consul icon indicating copy to clipboard operation
consul copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

ca: remove unused SigningKey field

Open dnephin opened this issue 3 years ago • 5 comments

Related to #11347

Best viewed by individual commit.

This PR removes the CARoot.SigningKey field, which was only ever used by tests. It also removes the use of CARoot.SigningCert in tests, so that we can re-purpose that field in production to store the leaf signing cert.

The change required updates to a few test helpers, and many tests. Comments inline.

dnephin avatar Dec 22 '21 20:12 dnephin

We may not use it internally but I have used it a few times to verify that the right intermediate had signed a leaf. The cert contains an x509v3 extension which has the authority key id of the key used to sign the cert. This can be correlated with the signing key id in the root.

Not saying that is reason alone to keep it just that we may desire alternative easy means of verifying which cert was the one to sign a leaf.

mkeeler avatar Jan 10 '22 21:01 mkeeler

I have used it a few times to verify that the right intermediate had signed a leaf

I think you're referring to the SigningKeyID , right? We need to keep that field, it is used by clients. The SigningKey field being removed here was never populated outside of tests, so I don't think it could be used for anything.

dnephin avatar Jan 10 '22 21:01 dnephin

hm, the case-wanfed-gw integration tests seem to be broken here. But I don't think this PR broke it -- might need a rebase? Seems a perm issue w the test certs.

Here's a sample container failing to load up (depending on when you click this link, the link may be expired, see circle ci run for the test case and look at artifacts)

==> Failed to load cert/key pair: open /workdir/primary/tls/primary-server-consul-0-key.pem: permission denied

acpana avatar Jan 19 '22 18:01 acpana

Ya, that test failure should be fixed in main. Let me rebase this to be sure.

dnephin avatar Jan 26 '22 23:01 dnephin

CLA assistant check
All committers have signed the CLA.

hashicorp-cla avatar Mar 12 '22 16:03 hashicorp-cla

This pull request has been automatically flagged for inactivity because it has not been acted upon in the last 60 days. It will be closed if no new activity occurs in the next 30 days. Please feel free to re-open to resurrect the change if you feel this has happened by mistake. Thank you for your contributions.

github-actions[bot] avatar Sep 30 '22 01:09 github-actions[bot]

Closing as this is over two years old.

jmurret avatar May 09 '23 23:05 jmurret