Add hook for ENT tweaking of PKI contraints verification options. (#29048)

builtin/logical/pki/issuing/cert_verify.go

@@ -4,7 +4,9 @@
 package issuing
 
 import (
+	"context"
 	"fmt"
+	"github.com/hashicorp/vault/sdk/logical"
 	"os"
 	"strconv"
 	"time"
@@ -33,7 +35,7 @@ func isCertificateVerificationDisabled() (bool, error) {
 	return disable, nil
 }
 
-func VerifyCertificate(parsedBundle *certutil.ParsedCertBundle) error {
+func VerifyCertificate(ctx context.Context, storage logical.Storage, issuerId IssuerID, parsedBundle *certutil.ParsedCertBundle) error {
 	if verificationDisabled, err := isCertificateVerificationDisabled(); err != nil {
 		return err
 	} else if verificationDisabled {
@@ -68,6 +70,10 @@ func VerifyCertificate(parsedBundle *certutil.ParsedCertBundle) error {
 		DisableNameConstraintChecks:    false,
 	}
 
+	if err := entSetCertVerifyOptions(ctx, storage, issuerId, &options); err != nil {
+		return err
+	}
+
 	certificate, err := convertCertificate(parsedBundle.CertificateBytes)
 	if err != nil {
 		return err

builtin/logical/pki/issuing/issuing_stubs_oss.go

@@ -0,0 +1,19 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package issuing
+
+import (
+	"context"
+
+	ctx509 "github.com/google/certificate-transparency-go/x509"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+//go:generate go run github.com/hashicorp/vault/tools/stubmaker
+
+func entSetCertVerifyOptions(ctx context.Context, storage logical.Storage, issuerId IssuerID, options *ctx509.VerifyOptions) error {
+	return nil
+}

builtin/logical/pki/path_issue_sign.go

@@ -432,7 +432,7 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 		}
 	}
 
-	if err := issuing.VerifyCertificate(parsedBundle); err != nil {
+	if err := issuing.VerifyCertificate(sc.GetContext(), sc.GetStorage(), issuerId, parsedBundle); err != nil {
 		return nil, err
 	}