Adding support for chained intermediate CAs in pki backend #1694
Changes from all commits
8cafd44
150ca81
63b4866
8260062
2cd3859
3e50925
0c1a614
98aeab4
01e21ef
8175e17
39ec2be
5e9110f
bebb375
07f777d
e565f22
60598fa
14fda90
c854eca
23e2c41
3ba090b
7e14f5b
f5866ab
2fb0914
ebda83a
5e77c2f
31e82e1
c1f3ff1
a5747a4
a19f428
ade4d2a
12719db
04d3681
b402e4d
@@ -140,15 +140,6 @@ func (b *backend) pathSetSignedIntermediate( | |
} | ||
} | ||
|
||
// If only one certificate is provided and it's a CA | ||
// the parsing will assign it to the IssuingCA, so move it over | ||
if inputBundle.Certificate == nil && inputBundle.IssuingCA != nil { | ||
inputBundle.Certificate = inputBundle.IssuingCA | ||
inputBundle.IssuingCA = nil | ||
inputBundle.CertificateBytes = inputBundle.IssuingCABytes | ||
inputBundle.IssuingCABytes = nil | ||
} | ||
|
||
if inputBundle.Certificate == nil { | ||
return logical.ErrorResponse("supplied certificate could not be successfully parsed"), nil | ||
} | ||
|
@@ -179,15 +170,6 @@ func (b *backend) pathSetSignedIntermediate( | |
return nil, fmt.Errorf("saved key could not be parsed successfully") | ||
} | ||
|
||
equal, err := certutil.ComparePublicKeys(parsedCB.PrivateKey.Public(), inputBundle.Certificate.PublicKey) | ||
if err != nil { | ||
return logical.ErrorResponse(fmt.Sprintf( | ||
"error matching public keys: %v", err)), nil | ||
} | ||
if !equal { | ||
return logical.ErrorResponse("key in certificate does not match stored key"), nil | ||
} | ||
|
||
inputBundle.PrivateKey = parsedCB.PrivateKey | ||
inputBundle.PrivateKeyType = parsedCB.PrivateKeyType | ||
inputBundle.PrivateKeyBytes = parsedCB.PrivateKeyBytes | ||
|
@@ -196,6 +178,10 @@ func (b *backend) pathSetSignedIntermediate( | |
return logical.ErrorResponse("the given certificate is not marked for CA use and cannot be used with this backend"), nil | ||
} | ||
|
||
if err := inputBundle.Verify(); err != nil { | ||
return nil, fmt.Errorf("verification of parsed bundle failed: %s", err) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What's the reason for removing this? This is ensuring that the certificate that you're setting matches the backend's stored key. Seems like a decent check to have. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I see; this is handled later in There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Correct. All the chain verification logic was consolidated in |
||
} | ||
|
||
cb, err = inputBundle.ToCertBundle() | ||
if err != nil { | ||
return nil, fmt.Errorf("error converting raw values into cert bundle: %s", err) | ||
|
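Review bot: The new check at `if err := inputBundle.Verify(); err != nil` returns `nil, fmt.Errorf(...)`, whereas the `ComparePublicKeys` branch it supersedes returned `logical.ErrorResponse("key in certificate does not match stored key")`, so a caller who uploads a certificate that does not match the stored key now gets an internal server error instead of a 4xx with a usable message. Unless every Verify failure is meant to be an internal fault, I would return `logical.ErrorResponse(fmt.Sprintf("verification of parsed bundle failed: %s", err)), nil`, matching the "not marked for CA use" response a few lines above. What Verify actually covers (stored-key match, chain ordering, CA flags) is not visible in this hunk, so once confirmed I would record it above the call, e.g. `// Verify checks the stored-key match and the issuer chain; a failure here is a caller error, not a server fault.` The enclosing pathSetSignedIntermediate begins before the first hunk and continues past the last.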
The text for this probably needs some changes to accommodate the new info.
I think I need to add the ca_chain to a few other documents too.