Add GetFullCaChain method to PKI issuer (hashicorp#27451)

kosmos-education · Jun 11, 2024 · 405a3f4 · 405a3f4
1 parent 495d617
commit 405a3f4
Showing 1 changed file with 30 additions and 1 deletion.
diff --git a/builtin/logical/pki/issuing/issuers.go b/builtin/logical/pki/issuing/issuers.go
@@ -4,6 +4,7 @@
 package issuing
 
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"fmt"
@@ -139,15 +140,43 @@ type IssuerEntry struct {
 	Version              uint                      `json:"version"`
 }
 
+// GetCertificate returns a x509.Certificate of the CA certificate
+// represented by this issuer.
 func (i IssuerEntry) GetCertificate() (*x509.Certificate, error) {
-	cert, err := parsing.ParseCertificateFromBytes([]byte(i.Certificate))
+	cert, err := parsing.ParseCertificateFromString(i.Certificate)
 	if err != nil {
 		return nil, errutil.InternalError{Err: fmt.Sprintf("unable to parse certificate from issuer: %s: %v", err.Error(), i.ID)}
 	}
 
 	return cert, nil
 }
 
+// GetFullCaChain returns a slice of x509.Certificate values of this issuer full ca chain,
+// which starts with the CA certificate represented by this issuer followed by the entire CA chain
+func (i IssuerEntry) GetFullCaChain() ([]*x509.Certificate, error) {
+	var chains []*x509.Certificate
+	issuerCert, err := i.GetCertificate()
+	if err != nil {
+		return nil, err
+	}
+
+	chains = append(chains, issuerCert)
+
+	for rangeI, chainVal := range i.CAChain {
+		parsedChainVal, err := parsing.ParseCertificateFromString(chainVal)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing issuer %s ca chain index value [%d]: %w", i.ID, rangeI, err)
+		}
+
+		if bytes.Equal(parsedChainVal.Raw, issuerCert.Raw) {
+			continue
+		}
+		chains = append(chains, parsedChainVal)
+	}
+
+	return chains, nil
+}
+
 func (i IssuerEntry) EnsureUsage(usage IssuerUsage) error {
 	// We want to spit out a nice error message about missing usages.
 	if i.Usage.HasUsage(usage) {