connect: use correct subject key id for leaf certificates. (#7091)
parent
a33154ac9b
commit
82c556d1be
|
@ -343,6 +343,12 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Create the subjectKeyId for the cert from the csr public key.
|
||||||
|
subjectKeyID, err := connect.KeyId(csr.PublicKey)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
// Parse the SPIFFE ID
|
// Parse the SPIFFE ID
|
||||||
spiffeId, err := connect.ParseCertURI(csr.URIs[0])
|
spiffeId, err := connect.ParseCertURI(csr.URIs[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
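Review bot: The subject key id is now derived from `csr.PublicKey`, but nothing in this hunk shows that the CSR's self-signature has been verified first; Sign begins outside the hunk, so if `csr.CheckSignature()` is not already called before this point it should be, otherwise both the SKI and the issued certificate are bound to a key the requester has not proven it holds. The added `return "", err` follows the surrounding bare-return style but makes this failure indistinguishable from the SPIFFE-ID parse error a few lines below; if the file imports fmt, `return "", fmt.Errorf("computing subject key id from CSR public key: %v", err)` would tell the operator which step rejected the request. The `csr.URIs[0]` index on the following context line is pre-existing and not part of this change.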
@ -402,7 +408,7 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
||||||
NotAfter: effectiveNow.Add(c.config.LeafCertTTL),
|
NotAfter: effectiveNow.Add(c.config.LeafCertTTL),
|
||||||
NotBefore: effectiveNow,
|
NotBefore: effectiveNow,
|
||||||
AuthorityKeyId: keyId,
|
AuthorityKeyId: keyId,
|
||||||
SubjectKeyId: keyId,
|
SubjectKeyId: subjectKeyID,
|
||||||
DNSNames: csr.DNSNames,
|
DNSNames: csr.DNSNames,
|
||||||
IPAddresses: csr.IPAddresses,
|
IPAddresses: csr.IPAddresses,
|
||||||
}
|
}
|
||||||
|
|
|
@ -176,6 +176,9 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
|
||||||
require.Equal(spiffeService.URI(), parsed.URIs[0])
|
require.Equal(spiffeService.URI(), parsed.URIs[0])
|
||||||
require.Equal(connect.ServiceCN("foo", connect.TestClusterID), parsed.Subject.CommonName)
|
require.Equal(connect.ServiceCN("foo", connect.TestClusterID), parsed.Subject.CommonName)
|
||||||
require.Equal(uint64(2), parsed.SerialNumber.Uint64())
|
require.Equal(uint64(2), parsed.SerialNumber.Uint64())
|
||||||
|
subjectKeyID, err := connect.KeyId(csr.PublicKey)
|
||||||
|
require.NoError(err)
|
||||||
|
require.Equal(subjectKeyID, parsed.SubjectKeyId)
|
||||||
requireNotEncoded(t, parsed.SubjectKeyId)
|
requireNotEncoded(t, parsed.SubjectKeyId)
|
||||||
requireNotEncoded(t, parsed.AuthorityKeyId)
|
requireNotEncoded(t, parsed.AuthorityKeyId)
|
||||||
|
|
||||||
|
|
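Review bot: The new assertion `require.Equal(subjectKeyID, parsed.SubjectKeyId)` pins the SKI to the CSR key, but the regression this commit fixes was SKI being set to the CA's key id, and that is only caught indirectly; adding `require.NotEqual(parsed.AuthorityKeyId, parsed.SubjectKeyId)` after it states the fixed invariant explicitly so a future change that copies `keyId` into both fields fails for the right reason. The enclosing TestConsulCAProvider_SignLeaf starts outside the hunk, so the assertion on AuthorityKeyId matching the signing CA's key id may already exist there.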