From 95f98896c76c1b8290afc9dcbdc2cb4aea137b5c Mon Sep 17 00:00:00 2001
From: "Steven E. Harris"
Date: Mon, 17 Oct 2022 12:12:16 -0400
Subject: [PATCH] promote-keypair: Block items without certificates

Forbid the "kops promote keypair" command from promoting a key pair item that lacks an associated X.509 certificate. Along with that prohibition, refuse to store a key set in a VFS whose primary key pair lacks a certificate. This allows us to continue storing such key pairs, but we will never allow them to serve as the primary key pair within the containing key set.
---
 cmd/kops/promote_keypair.go | 13 ++++++++-----
 upup/pkg/fi/vfs_castore.go | 3 +++
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/cmd/kops/promote_keypair.go b/cmd/kops/promote_keypair.go
index c8e42753f6..4dd6f109db 100644
--- a/cmd/kops/promote_keypair.go
+++ b/cmd/kops/promote_keypair.go
@@ -162,17 +162,17 @@ func promoteKeypair(out io.Writer, name string, keypairID string, keyStore fi.CA
 }
 if keypairID == "" {
- highestTrustedId := big.NewInt(0)
+ highestCandidateId := big.NewInt(0)
 for id, item := range keyset.Items {
- if item.PrivateKey != nil && item.DistrustTimestamp == nil {
+ if item.PrivateKey != nil && item.DistrustTimestamp == nil && item.Certificate != nil {
 itemId, ok := big.NewInt(0).SetString(id, 10)
- if ok && highestTrustedId.Cmp(itemId) < 0 {
- highestTrustedId = itemId
+ if ok && highestCandidateId.Cmp(itemId) < 0 {
+ highestCandidateId = itemId
 }
 }
 }
- keypairID = highestTrustedId.String()
+ keypairID = highestCandidateId.String()
 if keypairID == keyset.Primary.Id {
 fmt.Fprintf(out, "No %s keypair newer than current primary %s\n", name, keypairID)
 return nil
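Review bot: When no item satisfies the tightened condition on the `if item.PrivateKey != nil && item.DistrustTimestamp == nil && item.Certificate != nil` line, `highestCandidateId` stays at 0 and `keypairID` becomes `"0"`, an ID that need not exist in `keyset.Items`; the only guard that follows in the hunk is the comparison with `keyset.Primary.Id`, so unless the code after the hunk re-validates the ID, promotion proceeds with a bogus one. I would add, directly after the loop, `if highestCandidateId.Sign() == 0 { return fmt.Errorf("no trusted %s keypair with a certificate is available to promote", name) }`. The `No %s keypair newer than current primary` message is also now slightly misleading, since a newer trusted item may exist and merely lack a certificate; "No eligible %s keypair newer than current primary" would be more accurate. Note that the new condition is presence-only and does not verify that the certificate's public key corresponds to the private key — presumably the pki layer enforces that on load, but a comment saying so would help. promoteKeypair begins before and continues after this hunk.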
@@ -184,6 +184,9 @@ func promoteKeypair(out io.Writer, name string, keypairID string, keyStore fi.CA
 if item.PrivateKey == nil {
 return fmt.Errorf("keypair has no private key")
 }
+ if item.Certificate == nil {
+ return fmt.Errorf("keypair has no certificate")
+ }
 } else {
 return fmt.Errorf("keypair not found")
 }
diff --git a/upup/pkg/fi/vfs_castore.go b/upup/pkg/fi/vfs_castore.go
index 43960d02a2..c05a562b61 100644
--- a/upup/pkg/fi/vfs_castore.go
+++ b/upup/pkg/fi/vfs_castore.go
@@ -347,6 +347,9 @@ func (c *VFSCAStore) StoreKeyset(name string, keyset *Keyset) error {
 if keyset.Items[primaryId].PrivateKey == nil {
 return fmt.Errorf("keyset's primary id %q must have a private key", primaryId)
 }
+ if keyset.Items[primaryId].Certificate == nil {
+ return fmt.Errorf("keyset's primary id %q must have a certificate", primaryId)
+ }
 {
 p := c.buildPrivateKeyPoolPath(name)
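Review bot: The explicit-ID path now requires a private key and a certificate, but nothing visible in this hunk rejects an item whose `DistrustTimestamp` is set, whereas the automatic selection earlier in the function explicitly excludes distrusted items; unless the lines between the two hunks already check this, `kops promote keypair` with an explicit ID could put a distrusted key back into service as the primary. I would add, ahead of the `item.PrivateKey == nil` check, `if item.DistrustTimestamp != nil { return fmt.Errorf("keypair %q is distrusted", keypairID) }`. The two error messages would also be more actionable with the ID included, e.g. `return fmt.Errorf("keypair %q has no certificate", keypairID)`. The enclosing `else` branch and promoteKeypair itself start before this hunk.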
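Review bot: This check runs on every StoreKeyset, not only on promotion, so a keyset that was persisted earlier with a certificate-less primary (the commit message says such items remain storable) will fail to save again on any later mutation — adding or distrusting another item — until an operator promotes a different item, and the error should point at that remedy: `return fmt.Errorf("keyset's primary id %q must have a certificate; promote a keypair that has one", primaryId)`. As a style point, `keyset.Items[primaryId]` is now dereferenced twice in a row; hoisting `primary := keyset.Items[primaryId]` above the two checks reads better, assuming the presence of the primary in `Items` is verified above the hunk as the direct field access implies. StoreKeyset starts before and continues after this hunk.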