-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds "raw(/pem)" format to individual cert routes closes #10947 #10948
Adds "raw(/pem)" format to individual cert routes closes #10947 #10948
Conversation
I did not see any existing tests for the |
\o Greetings @abriening, sorry about the delay. We've discussed this PR and are happy to accept it. Do you have time to add a changelog entry, tests, and docs? Former would probably be something like: ```release-note:improvement secrets/pki: Add ability to fetch individual certificate DER and PEM ``` Or something similar, in a file named For docs, you could add it to For tests, in Let me know if you're not interested and I'll add these and cherry-pick. Thank you! |
Will do. |
528f5e6
to
e64a017
Compare
@cipherboy Rebased against Not really needed for this PR but testing |
e64a017
to
9af47db
Compare
9af47db
to
97ce3a5
Compare
Similar to "/pki/ca(/pem)" routes to retrieve certificates in raw or pem formats, this adds "pki/cert/{serial}/raw(/pem)" routes for any certificate.
97ce3a5
to
abfeb56
Compare
pushed |
Many thanks for your contribution @abriening! :-) |
As mentioned in hashicorp#10948, it appears we're incorrectly using the `application/pkix-cert` media type for PEM blobs, when `application/x-pem-file` is more appropriate. Per RFC 5280 Section 4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert` is only applicable when a single DER certificate is used. Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use the newer `application/pem-certificate-chain` media type for certificates. However, this is not applicable for CRLs, so we use fall back to `application/x-pem-file` for these. Notably, no official IETF source is present for the latter. On the OpenSSL PKI tutorial (https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is cited as coming from S/MIME's predecessor, PEM, but neither of the main PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type. Signed-off-by: Alexander Scheel <[email protected]>
* Use application/pem-certificate-chain for PEMs As mentioned in #10948, it appears we're incorrectly using the `application/pkix-cert` media type for PEM blobs, when `application/x-pem-file` is more appropriate. Per RFC 5280 Section 4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert` is only applicable when a single DER certificate is used. Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use the newer `application/pem-certificate-chain` media type for certificates. However, this is not applicable for CRLs, so we use fall back to `application/x-pem-file` for these. Notably, no official IETF source is present for the latter. On the OpenSSL PKI tutorial (https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is cited as coming from S/MIME's predecessor, PEM, but neither of the main PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type. Signed-off-by: Alexander Scheel <[email protected]> * Add changelog entry Signed-off-by: Alexander Scheel <[email protected]>
* Use application/pem-certificate-chain for PEMs As mentioned in #10948, it appears we're incorrectly using the `application/pkix-cert` media type for PEM blobs, when `application/x-pem-file` is more appropriate. Per RFC 5280 Section 4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert` is only applicable when a single DER certificate is used. Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use the newer `application/pem-certificate-chain` media type for certificates. However, this is not applicable for CRLs, so we use fall back to `application/x-pem-file` for these. Notably, no official IETF source is present for the latter. On the OpenSSL PKI tutorial (https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is cited as coming from S/MIME's predecessor, PEM, but neither of the main PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type. Signed-off-by: Alexander Scheel <[email protected]> * Add changelog entry Signed-off-by: Alexander Scheel <[email protected]>
Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.