Adds "raw(/pem)" format to individual cert routes (#10947) (#10948)

Similar to "/pki/ca(/pem)" routes to retrieve certificates in raw or pem formats, this adds "pki/cert/{serial}/raw(/pem)" routes for any certificate.
2025-11-01 19:17:58 +00:00 · 2022-02-07 09:47:13 -05:00
parent 9b782bbd32
commit 1c7ce153fd
5 changed files with 132 additions and 1 deletions
--- a/builtin/logical/pki/path_fetch.go
+++ b/builtin/logical/pki/path_fetch.go
@@ -53,6 +53,27 @@ func pathFetchCRL(b *backend) *framework.Path {
 	}
 }

+// Returns any valid (non-revoked) cert in raw format.
+func pathFetchValidRaw(b *backend) *framework.Path {
+	return &framework.Path{
+		Pattern: `cert/(?P<serial>[0-9A-Fa-f-:]+)/raw(/pem)?`,
+		Fields: map[string]*framework.FieldSchema{
+			"serial": {
+				Type: framework.TypeString,
+				Description: `Certificate serial number, in colon- or
+hyphen-separated octal`,
+			},
+		},
+
+		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.ReadOperation: b.pathFetchRead,
+		},
+
+		HelpSynopsis:    pathFetchHelpSyn,
+		HelpDescription: pathFetchHelpDesc,
+	}
+}
+
 // Returns any valid (non-revoked) cert. Since "ca" fits the pattern, this path
 // also handles returning the CA cert in a non-raw format.
 func pathFetchValid(b *backend) *framework.Path {
@@ -150,6 +171,12 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
 	case req.Path == "cert/crl":
 		serial = "crl"
 		pemType = "X509 CRL"
+	case strings.HasSuffix(req.Path, "/pem") || strings.HasSuffix(req.Path, "/raw"):
+		serial = data.Get("serial").(string)
+		contentType = "application/pkix-cert"
+		if strings.HasSuffix(req.Path, "/pem") {
+			pemType = "CERTIFICATE"
+		}
 	default:
 		serial = data.Get("serial").(string)
 		pemType = "CERTIFICATE"