scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 02:02:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Support Y10K value in notAfter field when signing non-CA certificates (#13736)

Browse Source 
* Support Y10K value in notAfter field when signing non-CA certificates

* Add changelog entry for 13736

* Add test for using not_after parameter for non-CA certificates that are being signed

* Fix CA value for test for not_after value when signing non-CA certs

* Address formatting

* Add changelog file

* Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
This commit is contained in:
Gregory Harris
2022-01-31 15:37:50 -06:00
committed by GitHub
parent 0fd78c64ab
commit 634e54ae2a
3 changed files with 48 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
builtin/logical/pki/backend_test.go
View File

@@ -47,7 +47,7 @@ import (
) )
var ( var (
stepCount = 0 stepCount = 0
) )
func TestPKI_RequireCN(t *testing.T) { func TestPKI_RequireCN(t *testing.T) {
@@ -1849,7 +1849,7 @@ func TestBackend_SignVerbatim(t *testing.T) {
// generate root // generate root
rootData := map[string]interface{}{ rootData := map[string]interface{}{
"common_name": "test.com", "common_name": "test.com",
"ttl": "172800", "not_after": "9999-12-31T23:59:59Z",
} }
resp, err := b.HandleRequest(context.Background(), &logical.Request{ resp, err := b.HandleRequest(context.Background(), &logical.Request{
@@ -1978,6 +1978,43 @@ func TestBackend_SignVerbatim(t *testing.T) {
t.Fatalf("sign-verbatim did not properly cap validity period on signed CSR") t.Fatalf("sign-verbatim did not properly cap validity period on signed CSR")
} }
// Now check signing a certificate using the not_after input using the Y10K value
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Operation: logical.UpdateOperation,
Path: "sign-verbatim/test",
Storage: storage,
Data: map[string]interface{}{
"csr": pemCSR,
"not_after": "9999-12-31T23:59:59Z",
},
})
if err != nil {
t.Fatal(err)
}
if resp != nil && resp.IsError() {
t.Fatalf(resp.Error().Error())
}
if resp.Data == nil || resp.Data["certificate"] == nil {
t.Fatal("did not get expected data")
}
certString = resp.Data["certificate"].(string)
block, _ = pem.Decode([]byte(certString))
if block == nil {
t.Fatal("nil pem block")
}
certs, err = x509.ParseCertificates(block.Bytes)
if err != nil {
t.Fatal(err)
}
if len(certs) != 1 {
t.Fatalf("expected a single cert, got %d", len(certs))
}
cert = certs[0]
notAfter := cert.NotAfter.Format(time.RFC3339)
if notAfter != "9999-12-31T23:59:59Z" {
t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
}
// now check that if we set generate-lease it takes it from the role and the TTLs match // now check that if we set generate-lease it takes it from the role and the TTLs match
roleData = map[string]interface{}{ roleData = map[string]interface{}{
"ttl": "4h", "ttl": "4h",

6
builtin/logical/pki/fields.go
View File

@@ -123,6 +123,12 @@ be larger than the role max TTL.`,
}, },
} }
fields["not_after"] = &framework.FieldSchema{
Type: framework.TypeString,
Description: `Set the not after field of the certificate with specified date value.
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ`,
}
return fields return fields
} }

3
changelog/13736.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:improvement
core/pki: Support Y10K value in notAfter field when signing non-CA certificates
```