mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-25 08:31:09 +02:00
187c051ef3
* Update PKI to natively use time.Duration Among other things this now means PKI will output durations in seconds like other backends, instead of as Go strings. * Add a warning when refusing to blow away an existing root instead of just returning success * Fix another issue found while debugging this... The reason it wasn't caught on tests in the first place is that the ttl and max ttl were only being compared if in addition to a provided csr, a role was also provided. This was because the check was in the role != nil block instead of outside of it. This has been fixed, which made the problem occur in all sign-verbatim cases and the changes in this PR have now verified the fix.
57 lines
1.6 KiB
Go
57 lines
1.6 KiB
Go
package pki
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
)
|
|
|
|
func (b *backend) getGenerationParams(
|
|
data *framework.FieldData,
|
|
) (exported bool, format string, role *roleEntry, errorResp *logical.Response) {
|
|
exportedStr := data.Get("exported").(string)
|
|
switch exportedStr {
|
|
case "exported":
|
|
exported = true
|
|
case "internal":
|
|
default:
|
|
errorResp = logical.ErrorResponse(
|
|
`the "exported" path parameter must be "internal" or "exported"`)
|
|
return
|
|
}
|
|
|
|
format = getFormat(data)
|
|
if format == "" {
|
|
errorResp = logical.ErrorResponse(
|
|
`the "format" path parameter must be "pem", "der", "der_pkcs", or "pem_bundle"`)
|
|
return
|
|
}
|
|
|
|
role = &roleEntry{
|
|
TTL: time.Duration(data.Get("ttl").(int)) * time.Second,
|
|
KeyType: data.Get("key_type").(string),
|
|
KeyBits: data.Get("key_bits").(int),
|
|
AllowLocalhost: true,
|
|
AllowAnyName: true,
|
|
AllowIPSANs: true,
|
|
EnforceHostnames: false,
|
|
OU: data.Get("ou").([]string),
|
|
Organization: data.Get("organization").([]string),
|
|
Country: data.Get("country").([]string),
|
|
Locality: data.Get("locality").([]string),
|
|
Province: data.Get("province").([]string),
|
|
StreetAddress: data.Get("street_address").([]string),
|
|
PostalCode: data.Get("postal_code").([]string),
|
|
}
|
|
|
|
if role.KeyType == "rsa" && role.KeyBits < 2048 {
|
|
errorResp = logical.ErrorResponse("RSA keys < 2048 bits are unsafe and not supported")
|
|
return
|
|
}
|
|
|
|
errorResp = validateKeyTypeLength(role.KeyType, role.KeyBits)
|
|
|
|
return
|
|
}
|