ca: add some godoc and func for finding leaf signing cert

This will be used in a follow-up commit.
Daniel Nephin 2021-11-23 12:49:43 -05:00
parent 52f0853ff9
commit 32ef9c5d5c
2 changed files with 26 additions and 6 deletions


@ -1149,11 +1149,9 @@ func (c *CAManager) RenewIntermediate(ctx context.Context, isPrimary bool) error
// If this is the primary, check if this is a provider that uses an intermediate cert. If
// it isn't, we don't need to check for a renewal.
if isPrimary {
if _, ok := provider.(ca.PrimaryUsesIntermediate); !ok {
if isPrimary && !primaryUsesIntermediate(provider) {
return nil
}
}
activeIntermediate, err := provider.ActiveIntermediate()
if err != nil {
@ -1536,3 +1534,16 @@ func (c *CAManager) checkExpired(pem string) error {
}
return nil
}
func primaryUsesIntermediate(provider ca.Provider) bool {
_, ok := provider.(ca.PrimaryUsesIntermediate)
return ok
}
func (c *CAManager) isIntermediateUsedToSignLeaf() bool {
if c.serverConf.Datacenter != c.serverConf.PrimaryDatacenter {
return true
}
provider, _ := c.getCAProvider()
return primaryUsesIntermediate(provider)
}
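Review bot: Neither of the two functions added at the end of this hunk has a doc comment, although the commit title announces godoc, and `isIntermediateUsedToSignLeaf` discards the second result of `c.getCAProvider()` with `_` and no comment saying why that is safe. Propose `// primaryUsesIntermediate reports whether provider signs leaf certificates with an intermediate CA rather than the root, i.e. whether it implements ca.PrimaryUsesIntermediate.` above the first, and `// isIntermediateUsedToSignLeaf reports whether leaf certificates in this datacenter are signed by an intermediate CA: always true in a secondary datacenter, otherwise decided by the primary's provider.` above the second. If getCAProvider can yield a nil provider, the type assertion in primaryUsesIntermediate just returns false, so the method silently answers "the root signs leaves" when no provider is available; if that is not the intended answer, the nil case should be handled explicitly or the assumption stated in the comment. The body of checkExpired starts outside the hunk and RenewIntermediate (first hunk) continues past it.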


@ -86,11 +86,20 @@ type CARoot struct {
NotBefore time.Time
NotAfter time.Time
// RootCert is the PEM-encoded public certificate.
// RootCert is the PEM-encoded public certificate for the root CA. The
// certificate is the same for all federated clusters.
RootCert string
// IntermediateCerts is a list of PEM-encoded intermediate certs to
// attach to any leaf certs signed by this CA.
// attach to any leaf certs signed by this CA. The list may include a
// certificate cross-signed by an old root CA, any subordinate CAs below the
// root CA, and the intermediate CA used to sign leaf certificates in the
// local Datacenter.
//
// If the provider which created this root uses an intermediate to sign
// leaf certificates (Vault provider), or this is a secondary Datacenter then
// the intermediate used to sign leaf certificates will be the last in the
// list.
IntermediateCerts []string
// SigningCert is the PEM-encoded signing certificate and SigningKey
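Review bot: The new IntermediateCerts comment states an ordering invariant (the intermediate that signs leaf certificates is last in the list) but not where that order is established or that the list may be empty, so a reader cannot tell whether taking the last element directly is safe. Suggest adding one sentence naming the code path that maintains the order, and `// Callers that need the leaf-signing intermediate must check the list is non-empty before taking its last element.` The CARoot struct continues outside the hunk.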