PKI: Add missing default cases within switch statements (#14661)
* Misc PKI code fixes. - Harden the code base a bit by adding defaults to switch statements in various error handlers and processing statements. - Fix up some error messages to include the proper values we support. * Additional default case missing within PKI * Fix typo in PKI error message
@@ -25,14 +25,14 @@ func (b *backend) getGenerationParams(ctx context.Context,
|
||||
case "kms":
|
||||
default:
|
||||
errorResp = logical.ErrorResponse(
|
||||
`the "exported" path parameter must be "internal" or "exported"`)
|
||||
`the "exported" path parameter must be "internal", "exported" or "kms"`)
|
||||
return
|
||||
}
|
||||
|
||||
format = getFormat(data)
|
||||
if format == "" {
|
||||
errorResp = logical.ErrorResponse(
|
||||
`the "format" path parameter must be "pem", "der", "der_pkcs", or "pem_bundle"`)
|
||||
`the "format" path parameter must be "pem", "der", or "pem_bundle"`)
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
@@ -114,7 +114,7 @@ func fetchCAInfo(ctx context.Context, b *backend, req *logical.Request) (*certut
|
||||
return nil, errutil.InternalError{Err: "stored CA information not able to be parsed"}
|
||||
}
|
||||
|
||||
caInfo := &certutil.CAInfoBundle{*parsedBundle, nil}
|
||||
caInfo := &certutil.CAInfoBundle{ParsedCertBundle: *parsedBundle, URLs: nil}
|
||||
|
||||
entries, err := getURLs(ctx, req)
|
||||
if err != nil {
|
||||
@@ -721,7 +721,7 @@ func signCert(b *backend,
|
||||
|
||||
case "ed25519":
|
||||
// Verify that the key matches the role type
|
||||
if csr.PublicKeyAlgorithm != x509.PublicKeyAlgorithm(x509.Ed25519) {
|
||||
if csr.PublicKeyAlgorithm != x509.Ed25519 {
|
||||
return nil, errutil.UserError{Err: fmt.Sprintf(
|
||||
"role requires keys of type %s",
|
||||
data.role.KeyType)}
|
||||
@@ -747,6 +747,8 @@ func signCert(b *backend,
|
||||
return nil, errutil.UserError{Err: "RSA keys < 2048 bits are unsafe and not supported"}
|
||||
}
|
||||
|
||||
default:
|
||||
return nil, errutil.InternalError{Err: fmt.Sprintf("unsupported key type value: %s", data.role.KeyType)}
|
||||
}
|
||||
|
||||
creation, err := generateCreationBundle(b, data, caSign, csr)
|
||||
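Review bot: The new default at the end of signCert's key-type switch formats data.role.KeyType with `%s`, which hides an empty or whitespace-only value in the resulting InternalError; `%q` makes the offending value visible: `return nil, errutil.InternalError{Err: fmt.Sprintf("unsupported key type value: %q", data.role.KeyType)}`. The same `%s` on a string applies to the new format defaults in the pathGenerateIntermediate, pathIssueSignCert, pathCAGenerateRoot and pathCASignIntermediate hunks below. Returning an InternalError rather than a UserError looks right here, since the role's key_type is presumably validated when the role is written and an unknown value at signing time points to corrupted stored data rather than bad request input — worth confirming. signCert's body continues outside the hunk on both sides.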
@@ -1441,5 +1443,5 @@ func stringToOid(in string) (asn1.ObjectIdentifier, error) {
|
||||
}
|
||||
ret = append(ret, i)
|
||||
}
|
||||
return asn1.ObjectIdentifier(ret), nil
|
||||
return ret, nil
|
||||
}
|
||||
|
||||
@@ -33,12 +33,15 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
|
||||
}
|
||||
|
||||
signingBundle, caErr := fetchCAInfo(ctx, b, req)
|
||||
switch caErr.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(fmt.Sprintf("could not fetch the CA certificate: %s", caErr)), nil
|
||||
case errutil.InternalError:
|
||||
return nil, fmt.Errorf("error fetching CA certificate: %s", caErr)
|
||||
if caErr != nil {
|
||||
switch caErr.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(fmt.Sprintf("could not fetch the CA certificate: %s", caErr)), nil
|
||||
default:
|
||||
return nil, fmt.Errorf("error fetching CA certificate: %s", caErr)
|
||||
}
|
||||
}
|
||||
|
||||
if signingBundle == nil {
|
||||
return nil, errors.New("CA info not found")
|
||||
}
|
||||
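Review bot: The new default branch in revokeCert (`return nil, fmt.Errorf("error fetching CA certificate: %s", caErr)`) flattens the error with `%s`, so a caller can no longer use errors.As to recover the errutil.InternalError from fetchCAInfo; `%w` keeps the chain, as the CRL-building branch later in this file already does (`fmt.Errorf("error encountered during CRL building: %w", crlErr)`): `return nil, fmt.Errorf("error fetching CA certificate: %w", caErr)`. The added `if caErr != nil` guard is load-bearing — without it a nil caErr would now match the default and turn every successful fetch into an error — which is worth a one-line comment such as `// a nil caErr must not reach the default case`. revokeCert's body continues outside the hunk.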
@@ -55,7 +58,7 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
|
||||
switch err.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(err.Error()), nil
|
||||
case errutil.InternalError:
|
||||
default:
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
@@ -74,7 +77,7 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
|
||||
switch err.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(err.Error()), nil
|
||||
case errutil.InternalError:
|
||||
default:
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
@@ -123,15 +126,16 @@ func revokeCert(ctx context.Context, b *backend, req *logical.Request, serial st
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error saving revoked certificate to new location")
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
crlErr := buildCRL(ctx, b, req, false)
|
||||
switch crlErr.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
|
||||
case errutil.InternalError:
|
||||
return nil, fmt.Errorf("error encountered during CRL building: %w", crlErr)
|
||||
if crlErr != nil {
|
||||
switch crlErr.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
|
||||
default:
|
||||
return nil, fmt.Errorf("error encountered during CRL building: %w", crlErr)
|
||||
}
|
||||
}
|
||||
|
||||
resp := &logical.Response{
|
||||
@@ -220,11 +224,13 @@ func buildCRL(ctx context.Context, b *backend, req *logical.Request, forceNew bo
|
||||
|
||||
WRITE:
|
||||
signingBundle, caErr := fetchCAInfo(ctx, b, req)
|
||||
switch caErr.(type) {
|
||||
case errutil.UserError:
|
||||
return errutil.UserError{Err: fmt.Sprintf("could not fetch the CA certificate: %s", caErr)}
|
||||
case errutil.InternalError:
|
||||
return errutil.InternalError{Err: fmt.Sprintf("error fetching CA certificate: %s", caErr)}
|
||||
if caErr != nil {
|
||||
switch caErr.(type) {
|
||||
case errutil.UserError:
|
||||
return errutil.UserError{Err: fmt.Sprintf("could not fetch the CA certificate: %s", caErr)}
|
||||
default:
|
||||
return errutil.InternalError{Err: fmt.Sprintf("error fetching CA certificate: %s", caErr)}
|
||||
}
|
||||
}
|
||||
|
||||
crlBytes, err := signingBundle.Certificate.CreateCRL(rand.Reader, signingBundle.PrivateKey, revokedCerts, time.Now(), time.Now().Add(crlLifetime))
|
||||
|
||||
@@ -124,6 +124,8 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
|
||||
resp.Data["private_key"] = base64.StdEncoding.EncodeToString(parsedBundle.PrivateKeyBytes)
|
||||
resp.Data["private_key_type"] = csrb.PrivateKeyType
|
||||
}
|
||||
default:
|
||||
return nil, fmt.Errorf("unsupported format argument: %s", format)
|
||||
}
|
||||
|
||||
if data.Get("private_key_format").(string) == "pkcs8" {
|
||||
|
||||
@@ -263,6 +263,8 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
|
||||
respData["private_key"] = base64.StdEncoding.EncodeToString(parsedBundle.PrivateKeyBytes)
|
||||
respData["private_key_type"] = cb.PrivateKeyType
|
||||
}
|
||||
default:
|
||||
return nil, fmt.Errorf("unsupported format: %s", format)
|
||||
}
|
||||
|
||||
var resp *logical.Response
|
||||
|
||||
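Review bot: The new default in pathIssueSignCert reports `unsupported format: %s` while the equivalent defaults added to pathGenerateIntermediate, pathCAGenerateRoot and pathCASignIntermediate report `unsupported format argument: %s`; aligning on one message, e.g. `return nil, fmt.Errorf("unsupported format argument: %q", format)`, keeps log searches and any alerting on these strings consistent across the PKI paths. If format has already passed through getFormat at the top of the handler, as getGenerationParams does in the first hunk, this default is only reachable through a programming error, and returning a plain error (surfaced as an internal failure rather than a 400) is the right choice — worth confirming for each handler. pathIssueSignCert's body continues outside the hunk on both sides.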
@@ -220,6 +220,8 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
|
||||
resp.Data["private_key"] = base64.StdEncoding.EncodeToString(parsedBundle.PrivateKeyBytes)
|
||||
resp.Data["private_key_type"] = cb.PrivateKeyType
|
||||
}
|
||||
default:
|
||||
return nil, fmt.Errorf("unsupported format argument: %s", format)
|
||||
}
|
||||
|
||||
if data.Get("private_key_format").(string) == "pkcs8" {
|
||||
@@ -396,6 +398,8 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
|
||||
if caChain != nil && len(caChain) > 0 {
|
||||
resp.Data["ca_chain"] = cb.CAChain
|
||||
}
|
||||
default:
|
||||
return nil, fmt.Errorf("unsupported format argument: %s", format)
|
||||
}
|
||||
|
||||
err = req.Storage.Put(ctx, &logical.StorageEntry{
|
||||
|
||||