mirror of https://github.com/status-im/consul.git
Use provider state table for a global serial index
This commit is contained in:
parent
988510f53c
commit
627aa80d5a
|
@ -179,7 +179,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
||||||
|
|
||||||
// Get the provider state
|
// Get the provider state
|
||||||
state := c.delegate.State()
|
state := c.delegate.State()
|
||||||
_, providerState, err := state.CAProviderState(c.id)
|
idx, providerState, err := state.CAProviderState(c.id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -215,7 +215,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
||||||
|
|
||||||
// Cert template for generation
|
// Cert template for generation
|
||||||
sn := &big.Int{}
|
sn := &big.Int{}
|
||||||
sn.SetUint64(providerState.SerialIndex + 1)
|
sn.SetUint64(idx + 1)
|
||||||
template := x509.Certificate{
|
template := x509.Certificate{
|
||||||
SerialNumber: sn,
|
SerialNumber: sn,
|
||||||
Subject: pkix.Name{CommonName: serviceId.Service},
|
Subject: pkix.Name{CommonName: serviceId.Service},
|
||||||
|
@ -252,7 +252,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
||||||
return "", fmt.Errorf("error encoding private key: %s", err)
|
return "", fmt.Errorf("error encoding private key: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = c.incrementSerialIndex(providerState)
|
err = c.incrementProviderIndex(providerState)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -268,7 +268,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
|
|
||||||
// Get the provider state
|
// Get the provider state
|
||||||
state := c.delegate.State()
|
state := c.delegate.State()
|
||||||
_, providerState, err := state.CAProviderState(c.id)
|
idx, providerState, err := state.CAProviderState(c.id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -290,7 +290,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
|
|
||||||
// Create the cross-signing template from the existing root CA
|
// Create the cross-signing template from the existing root CA
|
||||||
serialNum := &big.Int{}
|
serialNum := &big.Int{}
|
||||||
serialNum.SetUint64(providerState.SerialIndex + 1)
|
serialNum.SetUint64(idx + 1)
|
||||||
template := *cert
|
template := *cert
|
||||||
template.SerialNumber = serialNum
|
template.SerialNumber = serialNum
|
||||||
template.SignatureAlgorithm = rootCA.SignatureAlgorithm
|
template.SignatureAlgorithm = rootCA.SignatureAlgorithm
|
||||||
|
@ -309,7 +309,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
return "", fmt.Errorf("error encoding private key: %s", err)
|
return "", fmt.Errorf("error encoding private key: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = c.incrementSerialIndex(providerState)
|
err = c.incrementProviderIndex(providerState)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -317,11 +317,10 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
return buf.String(), nil
|
return buf.String(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// incrementSerialIndex increments the cert serial number index in the provider
|
// incrementProviderIndex does a write to increment the provider state store table index
|
||||||
// state.
|
// used for serial numbers when generating certificates.
|
||||||
func (c *ConsulCAProvider) incrementSerialIndex(providerState *structs.CAConsulProviderState) error {
|
func (c *ConsulCAProvider) incrementProviderIndex(providerState *structs.CAConsulProviderState) error {
|
||||||
newState := *providerState
|
newState := *providerState
|
||||||
newState.SerialIndex++
|
|
||||||
args := &structs.CARequest{
|
args := &structs.CARequest{
|
||||||
Op: structs.CAOpSetProviderState,
|
Op: structs.CAOpSetProviderState,
|
||||||
ProviderState: &newState,
|
ProviderState: &newState,
|
||||||
|
|
|
@ -1331,7 +1331,6 @@ func TestFSM_CABuiltinProvider(t *testing.T) {
|
||||||
ID: "foo",
|
ID: "foo",
|
||||||
PrivateKey: "a",
|
PrivateKey: "a",
|
||||||
RootCert: "b",
|
RootCert: "b",
|
||||||
SerialIndex: 2,
|
|
||||||
RaftIndex: structs.RaftIndex{
|
RaftIndex: structs.RaftIndex{
|
||||||
CreateIndex: 1,
|
CreateIndex: 1,
|
||||||
ModifyIndex: 1,
|
ModifyIndex: 1,
|
||||||
|
|
|
@ -359,7 +359,6 @@ func TestStore_CABuiltinProvider(t *testing.T) {
|
||||||
ID: "foo",
|
ID: "foo",
|
||||||
PrivateKey: "a",
|
PrivateKey: "a",
|
||||||
RootCert: "b",
|
RootCert: "b",
|
||||||
SerialIndex: 1,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ok, err := s.CASetProviderState(0, expected)
|
ok, err := s.CASetProviderState(0, expected)
|
||||||
|
@ -377,7 +376,6 @@ func TestStore_CABuiltinProvider(t *testing.T) {
|
||||||
ID: "bar",
|
ID: "bar",
|
||||||
PrivateKey: "c",
|
PrivateKey: "c",
|
||||||
RootCert: "d",
|
RootCert: "d",
|
||||||
SerialIndex: 2,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ok, err := s.CASetProviderState(1, expected)
|
ok, err := s.CASetProviderState(1, expected)
|
||||||
|
@ -401,13 +399,11 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
|
||||||
ID: "bar",
|
ID: "bar",
|
||||||
PrivateKey: "y",
|
PrivateKey: "y",
|
||||||
RootCert: "z",
|
RootCert: "z",
|
||||||
SerialIndex: 2,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ID: "foo",
|
ID: "foo",
|
||||||
PrivateKey: "a",
|
PrivateKey: "a",
|
||||||
RootCert: "b",
|
RootCert: "b",
|
||||||
SerialIndex: 1,
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -426,7 +422,6 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
|
||||||
ID: "foo",
|
ID: "foo",
|
||||||
PrivateKey: "c",
|
PrivateKey: "c",
|
||||||
RootCert: "d",
|
RootCert: "d",
|
||||||
SerialIndex: 1,
|
|
||||||
}
|
}
|
||||||
ok, err := s.CASetProviderState(100, after)
|
ok, err := s.CASetProviderState(100, after)
|
||||||
assert.NoError(err)
|
assert.NoError(err)
|
||||||
|
|
|
@ -171,7 +171,6 @@ type CAConsulProviderState struct {
|
||||||
ID string
|
ID string
|
||||||
PrivateKey string
|
PrivateKey string
|
||||||
RootCert string
|
RootCert string
|
||||||
SerialIndex uint64
|
|
||||||
|
|
||||||
RaftIndex
|
RaftIndex
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue