
Commit d578daa

author
KEYFACTOR\jkilgall
committed
persist cert chain
1 parent 55d1605 commit d578daa


1 file changed

+14
-8
lines changed


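--- a/backend.go
+++ b/backend.go
@@ -30,7 +30,6 @@ import (
 
 var config map[string]string
 var roles map[string]map[string]bool
-var issuer string
 var issuer_chain []string
 
 // Factory configures and returns backend
@@ -141,8 +140,11 @@ func (b *backend) load(ctx context.Context, req *logical.Request) {
 var certObj interface{}
 jsonutil.DecodeJSON(certBuf.Value, &certObj)
 if certObj != nil {
-issuer_chain = certObj.([]string)
-issuer = issuer_chain[0]
+certArr := certObj.([]interface{})
+issuer_chain = make([]string, len(certArr))
+for k := range certArr {
+issuer_chain[k] = certArr[k].(string)
+}
 }
 }
 }
@@ -246,6 +248,7 @@ func (b *backend) readRole(roleName string) (*logical.Response, error) {
 // Lookup certificate by serial number
 func (b *backend) handleRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 b.load(ctx, req)
+
 // Get and canonicalize serial number from Vault path
 path := data.Get("path").(string)
 path = strings.ReplaceAll(path, "-","")
@@ -383,13 +386,12 @@ func (b* backend) submitCSR(csr string) ([]string, string, error) {
 b.store[serial] = []byte(certs[0])
 
 // Retain the issuer cert for calls to "vault read keyfactor/cert/ca" - TODO Get via Keyfactor API
-issuer = certs[1]
 issuer_chain = certs[1:]
 
 return certs, serial, nil
 }
 
-func (b *backend) requestCert(req *logical.Request, data *framework.FieldData, role string) (*logical.Response, error) {
+func (b *backend) requestCert(ctx context.Context, req *logical.Request, data *framework.FieldData, role string) (*logical.Response, error) {
 arg, _ := json.Marshal(req.Data)
 b.Logger().Debug(string(arg))
 cn := ""
@@ -426,6 +428,7 @@ func (b *backend) requestCert(req *logical.Request, data *framework.FieldData, r
 if err != nil {
 return nil, fmt.Errorf("Could not enroll certificate: {{err}}", err)
 }
+b.save(ctx, req)
 
 // Conform response to Vault PKI API
 response := &logical.Response{
@@ -443,10 +446,13 @@ func (b *backend) requestCert(req *logical.Request, data *framework.FieldData, r
 }
 
 func (b* backend) getCACert() (*logical.Response, error) {
-b.Logger().Debug("issuer: " + issuer)
+if len(issuer_chain) == 0 {
+return nil, fmt.Errorf("CA certificate unknown")
+}
+b.Logger().Debug("issuer: " + issuer_chain[0])
 response := &logical.Response{
 Data: map[string]interface{}{
-"certificate": issuer,
+"certificate": issuer_chain[0],
 },
 }
 return response, nil
@@ -502,7 +508,7 @@ func (b *backend) handleWrite(ctx context.Context, req *logical.Request, data *f
 if !b.checkRoleExists(path[1]) {
 return nil, fmt.Errorf("Cannot find provided role")
 }
-return b.requestCert(req, data, path[1])
+return b.requestCert(ctx, req, data, path[1])
 }
 
 // Sign a CSR that's provided to vault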

0 commit comments

Comments
 (0)