ca: cleanup validateSetIntermediate

agent/connect/ca/common.go

@@ -9,11 +9,7 @@ import (
 	"github.com/hashicorp/consul/agent/connect"
 )
 
-func validateSetIntermediate(
+func validateSetIntermediate(intermediatePEM, rootPEM string, spiffeID *connect.SpiffeIDSigning) error {
-	intermediatePEM, rootPEM string,
-	currentPrivateKey string, // optional
-	spiffeID *connect.SpiffeIDSigning,
-) error {
 	// Get the key from the incoming intermediate cert so we can compare it
 	// to the currently stored key.
 	intermediate, err := connect.ParseCert(intermediatePEM)
@@ -21,26 +17,6 @@ func validateSetIntermediate(
 		return fmt.Errorf("error parsing intermediate PEM: %v", err)
 	}
 
-	if currentPrivateKey != "" {
-		privKey, err := connect.ParseSigner(currentPrivateKey)
-		if err != nil {
-			return err
-		}
-
-		// Compare the two keys to make sure they match.
-		b1, err := x509.MarshalPKIXPublicKey(intermediate.PublicKey)
-		if err != nil {
-			return err
-		}
-		b2, err := x509.MarshalPKIXPublicKey(privKey.Public())
-		if err != nil {
-			return err
-		}
-		if !bytes.Equal(b1, b2) {
-			return fmt.Errorf("intermediate cert is for a different private key")
-		}
-	}
-
 	// Validate the remaining fields and make sure the intermediate validates against
 	// the given root cert.
 	if !intermediate.IsCA {
@@ -65,6 +41,32 @@ func validateSetIntermediate(
 	return nil
 }
 
+func validateIntermediateSignedByPrivateKey(intermediatePEM string, privateKey string) error {
+	intermediate, err := connect.ParseCert(intermediatePEM)
+	if err != nil {
+		return fmt.Errorf("error parsing intermediate PEM: %v", err)
+	}
+
+	privKey, err := connect.ParseSigner(privateKey)
+	if err != nil {
+		return err
+	}
+
+	// Compare the two keys to make sure they match.
+	b1, err := x509.MarshalPKIXPublicKey(intermediate.PublicKey)
+	if err != nil {
+		return err
+	}
+	b2, err := x509.MarshalPKIXPublicKey(privKey.Public())
+	if err != nil {
+		return err
+	}
+	if !bytes.Equal(b1, b2) {
+		return fmt.Errorf("intermediate cert is for a different private key")
+	}
+	return nil
+}
+
 func validateSignIntermediate(csr *x509.CertificateRequest, spiffeID *connect.SpiffeIDSigning) error {
 	// We explicitly _don't_ require that the CSR has a valid SPIFFE signing URI
 	// SAN because AWS PCA doesn't let us set one :(. We need to relax it here

agent/connect/ca/provider_consul.go

@@ -253,12 +253,10 @@ func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM string) error
 		return fmt.Errorf("cannot set an intermediate using another root in the primary datacenter")
 	}
 
-	err = validateSetIntermediate(
+	if err = validateSetIntermediate(intermediatePEM, rootPEM, c.spiffeID); err != nil {
-		intermediatePEM, rootPEM,
+		return err
-		providerState.PrivateKey,
+	}
-		c.spiffeID,
+	if err := validateIntermediateSignedByPrivateKey(intermediatePEM, providerState.PrivateKey); err != nil {
-	)
-	if err != nil {
 		return err
 	}
 

agent/connect/ca/provider_vault.go

@@ -402,8 +402,7 @@ func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error {
 		return fmt.Errorf("cannot set an intermediate using another root in the primary datacenter")
 	}
 
-	// the private key is in vault, so we can't use it in this validation
+	err := validateSetIntermediate(intermediatePEM, rootPEM, v.spiffeID)
-	err := validateSetIntermediate(intermediatePEM, rootPEM, "", v.spiffeID)
 	if err != nil {
 		return err
 	}