Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds "raw(/pem)" format to individual cert routes closes #10947 #10948

Merged

Conversation

abriening
Copy link
Contributor

Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.

@hashicorp-cla
Copy link

hashicorp-cla commented Feb 19, 2021

CLA assistant check
All committers have signed the CLA.

@vercel vercel bot temporarily deployed to Preview – vault-storybook February 19, 2021 19:25 Inactive
@vercel vercel bot temporarily deployed to Preview – vault February 19, 2021 19:25 Inactive
@abriening
Copy link
Contributor Author

I did not see any existing tests for the raw(/pem) routes so I didn't add any. The existing builtin/logical/pki/backend_test.go tests are passing. Looks like build-common-layers depends on inaccessible SSH Keys so the build is failing.

@cipherboy
Copy link
Contributor

\o Greetings @abriening, sorry about the delay. We've discussed this PR and are happy to accept it.

Do you have time to add a changelog entry, tests, and docs? Former would probably be something like:

```release-note:improvement
secrets/pki: Add ability to fetch individual certificate DER and PEM
```

Or something similar, in a file named /changelog/10948.txt.

For docs, you could add it to website/content/api-docs/secret/pki.mdx near the top, after Read Certificate.

For tests, in builtin/logical/pki/backend_test.go, you could add one there since the certificate has a known serial number... It looks like req := client.NewRequest("GET", "/pki/cert/f00bar/raw/pem") would do what you need, plus client.RawRequest(req). This'll give you a Response object you can read for the PEM/DER. :-)

Let me know if you're not interested and I'll add these and cherry-pick. Thank you!

@abriening
Copy link
Contributor Author

Will do.

@abriening abriening force-pushed the allow-raw-pem-routes-for-any-cert branch from 528f5e6 to e64a017 Compare February 7, 2022 01:14
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 7, 2022 01:14 Inactive
@abriening
Copy link
Contributor Author

abriening commented Feb 7, 2022

@cipherboy Rebased against master main since it's been a while. Added docs, changelog entry & backend test. Tested directly against the Backend, since that's how most other tests in that suite were running.

Not really needed for this PR but testing content-type == "application/pkix-cert" does have me wondering if that is correct for PEM. Should it be application/x-pem-file? But that's another MR for another day.

@abriening abriening force-pushed the allow-raw-pem-routes-for-any-cert branch from e64a017 to 9af47db Compare February 7, 2022 01:26
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 7, 2022 01:26 Inactive
@abriening abriening force-pushed the allow-raw-pem-routes-for-any-cert branch from 9af47db to 97ce3a5 Compare February 7, 2022 01:30
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 7, 2022 01:30 Inactive
Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.
@abriening abriening force-pushed the allow-raw-pem-routes-for-any-cert branch from 97ce3a5 to abfeb56 Compare February 7, 2022 14:00
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 7, 2022 14:00 Inactive
@abriening
Copy link
Contributor Author

pushed make fmt change that was failing CI.

@cipherboy cipherboy merged commit 1c7ce15 into hashicorp:main Feb 7, 2022
@cipherboy
Copy link
Contributor

Many thanks for your contribution @abriening! :-)

cipherboy added a commit to cipherboy/vault that referenced this pull request Feb 7, 2022
As mentioned in hashicorp#10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <[email protected]>
@abriening abriening deleted the allow-raw-pem-routes-for-any-cert branch February 7, 2022 20:25
cipherboy added a commit that referenced this pull request Feb 8, 2022
* Use application/pem-certificate-chain for PEMs

As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <[email protected]>

* Add changelog entry

Signed-off-by: Alexander Scheel <[email protected]>
fairclothjm pushed a commit that referenced this pull request Feb 12, 2022
Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.
fairclothjm pushed a commit that referenced this pull request Feb 12, 2022
* Use application/pem-certificate-chain for PEMs

As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <[email protected]>

* Add changelog entry

Signed-off-by: Alexander Scheel <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants