From d7f67b88569c822efc23930115f335b7767c67d2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Fri, 21 Apr 2023 14:16:16 -0400
Subject: [PATCH] Add additional fields to LIST issuers for Web UI (#20276)

* Add additional fields to LIST issuers for Web UI

Signed-off-by: Alexander Scheel

* Add changelog entry

Signed-off-by: Alexander Scheel

---------

Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/path_fetch_issuers.go | 24 +++++++++++++++++++++--
 changelog/20276.txt | 3 +++
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 changelog/20276.txt

diff --git a/builtin/logical/pki/path_fetch_issuers.go b/builtin/logical/pki/path_fetch_issuers.go
index ed20b2122..003286a52 100644
--- a/builtin/logical/pki/path_fetch_issuers.go
+++ b/builtin/logical/pki/path_fetch_issuers.go
@@ -84,8 +84,28 @@ func (b *backend) pathListIssuersHandler(ctx context.Context, req *logical.Reque
 responseKeys = append(responseKeys, string(identifier))
 responseInfo[string(identifier)] = map[string]interface{}{
- "issuer_name": issuer.Name,
- "is_default": identifier == config.DefaultIssuerId,
+ "issuer_name": issuer.Name,
+ "is_default": identifier == config.DefaultIssuerId,
+ "serial_number": issuer.SerialNumber,
+
+ // While nominally this could be considered sensitive information
+ // to be returned on an unauthed endpoint, there's two mitigating
+ // circumstances:
+ //
+ // 1. Key IDs are purely random numbers generated by Vault and
+ // have no relationship to the actual key material.
+ // 2. They also don't _do_ anything by themselves. There is no
+ // modification of KeyIDs allowed, you need to be authenticated
+ // to Vault to understand what they mean, you _essentially_
+ // get the same information from looking at/comparing various
+ // cert's SubjectPublicKeyInfo field, and there's the `default`
+ // reference that anyone with issuer generation capabilities
+ // can use even if they can't access any of the other /key/*
+ // endpoints.
+ //
+ // So all in all, exposing this value is not a security risk and
+ // is otherwise beneficial for the UI, hence its inclusion.
+ "key_id": issuer.KeyID,
 }
 }
diff --git a/changelog/20276.txt b/changelog/20276.txt
new file mode 100644
index 000000000..71f288ab9
--- /dev/null
+++ b/changelog/20276.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Include CA serial number, key UUID on issuers list endpoint.
+```
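Review bot: `serial_number` is added on the line just above the long `key_id` rationale with no note of its own, yet the concern that rationale answers (this is an unauthed endpoint, per the comment) applies equally to it, so the next reader will ask the same question; a one-line comment beside it such as `// serial_number: the CA serial number; exposure rationale as for key_id below.` closes that gap, and better still would state why the serial is acceptable to expose if it is already embedded in the issuer certificate, which this hunk does not show. The seventeen-line justification would also read more easily as a doc comment on the handler or in the endpoint's response-field documentation, leaving a single pointer inline. If an issuer can exist without an associated key, `issuer.KeyID` is presumably the empty string here; if so, the response documentation for the Web UI consumer should say that `key_id` may be empty. `pathListIssuersHandler` begins before this hunk and continues past it.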