Use provider state table for a global serial index
parent
988510f53c
commit
627aa80d5a
|
@ -179,7 +179,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
||||||
|
|
||||||
// Get the provider state
|
// Get the provider state
|
||||||
state := c.delegate.State()
|
state := c.delegate.State()
|
||||||
_, providerState, err := state.CAProviderState(c.id)
|
idx, providerState, err := state.CAProviderState(c.id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -215,7 +215,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
||||||
|
|
||||||
// Cert template for generation
|
// Cert template for generation
|
||||||
sn := &big.Int{}
|
sn := &big.Int{}
|
||||||
sn.SetUint64(providerState.SerialIndex + 1)
|
sn.SetUint64(idx + 1)
|
||||||
template := x509.Certificate{
|
template := x509.Certificate{
|
||||||
SerialNumber: sn,
|
SerialNumber: sn,
|
||||||
Subject: pkix.Name{CommonName: serviceId.Service},
|
Subject: pkix.Name{CommonName: serviceId.Service},
|
||||||
|
@ -252,7 +252,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
||||||
return "", fmt.Errorf("error encoding private key: %s", err)
|
return "", fmt.Errorf("error encoding private key: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = c.incrementSerialIndex(providerState)
|
err = c.incrementProviderIndex(providerState)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -268,7 +268,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
|
|
||||||
// Get the provider state
|
// Get the provider state
|
||||||
state := c.delegate.State()
|
state := c.delegate.State()
|
||||||
_, providerState, err := state.CAProviderState(c.id)
|
idx, providerState, err := state.CAProviderState(c.id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -290,7 +290,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
|
|
||||||
// Create the cross-signing template from the existing root CA
|
// Create the cross-signing template from the existing root CA
|
||||||
serialNum := &big.Int{}
|
serialNum := &big.Int{}
|
||||||
serialNum.SetUint64(providerState.SerialIndex + 1)
|
serialNum.SetUint64(idx + 1)
|
||||||
template := *cert
|
template := *cert
|
||||||
template.SerialNumber = serialNum
|
template.SerialNumber = serialNum
|
||||||
template.SignatureAlgorithm = rootCA.SignatureAlgorithm
|
template.SignatureAlgorithm = rootCA.SignatureAlgorithm
|
||||||
|
@ -309,7 +309,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
return "", fmt.Errorf("error encoding private key: %s", err)
|
return "", fmt.Errorf("error encoding private key: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = c.incrementSerialIndex(providerState)
|
err = c.incrementProviderIndex(providerState)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
@ -317,11 +317,10 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
return buf.String(), nil
|
return buf.String(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// incrementSerialIndex increments the cert serial number index in the provider
|
// incrementProviderIndex does a write to increment the provider state store table index
|
||||||
// state.
|
// used for serial numbers when generating certificates.
|
||||||
func (c *ConsulCAProvider) incrementSerialIndex(providerState *structs.CAConsulProviderState) error {
|
func (c *ConsulCAProvider) incrementProviderIndex(providerState *structs.CAConsulProviderState) error {
|
||||||
newState := *providerState
|
newState := *providerState
|
||||||
newState.SerialIndex++
|
|
||||||
args := &structs.CARequest{
|
args := &structs.CARequest{
|
||||||
Op: structs.CAOpSetProviderState,
|
Op: structs.CAOpSetProviderState,
|
||||||
ProviderState: &newState,
|
ProviderState: &newState,
|
||||||
|
|
|
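Review bot: The serial minted at `sn.SetUint64(idx + 1)` (and `serialNum.SetUint64(idx + 1)` in CrossSignCA) is derived from the table index read by `idx, providerState, err := state.CAProviderState(c.id)` well before the increment write at `err = c.incrementProviderIndex(providerState)`, so two Sign calls, or a Sign and a CrossSignCA, interleaving on the leader can read the same idx and emit two certificates with the same serial for the same issuer, which RFC 5280 forbids. The previous SerialIndex counter had the same read-then-increment window, but this commit makes the table index the sole serial source without closing it. One option is to hold a provider-level lock across the read, sign and increment in both functions; another is to take the serial from the index the write itself produces, which would require the increment to happen before signing. It would also help to say in the incrementProviderIndex comment that serial uniqueness depends on callers not interleaving the read and the increment. Sign, CrossSignCA and incrementProviderIndex all start or end outside these hunks.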
@ -1328,10 +1328,9 @@ func TestFSM_CABuiltinProvider(t *testing.T) {
|
||||||
|
|
||||||
// Provider state.
|
// Provider state.
|
||||||
expected := &structs.CAConsulProviderState{
|
expected := &structs.CAConsulProviderState{
|
||||||
ID: "foo",
|
ID: "foo",
|
||||||
PrivateKey: "a",
|
PrivateKey: "a",
|
||||||
RootCert: "b",
|
RootCert: "b",
|
||||||
SerialIndex: 2,
|
|
||||||
RaftIndex: structs.RaftIndex{
|
RaftIndex: structs.RaftIndex{
|
||||||
CreateIndex: 1,
|
CreateIndex: 1,
|
||||||
ModifyIndex: 1,
|
ModifyIndex: 1,
|
||||||
|
|
|
@ -356,10 +356,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
|
||||||
|
|
||||||
{
|
{
|
||||||
expected := &structs.CAConsulProviderState{
|
expected := &structs.CAConsulProviderState{
|
||||||
ID: "foo",
|
ID: "foo",
|
||||||
PrivateKey: "a",
|
PrivateKey: "a",
|
||||||
RootCert: "b",
|
RootCert: "b",
|
||||||
SerialIndex: 1,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ok, err := s.CASetProviderState(0, expected)
|
ok, err := s.CASetProviderState(0, expected)
|
||||||
|
@ -374,10 +373,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
|
||||||
|
|
||||||
{
|
{
|
||||||
expected := &structs.CAConsulProviderState{
|
expected := &structs.CAConsulProviderState{
|
||||||
ID: "bar",
|
ID: "bar",
|
||||||
PrivateKey: "c",
|
PrivateKey: "c",
|
||||||
RootCert: "d",
|
RootCert: "d",
|
||||||
SerialIndex: 2,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
ok, err := s.CASetProviderState(1, expected)
|
ok, err := s.CASetProviderState(1, expected)
|
||||||
|
@ -398,16 +396,14 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
|
||||||
// Create multiple state entries.
|
// Create multiple state entries.
|
||||||
before := []*structs.CAConsulProviderState{
|
before := []*structs.CAConsulProviderState{
|
||||||
{
|
{
|
||||||
ID: "bar",
|
ID: "bar",
|
||||||
PrivateKey: "y",
|
PrivateKey: "y",
|
||||||
RootCert: "z",
|
RootCert: "z",
|
||||||
SerialIndex: 2,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
ID: "foo",
|
ID: "foo",
|
||||||
PrivateKey: "a",
|
PrivateKey: "a",
|
||||||
RootCert: "b",
|
RootCert: "b",
|
||||||
SerialIndex: 1,
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -423,10 +419,9 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
|
||||||
|
|
||||||
// Modify the state store.
|
// Modify the state store.
|
||||||
after := &structs.CAConsulProviderState{
|
after := &structs.CAConsulProviderState{
|
||||||
ID: "foo",
|
ID: "foo",
|
||||||
PrivateKey: "c",
|
PrivateKey: "c",
|
||||||
RootCert: "d",
|
RootCert: "d",
|
||||||
SerialIndex: 1,
|
|
||||||
}
|
}
|
||||||
ok, err := s.CASetProviderState(100, after)
|
ok, err := s.CASetProviderState(100, after)
|
||||||
assert.NoError(err)
|
assert.NoError(err)
|
||||||
|
|
|
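Review bot: With SerialIndex removed, these tests no longer exercise the property the new serial scheme rests on: that a write of otherwise unchanged provider state, which is what incrementProviderIndex now performs to mint a serial, advances the index reported for the table. After `ok, err := s.CASetProviderState(1, expected)` a second write of the same `expected` at a higher index, followed by `idx, _, err := s.CAProviderState("bar")` asserting that higher index (assuming the store exposes the same accessor the provider calls), would pin that down. If the store ever short-circuits a write whose content is identical, serial numbers would repeat silently, and a test is the cheapest guard against that. The enclosing test functions continue outside these hunks.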
@ -168,10 +168,9 @@ type ConsulCAProviderConfig struct {
|
||||||
|
|
||||||
// CAConsulProviderState is used to track the built-in Consul CA provider's state.
|
// CAConsulProviderState is used to track the built-in Consul CA provider's state.
|
||||||
type CAConsulProviderState struct {
|
type CAConsulProviderState struct {
|
||||||
ID string
|
ID string
|
||||||
PrivateKey string
|
PrivateKey string
|
||||||
RootCert string
|
RootCert string
|
||||||
SerialIndex uint64
|
|
||||||
|
|
||||||
RaftIndex
|
RaftIndex
|
||||||
}
|
}
|
||||||
|
|
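Review bot: Dropping `SerialIndex uint64` from CAConsulProviderState leaves the struct with no indication that certificate serials are now taken from the table index, and no note on how state persisted with the old field layout is handled; whether older snapshots and log entries carrying SerialIndex decode cleanly depends on the codec, which is outside this hunk. A line in the type doc such as `// Certificate serial numbers are derived from this table's index (see ConsulCAProvider.incrementProviderIndex), not from a field of this struct.` would record the dependency for the next maintainer. It is also worth confirming that the table index at upgrade time exceeds any serial already issued under the old counter, since a lower value would let a serial repeat for the same issuer.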