Use provider state table for a global serial index

This commit is contained in:
Kyle Havlovitz 2018-05-04 16:01:38 -07:00 committed by Mitchell Hashimoto
parent 988510f53c
commit 627aa80d5a
No known key found for this signature in database
GPG Key ID: 744E147AA52F5B0A
4 changed files with 30 additions and 38 deletions

View File

@ -179,7 +179,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Get the provider state // Get the provider state
state := c.delegate.State() state := c.delegate.State()
_, providerState, err := state.CAProviderState(c.id) idx, providerState, err := state.CAProviderState(c.id)
if err != nil { if err != nil {
return "", err return "", err
} }
@ -215,7 +215,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Cert template for generation // Cert template for generation
sn := &big.Int{} sn := &big.Int{}
sn.SetUint64(providerState.SerialIndex + 1) sn.SetUint64(idx + 1)
template := x509.Certificate{ template := x509.Certificate{
SerialNumber: sn, SerialNumber: sn,
Subject: pkix.Name{CommonName: serviceId.Service}, Subject: pkix.Name{CommonName: serviceId.Service},
@ -252,7 +252,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
return "", fmt.Errorf("error encoding private key: %s", err) return "", fmt.Errorf("error encoding private key: %s", err)
} }
err = c.incrementSerialIndex(providerState) err = c.incrementProviderIndex(providerState)
if err != nil { if err != nil {
return "", err return "", err
} }
@ -268,7 +268,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
// Get the provider state // Get the provider state
state := c.delegate.State() state := c.delegate.State()
_, providerState, err := state.CAProviderState(c.id) idx, providerState, err := state.CAProviderState(c.id)
if err != nil { if err != nil {
return "", err return "", err
} }
@ -290,7 +290,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
// Create the cross-signing template from the existing root CA // Create the cross-signing template from the existing root CA
serialNum := &big.Int{} serialNum := &big.Int{}
serialNum.SetUint64(providerState.SerialIndex + 1) serialNum.SetUint64(idx + 1)
template := *cert template := *cert
template.SerialNumber = serialNum template.SerialNumber = serialNum
template.SignatureAlgorithm = rootCA.SignatureAlgorithm template.SignatureAlgorithm = rootCA.SignatureAlgorithm
@ -309,7 +309,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
return "", fmt.Errorf("error encoding private key: %s", err) return "", fmt.Errorf("error encoding private key: %s", err)
} }
err = c.incrementSerialIndex(providerState) err = c.incrementProviderIndex(providerState)
if err != nil { if err != nil {
return "", err return "", err
} }
@ -317,11 +317,10 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
return buf.String(), nil return buf.String(), nil
} }
// incrementSerialIndex increments the cert serial number index in the provider // incrementProviderIndex does a write to increment the provider state store table index
// state. // used for serial numbers when generating certificates.
func (c *ConsulCAProvider) incrementSerialIndex(providerState *structs.CAConsulProviderState) error { func (c *ConsulCAProvider) incrementProviderIndex(providerState *structs.CAConsulProviderState) error {
newState := *providerState newState := *providerState
newState.SerialIndex++
args := &structs.CARequest{ args := &structs.CARequest{
Op: structs.CAOpSetProviderState, Op: structs.CAOpSetProviderState,
ProviderState: &newState, ProviderState: &newState,

View File

@ -1331,7 +1331,6 @@ func TestFSM_CABuiltinProvider(t *testing.T) {
ID: "foo", ID: "foo",
PrivateKey: "a", PrivateKey: "a",
RootCert: "b", RootCert: "b",
SerialIndex: 2,
RaftIndex: structs.RaftIndex{ RaftIndex: structs.RaftIndex{
CreateIndex: 1, CreateIndex: 1,
ModifyIndex: 1, ModifyIndex: 1,

View File

@ -359,7 +359,6 @@ func TestStore_CABuiltinProvider(t *testing.T) {
ID: "foo", ID: "foo",
PrivateKey: "a", PrivateKey: "a",
RootCert: "b", RootCert: "b",
SerialIndex: 1,
} }
ok, err := s.CASetProviderState(0, expected) ok, err := s.CASetProviderState(0, expected)
@ -377,7 +376,6 @@ func TestStore_CABuiltinProvider(t *testing.T) {
ID: "bar", ID: "bar",
PrivateKey: "c", PrivateKey: "c",
RootCert: "d", RootCert: "d",
SerialIndex: 2,
} }
ok, err := s.CASetProviderState(1, expected) ok, err := s.CASetProviderState(1, expected)
@ -401,13 +399,11 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
ID: "bar", ID: "bar",
PrivateKey: "y", PrivateKey: "y",
RootCert: "z", RootCert: "z",
SerialIndex: 2,
}, },
{ {
ID: "foo", ID: "foo",
PrivateKey: "a", PrivateKey: "a",
RootCert: "b", RootCert: "b",
SerialIndex: 1,
}, },
} }
@ -426,7 +422,6 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
ID: "foo", ID: "foo",
PrivateKey: "c", PrivateKey: "c",
RootCert: "d", RootCert: "d",
SerialIndex: 1,
} }
ok, err := s.CASetProviderState(100, after) ok, err := s.CASetProviderState(100, after)
assert.NoError(err) assert.NoError(err)

View File

@ -171,7 +171,6 @@ type CAConsulProviderState struct {
ID string ID string
PrivateKey string PrivateKey string
RootCert string RootCert string
SerialIndex uint64
RaftIndex RaftIndex
} }