From dba2de57de42a8b5175d7aa1388965566e8d08c9 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Thu, 6 Apr 2017 17:00:50 -0400 Subject: [PATCH 01/11] Change storage of entries from colons to hyphens and add a lookup/migration path Still TODO: tests on migration path Fixes #2552 --- builtin/logical/pki/cert_util.go | 42 ++++++++++++++++++++++-- builtin/logical/pki/crl_util.go | 3 +- builtin/logical/pki/path_intermediate.go | 3 +- builtin/logical/pki/path_issue_sign.go | 5 +-- builtin/logical/pki/path_root.go | 5 +-- builtin/logical/pki/secret_certs.go | 5 +-- 6 files changed, 50 insertions(+), 13 deletions(-) diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index d9425fc5a0aa..15188ced9708 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go 
@@ -185,32 +185,68 @@ func fetchCAInfo(req *logical.Request) (*caInfoBundle, error) { // separate pathing for CA, CRL, and revoked certificates. func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.StorageEntry, error) { var path string + var err error + var certEntry *logical.StorageEntry switch { // Revoked goes first as otherwise ca/crl get hardcoded paths which fail if // we actually want revocation info case strings.HasPrefix(prefix, "revoked/"): - path = "revoked/" + strings.Replace(strings.ToLower(serial), "-", ":", -1) + path = "revoked/" + strings.Replace(strings.ToLower(serial), ":", "-", -1) case serial == "ca": path = "ca" case serial == "crl": path = "crl" + default: + path = "certs/" + strings.Replace(strings.ToLower(serial), ":", "-", -1) + } + + certEntry, err = req.Storage.Get(path) + if err != nil { + return nil, errutil.InternalError{Err: fmt.Sprintf("error fetching certificate %s: %s", serial, err)} + } + if certEntry != nil { + if certEntry.Value == nil || len(certEntry.Value) == 0 { + return nil, errutil.InternalError{Err: fmt.Sprintf("returned certificate bytes for serial %s were empty", serial)} + } + return certEntry, nil + } + + // No point checking these, no old/new style colons/hyphens + if path == "ca" || path == "crl" { + return nil, nil + } + + // Save the desired path + desiredPath := path + + // If we get here we need to check for old-style paths using colons + switch { + case strings.HasPrefix(prefix, "revoked/"): + path = "revoked/" + strings.Replace(strings.ToLower(serial), "-", ":", -1) default: path = "certs/" + strings.Replace(strings.ToLower(serial), "-", ":", -1) } - certEntry, err := req.Storage.Get(path) + certEntry, err = req.Storage.Get(path) if err != nil { return nil, errutil.InternalError{Err: fmt.Sprintf("error fetching certificate %s: %s", serial, err)} } if certEntry == nil { return nil, nil } - if certEntry.Value == nil || len(certEntry.Value) == 0 { return nil, errutil.InternalError{Err: 
fmt.Sprintf("returned certificate bytes for serial %s were empty", serial)} } + certEntry.Key = desiredPath + if err = req.Storage.Put(certEntry); err != nil { + return nil, errutil.InternalError{Err: fmt.Sprintf("error saving certificate with serial %s to new location", serial)} + } + if err = req.Storage.Delete(path); err != nil { + return nil, errutil.InternalError{Err: fmt.Sprintf("error deleting certificate with serial %s from old location", serial)} + } + return certEntry, nil } diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go index aa15f6cc617f..4519a0805918 100644 --- a/builtin/logical/pki/crl_util.go +++ b/builtin/logical/pki/crl_util.go @@ -5,6 +5,7 @@ import ( "crypto/x509" "crypto/x509/pkix" "fmt" + "strings" "time" "github.com/hashicorp/vault/helper/errutil" @@ -86,7 +87,7 @@ func revokeCert(b *backend, req *logical.Request, serial string, fromLease bool) revInfo.RevocationTime = currTime.Unix() revInfo.RevocationTimeUTC = currTime.UTC() - revEntry, err = logical.StorageEntryJSON("revoked/"+serial, revInfo) + revEntry, err = logical.StorageEntryJSON("revoked/"+strings.ToLower(strings.Replace(serial, ":", "-", -1)), revInfo) if err != nil { return nil, fmt.Errorf("Error creating revocation entry") } diff --git a/builtin/logical/pki/path_intermediate.go b/builtin/logical/pki/path_intermediate.go index 6bac720240ec..6887e97ae104 100644 --- a/builtin/logical/pki/path_intermediate.go +++ b/builtin/logical/pki/path_intermediate.go @@ -3,6 +3,7 @@ package pki import ( "encoding/base64" "fmt" + "strings" "github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/helper/errutil" @@ -196,7 +197,7 @@ func (b *backend) pathSetSignedIntermediate( return nil, err } - entry.Key = "certs/" + cb.SerialNumber + entry.Key = "certs/" + strings.ToLower(strings.Replace(cb.SerialNumber, ":", "-", -1)) entry.Value = inputBundle.CertificateBytes err = req.Storage.Put(entry) if err != nil { 
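Review bot: The two failure branches added at the end of the hunk discard the underlying error: `return nil, errutil.InternalError{Err: fmt.Sprintf("error saving certificate with serial %s to new location", serial)}` and its Delete counterpart format only the serial, so a storage failure during migration is reported without its cause, unlike the Get branches above which append `: %s` with `err`. Add `: %s` and `err` to both messages. The migration also turns a lookup into a Put followed by a Delete: if the Delete fails the entry has already been copied yet the caller receives an error, and two concurrent lookups of the same serial can race through the same Put/Delete pair; the function's doc comment (which begins outside the hunk) should state that a read may now write to storage, and it is worth considering returning the migrated entry when only the Delete fails.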
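Review bot: The key normalization `strings.ToLower(strings.Replace(serial, ":", "-", -1))` written here is repeated verbatim in path_intermediate.go, path_issue_sign.go and twice in path_root.go, while cert_util.go's lookup spells it `strings.Replace(strings.ToLower(serial), ":", "-", -1)`; the results agree today, but six hand-copied expressions on the write and read sides are how storage key formats drift apart. A single helper in cert_util.go, e.g. `func normalizeSerial(serial string) string { return strings.ToLower(strings.Replace(serial, ":", "-", -1)) }`, used at all six sites would keep the key format in one place and make the new `strings` imports in the path_* files unnecessary. revokeCert's body continues outside the hunk on both sides.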
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go index 429d96315b7b..3759d4d99c90 100644 --- a/builtin/logical/pki/path_issue_sign.go +++ b/builtin/logical/pki/path_issue_sign.go @@ -3,6 +3,7 @@ package pki import ( "encoding/base64" "fmt" + "strings" "time" "github.com/hashicorp/vault/helper/certutil" @@ -242,11 +243,11 @@ func (b *backend) pathIssueSignCert( if !role.NoStore { err = req.Storage.Put(&logical.StorageEntry{ - Key: "certs/" + cb.SerialNumber, + Key: "certs/" + strings.ToLower(strings.Replace(cb.SerialNumber, ":", "-", -1)), Value: parsedBundle.CertificateBytes, }) if err != nil { - return nil, fmt.Errorf("Unable to store certificate locally: %v", err) + return nil, fmt.Errorf("unable to store certificate locally: %v", err) } } diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go index c9a8cf297e78..c10d462b0751 100644 --- a/builtin/logical/pki/path_root.go +++ b/builtin/logical/pki/path_root.go @@ -3,6 +3,7 @@ package pki import ( "encoding/base64" "fmt" + "strings" "github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/logical" @@ -145,7 +146,7 @@ func (b *backend) pathCAGenerateRoot( // Also store it as just the certificate identified by serial number, so it // can be revoked err = req.Storage.Put(&logical.StorageEntry{ - Key: "certs/" + cb.SerialNumber, + Key: "certs/" + strings.ToLower(strings.Replace(cb.SerialNumber, ":", "-", -1)), Value: parsedBundle.CertificateBytes, }) if err != nil { @@ -277,7 +278,7 @@ func (b *backend) pathCASignIntermediate( } err = req.Storage.Put(&logical.StorageEntry{ - Key: "certs/" + cb.SerialNumber, + Key: "certs/" + strings.ToLower(strings.Replace(cb.SerialNumber, ":", "-", -1)), Value: parsedBundle.CertificateBytes, }) if err != nil { diff --git a/builtin/logical/pki/secret_certs.go b/builtin/logical/pki/secret_certs.go index fbc653d1daab..32f6f4296cc0 100644 --- a/builtin/logical/pki/secret_certs.go 
+++ b/builtin/logical/pki/secret_certs.go @@ -2,7 +2,6 @@ package pki import ( "fmt" - "strings" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" @@ -46,10 +45,8 @@ func (b *backend) secretCredsRevoke( return nil, fmt.Errorf("could not find serial in internal secret data") } - serial := strings.Replace(strings.ToLower(serialInt.(string)), "-", ":", -1) - b.revokeStorageLock.Lock() defer b.revokeStorageLock.Unlock() - return revokeCert(b, req, serial, true) + return revokeCert(b, req, serialInt.(string), true) } From c269fe1ce0e5aa13b30664f36e87d359cd7c0da1 Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Wed, 26 Apr 2017 02:46:01 -0400 Subject: [PATCH 02/11] Tests for cert and crl util --- builtin/logical/pki/cert_util_test.go | 86 +++++++++++++++ builtin/logical/pki/crl_util.go | 2 +- builtin/logical/pki/crl_util_test.go | 101 ++++++++++++++++++ .../logical/pki/test-fixtures/keys/cert.pem | 22 ++++ .../logical/pki/test-fixtures/keys/key.pem | 27 +++++ .../logical/pki/test-fixtures/keys/pkioutput | 74 +++++++++++++ 6 files changed, 311 insertions(+), 1 deletion(-) create mode 100644 builtin/logical/pki/cert_util_test.go create mode 100644 builtin/logical/pki/crl_util_test.go create mode 100644 builtin/logical/pki/test-fixtures/keys/cert.pem create mode 100644 builtin/logical/pki/test-fixtures/keys/key.pem create mode 100644 builtin/logical/pki/test-fixtures/keys/pkioutput diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go new file mode 100644 index 000000000000..6a7d7d7b96e7 --- /dev/null +++ b/builtin/logical/pki/cert_util_test.go 
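Review bot: `revokeCert(b, req, serialInt.(string), true)` keeps an unchecked type assertion on a value read from the secret's internal data; if the stored value is not a string this panics instead of returning an error the way the missing-serial case just above does. Prefer `serial, ok := serialInt.(string)` followed by `if !ok { return nil, fmt.Errorf("serial in internal secret data is not a string") }` before taking the lock. The assertion was already unchecked before this change, so this is pre-existing in form. Since the hunk removes the lowercase/hyphen normalization from this call site, a one-line comment noting that revokeCert and fetchCertBySerial normalize the serial themselves would explain why the raw value is passed. secretCredsRevoke begins outside the hunk.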
@@ -0,0 +1,86 @@ +package pki + +import ( + "testing" + + "github.com/hashicorp/vault/logical" +) + +func TestFetchCertBySerial(t *testing.T) { + storage := &logical.InmemStorage{} + + cases := map[string]struct { + Req *logical.Request + StorageKey string + }{ + "cert, valid colon": { + &logical.Request{ + Operation: logical.ReadOperation, + Path: "certs/10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", + Storage: storage, + }, + "10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", + }, + "cert, revoked colon": { + &logical.Request{ + Operation: logical.ReadOperation, + Path: "revoked/10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", + Storage: storage, + }, + "10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", + }, + "cert, valid hyphen": { + &logical.Request{ + Operation: logical.ReadOperation, + Path: "certs/10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", + Storage: storage, + }, + "10-e6-fc-62-b7-41-8a-d5-00-5e-45-b6", + }, + "cert, revoked hyphen": { + &logical.Request{ + Operation: logical.ReadOperation, + Path: "revoked/10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", + Storage: storage, + }, + "10-e6-fc-62-b7-41-8a-d5-00-5e-45-b6", + }, + "cert, ca": { + &logical.Request{ + Operation: logical.ReadOperation, + Path: "ca", + Storage: storage, + }, + "", + }, + "cert, crl": { + &logical.Request{ + Operation: logical.ReadOperation, + Path: "crl", + Storage: storage, + }, + "", + }, + } + + for name, tc := range cases { + // Put pseudo-cert in inmem storage + err := storage.Put(&logical.StorageEntry{ + Key: tc.Req.Path, + Value: []byte("some data"), + }) + if err != nil { + t.Fatalf("error writing to storage on %s: %s", name, err) + } + + certEntry, err := fetchCertBySerial(tc.Req, tc.Req.Path, tc.StorageKey) + if err != nil { + t.Fatalf("fetchBySerial error on %s: %s", name, err) + } + + // Check for non-nil on valid/revoked certs + if certEntry == nil && tc.Req.Path != "ca" && tc.Req.Path != "crl" { // if true + t.Fatalf("fetchBySerial returned nil on %s", name) + } + } +} 
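Review bot: The `"cert, ca"` and `"cert, crl"` cases pass `tc.StorageKey` — an empty string — as the serial, so fetchCertBySerial never reaches its `serial == "ca"` / `serial == "crl"` branches; it looks up `certs/` instead and returns nil, which the final check then accepts for those paths. Set StorageKey to `"ca"` and `"crl"` for those two cases. The remaining cases all seed storage under `tc.Req.Path`, which is always the colon form, so only the fallback-and-migrate branch is exercised and never a pre-existing hyphenated entry, and the sole assertion is non-nil. After each migrating call, check `certEntry.Key` against the hyphenated path and that `storage.Get(tc.Req.Path)` now returns nil, and add a case seeded directly under the hyphenated key; crl_util_test.go in this series seeds storage the same way.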
diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go index 4519a0805918..dedba708a6be 100644 --- a/builtin/logical/pki/crl_util.go +++ b/builtin/logical/pki/crl_util.go @@ -66,7 +66,7 @@ func revokeCert(b *backend, req *logical.Request, serial string, fromLease bool) cert, err := x509.ParseCertificate(certEntry.Value) if err != nil { - return nil, fmt.Errorf("Error parsing certificate") + return nil, fmt.Errorf("Error parsing certificate: %s", err) } if cert == nil { return nil, fmt.Errorf("Got a nil certificate") diff --git a/builtin/logical/pki/crl_util_test.go b/builtin/logical/pki/crl_util_test.go new file mode 100644 index 000000000000..c6ea119b8dde --- /dev/null +++ b/builtin/logical/pki/crl_util_test.go 
@@ -0,0 +1,101 @@ +package pki + +import ( + "encoding/pem" + "io/ioutil" + "testing" + "time" + + "github.com/hashicorp/vault/helper/jsonutil" + "github.com/hashicorp/vault/logical" +) + +func TestRevokeCert(t *testing.T) { + storage := &logical.InmemStorage{} + config := logical.TestBackendConfig() + config.StorageView = storage + + b := Backend() + _, err := b.Setup(config) + if err != nil { + t.Fatal(err) + } + + certValue, err := ioutil.ReadFile("test-fixtures/keys/cert.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + block, _ := pem.Decode(certValue) + if block == nil { + t.Fatal("failed to decode PEM cert into DER") + } + + var revInfo revocationInfo + currTime := time.Now() + revInfo.CertificateBytes = block.Bytes + revInfo.RevocationTime = currTime.Unix() + revInfo.RevocationTimeUTC = currTime.UTC() + encodedCertValue, err := jsonutil.EncodeJSON(revInfo) + if err != nil { + t.Fatalf("error encoding pseudo cert value: %s", err) + } + + cases := map[string]struct { + Req *logical.Request + StorageKey string + StorageValue []byte + }{ + "cert, valid colon": { + &logical.Request{ + Operation: logical.UpdateOperation, + Path: "certs/7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", + Storage: storage, + }, + "7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", + certValue, + }, + "cert, revoked colon": { + &logical.Request{ + Operation: logical.UpdateOperation, + Path: "revoked/7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", + Storage: storage, + }, + "7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", + encodedCertValue, + }, + "cert, valid hyphen": { + &logical.Request{ + Operation: logical.UpdateOperation, + Path: "certs/7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", + Storage: storage, + }, + "7f-e8-e1-29-31-41-9e-a4-ac-df-82-08-d1-64-b5-2f-84-2c-6d-b0", + certValue, + }, + "cert, revoked hyphen": { + &logical.Request{ + Operation: logical.UpdateOperation, + Path: 
"revoked/7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", + Storage: storage, + }, + "7f-e8-e1-29-31-41-9e-a4-ac-df-82-08-d1-64-b5-2f-84-2c-6d-b0", + encodedCertValue, + }, + } + + for name, tc := range cases { + // Put pseudo-cert in inmem storage + err := storage.Put(&logical.StorageEntry{ + Key: tc.Req.Path, + Value: tc.StorageValue, + }) + if err != nil { + t.Fatalf("error writing to storage on %s: %s", name, err) + } + + _, err = revokeCert(b, tc.Req, tc.StorageKey, false) + if err != nil { + t.Fatalf("revokeCert error on %s: %s", name, err) + } + } +} diff --git a/builtin/logical/pki/test-fixtures/keys/cert.pem b/builtin/logical/pki/test-fixtures/keys/cert.pem new file mode 100644 index 000000000000..942d26698b12 --- /dev/null +++ b/builtin/logical/pki/test-fixtures/keys/cert.pem 
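Review bot: All cases share one `storage` and `cases` is a map, so iteration order is random and each revokeCert call leaves state behind (it writes a `revoked/` entry, per crl_util.go in this series) that later cases then observe; any failure here would be order-dependent and intermittent. Use a slice of cases to fix the order, or seed a fresh `logical.InmemStorage` (and backend) per case, so a failing run is reproducible. cert_util_test.go uses the same shared-storage map pattern.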
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUf+jhKTFBnqSs34II0WS1L4QsbbAwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzQxWhcNMjUw +MTA1MTAyODExWjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxS +TRAVnygAftetT8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGn +SgMld6ZWRhNheZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmi +YYMiIWplidMmMO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5 +donyqtnaHuIJGuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVG +B+5+AAGF5iuHC3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABo4H1 +MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUm++e +HpyM3p708bgZJuRYEdX1o+UwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+o +k5swOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x +OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQuZXhhbXBsZS5jb22HBH8A +AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br +aS9jcmwwDQYJKoZIhvcNAQELBQADggEBABsuvmPSNjjKTVN6itWzdQy+SgMIrwfs +X1Yb9Lefkkwmp9ovKFNQxa4DucuCuzXcQrbKwWTfHGgR8ct4rf30xCRoA7dbQWq4 +aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA +KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN +QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj +xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk= +-----END CERTIFICATE----- diff --git a/builtin/logical/pki/test-fixtures/keys/key.pem b/builtin/logical/pki/test-fixtures/keys/key.pem new file mode 100644 index 000000000000..add982002acf --- /dev/null +++ b/builtin/logical/pki/test-fixtures/keys/key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftetT8pu +HflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNheZhA +6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMmMO5N +TRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJGuUd +y54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuHC3N2 +DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABAoIBAHR7fFV0eAGaopsX +9OD0TUGlsephBXb43g0GYHfJ/1Ew18w9oaxszJEqkl+PB4W3xZ3yG3e8ZomxDOhF +RreF2WgG5xOfhDogMwu6NodbArfgnAvoC6JnW3qha8HMP4F500RFVyCRcd6A3Frd +rFtaZn/UyCsBAN8/zkwPeYHayo7xX6d9kzgRl9HluEX5PXI5+3uiBDUiM085gkLI +5Cmadh9fMdjfhDXI4x2JYmILpp/9Nlc/krB15s5n1MPNtn3yL0TI0tWp0WlwDCV7 +oUm1SfIM0F1fXGFyFDcqwoIr6JCQgXk6XtTg31YhH1xgUIclUVdtHqmAwAbLdIhQ +GAiHn2kCgYEAwD4pZ8HfpiOG/EHNoWsMATc/5yC7O8F9WbvcHZQIymLY4v/7HKZb +VyOR6UQ5/O2cztSGIuKSF6+OK1C34lOyCuTSOTFrjlgEYtLIXjdGLfFdtOO8GRQR +akVXdwuzNAjTBaH5eXbG+NKcjmCvZL48dQVlfDTVulzFGbcsVTHIMQUCgYEA7IQI +FVsKnY3KqpyGqXq92LMcsT3XgW6X1BIIV+YhJ5AFUFkFrjrbXs94/8XyLfi0xBQy +efK+8g5sMs7koF8LyZEcAXWZJQduaKB71hoLlRaU4VQkL/dl2B6VFmAII/CsRCYh +r9RmDN2PF/mp98Ih9dpC1VqcCDRGoTYsd7jLalMCgYAMgH5k1wDaZxkSMp1S0AlZ +0uP+/evvOOgT+9mWutfPgZolOQx1koQCKLgGeX9j6Xf3I28NubpSfAI84uTyfQrp +FnRtb79U5Hh0jMynA+U2e6niZ6UF5H41cQj9Hu+qhKBkj2IP+h96cwfnYnZFkPGR +kqZE65KyqfHPeFATwkcImQKBgCdrfhlpGiTWXCABhKQ8s+WpPLAB2ahV8XJEKyXT +UlVQuMIChGLcpnFv7P/cUxf8asx/fUY8Aj0/0CLLvulHziQjTmKj4gl86pb/oIQ3 +xRRtNhU0O+/OsSfLORgIm3K6C0w0esregL/GMbJSR1TnA1gBr7/1oSnw5JC8Ab9W +injHAoGAJT1MGAiQrhlt9GCGe6Ajw4omdbY0wS9NXefnFhf7EwL0es52ezZ28zpU +2LXqSFbtann5CHgpSLxiMYPDIf+er4xgg9Bz34tz1if1rDfP2Qrxdrpr4jDnrGT3 +gYC2qCpvVD9RRUMKFfnJTfl5gMQdBW/LINkHtJ82snAeLl3gjQ4= +-----END RSA PRIVATE KEY----- diff --git a/builtin/logical/pki/test-fixtures/keys/pkioutput b/builtin/logical/pki/test-fixtures/keys/pkioutput new file mode 100644 index 000000000000..526ff03167b2 --- /dev/null +++ b/builtin/logical/pki/test-fixtures/keys/pkioutput 
@@ -0,0 +1,74 @@ +Key Value +lease_id pki/issue/example-dot-com/d8214077-9976-8c68-9c07-6610da30aea4 +lease_duration 279359999 +lease_renewable false +certificate -----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUf+jhKTFBnqSs34II0WS1L4QsbbAwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzQxWhcNMjUw +MTA1MTAyODExWjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxS +TRAVnygAftetT8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGn +SgMld6ZWRhNheZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmi +YYMiIWplidMmMO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5 +donyqtnaHuIJGuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVG +B+5+AAGF5iuHC3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABo4H1 +MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUm++e +HpyM3p708bgZJuRYEdX1o+UwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+o +k5swOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x +OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQuZXhhbXBsZS5jb22HBH8A +AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br +aS9jcmwwDQYJKoZIhvcNAQELBQADggEBABsuvmPSNjjKTVN6itWzdQy+SgMIrwfs +X1Yb9Lefkkwmp9ovKFNQxa4DucuCuzXcQrbKwWTfHGgR8ct4rf30xCRoA7dbQWq4 +aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA +KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN +QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj +xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk= +-----END CERTIFICATE----- +issuing_ca -----BEGIN CERTIFICATE----- +MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw +MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 +Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 +z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x 
+AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb +6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH +SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G +A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx +7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc +BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA +wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2 +U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa +cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N +ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ +t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk +zehNe5dFTjFpylg1o6b8Ow== +-----END CERTIFICATE----- +private_key -----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftetT8pu +HflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNheZhA +6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMmMO5N +TRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJGuUd +y54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuHC3N2 +DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABAoIBAHR7fFV0eAGaopsX +9OD0TUGlsephBXb43g0GYHfJ/1Ew18w9oaxszJEqkl+PB4W3xZ3yG3e8ZomxDOhF +RreF2WgG5xOfhDogMwu6NodbArfgnAvoC6JnW3qha8HMP4F500RFVyCRcd6A3Frd +rFtaZn/UyCsBAN8/zkwPeYHayo7xX6d9kzgRl9HluEX5PXI5+3uiBDUiM085gkLI +5Cmadh9fMdjfhDXI4x2JYmILpp/9Nlc/krB15s5n1MPNtn3yL0TI0tWp0WlwDCV7 +oUm1SfIM0F1fXGFyFDcqwoIr6JCQgXk6XtTg31YhH1xgUIclUVdtHqmAwAbLdIhQ +GAiHn2kCgYEAwD4pZ8HfpiOG/EHNoWsMATc/5yC7O8F9WbvcHZQIymLY4v/7HKZb +VyOR6UQ5/O2cztSGIuKSF6+OK1C34lOyCuTSOTFrjlgEYtLIXjdGLfFdtOO8GRQR +akVXdwuzNAjTBaH5eXbG+NKcjmCvZL48dQVlfDTVulzFGbcsVTHIMQUCgYEA7IQI +FVsKnY3KqpyGqXq92LMcsT3XgW6X1BIIV+YhJ5AFUFkFrjrbXs94/8XyLfi0xBQy +efK+8g5sMs7koF8LyZEcAXWZJQduaKB71hoLlRaU4VQkL/dl2B6VFmAII/CsRCYh +r9RmDN2PF/mp98Ih9dpC1VqcCDRGoTYsd7jLalMCgYAMgH5k1wDaZxkSMp1S0AlZ 
+0uP+/evvOOgT+9mWutfPgZolOQx1koQCKLgGeX9j6Xf3I28NubpSfAI84uTyfQrp +FnRtb79U5Hh0jMynA+U2e6niZ6UF5H41cQj9Hu+qhKBkj2IP+h96cwfnYnZFkPGR +kqZE65KyqfHPeFATwkcImQKBgCdrfhlpGiTWXCABhKQ8s+WpPLAB2ahV8XJEKyXT +UlVQuMIChGLcpnFv7P/cUxf8asx/fUY8Aj0/0CLLvulHziQjTmKj4gl86pb/oIQ3 +xRRtNhU0O+/OsSfLORgIm3K6C0w0esregL/GMbJSR1TnA1gBr7/1oSnw5JC8Ab9W +injHAoGAJT1MGAiQrhlt9GCGe6Ajw4omdbY0wS9NXefnFhf7EwL0es52ezZ28zpU +2LXqSFbtann5CHgpSLxiMYPDIf+er4xgg9Bz34tz1if1rDfP2Qrxdrpr4jDnrGT3 +gYC2qCpvVD9RRUMKFfnJTfl5gMQdBW/LINkHtJ82snAeLl3gjQ4= +-----END RSA PRIVATE KEY----- +private_key_type rsa From 4bf51ca52c48873223870cee729ffdf13503330f Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Wed, 26 Apr 2017 09:58:34 -0400 Subject: [PATCH 03/11] Fix crl_util test --- builtin/logical/pki/crl_util_test.go | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/builtin/logical/pki/crl_util_test.go b/builtin/logical/pki/crl_util_test.go index c6ea119b8dde..f22c8f8e108c 100644 --- a/builtin/logical/pki/crl_util_test.go +++ b/builtin/logical/pki/crl_util_test.go @@ -29,13 +29,14 @@ func TestRevokeCert(t *testing.T) { if block == nil { t.Fatal("failed to decode PEM cert into DER") } + certDER := block.Bytes var revInfo revocationInfo currTime := time.Now() - revInfo.CertificateBytes = block.Bytes + revInfo.CertificateBytes = certDER revInfo.RevocationTime = currTime.Unix() revInfo.RevocationTimeUTC = currTime.UTC() - encodedCertValue, err := jsonutil.EncodeJSON(revInfo) + encodedCertDER, err := jsonutil.EncodeJSON(revInfo) if err != nil { t.Fatalf("error encoding pseudo cert value: %s", err) } @@ -52,7 +53,7 @@ func TestRevokeCert(t *testing.T) { Storage: storage, }, "7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", - certValue, + certDER, }, "cert, revoked colon": { &logical.Request{ 
@@ -61,7 +62,7 @@ func TestRevokeCert(t *testing.T) { Storage: storage, }, "7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", - encodedCertValue, + encodedCertDER, }, "cert, valid hyphen": { &logical.Request{ @@ -70,7 +71,7 @@ func TestRevokeCert(t *testing.T) { Storage: storage, }, "7f-e8-e1-29-31-41-9e-a4-ac-df-82-08-d1-64-b5-2f-84-2c-6d-b0", - certValue, + certDER, }, "cert, revoked hyphen": { &logical.Request{ @@ -79,7 +80,7 @@ func TestRevokeCert(t *testing.T) { Storage: storage, }, "7f-e8-e1-29-31-41-9e-a4-ac-df-82-08-d1-64-b5-2f-84-2c-6d-b0", - encodedCertValue, + encodedCertDER, }, } From ced4c880505e45753f9aab5ba7f12d79fd6aa244 Mon Sep 17 00:00:00 2001 
From: Calvin Leung Huang Date: Wed, 26 Apr 2017 16:05:58 -0400 Subject: [PATCH 04/11] Add remaining tests --- builtin/logical/pki/cert_util_test.go | 2 +- builtin/logical/pki/crl_util_test.go | 30 ++++- builtin/logical/pki/path_intermediate_test.go | 74 ++++++++++ builtin/logical/pki/path_issue_sign_test.go | 94 +++++++++++++ builtin/logical/pki/path_root_test.go | 126 ++++++++++++++++++ builtin/logical/pki/test-fixtures/cacert.pem | 20 +++ builtin/logical/pki/test-fixtures/cakey.pem | 27 ++++ .../logical/pki/test-fixtures/root/csr.pem | 16 +++ .../logical/pki/test-fixtures/root/pkioutput | 74 ++++++++++ .../logical/pki/test-fixtures/root/root.crl | 12 ++ .../pki/test-fixtures/root/rootcacert.pem | 20 +++ .../pki/test-fixtures/root/rootcakey.pem | 27 ++++ 12 files changed, 518 insertions(+), 4 deletions(-) create mode 100644 builtin/logical/pki/path_intermediate_test.go create mode 100644 builtin/logical/pki/path_issue_sign_test.go create mode 100644 builtin/logical/pki/path_root_test.go create mode 100644 builtin/logical/pki/test-fixtures/cacert.pem create mode 100644 builtin/logical/pki/test-fixtures/cakey.pem create mode 100644 builtin/logical/pki/test-fixtures/root/csr.pem create mode 100644 builtin/logical/pki/test-fixtures/root/pkioutput create mode 100644 builtin/logical/pki/test-fixtures/root/root.crl create mode 100644 builtin/logical/pki/test-fixtures/root/rootcacert.pem create mode 100644 builtin/logical/pki/test-fixtures/root/rootcakey.pem diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go index 6a7d7d7b96e7..8183a47b1876 100644 --- a/builtin/logical/pki/cert_util_test.go +++ b/builtin/logical/pki/cert_util_test.go 
@@ -79,7 +79,7 @@ func TestFetchCertBySerial(t *testing.T) { } // Check for non-nil on valid/revoked certs - if certEntry == nil && tc.Req.Path != "ca" && tc.Req.Path != "crl" { // if true + if certEntry == nil && tc.Req.Path != "ca" && tc.Req.Path != "crl" { t.Fatalf("fetchBySerial returned nil on %s", name) } } diff --git a/builtin/logical/pki/crl_util_test.go b/builtin/logical/pki/crl_util_test.go index f22c8f8e108c..d8e720b545de 100644 --- a/builtin/logical/pki/crl_util_test.go +++ b/builtin/logical/pki/crl_util_test.go @@ -6,6 +6,7 @@ import ( "testing" "time" + "github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/logical" ) @@ -21,6 +22,29 @@ func TestRevokeCert(t *testing.T) { t.Fatal(err) } + // Place CA cert in storage + rootCAKeyPEM, err := ioutil.ReadFile("test-fixtures/root/rootcakey.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + rootCACertPEM, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + cb := &certutil.CertBundle{} + cb.PrivateKey = string(rootCAKeyPEM) + cb.PrivateKeyType = certutil.RSAPrivateKey + cb.Certificate = string(rootCACertPEM) + + bundleEntry, err := logical.StorageEntryJSON("config/ca_bundle", cb) + if err != nil { + t.Fatal(err) + } + err = storage.Put(bundleEntry) + if err != nil { + t.Fatal(err) + } + certValue, err := ioutil.ReadFile("test-fixtures/keys/cert.pem") if err != nil { t.Fatalf("err: %v", err) @@ -94,9 +118,9 @@ func TestRevokeCert(t *testing.T) { t.Fatalf("error writing to storage on %s: %s", name, err) } - _, err = revokeCert(b, tc.Req, tc.StorageKey, false) - if err != nil { - t.Fatalf("revokeCert error on %s: %s", name, err) + resp, err := revokeCert(b, tc.Req, tc.StorageKey, false) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: err: %v resp: %#v", err, resp) } } } 
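Review bot: The rewritten failure message `t.Fatalf("bad: err: %v resp: %#v", err, resp)` drops `name`, which the replaced line carried; with `cases` a map iterated in random order, the output no longer says which case failed. Use `t.Fatalf("%s: bad: err: %v resp: %#v", name, err, resp)`. The root-CA seeding block added in the preceding hunk (reading rootcakey.pem and rootcacert.pem, building a certutil.CertBundle, writing `config/ca_bundle`) is repeated verbatim in path_issue_sign_test.go and path_root_test.go in this commit; a shared helper such as `seedRootCA(t, storage)` would keep the fixture paths in one place. TestRevokeCert begins and ends outside these hunks.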
diff --git a/builtin/logical/pki/path_intermediate_test.go b/builtin/logical/pki/path_intermediate_test.go new file mode 100644 index 000000000000..e4b15919e8d3 --- /dev/null +++ b/builtin/logical/pki/path_intermediate_test.go 
@@ -0,0 +1,74 @@ +package pki + +import ( + "io/ioutil" + "strings" + "testing" + + "github.com/hashicorp/vault/helper/certutil" + "github.com/hashicorp/vault/logical" + "github.com/hashicorp/vault/logical/framework" +) + +func TestSetSignedIntermediate(t *testing.T) { + storage := &logical.InmemStorage{} + config := logical.TestBackendConfig() + config.StorageView = storage + + b := Backend() + _, err := b.Setup(config) + if err != nil { + t.Fatal(err) + } + + // Put cert bundle in inmem storage + privateCertPEM, err := ioutil.ReadFile("test-fixtures/cakey.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + cb := &certutil.CertBundle{} + cb.PrivateKey = string(privateCertPEM) + cb.PrivateKeyType = certutil.RSAPrivateKey + + bundleEntry, err := logical.StorageEntryJSON("config/ca_bundle", cb) + if err != nil { + t.Fatal(err) + } + err = storage.Put(bundleEntry) + if err != nil { + t.Fatal(err) + } + + certValue, err := ioutil.ReadFile("test-fixtures/cacert.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + + req := &logical.Request{ + Operation: logical.UpdateOperation, + Storage: storage, + } + + fd := &framework.FieldData{ + Raw: map[string]interface{}{ + "certificate": certValue, + }, + Schema: pathSetSignedIntermediate(b).Fields, + } + + resp, err := b.pathSetSignedIntermediate(req, fd) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: err: %v resp: %#v", err, resp) + } + + // Verify that value was written to storage + serial := "5e:21:03:b9:e7:30:b9:af:7e:8f:55:c7:2e:77:28:9f:14:3f:24:17" + storageKey := "certs/" + strings.ToLower(strings.Replace(serial, ":", "-", -1)) + entry, err := storage.Get(storageKey) + if err != nil { + t.Fatal(err) + } + if entry == nil { + t.Fatal("update operation unsucessful, data not written to storage") + } +} diff --git a/builtin/logical/pki/path_issue_sign_test.go b/builtin/logical/pki/path_issue_sign_test.go new file mode 100644 index 000000000000..761582aeb356 --- /dev/null 
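Review bot: The expected serial `"5e:21:03:b9:e7:30:b9:af:7e:8f:55:c7:2e:77:28:9f:14:3f:24:17"` is a bare literal with nothing tying it to the fixture; a comment such as `// serial number of test-fixtures/cacert.pem` (presumably where it comes from) would save the next person from re-deriving it when the fixture is regenerated. The final check only proves that some entry exists under the hyphenated key; comparing `entry.Value` with the DER of the fixture would confirm the right bytes were stored. `"unsucessful"` in the failure message is misspelled, here and in path_issue_sign_test.go and path_root_test.go.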
+++ b/builtin/logical/pki/path_issue_sign_test.go 
@@ -0,0 +1,94 @@ +package pki + +import ( + "io/ioutil" + "strings" + "testing" + + "github.com/hashicorp/vault/helper/certutil" + "github.com/hashicorp/vault/logical" + "github.com/hashicorp/vault/logical/framework" +) + +func TestIssueSignCert(t *testing.T) { + storage := &logical.InmemStorage{} + config := logical.TestBackendConfig() + config.StorageView = storage + + b := Backend() + _, err := b.Setup(config) + if err != nil { + t.Fatal(err) + } + + // Place CA cert in storage + rootCAKeyPEM, err := ioutil.ReadFile("test-fixtures/root/rootcakey.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + rootCACertPEM, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + cb := &certutil.CertBundle{} + cb.PrivateKey = string(rootCAKeyPEM) + cb.PrivateKeyType = certutil.RSAPrivateKey + cb.Certificate = string(rootCACertPEM) + + bundleEntry, err := logical.StorageEntryJSON("config/ca_bundle", cb) + if err != nil { + t.Fatal(err) + } + err = storage.Put(bundleEntry) + if err != nil { + t.Fatal(err) + } + + req := &logical.Request{ + Operation: logical.UpdateOperation, + Storage: storage, + } + + ttl := b.System().DefaultLeaseTTL() + role := &roleEntry{ + TTL: ttl.String(), + AllowLocalhost: true, + AllowAnyName: true, + AllowIPSANs: true, + EnforceHostnames: false, + GenerateLease: new(bool), + KeyType: "rsa", + KeyBits: 2048, + UseCSRCommonName: false, + UseCSRSANs: false, + } + *role.GenerateLease = false + + fd := &framework.FieldData{ + Raw: map[string]interface{}{ + "format": "pem", + "common_name": "test.example.com", + }, + Schema: map[string]*framework.FieldSchema{ + "format": &framework.FieldSchema{Type: framework.TypeString}, + "common_name": &framework.FieldSchema{Type: framework.TypeString}, + "exclude_cn_from_sans": &framework.FieldSchema{Type: framework.TypeBool}, + }, + } + + resp, err := b.pathIssueSignCert(req, fd, role, false, false) + if err != nil || (resp != nil && resp.IsError()) { + 
t.Fatalf("bad: err: %v resp: %#v", err, resp) + } + + // Verify that value was written to storage + serial := resp.Data["serial_number"].(string) + storageKey := "certs/" + strings.ToLower(strings.Replace(serial, ":", "-", -1)) + entry, err := storage.Get(storageKey) + if err != nil { + t.Fatal(err) + } + if entry == nil { + t.Fatal("update operation unsucessful, data not written to storage") + } +} diff --git a/builtin/logical/pki/path_root_test.go b/builtin/logical/pki/path_root_test.go new file mode 100644 index 000000000000..3535bddc4af1 --- /dev/null +++ b/builtin/logical/pki/path_root_test.go 
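Review bot: `resp.Data["serial_number"].(string)` dereferences `resp` after a guard, `if err != nil || (resp != nil && resp.IsError())`, that lets a nil `resp` with nil `err` through, so that combination panics instead of failing with a message; tighten it to `if err != nil || resp == nil || resp.IsError()`. `*role.GenerateLease = false` is redundant, since `new(bool)` already points at false. The hand-built Schema differs from the other new tests, which reuse the path's `.Fields`; if pathIssueSignCert has no single owning path, a one-line comment saying why the schema is inlined would help.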
@@ -0,0 +1,126 @@ +package pki + +import ( + "io/ioutil" + "strings" + "testing" + + "github.com/hashicorp/vault/helper/certutil" + "github.com/hashicorp/vault/logical" + "github.com/hashicorp/vault/logical/framework" +) + +func TestCAGenerateRoot(t *testing.T) { + storage := &logical.InmemStorage{} + config := logical.TestBackendConfig() + config.StorageView = storage + + b := Backend() + _, err := b.Setup(config) + if err != nil { + t.Fatal(err) + } + + req := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "root/generate/internal", + Storage: storage, + } + + fd := &framework.FieldData{ + Raw: map[string]interface{}{ + "exported": "internal", + "common_name": "test.example.com", + }, + Schema: pathGenerateRoot(b).Fields, + } + + resp, err := b.pathCAGenerateRoot(req, fd) + if err != nil { + t.Fatalf("error: %s", err) + } + if resp.Error() != nil { + t.Fatalf("logical.Response error: %s", resp.Error()) + } + + // Verify that value was written to storage + serial := resp.Data["serial_number"].(string) + storageKey := "certs/" + strings.ToLower(strings.Replace(serial, ":", "-", -1)) + entry, err := storage.Get(storageKey) + if err != nil { + t.Fatal(err) + } + if entry == nil { + t.Fatal("update operation unsucessful, data not written to storage") + } +} + +func TestCASignIntermediate(t *testing.T) { + storage := &logical.InmemStorage{} + config := logical.TestBackendConfig() + config.StorageView = storage + + b := Backend() + _, err := b.Setup(config) + if err != nil { + t.Fatal(err) + } + + // Place CA cert in storage + rootCAKeyPEM, err := ioutil.ReadFile("test-fixtures/root/rootcakey.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + rootCACertPEM, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + cb := &certutil.CertBundle{} + cb.PrivateKey = string(rootCAKeyPEM) + cb.PrivateKeyType = certutil.RSAPrivateKey + cb.Certificate = string(rootCACertPEM) + + bundleEntry, err := 
logical.StorageEntryJSON("config/ca_bundle", cb) + if err != nil { + t.Fatal(err) + } + err = storage.Put(bundleEntry) + if err != nil { + t.Fatal(err) + } + + req := &logical.Request{ + Operation: logical.UpdateOperation, + Path: "root/sign-intermediate", + Storage: storage, + } + + csrPEM, err := ioutil.ReadFile("test-fixtures/root/csr.pem") + if err != nil { + t.Fatalf("err: %v", err) + } + + fd := &framework.FieldData{ + Raw: map[string]interface{}{ + "common_name": "test.example.com", + "csr": string(csrPEM), + }, + Schema: pathSignIntermediate(b).Fields, + } + + resp, err := b.pathCASignIntermediate(req, fd) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: err: %v resp: %#v", err, resp) + } + + // Verify that value was written to storage + serial := resp.Data["serial_number"].(string) + storageKey := "certs/" + strings.ToLower(strings.Replace(serial, ":", "-", -1)) + entry, err := storage.Get(storageKey) + if err != nil { + t.Fatal(err) + } + if entry == nil { + t.Fatal("update operation unsucessful, data not written to storage") + } +} diff --git a/builtin/logical/pki/test-fixtures/cacert.pem b/builtin/logical/pki/test-fixtures/cacert.pem new file mode 100644 index 000000000000..9d9a3859e53a --- /dev/null +++ b/builtin/logical/pki/test-fixtures/cacert.pem 
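Review bot: TestCASignIntermediate only checks that a `certs/` entry was written; for a path that signs a CA it should also parse the returned certificate and assert that it is a CA issued by the fixture root, otherwise a regression that signs the intermediate without `CA:TRUE` or under the wrong issuer still passes. Assuming the response carries the PEM under `certificate` as the root/generate output in this series does, `block, _ := pem.Decode([]byte(resp.Data["certificate"].(string)))`, `cert, err := x509.ParseCertificate(block.Bytes)` and `if err != nil || !cert.IsCA { t.Fatalf("signed intermediate is not a CA: %v", err) }` would cover the basic-constraints half (needs `crypto/x509` and `encoding/pem` imports), with an issuer check against the parsed root cert on top. The two tests also check errors differently — `resp.Error()` in TestCAGenerateRoot versus `resp != nil && resp.IsError()` here — and the `serial_number` type assertions in both are unchecked; picking one form and guarding the assertion keeps failures readable.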
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIUXiEDuecwua9+j1XHLnconxQ/JBcwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYwMzU4WhgPMjA2 +NjA0MjAxNjA0MjhaMBYxFDASBgNVBAMTC215dmF1bHQuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWPjnTqnkc6acah+wWLmdTK0oCrf2687XVhx +VP3IN897TYzkaBQ2Dn1UM2VEL71sE3OZSVm0UWs5n7UqRuDp6mvkvrT2q5zgh/bV +zg9ZL1AI5H7dY2Rsor95I849ymFpXZooMgNtIQLxIeleBwzTnVSkFl8RqKM7NkjZ +wvBafQEjSsYk9050Bu0GMLgFJYRo1LozJLbwIs5ykG5F5PWTMfRvLCgLBzixPb75 +unIJ29nL0yB7zzUdkM8CG1EX8NkjGLEnpRnPa7+RMf8bd10v84cr0JFCUQmoabks +sqVyA825/1we2r5Y8blyXZVIr2lcPyGocLDxz1qT1MqxrNQIywIDAQABo4GBMH8w +DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBTo2I+W +3Wb2MBe3OWuj5qCbafavMB8GA1UdIwQYMBaAFBTo2I+W3Wb2MBe3OWuj5qCbafav +MBwGA1UdEQQVMBOCC215dmF1bHQuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB +AQAyjJzDMzf28yMgiu//2R6LD3+zuLHlfX8+p5JB7WDBT7CgSm89gzMRtD2DvqZQ +6iLbZv/x7Td8bdLsOKf3LDCkZyOygJ0Sr9+6YZdc9heWO8tsO/SbcLhj9/vK8YyV +5fJo+vECW8I5zQLeTKfPqJtTU0zFspv0WYCB96Hsbhd1hTfHmVgjBoxi0YuduAa8 +3EHuYPfTYkO3M4QJCoQ+3S6LXSTDqppd1KGAy7QhRU6shd29EpSVxhgqZ+CIOpZu +3RgPOgPqfqcOD/v/SRPqhRf+P5O5Dc/N4ZXTZtfJbaY0qE+smpeQUskVQ2TrSqha +UYpNk7+toZW3Gioo0lBD3gH2 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/builtin/logical/pki/test-fixtures/cakey.pem b/builtin/logical/pki/test-fixtures/cakey.pem new file mode 100644 index 000000000000..ecba4754cd9e --- /dev/null +++ b/builtin/logical/pki/test-fixtures/cakey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAwWPjnTqnkc6acah+wWLmdTK0oCrf2687XVhxVP3IN897TYzk +aBQ2Dn1UM2VEL71sE3OZSVm0UWs5n7UqRuDp6mvkvrT2q5zgh/bVzg9ZL1AI5H7d +Y2Rsor95I849ymFpXZooMgNtIQLxIeleBwzTnVSkFl8RqKM7NkjZwvBafQEjSsYk +9050Bu0GMLgFJYRo1LozJLbwIs5ykG5F5PWTMfRvLCgLBzixPb75unIJ29nL0yB7 +zzUdkM8CG1EX8NkjGLEnpRnPa7+RMf8bd10v84cr0JFCUQmoabkssqVyA825/1we +2r5Y8blyXZVIr2lcPyGocLDxz1qT1MqxrNQIywIDAQABAoIBAD1pBd9ov8t6Surq +sY2hZUM0Hc16r+ln5LcInbx6djjaxvHiWql+OYgyXimP764lPYuTuspjFPKB1SOU ++N7XDxCkwFeayXXHdDlYtZ4gm5Z9mMVOT+j++8xWdxZaqJ56fmX9zOPM2LuR3paB +L52Xgh9EwHJmMApYAzaCvbu8bU+iHeNTW80xabxQrp9VCu/A1BXUX06jK4T+wmjZ +kDA82uQp3dCOF1tv/10HgwqkJj6/1jjM0XUzUZR6iV85S6jrA7wD7gDDeqNO8YHN +08YMRgTKk4pbA7AqoC5xbL3gbSjsjyw48KRq0FkdkjsgV0PJZRMUU9fv9puDa23K +WRPa8LECgYEAyeth5bVH8FXnVXIAAFU6W0WdgCK3VakhjItLw0eoxshuTwbVq64w +CNOB8y1pfP83WiJjX3qRG43NDW07X69J57YKtCCb6KICVUPmecgYZPkmegD1HBQZ +5+Aak+5pIUQuycQ0t65yHGu4Jsju05gEFgdzydFjNANgiPxRzZxzAkkCgYEA9S+y +ZR063oCQDg/GhMLCx19nCJyU44Figh1YCD6kTrsSTECuRpQ5B1F9a+LeZT2wnYxv ++qMvvV+lfVY73f5WZ567u2jSDIsCH34p4g7sE25lKwo+Lhik6EtOehJFs2ZUemaT +Ym7EjqWlC1whrG7P4MnTGzPOVNAGAxsGPtT58nMCgYAs/R8A2VU//UPfy9ioOlUY +RPiEtjd3BIoPEHI+/lZihAHf5bvx1oupS8bmcbXRPeQNVyAhA+QU6ZFIbpAOD7Y9 +xFe6LpHOUVqHuOs/MxAMX17tTA1QxkHHYi1JzJLr8I8kMW01h86w+mc7bQWZa4Nt +jReFXfvmeOInY2CumS8e0QKBgC23ow/vj1aFqla04lNG7YK3a0LTz39MVM3mItAG +viRgBV1qghRu9uNCcpx3RPijtBbsZMTbQL+S4gyo06jlD79qfZ7IQMJN+SteHvkj +xykoYHzSAB4gQj9+KzffyFdXMVFRZxHnjYb7o/amSzEXyHMlrtNXqZVu5HAXzeZR +V/m5AoGAAStS43Q7qSJSMfMBITKMdKlqCObnifD77WeR2WHGrpkq26300ggsDpMS +UTmnAAo77lSMmDsdoNn2XZmdeTu1CPoQnoZSE5CqPd5GeHA/hhegVCdeYxSXZJoH +Lhiac+AhCEog/MS1GmVsjynD7eDGVFcsJ6SWuam7doKfrpPqPnE= +-----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/builtin/logical/pki/test-fixtures/root/csr.pem b/builtin/logical/pki/test-fixtures/root/csr.pem new file mode 100644 index 000000000000..58ebe0c73668 --- /dev/null +++ b/builtin/logical/pki/test-fixtures/root/csr.pem 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx +ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 +Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 +z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x +AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb +6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH +SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaAAMA0GCSqG +SIb3DQEBBQUAA4IBAQDCQqX/dOU0gUonjSpNocnKx4vKl5M5tdmJ3VExnBpde0tl +KCiRzVFlvQcJp8NPsJeoMzqQEn19BIiBKqgDf1OyeZaj+oDfW3JThsK8Jb8dlOVW +nGvmhNEST0kPsKbHJqyWuseLNtIRFsp5weoHoDIU9WECCxm0UBAMvA2Ltu7Kbu/k +RcHSI5ouBLUhcfb3GqS38xvR9wqAFYcvKZySGjeP+x82GhkeqWCTKYMiMvUUnqOs +EhhWv9qGzyF6mjSnHNqcP6wmHMw1xG1JCIuQbjkYu2EdH1epJaObVv1753uHfskE +R/fii/GlEd+/lSUlHSpcFqz717Gx+1hodkZlQtpl +-----END CERTIFICATE REQUEST----- diff --git a/builtin/logical/pki/test-fixtures/root/pkioutput b/builtin/logical/pki/test-fixtures/root/pkioutput new file mode 100644 index 000000000000..312ae18deae8 --- /dev/null +++ b/builtin/logical/pki/test-fixtures/root/pkioutput 
@@ -0,0 +1,74 @@ +Key Value +lease_id pki/root/generate/exported/7bf99d76-dd3e-2c5b-04ce-5253062ad586 +lease_duration 315359999 +lease_renewable false +certificate -----BEGIN CERTIFICATE----- +MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw +MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 +Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 +z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x +AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb +6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH +SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G +A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx +7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc +BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA +wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2 +U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa +cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N +ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ +t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk +zehNe5dFTjFpylg1o6b8Ow== +-----END CERTIFICATE----- +expiration 1.772072879e+09 +issuing_ca -----BEGIN CERTIFICATE----- +MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw +MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 +Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 +z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x +AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb +6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH 
+SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G +A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx +7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc +BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA +wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2 +U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa +cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N +ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ +t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk +zehNe5dFTjFpylg1o6b8Ow== +-----END CERTIFICATE----- +private_key -----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p +t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3 +BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w +/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv +0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi +18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb +ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn +8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f +nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8 +2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t +grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc +bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9 +0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN +ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf +lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1 +lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj +AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG +ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib +thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU 
+4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb +iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO +tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y +LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc +4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX +OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8= +-----END RSA PRIVATE KEY----- +private_key_type rsa +serial_number 6f:98:9d:f8:67:1a:31:e3:27:60:1b:f7:32:f7:53:19:68:a0:c8:9d diff --git a/builtin/logical/pki/test-fixtures/root/root.crl b/builtin/logical/pki/test-fixtures/root/root.crl new file mode 100644 index 000000000000..a80c9e4117cb --- /dev/null +++ b/builtin/logical/pki/test-fixtures/root/root.crl @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIBrjCBlzANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbRcN +MTYwMjI5MDIyOTE3WhcNMjUwMTA1MTAyOTE3WjArMCkCFG+YnfhnGjHjJ2Ab9zL3 +UxlooMidFxExNjAyMjgyMTI5MTctMDUwMKAjMCEwHwYDVR0jBBgwFoAUncSzT/6H +MexyuiU9/7EgHu+ok5swDQYJKoZIhvcNAQELBQADggEBAG9YDXpNe4LJroKZmVCn +HqMhW8eyzyaPak2nPPGCVUnc6vt8rlBYQU+xlBizD6xatZQDMPgrT8sBl9W3ysXk +RUlliHsT/SHddMz5dAZsBPRMJ7pYWLTx8jI4w2WRfbSyI4bY/6qTRNkEBUv+Fk8J +xvwB89+EM0ENcVMhv9ghsUA8h7kOg673HKwRstLDAzxS/uLmEzFjj8SV2m5DbV2Y +UUCKRSV20/kxJMIC9x2KikZhwOSyv1UE1otD+RQvbfAoZPUDmvp2FR/E0NGjBBOg +1TtCPRrl63cjqU3s8KQ4uah9Vj+Cwcu9n/yIKKtNQq4NKHvagv8GlUsoJ4BdAxCw +IA0= +-----END X509 CRL----- diff --git a/builtin/logical/pki/test-fixtures/root/rootcacert.pem b/builtin/logical/pki/test-fixtures/root/rootcacert.pem new file mode 100644 index 000000000000..dcb307a14011 --- /dev/null +++ b/builtin/logical/pki/test-fixtures/root/rootcacert.pem 
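Review bot: `test-fixtures/root/pkioutput` is a raw capture of a `root/generate/exported` response, including a lease_id and a private key that is byte-for-byte the key already committed as `rootcakey.pem`, and as far as this series shows no test reads it (the tests load rootcakey.pem, rootcacert.pem, csr.pem and keys/cert.pem). An unreferenced key blob is something secret scanners and future readers will keep tripping over; either drop the file or add a one-line README under test-fixtures stating that every key there is throwaway test material.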
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw +MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 +Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 +z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x +AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb +6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH +SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G +A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx +7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc +BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA +wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2 +U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa +cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N +ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ +t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk +zehNe5dFTjFpylg1o6b8Ow== +-----END CERTIFICATE----- diff --git a/builtin/logical/pki/test-fixtures/root/rootcakey.pem b/builtin/logical/pki/test-fixtures/root/rootcakey.pem new file mode 100644 index 000000000000..e950da5ba304 --- /dev/null +++ b/builtin/logical/pki/test-fixtures/root/rootcakey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p +t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3 +BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w +/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv +0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi +18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb +ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn +8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f +nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8 +2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t +grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc +bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9 +0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN +ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf +lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1 +lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj +AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG +ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib +thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU +4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb +iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO +tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y +LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc +4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX +OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8= +-----END RSA PRIVATE KEY----- From a5ddaabdba5eea804a09df5b30c3204149fe2fdf Mon Sep 17 00:00:00 2001 
From: Calvin Leung Huang Date: Thu, 27 Apr 2017 09:47:56 -0400 Subject: [PATCH 05/11] Rename tests, use HandleRequest() for existing paths --- builtin/logical/pki/cert_util_test.go | 2 +- builtin/logical/pki/crl_util_test.go | 2 +- builtin/logical/pki/path_intermediate_test.go | 19 +++----- builtin/logical/pki/path_issue_sign_test.go | 2 +- builtin/logical/pki/path_root_test.go | 44 ++++++------------- 5 files changed, 21 insertions(+), 48 deletions(-) diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go index 8183a47b1876..0c35bf1d5fee 100644 --- a/builtin/logical/pki/cert_util_test.go +++ b/builtin/logical/pki/cert_util_test.go @@ -6,7 +6,7 @@ import ( "github.com/hashicorp/vault/logical" ) -func TestFetchCertBySerial(t *testing.T) { +func TestPki_FetchCertBySerial(t *testing.T) { storage := &logical.InmemStorage{} cases := map[string]struct { diff --git a/builtin/logical/pki/crl_util_test.go b/builtin/logical/pki/crl_util_test.go index d8e720b545de..20cc9b63b5c5 100644 --- a/builtin/logical/pki/crl_util_test.go +++ b/builtin/logical/pki/crl_util_test.go @@ -11,7 +11,7 @@ import ( "github.com/hashicorp/vault/logical" ) -func TestRevokeCert(t *testing.T) { +func TestPki_RevokeCert(t *testing.T) { storage := &logical.InmemStorage{} config := logical.TestBackendConfig() config.StorageView = storage diff --git a/builtin/logical/pki/path_intermediate_test.go b/builtin/logical/pki/path_intermediate_test.go index e4b15919e8d3..97b3b0481eae 100644 --- a/builtin/logical/pki/path_intermediate_test.go +++ b/builtin/logical/pki/path_intermediate_test.go @@ -7,10 +7,9 @@ import ( "github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/logical" - "github.com/hashicorp/vault/logical/framework" ) -func TestSetSignedIntermediate(t *testing.T) { +func TestPki_SetSignedIntermediate(t *testing.T) { storage := &logical.InmemStorage{} config := logical.TestBackendConfig() config.StorageView = storage 
@@ -44,19 +43,11 @@ func TestSetSignedIntermediate(t *testing.T) { t.Fatalf("err: %v", err) } - req := &logical.Request{ - Operation: logical.UpdateOperation, - Storage: storage, - } - - fd := &framework.FieldData{ - Raw: map[string]interface{}{ - "certificate": certValue, - }, - Schema: pathSetSignedIntermediate(b).Fields, - } + req := logical.TestRequest(t, logical.UpdateOperation, "intermediate/set-signed") + req.Data["certificate"] = certValue + req.Storage = storage - resp, err := b.pathSetSignedIntermediate(req, fd) + resp, err := b.HandleRequest(req) if err != nil || (resp != nil && resp.IsError()) { t.Fatalf("bad: err: %v resp: %#v", err, resp) } diff --git a/builtin/logical/pki/path_issue_sign_test.go b/builtin/logical/pki/path_issue_sign_test.go index 761582aeb356..ef3687f607ee 100644 --- a/builtin/logical/pki/path_issue_sign_test.go +++ b/builtin/logical/pki/path_issue_sign_test.go @@ -10,7 +10,7 @@ import ( "github.com/hashicorp/vault/logical/framework" ) -func TestIssueSignCert(t *testing.T) { +func TestPki_IssueSignCert(t *testing.T) { storage := &logical.InmemStorage{} config := logical.TestBackendConfig() config.StorageView = storage diff --git a/builtin/logical/pki/path_root_test.go b/builtin/logical/pki/path_root_test.go index 3535bddc4af1..fcdb1b0102c3 100644 --- a/builtin/logical/pki/path_root_test.go +++ b/builtin/logical/pki/path_root_test.go @@ -7,10 +7,9 @@ import ( "github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/logical" - "github.com/hashicorp/vault/logical/framework" ) -func TestCAGenerateRoot(t *testing.T) { +func TestPki_CAGenerateRoot(t *testing.T) { storage := &logical.InmemStorage{} config := logical.TestBackendConfig() config.StorageView = storage 
@@ -21,21 +20,12 @@ func TestCAGenerateRoot(t *testing.T) { t.Fatal(err) } - req := &logical.Request{ - Operation: logical.UpdateOperation, - Path: "root/generate/internal", - Storage: storage, - } - - fd := &framework.FieldData{ - Raw: map[string]interface{}{ - "exported": "internal", - "common_name": "test.example.com", - }, - Schema: pathGenerateRoot(b).Fields, - } + req := logical.TestRequest(t, logical.UpdateOperation, "root/generate/internal") + req.Storage = storage + req.Data["common_name"] = "test.example.com" - resp, err := b.pathCAGenerateRoot(req, fd) + // resp, err := b.pathCAGenerateRoot(req, fd) + resp, err := b.HandleRequest(req) if err != nil { t.Fatalf("error: %s", err) } @@ -55,7 +45,7 @@ func TestCAGenerateRoot(t *testing.T) { } } -func TestCASignIntermediate(t *testing.T) { +func TestPki_CASignIntermediate(t *testing.T) { storage := &logical.InmemStorage{} config := logical.TestBackendConfig() config.StorageView = storage @@ -89,26 +79,18 @@ func TestCASignIntermediate(t *testing.T) { t.Fatal(err) } - req := &logical.Request{ - Operation: logical.UpdateOperation, - Path: "root/sign-intermediate", - Storage: storage, - } - csrPEM, err := ioutil.ReadFile("test-fixtures/root/csr.pem") if err != nil { t.Fatalf("err: %v", err) } - fd := &framework.FieldData{ - Raw: map[string]interface{}{ - "common_name": "test.example.com", - "csr": string(csrPEM), - }, - Schema: pathSignIntermediate(b).Fields, - } + req := logical.TestRequest(t, logical.UpdateOperation, "root/sign-intermediate") + req.Storage = storage + req.Data["csr"] = string(csrPEM) + req.Data["common_name"] = "test.example.com" - resp, err := b.pathCASignIntermediate(req, fd) + // resp, err := b.pathCASignIntermediate(req, fd) + resp, err := b.HandleRequest(req) if err != nil || (resp != nil && resp.IsError()) { t.Fatalf("bad: err: %v resp: %#v", err, resp) } From 7fdf4acc6f481ecda39806535f7d6de0011fbf6f Mon Sep 17 00:00:00 2001 
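Review bot: The commented-out call `// resp, err := b.pathCAGenerateRoot(req, fd)` left above the new `b.HandleRequest(req)` references `fd`, which this hunk deletes, so it can only mislead; the same dead line `// resp, err := b.pathCASignIntermediate(req, fd)` remains in the sign-intermediate hunk below, and both should go. TestPki_CAGenerateRoot also still checks `err != nil` and then `resp.Error()` while every other test in the series uses `if err != nil || (resp != nil && resp.IsError())`; using the same form here keeps a nil response from being treated differently between tests.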
From: Calvin Leung Huang Date: Thu, 27 Apr 2017 12:30:44 -0400 Subject: [PATCH 06/11] Verify update operation was performed on revokeCert --- builtin/logical/pki/crl_util_test.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/builtin/logical/pki/crl_util_test.go b/builtin/logical/pki/crl_util_test.go index 20cc9b63b5c5..ccf3ad469a0f 100644 --- a/builtin/logical/pki/crl_util_test.go +++ b/builtin/logical/pki/crl_util_test.go @@ -3,6 +3,7 @@ package pki import ( "encoding/pem" "io/ioutil" + "strings" "testing" "time" @@ -109,7 +110,6 @@ func TestPki_RevokeCert(t *testing.T) { } for name, tc := range cases { - // Put pseudo-cert in inmem storage err := storage.Put(&logical.StorageEntry{ Key: tc.Req.Path, Value: tc.StorageValue, @@ -122,5 +122,15 @@ func TestPki_RevokeCert(t *testing.T) { if err != nil || (resp != nil && resp.IsError()) { t.Fatalf("bad: err: %v resp: %#v", err, resp) } + + // Verify that value was written to storage + storageKey := "revoked/" + strings.ToLower(strings.Replace(tc.StorageKey, ":", "-", -1)) + entry, err := storage.Get(storageKey) + if err != nil { + t.Fatal(err) + } + if entry == nil { + t.Fatal("update operation unsucessful, data not written to storage") + } } } From 38a01b8e1bce0a027014fa9e3765fbec8fd92df8 Mon Sep 17 00:00:00 2001 
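Review bot: The new `revoked/` assertion in TestPki_RevokeCert cannot distinguish a write made by this case from one made by an earlier case: `storage` is created once for the whole test and every case uses the same serial (the cases are visible in this file's deletion in PATCH 07), so once any iteration has produced `revoked/7f-e8-…` the `entry == nil` check passes for the rest even if `revokeCert` wrote nothing, and map iteration order makes which case actually verified the write random. Give each case its own store — `storage := &logical.InmemStorage{}` and `tc.Req.Storage = storage` at the top of the loop, assuming revokeCert writes through `req.Storage` — or delete `storageKey` before the call and assert it was absent. The message `"update operation unsucessful, ..."` also has a typo (unsuccessful).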
From: Calvin Leung Huang Date: Thu, 27 Apr 2017 17:09:59 -0400 Subject: [PATCH 07/11] Refactor cert_util_test --- builtin/logical/pki/cert_util.go | 1 + builtin/logical/pki/cert_util_test.go | 102 +++++++------ builtin/logical/pki/crl_util_test.go | 136 ------------------ builtin/logical/pki/path_intermediate_test.go | 65 --------- builtin/logical/pki/path_issue_sign_test.go | 94 ------------ builtin/logical/pki/path_root_test.go | 108 -------------- builtin/logical/pki/test-fixtures/cacert.pem | 20 --- builtin/logical/pki/test-fixtures/cakey.pem | 27 ---- .../logical/pki/test-fixtures/keys/cert.pem | 22 --- .../logical/pki/test-fixtures/keys/key.pem | 27 ---- .../logical/pki/test-fixtures/keys/pkioutput | 74 ---------- .../logical/pki/test-fixtures/root/csr.pem | 16 --- .../logical/pki/test-fixtures/root/pkioutput | 74 ---------- .../logical/pki/test-fixtures/root/root.crl | 12 -- .../pki/test-fixtures/root/rootcacert.pem | 20 --- .../pki/test-fixtures/root/rootcakey.pem | 27 ---- 16 files changed, 56 insertions(+), 769 deletions(-) delete mode 100644 builtin/logical/pki/crl_util_test.go delete mode 100644 builtin/logical/pki/path_intermediate_test.go delete mode 100644 builtin/logical/pki/path_issue_sign_test.go delete mode 100644 builtin/logical/pki/path_root_test.go delete mode 100644 builtin/logical/pki/test-fixtures/cacert.pem delete mode 100644 builtin/logical/pki/test-fixtures/cakey.pem delete mode 100644 builtin/logical/pki/test-fixtures/keys/cert.pem delete mode 100644 builtin/logical/pki/test-fixtures/keys/key.pem delete mode 100644 builtin/logical/pki/test-fixtures/keys/pkioutput delete mode 100644 builtin/logical/pki/test-fixtures/root/csr.pem delete mode 100644 builtin/logical/pki/test-fixtures/root/pkioutput delete mode 100644 builtin/logical/pki/test-fixtures/root/root.crl delete mode 100644 builtin/logical/pki/test-fixtures/root/rootcacert.pem delete mode 100644 builtin/logical/pki/test-fixtures/root/rootcakey.pem 
diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index 15188ced9708..e632aaa5b492 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -239,6 +239,7 @@ func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.St return nil, errutil.InternalError{Err: fmt.Sprintf("returned certificate bytes for serial %s were empty", serial)} } + // Update old-style paths to new-style paths certEntry.Key = desiredPath if err = req.Storage.Put(certEntry); err != nil { return nil, errutil.InternalError{Err: fmt.Sprintf("error saving certificate with serial %s to new location", serial)} diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go index 0c35bf1d5fee..c0c20332fdd3 100644 --- a/builtin/logical/pki/cert_util_test.go +++ b/builtin/logical/pki/cert_util_test.go @@ -1,8 +1,11 @@ package pki import ( + "fmt" "testing" + "strings" + "github.com/hashicorp/vault/logical" ) 
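Review bot: The error returned when the migrating `Put` fails drops the underlying error — `fmt.Sprintf("error saving certificate with serial %s to new location", serial)` has no verb for `err`, so an operator sees that a write failed but not why; `fmt.Sprintf("error saving certificate with serial %s to new location: %s", serial, err)` preserves the cause. The hunk also shows the entry being re-keyed to `desiredPath` and written, but not whether the colon-style original at `path` is deleted afterwards; if it is not, every migrated cert and revocation record leaves a second copy at the old key that later reads never consult, so it is worth confirming a `req.Storage.Delete(path)` follows the `Put`. fetchCertBySerial begins outside this hunk.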
@@ -10,77 +13,82 @@ func TestPki_FetchCertBySerial(t *testing.T) { storage := &logical.InmemStorage{} cases := map[string]struct { - Req *logical.Request - StorageKey string + Req *logical.Request + Prefix string + Serial string }{ - "cert, valid colon": { - &logical.Request{ - Operation: logical.ReadOperation, - Path: "certs/10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", - Storage: storage, - }, - "10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", - }, - "cert, revoked colon": { - &logical.Request{ - Operation: logical.ReadOperation, - Path: "revoked/10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", - Storage: storage, - }, - "10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", - }, - "cert, valid hyphen": { - &logical.Request{ - Operation: logical.ReadOperation, - Path: "certs/10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", - Storage: storage, - }, - "10-e6-fc-62-b7-41-8a-d5-00-5e-45-b6", - }, - "cert, revoked hyphen": { - &logical.Request{ - Operation: logical.ReadOperation, - Path: "revoked/10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6", - Storage: storage, - }, - "10-e6-fc-62-b7-41-8a-d5-00-5e-45-b6", - }, - "cert, ca": { + "valid cert": { &logical.Request{ Operation: logical.ReadOperation, - Path: "ca", Storage: storage, }, - "", + "certs/", + "00:00:00:00:00:00:00:00", }, - "cert, crl": { + "revoked cert": { &logical.Request{ Operation: logical.ReadOperation, - Path: "crl", Storage: storage, }, - "", + "revoked/", + "11:11:11:11:11:11:11:11", }, } + // Test for colon-based paths in storage + for name, tc := range cases { + storageKey := fmt.Sprintf("%s%s", tc.Prefix, tc.Serial) + err := storage.Put(&logical.StorageEntry{ + Key: storageKey, + Value: []byte("some data"), + }) + if err != nil { + t.Fatalf("error writing to storage on %s colon-based storage path: %s", name, err) + } + + certEntry, err := fetchCertBySerial(tc.Req, tc.Prefix, tc.Serial) + if err != nil { + t.Fatalf("error on %s for colon-based storage path: %s", name, err) + } + + // Check for non-nil on valid/revoked certs + if certEntry == nil { + t.Fatalf("nil 
on %s for colon-based storage path", name) + } + + // Ensure that cert serials are converted/updated after fetch + expectedKey := fmt.Sprintf("%s%s", tc.Prefix, strings.Replace(strings.ToLower(tc.Serial), ":", "-", -1)) + se, err := storage.Get(expectedKey) + if err != nil { + t.Fatalf("error on %s for colon-based storage path:%s", name, err) + } + if strings.Compare(expectedKey, se.Key) != 0 { + t.Fatalf("expected: %s, got: %s", expectedKey, certEntry.Key) + } + } + + // Reset storage + storage = &logical.InmemStorage{} + + // Test for hyphen-base paths in storage for name, tc := range cases { - // Put pseudo-cert in inmem storage + storageKey := fmt.Sprintf("%s%s", tc.Prefix, strings.Replace(strings.ToLower(tc.Serial), ":", "-", -1)) err := storage.Put(&logical.StorageEntry{ - Key: tc.Req.Path, + Key: storageKey, Value: []byte("some data"), }) if err != nil { - t.Fatalf("error writing to storage on %s: %s", name, err) + t.Fatalf("error writing to storage on %s hyphen-based storage path: %s", name, err) } - certEntry, err := fetchCertBySerial(tc.Req, tc.Req.Path, tc.StorageKey) + certEntry, err := fetchCertBySerial(tc.Req, tc.Prefix, tc.Serial) if err != nil { - t.Fatalf("fetchBySerial error on %s: %s", name, err) + t.Fatalf("error on %s for hyphen-based storage path: %s", name, err) } // Check for non-nil on valid/revoked certs - if certEntry == nil && tc.Req.Path != "ca" && tc.Req.Path != "crl" { - t.Fatalf("fetchBySerial returned nil on %s", name) + if certEntry == nil { + t.Fatalf("nil on %s for hyphen-based storage path", name) } } } diff --git a/builtin/logical/pki/crl_util_test.go b/builtin/logical/pki/crl_util_test.go deleted file mode 100644 index ccf3ad469a0f..000000000000 --- a/builtin/logical/pki/crl_util_test.go +++ /dev/null 
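Review bot: In the colon-path loop of TestPki_FetchCertBySerial, `se` returned by `storage.Get(expectedKey)` is dereferenced as `se.Key` without a nil check, so a migration that failed to write the hyphenated key panics instead of reporting which case failed, and the Fatalf then prints `certEntry.Key` rather than the `se.Key` it compared; add `if se == nil { t.Fatalf("%s: no entry migrated to %s", name, expectedKey) }` before the compare and report `se.Key`. The loop also never checks that the old colon key is gone after the fetch — if the migration is meant to move rather than copy, `if old, _ := storage.Get(storageKey); old != nil { t.Fatalf("%s: stale entry left at %s", name, storageKey) }` would catch a dual copy. Both serials are all digits, so the `strings.ToLower` normalisation the lookup relies on is never exercised; a case with uppercase hex such as `"AA:BB:CC:DD:EE:FF:00:11"` would cover it.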
@@ -1,136 +0,0 @@ -package pki - -import ( - "encoding/pem" - "io/ioutil" - "strings" - "testing" - "time" - - "github.com/hashicorp/vault/helper/certutil" - "github.com/hashicorp/vault/helper/jsonutil" - "github.com/hashicorp/vault/logical" -) - -func TestPki_RevokeCert(t *testing.T) { - storage := &logical.InmemStorage{} - config := logical.TestBackendConfig() - config.StorageView = storage - - b := Backend() - _, err := b.Setup(config) - if err != nil { - t.Fatal(err) - } - - // Place CA cert in storage - rootCAKeyPEM, err := ioutil.ReadFile("test-fixtures/root/rootcakey.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - rootCACertPEM, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - cb := &certutil.CertBundle{} - cb.PrivateKey = string(rootCAKeyPEM) - cb.PrivateKeyType = certutil.RSAPrivateKey - cb.Certificate = string(rootCACertPEM) - - bundleEntry, err := logical.StorageEntryJSON("config/ca_bundle", cb) - if err != nil { - t.Fatal(err) - } - err = storage.Put(bundleEntry) - if err != nil { - t.Fatal(err) - } - - certValue, err := ioutil.ReadFile("test-fixtures/keys/cert.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - block, _ := pem.Decode(certValue) - if block == nil { - t.Fatal("failed to decode PEM cert into DER") - } - certDER := block.Bytes - - var revInfo revocationInfo - currTime := time.Now() - revInfo.CertificateBytes = certDER - revInfo.RevocationTime = currTime.Unix() - revInfo.RevocationTimeUTC = currTime.UTC() - encodedCertDER, err := jsonutil.EncodeJSON(revInfo) - if err != nil { - t.Fatalf("error encoding pseudo cert value: %s", err) - } - - cases := map[string]struct { - Req *logical.Request - StorageKey string - StorageValue []byte - }{ - "cert, valid colon": { - &logical.Request{ - Operation: logical.UpdateOperation, - Path: "certs/7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", - Storage: storage, - }, - 
"7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", - certDER, - }, - "cert, revoked colon": { - &logical.Request{ - Operation: logical.UpdateOperation, - Path: "revoked/7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", - Storage: storage, - }, - "7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", - encodedCertDER, - }, - "cert, valid hyphen": { - &logical.Request{ - Operation: logical.UpdateOperation, - Path: "certs/7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", - Storage: storage, - }, - "7f-e8-e1-29-31-41-9e-a4-ac-df-82-08-d1-64-b5-2f-84-2c-6d-b0", - certDER, - }, - "cert, revoked hyphen": { - &logical.Request{ - Operation: logical.UpdateOperation, - Path: "revoked/7f:e8:e1:29:31:41:9e:a4:ac:df:82:08:d1:64:b5:2f:84:2c:6d:b0", - Storage: storage, - }, - "7f-e8-e1-29-31-41-9e-a4-ac-df-82-08-d1-64-b5-2f-84-2c-6d-b0", - encodedCertDER, - }, - } - - for name, tc := range cases { - err := storage.Put(&logical.StorageEntry{ - Key: tc.Req.Path, - Value: tc.StorageValue, - }) - if err != nil { - t.Fatalf("error writing to storage on %s: %s", name, err) - } - - resp, err := revokeCert(b, tc.Req, tc.StorageKey, false) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: err: %v resp: %#v", err, resp) - } - - // Verify that value was written to storage - storageKey := "revoked/" + strings.ToLower(strings.Replace(tc.StorageKey, ":", "-", -1)) - entry, err := storage.Get(storageKey) - if err != nil { - t.Fatal(err) - } - if entry == nil { - t.Fatal("update operation unsucessful, data not written to storage") - } - } -} diff --git a/builtin/logical/pki/path_intermediate_test.go b/builtin/logical/pki/path_intermediate_test.go deleted file mode 100644 index 97b3b0481eae..000000000000 --- a/builtin/logical/pki/path_intermediate_test.go +++ /dev/null 
@@ -1,65 +0,0 @@ -package pki - -import ( - "io/ioutil" - "strings" - "testing" - - "github.com/hashicorp/vault/helper/certutil" - "github.com/hashicorp/vault/logical" -) - -func TestPki_SetSignedIntermediate(t *testing.T) { - storage := &logical.InmemStorage{} - config := logical.TestBackendConfig() - config.StorageView = storage - - b := Backend() - _, err := b.Setup(config) - if err != nil { - t.Fatal(err) - } - - // Put cert bundle in inmem storage - privateCertPEM, err := ioutil.ReadFile("test-fixtures/cakey.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - cb := &certutil.CertBundle{} - cb.PrivateKey = string(privateCertPEM) - cb.PrivateKeyType = certutil.RSAPrivateKey - - bundleEntry, err := logical.StorageEntryJSON("config/ca_bundle", cb) - if err != nil { - t.Fatal(err) - } - err = storage.Put(bundleEntry) - if err != nil { - t.Fatal(err) - } - - certValue, err := ioutil.ReadFile("test-fixtures/cacert.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - - req := logical.TestRequest(t, logical.UpdateOperation, "intermediate/set-signed") - req.Data["certificate"] = certValue - req.Storage = storage - - resp, err := b.HandleRequest(req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: err: %v resp: %#v", err, resp) - } - - // Verify that value was written to storage - serial := "5e:21:03:b9:e7:30:b9:af:7e:8f:55:c7:2e:77:28:9f:14:3f:24:17" - storageKey := "certs/" + strings.ToLower(strings.Replace(serial, ":", "-", -1)) - entry, err := storage.Get(storageKey) - if err != nil { - t.Fatal(err) - } - if entry == nil { - t.Fatal("update operation unsucessful, data not written to storage") - } -} diff --git a/builtin/logical/pki/path_issue_sign_test.go b/builtin/logical/pki/path_issue_sign_test.go deleted file mode 100644 index ef3687f607ee..000000000000 --- a/builtin/logical/pki/path_issue_sign_test.go +++ /dev/null 
@@ -1,94 +0,0 @@ -package pki - -import ( - "io/ioutil" - "strings" - "testing" - - "github.com/hashicorp/vault/helper/certutil" - "github.com/hashicorp/vault/logical" - "github.com/hashicorp/vault/logical/framework" -) - -func TestPki_IssueSignCert(t *testing.T) { - storage := &logical.InmemStorage{} - config := logical.TestBackendConfig() - config.StorageView = storage - - b := Backend() - _, err := b.Setup(config) - if err != nil { - t.Fatal(err) - } - - // Place CA cert in storage - rootCAKeyPEM, err := ioutil.ReadFile("test-fixtures/root/rootcakey.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - rootCACertPEM, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - cb := &certutil.CertBundle{} - cb.PrivateKey = string(rootCAKeyPEM) - cb.PrivateKeyType = certutil.RSAPrivateKey - cb.Certificate = string(rootCACertPEM) - - bundleEntry, err := logical.StorageEntryJSON("config/ca_bundle", cb) - if err != nil { - t.Fatal(err) - } - err = storage.Put(bundleEntry) - if err != nil { - t.Fatal(err) - } - - req := &logical.Request{ - Operation: logical.UpdateOperation, - Storage: storage, - } - - ttl := b.System().DefaultLeaseTTL() - role := &roleEntry{ - TTL: ttl.String(), - AllowLocalhost: true, - AllowAnyName: true, - AllowIPSANs: true, - EnforceHostnames: false, - GenerateLease: new(bool), - KeyType: "rsa", - KeyBits: 2048, - UseCSRCommonName: false, - UseCSRSANs: false, - } - *role.GenerateLease = false - - fd := &framework.FieldData{ - Raw: map[string]interface{}{ - "format": "pem", - "common_name": "test.example.com", - }, - Schema: map[string]*framework.FieldSchema{ - "format": &framework.FieldSchema{Type: framework.TypeString}, - "common_name": &framework.FieldSchema{Type: framework.TypeString}, - "exclude_cn_from_sans": &framework.FieldSchema{Type: framework.TypeBool}, - }, - } - - resp, err := b.pathIssueSignCert(req, fd, role, false, false) - if err != nil || (resp != nil && resp.IsError()) { - 
t.Fatalf("bad: err: %v resp: %#v", err, resp) - } - - // Verify that value was written to storage - serial := resp.Data["serial_number"].(string) - storageKey := "certs/" + strings.ToLower(strings.Replace(serial, ":", "-", -1)) - entry, err := storage.Get(storageKey) - if err != nil { - t.Fatal(err) - } - if entry == nil { - t.Fatal("update operation unsucessful, data not written to storage") - } -} diff --git a/builtin/logical/pki/path_root_test.go b/builtin/logical/pki/path_root_test.go deleted file mode 100644 index fcdb1b0102c3..000000000000 --- a/builtin/logical/pki/path_root_test.go +++ /dev/null 
@@ -1,108 +0,0 @@ -package pki - -import ( - "io/ioutil" - "strings" - "testing" - - "github.com/hashicorp/vault/helper/certutil" - "github.com/hashicorp/vault/logical" -) - -func TestPki_CAGenerateRoot(t *testing.T) { - storage := &logical.InmemStorage{} - config := logical.TestBackendConfig() - config.StorageView = storage - - b := Backend() - _, err := b.Setup(config) - if err != nil { - t.Fatal(err) - } - - req := logical.TestRequest(t, logical.UpdateOperation, "root/generate/internal") - req.Storage = storage - req.Data["common_name"] = "test.example.com" - - // resp, err := b.pathCAGenerateRoot(req, fd) - resp, err := b.HandleRequest(req) - if err != nil { - t.Fatalf("error: %s", err) - } - if resp.Error() != nil { - t.Fatalf("logical.Response error: %s", resp.Error()) - } - - // Verify that value was written to storage - serial := resp.Data["serial_number"].(string) - storageKey := "certs/" + strings.ToLower(strings.Replace(serial, ":", "-", -1)) - entry, err := storage.Get(storageKey) - if err != nil { - t.Fatal(err) - } - if entry == nil { - t.Fatal("update operation unsucessful, data not written to storage") - } -} - -func TestPki_CASignIntermediate(t *testing.T) { - storage := &logical.InmemStorage{} - config := logical.TestBackendConfig() - config.StorageView = storage - - b := Backend() - _, err := b.Setup(config) - if err != nil { - t.Fatal(err) - } - - // Place CA cert in storage - rootCAKeyPEM, err := ioutil.ReadFile("test-fixtures/root/rootcakey.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - rootCACertPEM, err := ioutil.ReadFile("test-fixtures/root/rootcacert.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - cb := &certutil.CertBundle{} - cb.PrivateKey = string(rootCAKeyPEM) - cb.PrivateKeyType = certutil.RSAPrivateKey - cb.Certificate = string(rootCACertPEM) - - bundleEntry, err := logical.StorageEntryJSON("config/ca_bundle", cb) - if err != nil { - t.Fatal(err) - } - err = storage.Put(bundleEntry) - if err != nil { - t.Fatal(err) 
- } - - csrPEM, err := ioutil.ReadFile("test-fixtures/root/csr.pem") - if err != nil { - t.Fatalf("err: %v", err) - } - - req := logical.TestRequest(t, logical.UpdateOperation, "root/sign-intermediate") - req.Storage = storage - req.Data["csr"] = string(csrPEM) - req.Data["common_name"] = "test.example.com" - - // resp, err := b.pathCASignIntermediate(req, fd) - resp, err := b.HandleRequest(req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: err: %v resp: %#v", err, resp) - } - - // Verify that value was written to storage - serial := resp.Data["serial_number"].(string) - storageKey := "certs/" + strings.ToLower(strings.Replace(serial, ":", "-", -1)) - entry, err := storage.Get(storageKey) - if err != nil { - t.Fatal(err) - } - if entry == nil { - t.Fatal("update operation unsucessful, data not written to storage") - } -} diff --git a/builtin/logical/pki/test-fixtures/cacert.pem b/builtin/logical/pki/test-fixtures/cacert.pem deleted file mode 100644 index 9d9a3859e53a..000000000000 --- a/builtin/logical/pki/test-fixtures/cacert.pem +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDPjCCAiagAwIBAgIUXiEDuecwua9+j1XHLnconxQ/JBcwDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYwMzU4WhgPMjA2 -NjA0MjAxNjA0MjhaMBYxFDASBgNVBAMTC215dmF1bHQuY29tMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWPjnTqnkc6acah+wWLmdTK0oCrf2687XVhx -VP3IN897TYzkaBQ2Dn1UM2VEL71sE3OZSVm0UWs5n7UqRuDp6mvkvrT2q5zgh/bV -zg9ZL1AI5H7dY2Rsor95I849ymFpXZooMgNtIQLxIeleBwzTnVSkFl8RqKM7NkjZ -wvBafQEjSsYk9050Bu0GMLgFJYRo1LozJLbwIs5ykG5F5PWTMfRvLCgLBzixPb75 -unIJ29nL0yB7zzUdkM8CG1EX8NkjGLEnpRnPa7+RMf8bd10v84cr0JFCUQmoabks -sqVyA825/1we2r5Y8blyXZVIr2lcPyGocLDxz1qT1MqxrNQIywIDAQABo4GBMH8w -DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBTo2I+W -3Wb2MBe3OWuj5qCbafavMB8GA1UdIwQYMBaAFBTo2I+W3Wb2MBe3OWuj5qCbafav -MBwGA1UdEQQVMBOCC215dmF1bHQuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB -AQAyjJzDMzf28yMgiu//2R6LD3+zuLHlfX8+p5JB7WDBT7CgSm89gzMRtD2DvqZQ -6iLbZv/x7Td8bdLsOKf3LDCkZyOygJ0Sr9+6YZdc9heWO8tsO/SbcLhj9/vK8YyV -5fJo+vECW8I5zQLeTKfPqJtTU0zFspv0WYCB96Hsbhd1hTfHmVgjBoxi0YuduAa8 -3EHuYPfTYkO3M4QJCoQ+3S6LXSTDqppd1KGAy7QhRU6shd29EpSVxhgqZ+CIOpZu -3RgPOgPqfqcOD/v/SRPqhRf+P5O5Dc/N4ZXTZtfJbaY0qE+smpeQUskVQ2TrSqha -UYpNk7+toZW3Gioo0lBD3gH2 ------END CERTIFICATE----- \ No newline at end of file diff --git a/builtin/logical/pki/test-fixtures/cakey.pem b/builtin/logical/pki/test-fixtures/cakey.pem deleted file mode 100644 index ecba4754cd9e..000000000000 --- a/builtin/logical/pki/test-fixtures/cakey.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAwWPjnTqnkc6acah+wWLmdTK0oCrf2687XVhxVP3IN897TYzk -aBQ2Dn1UM2VEL71sE3OZSVm0UWs5n7UqRuDp6mvkvrT2q5zgh/bVzg9ZL1AI5H7d -Y2Rsor95I849ymFpXZooMgNtIQLxIeleBwzTnVSkFl8RqKM7NkjZwvBafQEjSsYk -9050Bu0GMLgFJYRo1LozJLbwIs5ykG5F5PWTMfRvLCgLBzixPb75unIJ29nL0yB7 -zzUdkM8CG1EX8NkjGLEnpRnPa7+RMf8bd10v84cr0JFCUQmoabkssqVyA825/1we -2r5Y8blyXZVIr2lcPyGocLDxz1qT1MqxrNQIywIDAQABAoIBAD1pBd9ov8t6Surq -sY2hZUM0Hc16r+ln5LcInbx6djjaxvHiWql+OYgyXimP764lPYuTuspjFPKB1SOU -+N7XDxCkwFeayXXHdDlYtZ4gm5Z9mMVOT+j++8xWdxZaqJ56fmX9zOPM2LuR3paB -L52Xgh9EwHJmMApYAzaCvbu8bU+iHeNTW80xabxQrp9VCu/A1BXUX06jK4T+wmjZ -kDA82uQp3dCOF1tv/10HgwqkJj6/1jjM0XUzUZR6iV85S6jrA7wD7gDDeqNO8YHN -08YMRgTKk4pbA7AqoC5xbL3gbSjsjyw48KRq0FkdkjsgV0PJZRMUU9fv9puDa23K -WRPa8LECgYEAyeth5bVH8FXnVXIAAFU6W0WdgCK3VakhjItLw0eoxshuTwbVq64w -CNOB8y1pfP83WiJjX3qRG43NDW07X69J57YKtCCb6KICVUPmecgYZPkmegD1HBQZ -5+Aak+5pIUQuycQ0t65yHGu4Jsju05gEFgdzydFjNANgiPxRzZxzAkkCgYEA9S+y -ZR063oCQDg/GhMLCx19nCJyU44Figh1YCD6kTrsSTECuRpQ5B1F9a+LeZT2wnYxv -+qMvvV+lfVY73f5WZ567u2jSDIsCH34p4g7sE25lKwo+Lhik6EtOehJFs2ZUemaT -Ym7EjqWlC1whrG7P4MnTGzPOVNAGAxsGPtT58nMCgYAs/R8A2VU//UPfy9ioOlUY -RPiEtjd3BIoPEHI+/lZihAHf5bvx1oupS8bmcbXRPeQNVyAhA+QU6ZFIbpAOD7Y9 -xFe6LpHOUVqHuOs/MxAMX17tTA1QxkHHYi1JzJLr8I8kMW01h86w+mc7bQWZa4Nt -jReFXfvmeOInY2CumS8e0QKBgC23ow/vj1aFqla04lNG7YK3a0LTz39MVM3mItAG -viRgBV1qghRu9uNCcpx3RPijtBbsZMTbQL+S4gyo06jlD79qfZ7IQMJN+SteHvkj -xykoYHzSAB4gQj9+KzffyFdXMVFRZxHnjYb7o/amSzEXyHMlrtNXqZVu5HAXzeZR -V/m5AoGAAStS43Q7qSJSMfMBITKMdKlqCObnifD77WeR2WHGrpkq26300ggsDpMS -UTmnAAo77lSMmDsdoNn2XZmdeTu1CPoQnoZSE5CqPd5GeHA/hhegVCdeYxSXZJoH -Lhiac+AhCEog/MS1GmVsjynD7eDGVFcsJ6SWuam7doKfrpPqPnE= ------END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/builtin/logical/pki/test-fixtures/keys/cert.pem b/builtin/logical/pki/test-fixtures/keys/cert.pem deleted file mode 100644 index 942d26698b12..000000000000 --- a/builtin/logical/pki/test-fixtures/keys/cert.pem +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDtTCCAp2gAwIBAgIUf+jhKTFBnqSs34II0WS1L4QsbbAwDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzQxWhcNMjUw -MTA1MTAyODExWjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxS -TRAVnygAftetT8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGn -SgMld6ZWRhNheZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmi -YYMiIWplidMmMO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5 -donyqtnaHuIJGuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVG -B+5+AAGF5iuHC3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABo4H1 -MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUm++e -HpyM3p708bgZJuRYEdX1o+UwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+o -k5swOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x -OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQuZXhhbXBsZS5jb22HBH8A -AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br -aS9jcmwwDQYJKoZIhvcNAQELBQADggEBABsuvmPSNjjKTVN6itWzdQy+SgMIrwfs -X1Yb9Lefkkwmp9ovKFNQxa4DucuCuzXcQrbKwWTfHGgR8ct4rf30xCRoA7dbQWq4 -aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA -KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN -QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj -xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk= ------END CERTIFICATE----- diff --git a/builtin/logical/pki/test-fixtures/keys/key.pem b/builtin/logical/pki/test-fixtures/keys/key.pem deleted file mode 100644 index add982002acf..000000000000 --- a/builtin/logical/pki/test-fixtures/keys/key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftetT8pu -HflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNheZhA -6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMmMO5N -TRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJGuUd -y54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuHC3N2 -DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABAoIBAHR7fFV0eAGaopsX -9OD0TUGlsephBXb43g0GYHfJ/1Ew18w9oaxszJEqkl+PB4W3xZ3yG3e8ZomxDOhF -RreF2WgG5xOfhDogMwu6NodbArfgnAvoC6JnW3qha8HMP4F500RFVyCRcd6A3Frd -rFtaZn/UyCsBAN8/zkwPeYHayo7xX6d9kzgRl9HluEX5PXI5+3uiBDUiM085gkLI -5Cmadh9fMdjfhDXI4x2JYmILpp/9Nlc/krB15s5n1MPNtn3yL0TI0tWp0WlwDCV7 -oUm1SfIM0F1fXGFyFDcqwoIr6JCQgXk6XtTg31YhH1xgUIclUVdtHqmAwAbLdIhQ -GAiHn2kCgYEAwD4pZ8HfpiOG/EHNoWsMATc/5yC7O8F9WbvcHZQIymLY4v/7HKZb -VyOR6UQ5/O2cztSGIuKSF6+OK1C34lOyCuTSOTFrjlgEYtLIXjdGLfFdtOO8GRQR -akVXdwuzNAjTBaH5eXbG+NKcjmCvZL48dQVlfDTVulzFGbcsVTHIMQUCgYEA7IQI -FVsKnY3KqpyGqXq92LMcsT3XgW6X1BIIV+YhJ5AFUFkFrjrbXs94/8XyLfi0xBQy -efK+8g5sMs7koF8LyZEcAXWZJQduaKB71hoLlRaU4VQkL/dl2B6VFmAII/CsRCYh -r9RmDN2PF/mp98Ih9dpC1VqcCDRGoTYsd7jLalMCgYAMgH5k1wDaZxkSMp1S0AlZ -0uP+/evvOOgT+9mWutfPgZolOQx1koQCKLgGeX9j6Xf3I28NubpSfAI84uTyfQrp -FnRtb79U5Hh0jMynA+U2e6niZ6UF5H41cQj9Hu+qhKBkj2IP+h96cwfnYnZFkPGR -kqZE65KyqfHPeFATwkcImQKBgCdrfhlpGiTWXCABhKQ8s+WpPLAB2ahV8XJEKyXT -UlVQuMIChGLcpnFv7P/cUxf8asx/fUY8Aj0/0CLLvulHziQjTmKj4gl86pb/oIQ3 -xRRtNhU0O+/OsSfLORgIm3K6C0w0esregL/GMbJSR1TnA1gBr7/1oSnw5JC8Ab9W -injHAoGAJT1MGAiQrhlt9GCGe6Ajw4omdbY0wS9NXefnFhf7EwL0es52ezZ28zpU -2LXqSFbtann5CHgpSLxiMYPDIf+er4xgg9Bz34tz1if1rDfP2Qrxdrpr4jDnrGT3 -gYC2qCpvVD9RRUMKFfnJTfl5gMQdBW/LINkHtJ82snAeLl3gjQ4= ------END RSA PRIVATE KEY----- diff --git a/builtin/logical/pki/test-fixtures/keys/pkioutput b/builtin/logical/pki/test-fixtures/keys/pkioutput deleted file mode 100644 index 526ff03167b2..000000000000 --- a/builtin/logical/pki/test-fixtures/keys/pkioutput +++ /dev/null 
@@ -1,74 +0,0 @@ -Key Value -lease_id pki/issue/example-dot-com/d8214077-9976-8c68-9c07-6610da30aea4 -lease_duration 279359999 -lease_renewable false -certificate -----BEGIN CERTIFICATE----- -MIIDtTCCAp2gAwIBAgIUf+jhKTFBnqSs34II0WS1L4QsbbAwDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzQxWhcNMjUw -MTA1MTAyODExWjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxS -TRAVnygAftetT8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGn -SgMld6ZWRhNheZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmi -YYMiIWplidMmMO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5 -donyqtnaHuIJGuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVG -B+5+AAGF5iuHC3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABo4H1 -MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUm++e -HpyM3p708bgZJuRYEdX1o+UwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+o -k5swOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x -OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQuZXhhbXBsZS5jb22HBH8A -AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br -aS9jcmwwDQYJKoZIhvcNAQELBQADggEBABsuvmPSNjjKTVN6itWzdQy+SgMIrwfs -X1Yb9Lefkkwmp9ovKFNQxa4DucuCuzXcQrbKwWTfHGgR8ct4rf30xCRoA7dbQWq4 -aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA -KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN -QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj -xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk= ------END CERTIFICATE----- -issuing_ca -----BEGIN CERTIFICATE----- -MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw -MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 -Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 -z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x 
-AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb -6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH -SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx -7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc -BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA -wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2 -U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa -cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N -ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ -t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk -zehNe5dFTjFpylg1o6b8Ow== ------END CERTIFICATE----- -private_key -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftetT8pu -HflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNheZhA -6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMmMO5N -TRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJGuUd -y54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuHC3N2 -DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABAoIBAHR7fFV0eAGaopsX -9OD0TUGlsephBXb43g0GYHfJ/1Ew18w9oaxszJEqkl+PB4W3xZ3yG3e8ZomxDOhF -RreF2WgG5xOfhDogMwu6NodbArfgnAvoC6JnW3qha8HMP4F500RFVyCRcd6A3Frd -rFtaZn/UyCsBAN8/zkwPeYHayo7xX6d9kzgRl9HluEX5PXI5+3uiBDUiM085gkLI -5Cmadh9fMdjfhDXI4x2JYmILpp/9Nlc/krB15s5n1MPNtn3yL0TI0tWp0WlwDCV7 -oUm1SfIM0F1fXGFyFDcqwoIr6JCQgXk6XtTg31YhH1xgUIclUVdtHqmAwAbLdIhQ -GAiHn2kCgYEAwD4pZ8HfpiOG/EHNoWsMATc/5yC7O8F9WbvcHZQIymLY4v/7HKZb -VyOR6UQ5/O2cztSGIuKSF6+OK1C34lOyCuTSOTFrjlgEYtLIXjdGLfFdtOO8GRQR -akVXdwuzNAjTBaH5eXbG+NKcjmCvZL48dQVlfDTVulzFGbcsVTHIMQUCgYEA7IQI -FVsKnY3KqpyGqXq92LMcsT3XgW6X1BIIV+YhJ5AFUFkFrjrbXs94/8XyLfi0xBQy -efK+8g5sMs7koF8LyZEcAXWZJQduaKB71hoLlRaU4VQkL/dl2B6VFmAII/CsRCYh -r9RmDN2PF/mp98Ih9dpC1VqcCDRGoTYsd7jLalMCgYAMgH5k1wDaZxkSMp1S0AlZ 
-0uP+/evvOOgT+9mWutfPgZolOQx1koQCKLgGeX9j6Xf3I28NubpSfAI84uTyfQrp -FnRtb79U5Hh0jMynA+U2e6niZ6UF5H41cQj9Hu+qhKBkj2IP+h96cwfnYnZFkPGR -kqZE65KyqfHPeFATwkcImQKBgCdrfhlpGiTWXCABhKQ8s+WpPLAB2ahV8XJEKyXT -UlVQuMIChGLcpnFv7P/cUxf8asx/fUY8Aj0/0CLLvulHziQjTmKj4gl86pb/oIQ3 -xRRtNhU0O+/OsSfLORgIm3K6C0w0esregL/GMbJSR1TnA1gBr7/1oSnw5JC8Ab9W -injHAoGAJT1MGAiQrhlt9GCGe6Ajw4omdbY0wS9NXefnFhf7EwL0es52ezZ28zpU -2LXqSFbtann5CHgpSLxiMYPDIf+er4xgg9Bz34tz1if1rDfP2Qrxdrpr4jDnrGT3 -gYC2qCpvVD9RRUMKFfnJTfl5gMQdBW/LINkHtJ82snAeLl3gjQ4= ------END RSA PRIVATE KEY----- -private_key_type rsa diff --git a/builtin/logical/pki/test-fixtures/root/csr.pem b/builtin/logical/pki/test-fixtures/root/csr.pem deleted file mode 100644 index 58ebe0c73668..000000000000 --- a/builtin/logical/pki/test-fixtures/root/csr.pem +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx -ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 -Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 -z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x -AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb -6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH -SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaAAMA0GCSqG -SIb3DQEBBQUAA4IBAQDCQqX/dOU0gUonjSpNocnKx4vKl5M5tdmJ3VExnBpde0tl -KCiRzVFlvQcJp8NPsJeoMzqQEn19BIiBKqgDf1OyeZaj+oDfW3JThsK8Jb8dlOVW -nGvmhNEST0kPsKbHJqyWuseLNtIRFsp5weoHoDIU9WECCxm0UBAMvA2Ltu7Kbu/k -RcHSI5ouBLUhcfb3GqS38xvR9wqAFYcvKZySGjeP+x82GhkeqWCTKYMiMvUUnqOs -EhhWv9qGzyF6mjSnHNqcP6wmHMw1xG1JCIuQbjkYu2EdH1epJaObVv1753uHfskE -R/fii/GlEd+/lSUlHSpcFqz717Gx+1hodkZlQtpl ------END CERTIFICATE REQUEST----- diff --git a/builtin/logical/pki/test-fixtures/root/pkioutput b/builtin/logical/pki/test-fixtures/root/pkioutput deleted file mode 100644 index 312ae18deae8..000000000000 
--- a/builtin/logical/pki/test-fixtures/root/pkioutput +++ /dev/null 
@@ -1,74 +0,0 @@ -Key Value -lease_id pki/root/generate/exported/7bf99d76-dd3e-2c5b-04ce-5253062ad586 -lease_duration 315359999 -lease_renewable false -certificate -----BEGIN CERTIFICATE----- -MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw -MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 -Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 -z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x -AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb -6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH -SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx -7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc -BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA -wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2 -U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa -cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N -ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ -t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk -zehNe5dFTjFpylg1o6b8Ow== ------END CERTIFICATE----- -expiration 1.772072879e+09 -issuing_ca -----BEGIN CERTIFICATE----- -MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw -MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 -Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 -z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x -AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb -6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH 
-SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx -7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc -BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA -wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2 -U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa -cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N -ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ -t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk -zehNe5dFTjFpylg1o6b8Ow== ------END CERTIFICATE----- -private_key -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p -t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3 -BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w -/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv -0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi -18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb -ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn -8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f -nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8 -2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t -grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc -bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9 -0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN -ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf -lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1 -lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj -AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG -ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib -thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU 
-4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb -iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO -tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y -LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc -4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX -OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8= ------END RSA PRIVATE KEY----- -private_key_type rsa -serial_number 6f:98:9d:f8:67:1a:31:e3:27:60:1b:f7:32:f7:53:19:68:a0:c8:9d diff --git a/builtin/logical/pki/test-fixtures/root/root.crl b/builtin/logical/pki/test-fixtures/root/root.crl deleted file mode 100644 index a80c9e4117cb..000000000000 --- a/builtin/logical/pki/test-fixtures/root/root.crl +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN X509 CRL----- -MIIBrjCBlzANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbRcN -MTYwMjI5MDIyOTE3WhcNMjUwMTA1MTAyOTE3WjArMCkCFG+YnfhnGjHjJ2Ab9zL3 -UxlooMidFxExNjAyMjgyMTI5MTctMDUwMKAjMCEwHwYDVR0jBBgwFoAUncSzT/6H -MexyuiU9/7EgHu+ok5swDQYJKoZIhvcNAQELBQADggEBAG9YDXpNe4LJroKZmVCn -HqMhW8eyzyaPak2nPPGCVUnc6vt8rlBYQU+xlBizD6xatZQDMPgrT8sBl9W3ysXk -RUlliHsT/SHddMz5dAZsBPRMJ7pYWLTx8jI4w2WRfbSyI4bY/6qTRNkEBUv+Fk8J -xvwB89+EM0ENcVMhv9ghsUA8h7kOg673HKwRstLDAzxS/uLmEzFjj8SV2m5DbV2Y -UUCKRSV20/kxJMIC9x2KikZhwOSyv1UE1otD+RQvbfAoZPUDmvp2FR/E0NGjBBOg -1TtCPRrl63cjqU3s8KQ4uah9Vj+Cwcu9n/yIKKtNQq4NKHvagv8GlUsoJ4BdAxCw -IA0= ------END X509 CRL----- diff --git a/builtin/logical/pki/test-fixtures/root/rootcacert.pem b/builtin/logical/pki/test-fixtures/root/rootcacert.pem deleted file mode 100644 index dcb307a14011..000000000000 --- a/builtin/logical/pki/test-fixtures/root/rootcacert.pem +++ /dev/null 
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw -MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7 -Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0 -z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x -AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb -6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH -SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx -7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc -BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA -wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2 -U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa -cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N -ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ -t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk -zehNe5dFTjFpylg1o6b8Ow== ------END CERTIFICATE----- diff --git a/builtin/logical/pki/test-fixtures/root/rootcakey.pem b/builtin/logical/pki/test-fixtures/root/rootcakey.pem deleted file mode 100644 index e950da5ba304..000000000000 --- a/builtin/logical/pki/test-fixtures/root/rootcakey.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p -t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3 -BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w -/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv -0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi -18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb -ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn -8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f -nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8 -2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t -grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc -bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9 -0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN -ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf -lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1 -lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj -AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG -ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib -thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU -4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb -iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO -tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y -LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc -4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX -OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8= ------END RSA PRIVATE KEY----- From 74965a87af47099b859552fdf2674038228a2c2e Mon Sep 17 00:00:00 2001 
From: Calvin Leung Huang Date: Fri, 28 Apr 2017 08:55:28 -0400 Subject: [PATCH 08/11] Add test for ca and crl case --- builtin/logical/pki/cert_util_test.go | 46 ++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go index c0c20332fdd3..33cf2210d608 100644 --- a/builtin/logical/pki/cert_util_test.go +++ b/builtin/logical/pki/cert_util_test.go @@ -19,16 +19,14 @@ func TestPki_FetchCertBySerial(t *testing.T) { }{ "valid cert": { &logical.Request{ - Operation: logical.ReadOperation, - Storage: storage, + Storage: storage, }, "certs/", "00:00:00:00:00:00:00:00", }, "revoked cert": { &logical.Request{ - Operation: logical.ReadOperation, - Storage: storage, + Storage: storage, }, "revoked/", "11:11:11:11:11:11:11:11", @@ -82,13 +80,45 @@ func TestPki_FetchCertBySerial(t *testing.T) { } certEntry, err := fetchCertBySerial(tc.Req, tc.Prefix, tc.Serial) + if err != nil || certEntry == nil { + t.Fatalf("error on %s for hyphen-based storage path: err: %v, entry: %v", name, err, certEntry) + } + } + + noConvCases := map[string]struct { + Req *logical.Request + Prefix string + Serial string + }{ + "ca": { + &logical.Request{ + Storage: storage, + }, + "", + "ca", + }, + "crl": { + &logical.Request{ + Storage: storage, + }, + "", + "crl", + }, + } + + // Test for ca and crl case + for name, tc := range noConvCases { + err := storage.Put(&logical.StorageEntry{ + Key: tc.Serial, + Value: []byte("some data"), + }) if err != nil { - t.Fatalf("error on %s for hyphen-based storage path: %s", name, err) + t.Fatalf("error writing to storage on %s: %s", name, err) } - // Check for non-nil on valid/revoked certs - if certEntry == nil { - t.Fatalf("nil on %s for hyphen-based storage path", name) + certEntry, err := fetchCertBySerial(tc.Req, tc.Prefix, tc.Serial) + if err != nil || certEntry == nil { + t.Fatalf("error on %s: err: %v, entry: %v", name, err, certEntry) } } } 
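Review bot: The new ca/crl loop only asserts `err != nil || certEntry == nil`, so a fetch that resolved to some other key would still pass; since the loop just stored `Key: tc.Serial, Value: []byte("some data")`, pin what came back with `if certEntry.Key != tc.Serial || string(certEntry.Value) != "some data" { t.Fatalf("unexpected entry on %s: %+v", name, certEntry) }`. The same applies to the hyphen-path assertion at the top of this hunk, where only non-nil is checked. If the colon-based loop earlier in `TestPki_FetchCertBySerial` (outside this hunk) does not already check that the old colon key is gone after the fetch, a `storage.Get(tc.Prefix + strings.ToLower(tc.Serial))` returning nil would cover the delete half of the migration, which the current assertions do not exercise.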
From 8c03765bb5787c6050a63eb1a4ec7586c286f9d3 Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Tue, 2 May 2017 14:11:57 -0400 Subject: [PATCH 09/11] Use variables for string replacements on cert_util --- builtin/logical/pki/cert_util.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index e632aaa5b492..e15173c76b35 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -188,17 +188,20 @@ func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.St var err error var certEntry *logical.StorageEntry + hyphenSerial := strings.Replace(strings.ToLower(serial), ":", "-", -1) + colonSerial := strings.Replace(strings.ToLower(serial), "-", ":", -1) + switch { // Revoked goes first as otherwise ca/crl get hardcoded paths which fail if // we actually want revocation info case strings.HasPrefix(prefix, "revoked/"): - path = "revoked/" + strings.Replace(strings.ToLower(serial), ":", "-", -1) + path = "revoked/" + hyphenSerial case serial == "ca": path = "ca" case serial == "crl": path = "crl" default: - path = "certs/" + strings.Replace(strings.ToLower(serial), ":", "-", -1) + path = "certs/" + hyphenSerial } certEntry, err = req.Storage.Get(path) @@ -223,9 +226,9 @@ func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.St // If we get here we need to check for old-style paths using colons switch { case strings.HasPrefix(prefix, "revoked/"): - path = "revoked/" + strings.Replace(strings.ToLower(serial), "-", ":", -1) + path = "revoked/" + colonSerial default: - path = "certs/" + strings.Replace(strings.ToLower(serial), "-", ":", -1) + path = "certs/" + colonSerial } certEntry, err = req.Storage.Get(path) From 96bcd50de02134d3c9bef8cae5d6653da083f6f6 Mon Sep 17 00:00:00 2001 
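Review bot: The new `hyphenSerial`/`colonSerial` values are derived from `strings.ToLower(serial)`, but the `case serial == "ca"` and `case serial == "crl"` arms of the switch that follows still compare the raw string, so a serial written as `CA` skips the fixed path and is looked up as `certs/ca` (and then again under the legacy colon path). Hoisting the lowercasing into a single local, `lowerSerial := strings.ToLower(serial)`, deriving both replacements from it, and switching on `case lowerSerial == "ca":` makes the comparison and the path construction agree. Whether callers can actually pass mixed-case serials here is not visible in the hunk; if they can, it is worth a test case alongside the existing ones.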
From: Calvin Leung Huang Date: Wed, 3 May 2017 10:12:58 -0400 Subject: [PATCH 10/11] Include and use normalizeSerial func --- builtin/logical/pki/cert_util.go | 2 +- builtin/logical/pki/cert_util_test.go | 4 ++-- builtin/logical/pki/crl_util.go | 3 +-- builtin/logical/pki/path_intermediate.go | 3 +-- builtin/logical/pki/path_issue_sign.go | 3 +-- builtin/logical/pki/path_root.go | 5 ++--- builtin/logical/pki/util.go | 7 +++++++ 7 files changed, 15 insertions(+), 12 deletions(-) create mode 100644 builtin/logical/pki/util.go diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index e15173c76b35..b14e3b9b726a 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -188,7 +188,7 @@ func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.St var err error var certEntry *logical.StorageEntry - hyphenSerial := strings.Replace(strings.ToLower(serial), ":", "-", -1) + hyphenSerial := normalizeSerial(serial) colonSerial := strings.Replace(strings.ToLower(serial), "-", ":", -1) switch { diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go index 33cf2210d608..068a0a69a757 100644 --- a/builtin/logical/pki/cert_util_test.go +++ b/builtin/logical/pki/cert_util_test.go @@ -55,7 +55,7 @@ func TestPki_FetchCertBySerial(t *testing.T) { } // Ensure that cert serials are converted/updated after fetch - expectedKey := fmt.Sprintf("%s%s", tc.Prefix, strings.Replace(strings.ToLower(tc.Serial), ":", "-", -1)) + expectedKey := tc.Prefix + normalizeSerial(tc.Serial) se, err := storage.Get(expectedKey) if err != nil { t.Fatalf("error on %s for colon-based storage path:%s", name, err) 
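Review bot: In the cert_util.go hunk, `hyphenSerial` now comes from `normalizeSerial(serial)` while `colonSerial` still lowercases and replaces inline, so the legacy key and the new key are produced by two separate normalizations that can drift apart if `normalizeSerial` later gains validation or trimming. Deriving the legacy form from the normalized one, `colonSerial := strings.Replace(hyphenSerial, "-", ":", -1)`, keeps the two keys in lockstep and avoids lowercasing the input twice. A one-line comment such as `// colonSerial is the pre-hyphen storage key, kept only for the migration lookup below` would also tell a later reader why both forms exist.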
@@ -70,7 +70,7 @@ func TestPki_FetchCertBySerial(t *testing.T) { // Test for hyphen-base paths in storage for name, tc := range cases { - storageKey := fmt.Sprintf("%s%s", tc.Prefix, strings.Replace(strings.ToLower(tc.Serial), ":", "-", -1)) + storageKey := tc.Prefix + normalizeSerial(tc.Serial) err := storage.Put(&logical.StorageEntry{ Key: storageKey, Value: []byte("some data"), diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go index dedba708a6be..c40e759aab0f 100644 --- a/builtin/logical/pki/crl_util.go +++ b/builtin/logical/pki/crl_util.go @@ -5,7 +5,6 @@ import ( "crypto/x509" "crypto/x509/pkix" "fmt" - "strings" "time" "github.com/hashicorp/vault/helper/errutil" @@ -87,7 +86,7 @@ func revokeCert(b *backend, req *logical.Request, serial string, fromLease bool) revInfo.RevocationTime = currTime.Unix() revInfo.RevocationTimeUTC = currTime.UTC() - revEntry, err = logical.StorageEntryJSON("revoked/"+strings.ToLower(strings.Replace(serial, ":", "-", -1)), revInfo) + revEntry, err = logical.StorageEntryJSON("revoked/"+normalizeSerial(serial), revInfo) if err != nil { return nil, fmt.Errorf("Error creating revocation entry") } diff --git a/builtin/logical/pki/path_intermediate.go b/builtin/logical/pki/path_intermediate.go index 6887e97ae104..71a04555ebf5 100644 --- a/builtin/logical/pki/path_intermediate.go +++ b/builtin/logical/pki/path_intermediate.go @@ -3,7 +3,6 @@ package pki import ( "encoding/base64" "fmt" - "strings" "github.com/hashicorp/vault/helper/certutil" "github.com/hashicorp/vault/helper/errutil" @@ -197,7 +196,7 @@ func (b *backend) pathSetSignedIntermediate( return nil, err } - entry.Key = "certs/" + strings.ToLower(strings.Replace(cb.SerialNumber, ":", "-", -1)) + entry.Key = "certs/" + normalizeSerial(cb.SerialNumber) entry.Value = inputBundle.CertificateBytes err = req.Storage.Put(entry) if err != nil { 
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go index 3759d4d99c90..feabfdedd83f 100644 --- a/builtin/logical/pki/path_issue_sign.go +++ b/builtin/logical/pki/path_issue_sign.go @@ -3,7 +3,6 @@ package pki import ( "encoding/base64" "fmt" - "strings" "time" "github.com/hashicorp/vault/helper/certutil" @@ -243,7 +242,7 @@ func (b *backend) pathIssueSignCert( if !role.NoStore { err = req.Storage.Put(&logical.StorageEntry{ - Key: "certs/" + strings.ToLower(strings.Replace(cb.SerialNumber, ":", "-", -1)), + Key: "certs/" + normalizeSerial(cb.SerialNumber), Value: parsedBundle.CertificateBytes, }) if err != nil { diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go index c10d462b0751..d02953133cb5 100644 --- a/builtin/logical/pki/path_root.go +++ b/builtin/logical/pki/path_root.go @@ -3,7 +3,6 @@ package pki import ( "encoding/base64" "fmt" - "strings" "github.com/hashicorp/vault/helper/errutil" "github.com/hashicorp/vault/logical" @@ -146,7 +145,7 @@ func (b *backend) pathCAGenerateRoot( // Also store it as just the certificate identified by serial number, so it // can be revoked err = req.Storage.Put(&logical.StorageEntry{ - Key: "certs/" + strings.ToLower(strings.Replace(cb.SerialNumber, ":", "-", -1)), + Key: "certs/" + normalizeSerial(cb.SerialNumber), Value: parsedBundle.CertificateBytes, }) if err != nil { @@ -278,7 +277,7 @@ func (b *backend) pathCASignIntermediate( } err = req.Storage.Put(&logical.StorageEntry{ - Key: "certs/" + strings.ToLower(strings.Replace(cb.SerialNumber, ":", "-", -1)), + Key: "certs/" + normalizeSerial(cb.SerialNumber), Value: parsedBundle.CertificateBytes, }) if err != nil { diff --git a/builtin/logical/pki/util.go b/builtin/logical/pki/util.go new file mode 100644 index 000000000000..3dffb536bd85 --- /dev/null +++ b/builtin/logical/pki/util.go 
@@ -0,0 +1,7 @@ +package pki + +import "strings" + +func normalizeSerial(serial string) string { + return strings.Replace(strings.ToLower(serial), ":", "-", -1) +} From 29e5ce66bbb6b0a113679bb58c8aba1f0de2b959 Mon Sep 17 00:00:00 2001 From: Chris Hoffman Date: Wed, 3 May 2017 14:58:22 -0400 Subject: [PATCH 11/11] Minor readability enhancements for migration path from old to new --- builtin/logical/pki/cert_util.go | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index b14e3b9b726a..df93018d0870 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -184,7 +184,7 @@ func fetchCAInfo(req *logical.Request) (*caInfoBundle, error) { // Allows fetching certificates from the backend; it handles the slightly // separate pathing for CA, CRL, and revoked certificates. func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.StorageEntry, error) { - var path string + var path, legacyPath string var err error var certEntry *logical.StorageEntry @@ -195,12 +195,14 @@ func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.St // Revoked goes first as otherwise ca/crl get hardcoded paths which fail if // we actually want revocation info case strings.HasPrefix(prefix, "revoked/"): + legacyPath = "revoked/" + colonSerial path = "revoked/" + hyphenSerial case serial == "ca": path = "ca" case serial == "crl": path = "crl" default: + legacyPath = "certs/" + colonSerial path = "certs/" + hyphenSerial } 
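Review bot: `normalizeSerial` is the single place every storage key for a certificate is now built from, but it has no doc comment; add `// normalizeSerial returns the storage form of a certificate serial: lowercased, with colons replaced by hyphens.` above the declaration. It also performs no validation, so any character other than a colon passes straight through into the `certs/` or `revoked/` key; if some caller hands it a serial taken from a request path (not visible in this hunk), a value containing `/` or `..` segments would be looked up under a key outside the intended prefix. Rejecting anything that is not hex pairs separated by `:` or `-` at the request boundary, or having this helper return an error for such input, would make the storage key derivation defensible on its own.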
@@ -216,22 +218,12 @@ func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.St } // No point checking these, no old/new style colons/hyphens - if path == "ca" || path == "crl" { + if legacyPath == "" { return nil, nil } - // Save the desired path - desiredPath := path - - // If we get here we need to check for old-style paths using colons - switch { - case strings.HasPrefix(prefix, "revoked/"): - path = "revoked/" + colonSerial - default: - path = "certs/" + colonSerial - } - - certEntry, err = req.Storage.Get(path) + // Retrieve the old-style path + certEntry, err = req.Storage.Get(legacyPath) if err != nil { return nil, errutil.InternalError{Err: fmt.Sprintf("error fetching certificate %s: %s", serial, err)} } @@ -243,11 +235,11 @@ func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.St } // Update old-style paths to new-style paths - certEntry.Key = desiredPath + certEntry.Key = path if err = req.Storage.Put(certEntry); err != nil { return nil, errutil.InternalError{Err: fmt.Sprintf("error saving certificate with serial %s to new location", serial)} } - if err = req.Storage.Delete(path); err != nil { + if err = req.Storage.Delete(legacyPath); err != nil { return nil, errutil.InternalError{Err: fmt.Sprintf("error deleting certificate with serial %s from old location", serial)} }
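Review bot: The new guard `if legacyPath == "" { return nil, nil }` still lets a serial with no colon or hyphen at all fall through to a second `Get`, because then `colonSerial == hyphenSerial` and `legacyPath == path`, so the same key that just returned nil is read again; `if legacyPath == "" || legacyPath == path { return nil, nil }` closes that. The migration that follows the `// Retrieve the old-style path` lookup (the Put to `path` and Delete of `legacyPath` in the next hunk) runs inside a fetch, so a read-only caller triggers storage writes on the first access to a legacy entry; a comment stating that explicitly, e.g. `// Legacy colon-keyed entries are migrated to the hyphen key on first read`, would help whoever audits storage mutations later. If the Delete fails after the Put succeeded the function returns an error even though the entry is already readable at the new path and the legacy copy is left behind, which is presumably acceptable but worth saying in that comment too. `fetchCertBySerial` ends outside this hunk.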