
Vault 11795 vault cli verify sign #18437

Merged (9 commits), Jan 26, 2023

Conversation

@kitography (Contributor) commented Dec 16, 2022

New PKI CLI command that allows someone to check the relationship between a potential issuer and a certificate it potentially issued.

[x] Tests Added - more ideas welcome
[x] Help (man?) pages exist

Functionality Test:

kit@kit-Q44CF1473K vault % vault pki verify-sign pki_root/issuer/default pki_root/issuer/default
issuer:pki_root/issuer/default
issued:pki_root/issuer/default

field              value
-----              -----
key_id_match       true
signature_match    true
subject_match      true
path_match         true
trust_match        true


kit@kit-Q44CF1473K vault %

Docs to come in a separate PR.
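As an added example (not code from this PR or from Vault itself), the following shows what the three certificate-level checks reported in the output above amount to when done with Go's standard library: key_id_match compares the issued certificate's Authority Key Identifier with the issuer's Subject Key Identifier, signature_match is x509.Certificate.CheckSignatureFrom, and subject_match compares the issued certificate's Issuer DN with the issuer's Subject DN. path_match and trust_match are not modelled, since they depend on Vault's issuer storage rather than on the two certificates. The names VerifySignBetween, VerifyResult, newCA, newLeaf and BuildFixtures, the DNs "Example Root CA" and "svc.example.internal", and the look-alike CA are all assumptions constructed for this demonstration; the look-alike root carries the same DN as the real root but a different key, to show that a subject match on its own proves nothing about who signed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyResult mirrors the certificate-only checks in the PR's output (key_id_match,
// signature_match, subject_match); path_match and trust_match need Vault's issuer storage.
type VerifyResult struct{ KeyIDMatch, SignatureMatch, SubjectMatch bool }
func parsePEMCert(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// VerifySignBetween (illustrative, not Vault's verifySignBetween) decides from the two
// certificates alone whether issuerPEM issued issuedPEM; the error comes last, per Go convention.
func VerifySignBetween(issuerPEM, issuedPEM string) (VerifyResult, error) {
	issuer, err := parsePEMCert(issuerPEM)
	if err != nil {
		return VerifyResult{}, fmt.Errorf("unable to parse issuer: %w", err)
	}
	issued, err := parsePEMCert(issuedPEM)
	if err != nil {
		return VerifyResult{}, fmt.Errorf("unable to parse issued cert: %w", err)
	}
	return VerifyResult{
		// key_id_match: the issued cert's AKI names the issuer's SKI; a missing AKI is no match.
		KeyIDMatch: len(issued.AuthorityKeyId) > 0 && bytes.Equal(issued.AuthorityKeyId, issuer.SubjectKeyId),
		// signature_match: the issuer's key verifies the signature and the issuer is a CA allowed
		// to sign certificates (CheckSignatureFrom also enforces basicConstraints and keyUsage).
		SignatureMatch: issued.CheckSignatureFrom(issuer) == nil,
		// subject_match: issued.Issuer equals issuer.Subject, compared as raw DER bytes.
		SubjectMatch: bytes.Equal(issued.RawIssuer, issuer.RawSubject),
	}, nil
}

// must panics on error; acceptable below because everything from here on is constructed demo data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func toPEM(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// newCA makes a self-signed CA whose AKI equals its SKI, as in the root-vs-root run above.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, string) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ski := sha1.Sum(must(x509.MarshalPKIXPublicKey(&key.PublicKey))) // key-derived identifier
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: ski[:], AuthorityKeyId: ski[:],
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key, toPEM(der)
}
// newLeaf issues an end-entity cert; CreateCertificate copies the parent's SKI into the
// leaf's AKI and the parent's Subject into the leaf's Issuer, which the checks above rely on.
func newLeaf(parent *x509.Certificate, parentKey *ecdsa.PrivateKey) string {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "svc.example.internal"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return toPEM(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))
}

// BuildFixtures returns PEMs for the real root, a leaf it signed, and a look-alike root with
// the same DN but a different key: subject_match alone says nothing about who really signed.
func BuildFixtures() (rootPEM, leafPEM, lookalikePEM string) {
	root, rootKey, rootPEM := newCA("Example Root CA")
	_, _, lookalikePEM = newCA("Example Root CA")
	return rootPEM, newLeaf(root, rootKey), lookalikePEM
}

func main() {
	root, leaf, lookalike := BuildFixtures()
	fmt.Println(VerifySignBetween(root, leaf))      // {true true true} <nil>
	fmt.Println(VerifySignBetween(root, root))      // {true true true} <nil>
	fmt.Println(VerifySignBetween(lookalike, leaf)) // {false false true} <nil>
}
```

The look-alike run is the case worth remembering: the Issuer DN on the leaf names the rogue root exactly, so subject_match is true, but the AKI points at a different key and the signature does not verify. Comparing the raw DER of the DNs (RawIssuer/RawSubject) rather than their string forms avoids false mismatches from DN canonicalisation, and treating a missing AKI as no match keeps key_id_match from being vacuously true.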

@kitography kitography requested a review from a team December 16, 2022 15:33
@cipherboy (Contributor) commented:

Looking like a good start!

@kitography kitography self-assigned this Jan 25, 2023
@kitography kitography requested a review from cipherboy January 25, 2023 20:49
@cipherboy (Contributor) left a comment:

I'd like Steve to take a look still, but I think this addresses my earlier review feedback. Looking good!

return 0
}

func verifySignBetween(client *api.Client, issuerPath string, issuedPath string) (error, map[string]bool) {
Contributor commented:

A nit for a future PR: Go return arg order is typically reversed, with the error/ok boolean being the last item.

@stevendpclark (Contributor) left a comment:

Looks great, a few nits but nothing preventing merging.

return fmt.Errorf("error: unable to fetch issuer %v: %w", issuerPath, err), nil
}
if len(issuedPath) <= 2 {
return fmt.Errorf(fmt.Sprintf("%v", issuedPath)), nil
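Review bot: the guard `if len(issuedPath) <= 2` returns `fmt.Errorf(fmt.Sprintf("%v", issuedPath))`, an error whose entire message is the path itself, so the caller gets no hint of what was wrong with it; and because the path ends up as the format string, a path containing `%` is mangled and newer `go vet` releases flag the non-constant format. Use a constant format with the path as an argument, in the style of the `unable to fetch issuer %v` message just above, e.g. `return fmt.Errorf("issued path %q is too short", issuedPath), nil`.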
Contributor commented:

nit: no need for fmt.Sprintf within a fmt.Errorf


pathMatch := false
for _, cert := range caChain {
if strings.TrimSpace(cert) == strings.TrimSpace(issuerCertPem) { // TODO: Decode into ASN1 to Check
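Review bot: the chain-membership test on this line compares trimmed PEM text (`strings.TrimSpace(cert) == strings.TrimSpace(issuerCertPem)`), so the same certificate serialized with different line wrapping, CRLF line endings, or a comment before the `-----BEGIN CERTIFICATE-----` header fails to match and path_match reports false for a genuine chain member. Decoding both sides with `pem.Decode` and comparing `block.Bytes` with `bytes.Equal` (or parsing with `x509.ParseCertificate` and comparing `Raw`) removes the dependence on text formatting, which is what the TODO on this line asks for.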
Contributor commented:

nit: Was this a future TODO or does this need to be addressed sooner? Similar for the TODO below on line 177

@kitography kitography merged commit be967f2 into main Jan 26, 2023