Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds "raw(/pem)" format to individual cert routes closes #10947 #10948

Merged
merged 1 commit into from Feb 7, 2022
Merged

Adds "raw(/pem)" format to individual cert routes closes #10947 #10948

merged 1 commit into from Feb 7, 2022

Conversation

abriening
Copy link
Contributor

Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.

@hashicorp-cla
Copy link

hashicorp-cla commented Feb 19, 2021
edited

CLA assistant check
All committers have signed the CLA.

@vercel vercel bot temporarily deployed to Preview – vault-storybook February 19, 2021 19:25 Inactive
@vercel vercel bot temporarily deployed to Preview – vault February 19, 2021 19:25 Inactive
@abriening
Copy link
Contributor Author

I did not see any existing tests for the raw(/pem) routes so I didn't add any. The existing builtin/logical/pki/backend_test.go tests are passing. Looks like build-common-layers depends on inaccessible SSH Keys so the build is failing.

@cipherboy
Copy link
Contributor

\o Greetings @abriening, sorry about the delay. We've discussed this PR and are happy to accept it.

Do you have time to add a changelog entry, tests, and docs? Former would probably be something like:

```release-note:improvement
secrets/pki: Add ability to fetch individual certificate DER and PEM
```

Or something similar, in a file named /changelog/10948.txt.

For docs, you could add it to website/content/api-docs/secret/pki.mdx near the top, after Read Certificate.

For tests, in builtin/logical/pki/backend_test.go, you could add one there since the certificate has a known serial number... It looks like req := client.NewRequest("GET", "/pki/cert/f00bar/raw/pem") would do what you need, plus client.RawRequest(req). This'll give you a Response object you can read for the PEM/DER. :-)

Let me know if you're not interested and I'll add these and cherry-pick. Thank you!

@abriening
Copy link
Contributor Author

Will do.

@abriening abriening force-pushed the allow-raw-pem-routes-for-any-cert branch from 528f5e6 to e64a017 Compare February 7, 2022 01:14
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 7, 2022 01:14 Inactive
@abriening
Copy link
Contributor Author

abriening commented Feb 7, 2022
edited

@cipherboy Rebased against master main since it's been a while. Added docs, changelog entry & backend test. Tested directly against the Backend, since that's how most other tests in that suite were running.

Not really needed for this PR but testing content-type == "application/pkix-cert" does have me wondering if that is correct for PEM. Should it be application/x-pem-file? But that's another MR for another day.

@abriening abriening force-pushed the allow-raw-pem-routes-for-any-cert branch from e64a017 to 9af47db Compare February 7, 2022 01:26
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 7, 2022 01:26 Inactive
@abriening abriening force-pushed the allow-raw-pem-routes-for-any-cert branch from 9af47db to 97ce3a5 Compare February 7, 2022 01:30
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 7, 2022 01:30 Inactive
@abriening
Adds "raw(/pem)" format to individual cert routes (hashicorp#10947)
abfeb56 
Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.
@abriening abriening force-pushed the allow-raw-pem-routes-for-any-cert branch from 97ce3a5 to abfeb56 Compare February 7, 2022 14:00
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 7, 2022 14:00 Inactive
@abriening
Copy link
Contributor Author

pushed make fmt change that was failing CI.

@cipherboy cipherboy merged commit 1c7ce15 into hashicorp:main Feb 7, 2022
@cipherboy
Copy link
Contributor

Many thanks for your contribution @abriening! :-)

cipherboy added a commit to cipherboy/vault that referenced this pull request Feb 7, 2022
@cipherboy
Use application/pem-certificate-chain for PEMs
9150abf 
As mentioned in hashicorp#10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy added a commit to cipherboy/vault that referenced this pull request Feb 7, 2022
@cipherboy
Use application/pem-certificate-chain for PEMs
6dc2795 
As mentioned in hashicorp#10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy mentioned this pull request Feb 7, 2022
Merged
@abriening abriening deleted the allow-raw-pem-routes-for-any-cert branch February 7, 2022 20:25
cipherboy added a commit that referenced this pull request Feb 8, 2022
@cipherboy
Use application/pem-certificate-chain for PEMs (#13927)
f267c3a 
* Use application/pem-certificate-chain for PEMs

As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
fairclothjm pushed a commit that referenced this pull request Feb 12, 2022
@abriening @fairclothjm
Adds "raw(/pem)" format to individual cert routes (#10947) (#10948)
dd43a65 
Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.
fairclothjm pushed a commit that referenced this pull request Feb 12, 2022
@cipherboy @fairclothjm
Use application/pem-certificate-chain for PEMs (#13927)
1f151d9 
* Use application/pem-certificate-chain for PEMs

As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cipherboy cipherboy cipherboy approved these changes

@sgmiller sgmiller sgmiller approved these changes

@acahn acahn Awaiting requested review from acahn

@taoism4504 taoism4504 Awaiting requested review from taoism4504

Assignees
No one assigned
Labels
cryptosec secret/pki
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@abriening @hashicorp-cla @cipherboy @sgmiller