mirror of https://github.com/hashicorp/consul
Use provider state table for a global serial index
parent
988510f53c
commit
627aa80d5a
@ -179,7 +179,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Get the provider state
state := c.delegate.State()
_, providerState, err := state.CAProviderState(c.id)
idx, providerState, err := state.CAProviderState(c.id)
if err != nil {
return "", err
}
@ -215,7 +215,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// Cert template for generation
sn := &big.Int{}
sn.SetUint64(providerState.SerialIndex + 1)
sn.SetUint64(idx + 1)
template := x509.Certificate{
SerialNumber: sn,
Subject: pkix.Name{CommonName: serviceId.Service},
@ -252,7 +252,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
return "", fmt.Errorf("error encoding private key: %s", err)
}
err = c.incrementSerialIndex(providerState)
err = c.incrementProviderIndex(providerState)
if err != nil {
return "", err
}
@ -268,7 +268,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
// Get the provider state
state := c.delegate.State()
_, providerState, err := state.CAProviderState(c.id)
idx, providerState, err := state.CAProviderState(c.id)
if err != nil {
return "", err
}
@ -290,7 +290,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
// Create the cross-signing template from the existing root CA
serialNum := &big.Int{}
serialNum.SetUint64(providerState.SerialIndex + 1)
serialNum.SetUint64(idx + 1)
template := *cert
template.SerialNumber = serialNum
template.SignatureAlgorithm = rootCA.SignatureAlgorithm
@ -309,7 +309,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
return "", fmt.Errorf("error encoding private key: %s", err)
}
err = c.incrementSerialIndex(providerState)
err = c.incrementProviderIndex(providerState)
if err != nil {
return "", err
}
@ -317,11 +317,10 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
return buf.String(), nil
}
// incrementSerialIndex increments the cert serial number index in the provider
// state.
func (c *ConsulCAProvider) incrementSerialIndex(providerState *structs.CAConsulProviderState) error {
// incrementProviderIndex does a write to increment the provider state store table index
// used for serial numbers when generating certificates.
func (c *ConsulCAProvider) incrementProviderIndex(providerState *structs.CAConsulProviderState) error {
newState := *providerState
newState.SerialIndex++
args := &structs.CARequest{
Op: structs.CAOpSetProviderState,
ProviderState: &newState,
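Review bot: In Sign and CrossSignCA the serial is now `idx + 1`, where `idx` is read from `state.CAProviderState(c.id)` at the top of the function and is only advanced by `incrementProviderIndex` after the certificate has been signed, so two signing calls that overlap between that read and that write would compute the same serial; uniqueness of serials per issuer (RFC 5280 §4.1.2.2) therefore rests on Sign and CrossSignCA being serialized by something outside these hunks, and if no such lock exists the read–sign–increment sequence needs one. That reliance is worth stating on the new helper, e.g. `// Each issued certificate's serial number is derived from this index, so it must be advanced after every signing, and signing calls must not overlap.` The same read-then-increment pattern is in the -179/-215 hunks of Sign and the -268/-290 hunks of CrossSignCA. incrementProviderIndex's body continues outside the hunk; if `newState.SerialIndex++` survives there after SerialIndex is dropped from CAConsulProviderState it will not compile, although the 11→10 line count suggests the commit already removes it.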
@ -1328,10 +1328,9 @@ func TestFSM_CABuiltinProvider(t *testing.T) {
// Provider state.
expected := &structs.CAConsulProviderState{
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 2,
ID: "foo",
PrivateKey: "a",
RootCert: "b",
RaftIndex: structs.RaftIndex{
CreateIndex: 1,
ModifyIndex: 1,
@ -356,10 +356,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
{
expected := &structs.CAConsulProviderState{
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 1,
ID: "foo",
PrivateKey: "a",
RootCert: "b",
}
ok, err := s.CASetProviderState(0, expected)
@ -374,10 +373,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
{
expected := &structs.CAConsulProviderState{
ID: "bar",
PrivateKey: "c",
RootCert: "d",
SerialIndex: 2,
ID: "bar",
PrivateKey: "c",
RootCert: "d",
}
ok, err := s.CASetProviderState(1, expected)
@ -398,16 +396,14 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
// Create multiple state entries.
before := []*structs.CAConsulProviderState{
{
ID: "bar",
PrivateKey: "y",
RootCert: "z",
SerialIndex: 2,
ID: "bar",
PrivateKey: "y",
RootCert: "z",
},
{
ID: "foo",
PrivateKey: "a",
RootCert: "b",
SerialIndex: 1,
ID: "foo",
PrivateKey: "a",
RootCert: "b",
},
}
@ -423,10 +419,9 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
// Modify the state store.
after := &structs.CAConsulProviderState{
ID: "foo",
PrivateKey: "c",
RootCert: "d",
SerialIndex: 1,
ID: "foo",
PrivateKey: "c",
RootCert: "d",
}
ok, err := s.CASetProviderState(100, after)
assert.NoError(err)
@ -168,10 +168,9 @@ type ConsulCAProviderConfig struct {
// CAConsulProviderState is used to track the built-in Consul CA provider's state.
type CAConsulProviderState struct {
ID string
PrivateKey string
RootCert string
SerialIndex uint64
ID string
PrivateKey string
RootCert string
RaftIndex
}