Add more metadata to structs.CARoot

This commit is contained in:
Kyle Havlovitz 2018-05-04 16:01:54 -07:00 committed by Mitchell Hashimoto
parent 627aa80d5a
commit 6e9f1f8acb
No known key found for this signature in database
GPG Key ID: 744E147AA52F5B0A
3 changed files with 42 additions and 16 deletions

View File

@ -98,15 +98,9 @@ func (s *ConnectCA) ConfigurationSet(
return err return err
} }
id, err := connect.CalculateCertFingerprint(newRootPEM) newActiveRoot, err := parseCARoot(newRootPEM, args.Config.Provider)
if err != nil { if err != nil {
return fmt.Errorf("error parsing root fingerprint: %v", err) return err
}
newActiveRoot := &structs.CARoot{
ID: id,
Name: fmt.Sprintf("%s CA Root Cert", config.Provider),
RootCert: newRootPEM,
Active: true,
} }
// Compare the new provider's root CA ID to the current one. If they // Compare the new provider's root CA ID to the current one. If they
@ -240,6 +234,10 @@ func (s *ConnectCA) Roots(
reply.Roots[i] = &structs.CARoot{ reply.Roots[i] = &structs.CARoot{
ID: r.ID, ID: r.ID,
Name: r.Name, Name: r.Name,
SerialNumber: r.SerialNumber,
SigningKeyID: r.SigningKeyID,
NotBefore: r.NotBefore,
NotAfter: r.NotAfter,
RootCert: r.RootCert, RootCert: r.RootCert,
IntermediateCerts: r.IntermediateCerts, IntermediateCerts: r.IntermediateCerts,
RaftIndex: r.RaftIndex, RaftIndex: r.RaftIndex,

View File

@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"net" "net"
"strconv" "strconv"
"strings"
"sync" "sync"
"time" "time"
@ -427,15 +428,9 @@ func (s *Server) initializeCA() error {
return fmt.Errorf("error getting root cert: %v", err) return fmt.Errorf("error getting root cert: %v", err)
} }
id, err := connect.CalculateCertFingerprint(rootPEM) rootCA, err := parseCARoot(rootPEM, conf.Provider)
if err != nil { if err != nil {
return fmt.Errorf("error parsing root fingerprint: %v", err) return err
}
rootCA := &structs.CARoot{
ID: id,
Name: fmt.Sprintf("%s CA Root Cert", conf.Provider),
RootCert: rootPEM,
Active: true,
} }
// Check if the CA root is already initialized and exit if it is. // Check if the CA root is already initialized and exit if it is.
@ -478,6 +473,28 @@ func (s *Server) initializeCA() error {
return nil return nil
} }
// parseCARoot returns a filled-in structs.CARoot from a raw PEM value.
func parseCARoot(pemValue, provider string) (*structs.CARoot, error) {
id, err := connect.CalculateCertFingerprint(pemValue)
if err != nil {
return nil, fmt.Errorf("error parsing root fingerprint: %v", err)
}
rootCert, err := connect.ParseCert(pemValue)
if err != nil {
return nil, fmt.Errorf("error parsing root cert: %v", err)
}
return &structs.CARoot{
ID: id,
Name: fmt.Sprintf("%s CA Root Cert", strings.Title(provider)),
SerialNumber: rootCert.SerialNumber.Uint64(),
SigningKeyID: connect.HexString(rootCert.AuthorityKeyId),
NotBefore: rootCert.NotBefore,
NotAfter: rootCert.NotAfter,
RootCert: pemValue,
Active: true,
}, nil
}
// createProvider returns a connect CA provider from the given config. // createProvider returns a connect CA provider from the given config.
func (s *Server) createCAProvider(conf *structs.CAConfiguration) (connect_ca.Provider, error) { func (s *Server) createCAProvider(conf *structs.CAConfiguration) (connect_ca.Provider, error) {
switch conf.Provider { switch conf.Provider {

View File

@ -28,6 +28,17 @@ type CARoot struct {
// opaque to Consul and is not used for anything internally. // opaque to Consul and is not used for anything internally.
Name string Name string
// SerialNumber is the x509 serial number of the certificate.
SerialNumber uint64
// SigningKeyID is the ID of the public key that corresponds to the
// private key used to sign the certificate.
SigningKeyID string
// Time validity bounds.
NotBefore time.Time
NotAfter time.Time
// RootCert is the PEM-encoded public certificate. // RootCert is the PEM-encoded public certificate.
RootCert string RootCert string