mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-23 07:31:09 +02:00
c4fcb4a086
* Move fetchCertBySerial back into the main PKI package. In order to avoid polluting the issuing package with StorageContext, move fetchCertBySerial back to the main PKI package. Note that this requires that FetchRevocationInfo also be moved back to the main package. * Run make fmt.
85 lines
2.6 KiB
Go
85 lines
2.6 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package revocation
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
|
"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
|
|
"github.com/hashicorp/vault/sdk/helper/errutil"
|
|
)
|
|
|
|
const (
|
|
RevokedPath = "revoked/"
|
|
)
|
|
|
|
type RevocationInfo struct {
|
|
CertificateBytes []byte `json:"certificate_bytes"`
|
|
RevocationTime int64 `json:"revocation_time"`
|
|
RevocationTimeUTC time.Time `json:"revocation_time_utc"`
|
|
CertificateIssuer issuing.IssuerID `json:"issuer_id"`
|
|
}
|
|
|
|
func (ri *RevocationInfo) AssociateRevokedCertWithIsssuer(revokedCert *x509.Certificate, issuerIDCertMap map[issuing.IssuerID]*x509.Certificate) bool {
|
|
for issuerId, issuerCert := range issuerIDCertMap {
|
|
if bytes.Equal(revokedCert.RawIssuer, issuerCert.RawSubject) {
|
|
if err := revokedCert.CheckSignatureFrom(issuerCert); err == nil {
|
|
// Valid mapping. Add it to the specified entry.
|
|
ri.CertificateIssuer = issuerId
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// FetchIssuerMapForRevocationChecking fetches a map of IssuerID->parsed cert for revocation
|
|
// usage. Unlike other paths, this needs to handle the legacy bundle
|
|
// more gracefully than rejecting it outright.
|
|
func FetchIssuerMapForRevocationChecking(sc pki_backend.StorageContext) (map[issuing.IssuerID]*x509.Certificate, error) {
|
|
var err error
|
|
var issuers []issuing.IssuerID
|
|
|
|
if !sc.UseLegacyBundleCaStorage() {
|
|
issuers, err = issuing.ListIssuers(sc.GetContext(), sc.GetStorage())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("could not fetch issuers list: %w", err)
|
|
}
|
|
} else {
|
|
// Hack: this isn't a real IssuerID, but it works for fetchCAInfo
|
|
// since it resolves the reference.
|
|
issuers = []issuing.IssuerID{issuing.LegacyBundleShimID}
|
|
}
|
|
|
|
issuerIDCertMap := make(map[issuing.IssuerID]*x509.Certificate, len(issuers))
|
|
for _, issuer := range issuers {
|
|
_, bundle, caErr := issuing.FetchCertBundleByIssuerId(sc.GetContext(), sc.GetStorage(), issuer, false)
|
|
if caErr != nil {
|
|
return nil, fmt.Errorf("error fetching CA certificate for issuer id %v: %w", issuer, caErr)
|
|
}
|
|
|
|
if bundle == nil {
|
|
return nil, fmt.Errorf("faulty reference: %v - CA info not found", issuer)
|
|
}
|
|
|
|
parsedBundle, err := issuing.ParseCABundle(sc.GetContext(), sc.GetPkiManagedView(), bundle)
|
|
if err != nil {
|
|
return nil, errutil.InternalError{Err: err.Error()}
|
|
}
|
|
|
|
if parsedBundle.Certificate == nil {
|
|
return nil, errutil.InternalError{Err: "stored CA information not able to be parsed"}
|
|
}
|
|
|
|
issuerIDCertMap[issuer] = parsedBundle.Certificate
|
|
}
|
|
|
|
return issuerIDCertMap, nil
|
|
}
|