Fixes for bugs related to rendering certificate templates from defaults and variables.

2025-07-28 21:26:52 +02:00
parent 71412ace5e
commit 9d226df44f

24
ca.go

@@ -412,8 +412,9 @@ func InitCA() error {
NotBefore: now, NotBefore: now,
NotAfter: now.Add(validity), NotAfter: now.Add(validity),
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
BasicConstraintsValid: true, BasicConstraintsValid: true, // This is a CA certificate
IsCA: true, IsCA: true, // This is a CA certificate
MaxPathLenZero: true, // Allow issuing end-entity certificates
} }
// Add email if present // Add email if present
if caConfig.Email != "" { if caConfig.Email != "" {
@@ -517,6 +518,8 @@ func issueSingleCertificate(def CertificateDefinition) error {
NotBefore: dateIssued, NotBefore: dateIssued,
NotAfter: expires, NotAfter: expires,
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
IsCA: false,
BasicConstraintsValid: true,
} }
for _, s := range def.SAN { for _, s := range def.SAN {
@@ -584,6 +587,7 @@ Certificate:
def.SAN, def.SAN,
) )
} }
caState.UpdateCAStateAfterIssue( caState.UpdateCAStateAfterIssue(
caConfig.SerialType, caConfig.SerialType,
def.Name, def.Name,
@@ -624,26 +628,26 @@ func ProvisionCertificates(filePath string, overwrite bool, dryRun bool, verbose
// Loop through all certificate definitions // Loop through all certificate definitions
// to render templates and fill missing fields from defaults // to render templates and fill missing fields from defaults
for _, def := range certDefs.Certificates { for i := range certDefs.Certificates {
// Fill missing fields from defaults, if provided // Fill missing fields from defaults, if provided
def.FillDefaultValues(certDefs.Defaults) certDefs.Certificates[i].FillDefaultValues(certDefs.Defaults)
// Render templates in the definition using the variables map // Render templates in the definition using the variables map
// with added definition name. // with added definition name.
variables := certDefs.Variables variables := certDefs.Variables
if variables == nil { if variables == nil {
variables = make(map[string]string) variables = make(map[string]string)
} }
variables["Name"] = def.Name variables["Name"] = certDefs.Certificates[i].Name
err = def.RenderTemplates(variables) err = certDefs.Certificates[i].RenderTemplates(variables)
if err != nil { if err != nil {
return fmt.Errorf("failed to render templates for certificate %s: %v", def.Name, err) return fmt.Errorf("failed to render templates for certificate %s: %v", certDefs.Certificates[i].Name, err)
} }
} }
n := len(certDefs.Certificates) n := len(certDefs.Certificates)
// No errors so far, now we can issue certificates // No errors so far, now we can issue certificates
for i, def := range certDefs.Certificates { for i := range certDefs.Certificates {
fmt.Printf("[%d/%d] Issuing %s... ", i+1, n, def.Name) fmt.Printf("[%d/%d] Issuing %s... ", i+1, n, certDefs.Certificates[i].Name)
if dryRun { if dryRun {
fmt.Printf("(dry run)\n") fmt.Printf("(dry run)\n")
@@ -651,7 +655,7 @@ func ProvisionCertificates(filePath string, overwrite bool, dryRun bool, verbose
continue continue
} }
err = issueSingleCertificate(def) err = issueSingleCertificate(certDefs.Certificates[i])
if err != nil { if err != nil {
fmt.Printf("error: %v\n", err) fmt.Printf("error: %v\n", err)
errors++ errors++