c48936c4fd
Break dataBundle into two pieces: inputBundle, which contains data that is specific to the pki backend, and creationBundle, which is a more generic bundle of validated inputs given to certificate creation/signing routines. Move functions that only take creationBundle to certutil and make them public.
63 lines
1.9 KiB
Go
63 lines
1.9 KiB
Go
package pki
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/helper/certutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
func (b *backend) getGenerationParams(
|
|
data *framework.FieldData,
|
|
) (exported bool, format string, role *roleEntry, errorResp *logical.Response) {
|
|
exportedStr := data.Get("exported").(string)
|
|
switch exportedStr {
|
|
case "exported":
|
|
exported = true
|
|
case "internal":
|
|
default:
|
|
errorResp = logical.ErrorResponse(
|
|
`the "exported" path parameter must be "internal" or "exported"`)
|
|
return
|
|
}
|
|
|
|
format = getFormat(data)
|
|
if format == "" {
|
|
errorResp = logical.ErrorResponse(
|
|
`the "format" path parameter must be "pem", "der", "der_pkcs", or "pem_bundle"`)
|
|
return
|
|
}
|
|
|
|
role = &roleEntry{
|
|
TTL: time.Duration(data.Get("ttl").(int)) * time.Second,
|
|
KeyType: data.Get("key_type").(string),
|
|
KeyBits: data.Get("key_bits").(int),
|
|
AllowLocalhost: true,
|
|
AllowAnyName: true,
|
|
AllowIPSANs: true,
|
|
EnforceHostnames: false,
|
|
AllowedURISANs: []string{"*"},
|
|
AllowedOtherSANs: []string{"*"},
|
|
AllowedSerialNumbers: []string{"*"},
|
|
OU: data.Get("ou").([]string),
|
|
Organization: data.Get("organization").([]string),
|
|
Country: data.Get("country").([]string),
|
|
Locality: data.Get("locality").([]string),
|
|
Province: data.Get("province").([]string),
|
|
StreetAddress: data.Get("street_address").([]string),
|
|
PostalCode: data.Get("postal_code").([]string),
|
|
}
|
|
|
|
if role.KeyType == "rsa" && role.KeyBits < 2048 {
|
|
errorResp = logical.ErrorResponse("RSA keys < 2048 bits are unsafe and not supported")
|
|
return
|
|
}
|
|
|
|
if err := certutil.ValidateKeyTypeLength(role.KeyType, role.KeyBits); err != nil {
|
|
errorResp = logical.ErrorResponse(err.Error())
|
|
}
|
|
|
|
return
|
|
}
|