Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Y10K value in notAfter field when signing non-CA certificates #13736

Merged
merged 9 commits into from
Jan 31, 2022
Merged

Support Y10K value in notAfter field when signing non-CA certificates #13736

merged 9 commits into from
Jan 31, 2022

Conversation

gsharris
Copy link
Contributor

Issue #12795 supports the Y10K value through a new "not_after" field to be compliant with the IEEE 802.1AR-2018 standard. The existing PR supports the not_after field when calling the API to generate CA certificates, but is not supported when signing non-CA certificates. This PR enhances the new feature to support signing non-CA certificates through use of the not_after field the same way the existing PR supports signing CA certificates with the not_after field.

@hashicorp-cla
Copy link

hashicorp-cla commented Jan 20, 2022
edited

CLA assistant check
All committers have signed the CLA.

@vercel vercel bot temporarily deployed to Preview – vault-storybook January 20, 2022 22:26 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook January 20, 2022 22:28 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook January 21, 2022 04:53 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook January 21, 2022 05:00 Inactive
@hsimon-hashicorp hsimon-hashicorp added auth/cert Authentication - certificates cryptosec enhancement labels Jan 21, 2022
@hsimon-hashicorp
Copy link
Contributor

Hi @gsharris! Just a note to please sign the CLA. The bot checks to see that your GitHub handle and your email address match, depending on how you submitted the PR, as well as if your "organization" is publicly viewable, in the case of Corporate CLAs. If you could also add a changelog entry, that'd be appreciated too!

@gsharris
Copy link
Contributor Author

Hi @gsharris! Just a note to please sign the CLA. The bot checks to see that your GitHub handle and your email address match, depending on how you submitted the PR, as well as if your "organization" is publicly viewable, in the case of Corporate CLAs. If you could also add a changelog entry, that'd be appreciated too!

Hi @hsimon-hashicorp I have signed the CLA and resolved the merge conflicts. This PR is ready for review, thanks!

rculpepper
rculpepper requested changes Jan 28, 2022
View reviewed changes
Copy link
Contributor

@rculpepper rculpepper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @gsharris! Just one thing: can you add a unit test to verify the new field works with leaf certificates? If you'd like an example to refer to, you can look at this test from the previous PR: https://github.com/hashicorp/vault/pull/12795/files#diff-b2444759cbec0bce772f8da68de238c7cb6e6f065c29b5ab05880124f0ede220R229.

@vercel vercel bot temporarily deployed to Preview – vault-storybook January 31, 2022 17:49 Inactive
@gsharris
Copy link
Contributor Author

Hi, I have added the requested test for using the not_after value for non-CA certificates when using the sign operation (the test for the role operation was already there from the prior PR you referenced).

@vercel vercel bot temporarily deployed to Preview – vault-storybook January 31, 2022 19:30 Inactive
cipherboy
cipherboy suggested changes Jan 31, 2022
View reviewed changes
Copy link
Contributor

@cipherboy cipherboy left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah sorry to bother but I realized the check's failing due to changelog entry. CHANGELOG.md is mostly auto-generated, you'd just need to drop an entry in changelog/13736.txt with value similar to 12795.txt, but with your new entry.

Edit And you added it right as I mentioned it. :-D But I'd still revert the changes to CHANGELOG.md IMO.

@vercel vercel bot temporarily deployed to Preview – vault-storybook January 31, 2022 20:11 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook January 31, 2022 20:17 Inactive
@gsharris
Copy link
Contributor Author

@cipherboy Yes, I saw that job failing right when you said that ;) I have the changelog cleaned up now.

@rculpepper rculpepper merged commit 634e54a into hashicorp:main Jan 31, 2022
@cipherboy
Copy link
Contributor

Thank you for your contribution @gsharris :)

qk4l pushed a commit to qk4l/vault that referenced this pull request Feb 4, 2022
@gsharris
Support Y10K value in notAfter field when signing non-CA certificates (
918d51e 
…hashicorp#13736)

* Support Y10K value in notAfter field when signing non-CA certificates

* Add changelog entry for 13736

* Add test for using not_after parameter for non-CA certificates that are being signed

* Fix CA value for test for not_after value when signing non-CA certs

* Address formatting

* Add changelog file

* Revert changelog entry commit f28b54e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cipherboy cipherboy cipherboy approved these changes

@rculpepper rculpepper rculpepper approved these changes

Assignees
No one assigned
Labels
auth/cert Authentication - certificates cryptosec enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@gsharris @hashicorp-cla @hsimon-hashicorp @cipherboy @rculpepper