.Fatal("nil pem block")
}
certs, err = x509.ParseCertificates(block.Bytes)
if err != nil {
t.Fatal(err)
}
if len(certs) != 1 {
t.Fatalf("expected a single cert, got %d", len(certs))
}
cert = certs[0]
notAfter := cert.NotAfter.Format(time.RFC3339)
if notAfter != "9999-12-31T23:59:59Z" {
t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
}
// now check that if we set generate-lease it takes it from the role and the TTLs match
roleData = map[string]interface{}{
"ttl": "4h",

View File

@ -123,6 +123,12 @@ be larger than the role max TTL.`,
},
}
fields["not_after"] = &framework.FieldSchema{
Type: framework.TypeString,
Description: `Set the not after field of the certificate with specified date value.
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
}
return fields
}

3
changelog/13736.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
core/pki: Support Y10K value in notAfter field when signing non-CA certificates
```