Add per-issuer AIA URI information to PKI secrets engine #16563

Merged
merged 11 commits into from
Aug 19, 2022
Clarify error messages regarding AIA URLs
This clarifies which request parameter the invalid URL is contained
in, disambiguating the sometimes ambiguous usage of AIA, per suggestion
by Max.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy committed Aug 18, 2022
commit 4715416a595744ca5bc81493528571cab711a214
6 changes: 3 additions & 3 deletions builtin/logical/pki/path_config_urls.go
Expand Up @@ -124,21 +124,21 @@ func (b *backend) pathWriteURL(ctx context.Context, req *logical.Request, data *
entries.IssuingCertificates = urlsInt.([]string)
if badURL := validateURLs(entries.IssuingCertificates); badURL != "" {
return logical.ErrorResponse(fmt.Sprintf(
"invalid URL found in issuing certificates: %s", badURL)), nil
"invalid URL found in Authority Information Access (AIA) parameter issuing_certificates: %s", badURL)), nil
}
}
if urlsInt, ok := data.GetOk("crl_distribution_points"); ok {
entries.CRLDistributionPoints = urlsInt.([]string)
if badURL := validateURLs(entries.CRLDistributionPoints); badURL != "" {
return logical.ErrorResponse(fmt.Sprintf(
"invalid URL found in CRL distribution points: %s", badURL)), nil
"invalid URL found in Authority Information Access (AIA) parameter crl_distribution_points: %s", badURL)), nil
}
}
if urlsInt, ok := data.GetOk("ocsp_servers"); ok {
entries.OCSPServers = urlsInt.([]string)
if badURL := validateURLs(entries.OCSPServers); badURL != "" {
return logical.ErrorResponse(fmt.Sprintf(
"invalid URL found in OCSP servers: %s", badURL)), nil
"invalid URL found in Authority Information Access (AIA) parameter ocsp_servers: %s", badURL)), nil
}
}

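Review bot: The message on the crl_distribution_points branch labels that parameter as Authority Information Access, but CRL Distribution Points is a separate X.509 extension from AIA (which carries only the CA Issuers and OCSP access methods), so the wording this commit introduces (assuming the lines naming the parameter are the new side, as the commit message indicates) is still inaccurate on that branch; the same label appears on the crl_distribution_points check in path_fetch_issuers.go. A wording such as `"invalid URL found in CRL Distribution Points (CDP) parameter crl_distribution_points: %s"` keeps the parameter name explicit without mislabelling the extension. Because badURL is operator-supplied and echoed back in the response, `%q` rather than `%s` would also make surrounding whitespace visible and escape any control characters it contains. pathWriteURL's body starts before this hunk and appears to continue past it.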
8 changes: 4 additions & 4 deletions builtin/logical/pki/path_fetch_issuers.go
Expand Up @@ -329,15 +329,15 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
// AIA access changes
issuerCertificates := data.Get("issuing_certificates").([]string)
if badURL := validateURLs(issuerCertificates); badURL != "" {
return logical.ErrorResponse(fmt.Sprintf("invalid URL found in AIA URLs parameter issuing_certificates: %s", badURL)), nil
return logical.ErrorResponse(fmt.Sprintf("invalid URL found in Authority Information Access (AIA) parameter issuing_certificates: %s", badURL)), nil
}
crlDistributionPoints := data.Get("crl_distribution_points").([]string)
if badURL := validateURLs(crlDistributionPoints); badURL != "" {
return logical.ErrorResponse(fmt.Sprintf("invalid URL found in AIA URLs parameter crl_distribution_points: %s", badURL)), nil
return logical.ErrorResponse(fmt.Sprintf("invalid URL found in Authority Information Access (AIA) parameter crl_distribution_points: %s", badURL)), nil
}
ocspServers := data.Get("ocsp_servers").([]string)
if badURL := validateURLs(ocspServers); badURL != "" {
return logical.ErrorResponse(fmt.Sprintf("invalid URL found in AIA URLs parameter ocsp_servers: %s", badURL)), nil
return logical.ErrorResponse(fmt.Sprintf("invalid URL found in Authority Information Access (AIA) parameter ocsp_servers: %s", badURL)), nil
}

modified := false
Expand Down Expand Up @@ -626,7 +626,7 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
if ok {
urlsValue := rawURLsValue.([]string)
if badURL := validateURLs(urlsValue); badURL != "" {
return logical.ErrorResponse(fmt.Sprintf("invalid URL found in AIA URLs parameter %v: %s", pair.Source, badURL)), nil
return logical.ErrorResponse(fmt.Sprintf("invalid URL found in Authority Information Access (AIA) parameter %v: %s", pair.Source, badURL)), nil
}

if isStringArrayDifferent(urlsValue, *pair.Dest) {
2 changes: 1 addition & 1 deletion builtin/logical/pki/path_manage_issuers.go
Expand Up @@ -301,7 +301,7 @@ func (b *backend) pathImportIssuers(ctx context.Context, req *logical.Request, d
// In particular, if there's no default AIA URLs configuration, we should
// tell the user that's probably next.
if entries, err := getURLs(ctx, req.Storage); err == nil && len(entries.IssuingCertificates) == 0 && len(entries.CRLDistributionPoints) == 0 && len(entries.OCSPServers) == 0 {
response.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls or the newly generated issuer with this information.")
response.AddWarning("This mount hasn't configured any authority access information (AIA) fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls or the newly generated issuer with this information.")
}

return response, nil
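Review bot: The expansion written into the warning does not match the acronym it introduces: "authority access information (AIA)" reads as AAI, whereas AIA stands for Authority Information Access, which the new error messages in path_config_urls.go already spell out correctly. The same warning in path_root.go is given two further wordings ("authority access (AIA) information fields" in pathCAGenerateRoot and "authority access information (AIA) fields" in pathIssuerSignIntermediate), so the three copies now drift from one another. Suggest a single wording, e.g. `"This mount hasn't configured any Authority Information Access (AIA) fields; ..."`, and since the text is otherwise identical at all three call sites, hoisting it into one package-level constant so later edits stay consistent. pathImportIssuers's body starts before this hunk and the hunk ends at its return statement.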
4 changes: 2 additions & 2 deletions builtin/logical/pki/path_root.go
Expand Up @@ -185,7 +185,7 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
// If the operator hasn't configured any of the URLs prior to
// generating this issuer, we should add a warning to the response,
// informing them they might want to do so prior to issuing leaves.
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls or the newly generated issuer with this information.")
resp.AddWarning("This mount hasn't configured any authority access (AIA) information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls or the newly generated issuer with this information.")
}

switch format {
Expand Down Expand Up @@ -408,7 +408,7 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
// If the operator hasn't configured any of the URLs prior to
// generating this issuer, we should add a warning to the response,
// informing them they might want to do so and re-generate the issuer.
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls or the newly generated issuer with this information.")
resp.AddWarning("This mount hasn't configured any authority access information (AIA) fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls or the newly generated issuer with this information.")
}

caChain := append([]string{cb.Certificate}, cb.CAChain...)