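package pki

import "github.com/hashicorp/vault/logical/framework"

// ensureFieldMap returns fields unchanged when it is non-nil and a fresh,
// empty map otherwise. Writing to a nil map panics, so each root add* helper
// below normalises its input through this before inserting schema entries;
// callers that pass nil now get a usable map back instead of a panic.
func ensureFieldMap(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	if fields == nil {
		return make(map[string]*framework.FieldSchema)
	}
	return fields
}

// addIssueAndSignCommonFields adds the request fields shared by every CA and
// non-CA issuing and signing path: the output encoding ("format") and the
// requested IP SANs ("ip_sans"). It mutates fields in place and returns the
// same map so the add* helpers can be chained. A nil fields is tolerated.
func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	fields = ensureFieldMap(fields)

	fields["format"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Default:     "pem",
		Description: `Format for returned data. Can be "pem" or "der"; defaults to "pem".`,
	}

	// ip_sans is a comma-delimited string here; splitting and validating the
	// individual addresses is left to the consumer of the schema.
	fields["ip_sans"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: `The requested IP SANs, if any, in a comma-delimited list`,
	}

	return fields
}

// addNonCACommonFields adds the fields used when issuing or signing a
// non-CA (leaf) certificate: the common fields from
// addIssueAndSignCommonFields plus "role", "common_name", "alt_names" and
// "ttl". Only the non-CA variant takes a "role"; the help text for
// "common_name", "alt_names" and "ttl" differs from addCACommonFields
// because here they are constrained by the role (e.g. the role's max TTL and
// whether email protection is enabled). Mutates fields in place and returns it.
func addNonCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	// Also normalises a nil fields map.
	fields = addIssueAndSignCommonFields(fields)

	fields["role"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: `The desired role with configuration for this request`,
	}

	fields["common_name"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: `The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address.`,
	}

	fields["alt_names"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: `The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.`,
	}

	// The TTL is a string (duration syntax) rather than an int so the
	// request can carry units; parsing happens in the consumer.
	fields["ttl"] = &framework.FieldSchema{
		Type: framework.TypeString,
		Description: `The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. 
Cannot be later than the role max TTL.`,
	}

	return fields
}

// addCACommonFields adds the fields used when issuing or signing a CA
// certificate: the common fields from addIssueAndSignCommonFields plus
// "alt_names", "common_name" and "ttl". There is no "role" field on the CA
// paths, and the help text notes that when signing a CSR the common name may
// be taken from the CSR itself while other names must still be supplied
// explicitly. Mutates fields in place and returns it.
func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	// Also normalises a nil fields map.
	fields = addIssueAndSignCommonFields(fields)

	fields["alt_names"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: `The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.`,
	}

	fields["common_name"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: `The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans.`,
	}

	// Bounded by the mount max TTL (not a role max TTL, since CA paths have
	// no role). Per the help text it is ignored when only a CSR is produced.
	fields["ttl"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: `The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.`,
	}

	return fields
}

// addCAKeyGenerationFields adds the fields that control CA private key
// generation and whether the key is handed back to the caller: "exported",
// "key_bits" and "key_type". Mutates fields in place and returns it; a nil
// fields is tolerated.
func addCAKeyGenerationFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	fields = ensureFieldMap(fields)

	// "exported" decides whether the generated private key is included in the
	// response. As the help text says, that response is the only point at
	// which the key material is made available to the caller, so consumers
	// should treat that response as sensitive.
	fields["exported"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Description: `Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your *only* chance to retrieve the private key!`,
	}

	// The 2048 default pairs with the "rsa" default of key_type below; the
	// help text warns that it must be adjusted when key_type changes (an EC
	// curve is not selected by an RSA modulus size).
	fields["key_bits"] = &framework.FieldSchema{
		Type:    framework.TypeInt,
		Default: 2048,
		Description: `The number of bits to use. 
You will almost certainly want to change this if you adjust the key_type.`,
	}

	fields["key_type"] = &framework.FieldSchema{
		Type:        framework.TypeString,
		Default:     "rsa",
		Description: `The type of key to use; defaults to RSA. "rsa" and "ec" are the only valid values.`,
	}

	return fields
}

// addCAIssueFields adds the fields specific to CA paths that return an actual
// certificate (as opposed to a CSR): currently only "max_path_length".
// Mutates fields in place and returns it; a nil fields is tolerated.
func addCAIssueFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
	fields = ensureFieldMap(fields)

	// NOTE(review): the -1 default presumably acts as a sentinel for "no
	// explicit path length constraint" — confirm against the consumer that
	// reads this field before relying on that meaning.
	fields["max_path_length"] = &framework.FieldSchema{
		Type:        framework.TypeInt,
		Default:     -1,
		Description: "The maximum allowable path length",
	}

	return fields
}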