From fc3173c43d9a6bd8f72f2191e4628dac3b7c534c Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core
Date: Tue, 24 Sep 2024 16:36:15 -0400
Subject: [PATCH] backport of commit 5da8750a9338aab885c82cc380e2f5d7be6249c5 (#28502)

Co-authored-by: Kit Haines
---
 builtin/logical/pki/fields.go | 44 +++++++++++++++-------
 builtin/logical/pki/path_manage_issuers.go | 2 +
 builtin/logical/pki/path_sign_issuers.go | 2 +
 builtin/logical/pki/storage_test.go | 1 +
 4 files changed, 35 insertions(+), 14 deletions(-)

diff --git a/builtin/logical/pki/fields.go b/builtin/logical/pki/fields.go
index 7e666d9c299a..dfeec9df4bb3 100644
--- a/builtin/logical/pki/fields.go
+++ b/builtin/logical/pki/fields.go
@@ -275,20 +275,6 @@ this value.`,
 },
 }
 
- fields["key_usage"] = &framework.FieldSchema{ // Same Name as Leaf-Cert Field, but Description and Default Differ
- Type: framework.TypeCommaStringSlice,
- Default: []string{"CertSign", "CRLSign"},
- Description: `A comma-separated string or list of key usages (not extended
-key usages). Valid values can be found at
-https://golang.org/pkg/crypto/x509/#KeyUsage
--- simply drop the "KeyUsage" part of the name.
-To remove all key usages from being set, set
-this value to an empty list. This defaults to
-CertSign, CRLSign for CAs. If neither of those
-two set, a warning will be thrown. To use the
-issuer for CMPv2, DigitalSignature must be set.`,
- } // TODO: Fix Description Here
-
 fields["serial_number"] = &framework.FieldSchema{
 Type: framework.TypeString,
 Description: `The Subject's requested serial number, if any.
@@ -675,3 +661,33 @@ RSA key-type issuer. Defaults to false.`,
 
 return fields
 }
+
+func addCACertKeyUsage(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+ fields["key_usage"] = &framework.FieldSchema{ // Same Name as Leaf-Cert Field, and CA CSR Field, but Description and Default Differ
+ Type: framework.TypeCommaStringSlice,
+ Default: []string{"CertSign", "CRLSign"},
+ Description: `This list of key usages (not extended key usages) will be
+added to the existing set of key usages, CRL,CertSign, on
+the generated certificate. Valid values can be found at
+https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop
+the "KeyUsage" part of the name. To use the issuer for
+CMPv2, DigitalSignature must be set.`,
+ }
+
+ return fields
+}
+
+func addCaCsrKeyUsage(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+ fields["key_usage"] = &framework.FieldSchema{ // Same Name as Leaf-Cert, CA-Cert Field, but Description and Default Differ
+ Type: framework.TypeCommaStringSlice,
+ Default: []string{},
+ Description: `Specifies key_usage to encode in the certificate signing
+request. This is a comma-separated string or list of key
+usages (not extended key usages). Valid values can be found
+at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply
+drop the "KeyUsage" part of the name. If not set, key
+usage will not appear on the CSR.`,
+ }
+
+ return fields
+}
diff --git a/builtin/logical/pki/path_manage_issuers.go b/builtin/logical/pki/path_manage_issuers.go
index 0a0d4ff21b05..01c0d6653063 100644
--- a/builtin/logical/pki/path_manage_issuers.go
+++ b/builtin/logical/pki/path_manage_issuers.go
@@ -117,6 +117,7 @@ func buildPathGenerateRoot(b *backend, pattern string, displayAttrs *framework.D
 ret.Fields = addCACommonFields(map[string]*framework.FieldSchema{})
 ret.Fields = addCAKeyGenerationFields(ret.Fields)
 ret.Fields = addCAIssueFields(ret.Fields)
+ ret.Fields = addCACertKeyUsage(ret.Fields)
 
 return ret
 }
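Review bot: The new Description in addCACertKeyUsage reads `added to the existing set of key usages, CRL,CertSign, on` — `CRL,CertSign` looks like a typo for `CRLSign, CertSign`, and for a field that decides what a CA certificate is permitted to do the usages should be spelled exactly as the linked Go constants are. The removed text also told operators what an empty list does, whereas the new description no longer says whether passing an empty list clears CertSign and CRLSign or whether they are always kept; this hunk only declares the field, so the enforcing code is not visible here, but the contract belongs in the field doc either way. The two helpers are named inconsistently (`addCACertKeyUsage` vs `addCaCsrKeyUsage`); Go keeps initialisms uniform, so `addCACSRKeyUsage` would match its sibling. Each helper could also carry a doc comment, e.g. `// addCACertKeyUsage registers the key_usage field for the CA certificate generate/sign paths; see the field Description for how the default interacts with caller-supplied values.`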
@@ -197,6 +198,7 @@ extension with CA: true. Only needed as a workaround in some compatibility
 scenarios with Active Directory Certificate Services.`,
 }
+ ret.Fields = addCaCsrKeyUsage(ret.Fields)
 
 // At this time Go does not support signing CSRs using PSS signatures, see
 // https://github.com/golang/go/issues/45990
diff --git a/builtin/logical/pki/path_sign_issuers.go b/builtin/logical/pki/path_sign_issuers.go
index 2367a54a8178..b620ac4bbfb0 100644
--- a/builtin/logical/pki/path_sign_issuers.go
+++ b/builtin/logical/pki/path_sign_issuers.go
@@ -149,6 +149,8 @@ in the above RFC section.`,
 RSA key-type issuer. Defaults to false.`,
 }
 
+ fields = addCACertKeyUsage(fields)
+
 return path
 }
diff --git a/builtin/logical/pki/storage_test.go b/builtin/logical/pki/storage_test.go
index 3ace55e51c12..f51ed6b496d3 100644
--- a/builtin/logical/pki/storage_test.go
+++ b/builtin/logical/pki/storage_test.go
@@ -242,6 +242,7 @@ func genCertBundle(t *testing.T, b *backend, s logical.Storage) *certutil.CertBu
 fields := addCACommonFields(map[string]*framework.FieldSchema{})
 fields = addCAKeyGenerationFields(fields)
 fields = addCAIssueFields(fields)
+ fields = addCACertKeyUsage(fields)
 apiData := &framework.FieldData{
 Schema: fields,
 Raw: map[string]interface{}{
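Review bot: `fields = addCACertKeyUsage(fields)` lets the sign-intermediate path accept a caller-chosen key_usage for a CA certificate, and the field's Description promises that CertSign and CRLSign remain on the result whatever the caller sends. Nothing in this patch shows where that merge is applied, so a reader at this call site cannot tell whether a signing request can end up with a CA certificate lacking CertSign; the enclosing function starts outside the hunk. A short pointer comment at the call site would tie the two together, e.g. `// key_usage is merged with CertSign/CRLSign when the CA cert is built (see <signing-path location>)`, with the placeholder replaced once the enforcing code is confirmed.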
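Review bot: genCertBundle now registers key_usage so the root-generation schema parses with its default, but no test in this patch sends a non-default key_usage through either the generate or the sign-intermediate path and checks the issued certificate's KeyUsage bits. Since this field governs whether a CA certificate may sign certificates and CRLs, a test that supplies a list without CertSign/CRLSign and asserts the behavior the Description documents would pin that contract; as far as this diff shows, only the default value is exercised. genCertBundle starts outside the hunk.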