Include full chain in /cert/ca_chain response
This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) did not include the root authority, requiring
an explicit call to /cert/ca to fetch it. This allows full chains to be
constructed without needing multiple calls to the API.

Resolves: #13489

Signed-off-by: Alexander Scheel <[email protected]>
cipherboy committed Feb 7, 2022
1 parent 1c7ce15 commit 89fba83
Showing 2 changed files with 32 additions and 0 deletions.
17 changes: 17 additions & 0 deletions builtin/logical/pki/path_fetch.go
Expand Up @@ -140,6 +140,7 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
var certEntry, revokedEntry *logical.StorageEntry
var funcErr error
var certificate []byte
var fullChain []byte
var revocationTime int64
response = &logical.Response{
Data: map[string]interface{}{},
Expand Down Expand Up @@ -207,6 +208,18 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
certStr = strings.Join([]string{certStr, strings.TrimSpace(string(pem.EncodeToMemory(&block)))}, "\n")
}
certificate = []byte(strings.TrimSpace(certStr))

rawChain := caInfo.GetFullChain()
var chainStr string
for _, ca := range rawChain {
block := pem.Block{
Type: "CERTIFICATE",
Bytes: ca.Bytes,
}
chainStr = strings.Join([]string{certStr, strings.TrimSpace(string(pem.EncodeToMemory(&block)))}, "\n")
}
fullChain = []byte(strings.TrimSpace(chainStr))

goto reply
}

Expand Down Expand Up @@ -288,6 +301,10 @@ reply:
default:
response.Data["certificate"] = string(certificate)
response.Data["revocation_time"] = revocationTime

if len(fullChain) > 0 {
response.Data["ca_chain"] = string(fullChain)
}
}

return
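Review bot: The accumulator in the loop over `rawChain` (second hunk) is rebuilt from `certStr` on every iteration instead of from `chainStr`, so each pass discards the previous pass's output and `fullChain` ends up holding `certStr` plus only the last element of `rawChain` rather than the whole chain. The join should read `chainStr = strings.Join([]string{chainStr, strings.TrimSpace(string(pem.EncodeToMemory(&block)))}, "\n")`; with `chainStr` starting empty, the leading newline from the first pass is removed by the `TrimSpace` that follows the loop. A test that fetches `ca_chain` from a bundle with at least two `CAChain` entries and counts the `CERTIFICATE` blocks in the response would catch this. The enclosing `pathFetchRead` starts before the first hunk and continues past the last one.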
15 changes: 15 additions & 0 deletions sdk/helper/certutil/types.go
Expand Up @@ -687,6 +687,21 @@ func (b *CAInfoBundle) GetCAChain() []*CertBlock {
return chain
}

func (b *CAInfoBundle) GetFullChain() []*CertBlock {
var chain []*CertBlock

chain = append(chain, &CertBlock{
Certificate: b.Certificate,
Bytes: b.CertificateBytes,
})

if len(b.CAChain) > 0 {
chain = append(chain, b.CAChain...)
}

return chain
}

type CertExtKeyUsage int

const (
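Review bot: `GetFullChain` is exported but has no doc comment, and its relationship to the `GetCAChain` method directly above it is not stated; suggest `// GetFullChain returns the bundle's own certificate followed by the entries of CAChain. The slice is freshly allocated, but its CAChain elements are the same *CertBlock pointers the bundle holds.` The `if len(b.CAChain) > 0` guard is redundant, since `append(chain, b.CAChain...)` with an empty slice is already a no-op, so the body can be reduced to the two appends. Pre-sizing with `make([]*CertBlock, 0, 1+len(b.CAChain))` would also avoid the second growth, though that is a minor point for a slice this small.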
