* Move resolveIssuerCRLPath to PKI issuing package. * Move fetchCertBySerial to PKI issuing package. * Move fetchRevocationInfo to PKI revocation package. * Make associateRevokedCertWithIsssuer a method of RevocationInfo. * Move serialFromCert and normalizeSerial to PKI parsing package. * Move writeUnifiedRevocationEntry to PKI revocation package. * Run make fmt.
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package pki
import (
"fmt"
"strings"
"github.com/hashicorp/vault/builtin/logical/pki/revocation"
)
// unifiedRevocationReadPathPrefix is the storage prefix under which each
// cluster's unified revocation entries are listed. It re-exports the
// revocation package's constant under a package-local name.
const unifiedRevocationReadPathPrefix = revocation.UnifiedRevocationReadPathPrefix
// getUnifiedRevocationBySerial looks for a unified revocation entry for the
// given serial under every cluster prefix returned by
// lookupUnifiedClusterPaths and returns the first one found, with its
// SerialNumber field set from the serial argument.
//
// It returns (nil, nil) when no cluster holds an entry for the serial, and an
// error when the cluster listing, the storage read, or the JSON decode fails.
// The cluster prefixes come from a map, so if more than one cluster stores an
// entry for the same serial, which one is returned is not deterministic.
//
// NOTE(review): serial is appended to the storage path as-is; presumably the
// callers pass an already-normalized serial — confirm at the call sites.
func getUnifiedRevocationBySerial(sc *storageContext, serial string) (*revocation.UnifiedRevocationEntry, error) {
	prefixes, err := lookupUnifiedClusterPaths(sc)
	if err != nil {
		return nil, err
	}

	for _, prefix := range prefixes {
		entryPath := prefix + serial
		raw, err := sc.Storage.Get(sc.Context, entryPath)
		if err != nil {
			return nil, err
		}
		if raw == nil {
			// Nothing stored for this serial in this cluster; try the next one.
			continue
		}

		var entry revocation.UnifiedRevocationEntry
		if err := raw.DecodeJSON(&entry); err != nil {
			return nil, fmt.Errorf("failed json decoding of unified entry at path %s: %w", entryPath, err)
		}
		entry.SerialNumber = serial
		return &entry, nil
	}

	return nil, nil
}
// listClusterSpecificUnifiedRevokedCerts lists the serials stored under the
// unified revocation prefix for clusterId. The returned strings are exactly
// what storage lists under that prefix; a listing error is returned unchanged.
//
// NOTE(review): clusterId is joined into the storage path without validation;
// presumably it originates from lookupUnifiedClusterPaths or another trusted
// listing — confirm at the call sites.
func listClusterSpecificUnifiedRevokedCerts(sc *storageContext, clusterId string) ([]string, error) {
	prefix := unifiedRevocationReadPathPrefix + clusterId + "/"

	var (
		serials []string
		err     error
	)
	if serials, err = sc.Storage.List(sc.Context, prefix); err != nil {
		return nil, err
	}
	return serials, nil
}
// lookupUnifiedClusterPaths lists the children of unifiedRevocationReadPathPrefix
// and returns a map from cluster id to the full storage prefix that holds that
// cluster's unified revocation entries.
//
// Only children ending in "/" (folder listings) are included; a plain key
// stored directly under the prefix is ignored. The returned map is empty,
// not nil, when nothing is listed. A listing error is returned unchanged.
func lookupUnifiedClusterPaths(sc *storageContext) (map[string]string, error) {
	children, err := sc.Storage.List(sc.Context, unifiedRevocationReadPathPrefix)
	if err != nil {
		return nil, err
	}

	prefixes := make(map[string]string, len(children))
	for _, child := range children {
		// A child without a trailing slash is a file, not a cluster folder.
		if !strings.HasSuffix(child, "/") {
			continue
		}
		clusterId := strings.TrimSuffix(child, "/")
		prefixes[clusterId] = unifiedRevocationReadPathPrefix + child
	}

	return prefixes, nil
}