From 7b890bcf4d78e6bd3ebc9589d67c98f0ca4d76b3 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Fri, 19 Oct 2018 10:54:52 -0400
Subject: [PATCH] Remove now-spurious ttl check and logic from sign-verbatim. This endpoint eventually goes through generateCreationBundle where we already have the right checks. Also add expiration to returned value to match output when using root generation. Fixes #5549
---
 builtin/logical/pki/path_issue_sign.go | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index 2785009b3001..118db414003a 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -154,8 +154,6 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
 }

 entry := &roleEntry{
- TTL: b.System().DefaultLeaseTTL(),
- MaxTTL: b.System().MaxLeaseTTL(),
 AllowLocalhost: true,
 AllowAnyName: true,
 AllowIPSANs: true,
@@ -186,10 +184,6 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
 entry.NoStore = role.NoStore
 }

- if entry.MaxTTL > 0 && entry.TTL > entry.MaxTTL {
- return logical.ErrorResponse(fmt.Sprintf("requested ttl of %s is greater than max ttl of %s", entry.TTL, entry.MaxTTL)), nil
- }
-
 return b.pathIssueSignCert(ctx, req, data, entry, true, true)
 }

@@ -244,6 +238,7 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 }

 respData := map[string]interface{}{
+ "expiration": int64(parsedBundle.Certificate.NotAfter.Unix()),
 "serial_number": cb.SerialNumber,
 }
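Review bot: The `int64(...)` conversion on the added `"expiration"` line in the third hunk is redundant, because `time.Time.Unix()` already returns an `int64`; `"expiration": parsedBundle.Certificate.NotAfter.Unix(),` says the same thing. The key is written in pathIssueSignCert, which the second hunk shows as the tail call of pathSignVerbatim, so the field presumably appears in the response of every path that reaches this function, not only sign-verbatim. A one-line comment such as `// expiration is the certificate's NotAfter as Unix seconds, matching root generation output` and a matching API-doc entry would record that the wider change is intended. pathIssueSignCert starts and ends outside the hunk, so whether parsedBundle.Certificate is guaranteed non-nil at this point cannot be confirmed from here.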