Rename intermediary CA to subordinate CA

This refactoring commit renames all occurrences of the term "intermediary CA"
to "subordinate CA" for better alignment with the terms used in RFC-5280 and
other standard documents.

docs/config.sample.yaml

@@ -17,7 +17,7 @@ Settings:
   # define how long CA certificates should be valid
   validity-years:
     root: 20
-    intermediary: 5
+    subordinate: 5
   # URL patterns used for certificate fields. The first %s is replaced with
   # the identifier of a CA certificate
   url-patterns:
@@ -45,7 +45,7 @@ KeyStorage:
     module: /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
     label: smartcard
 
-# CAs defines the CA hierarchy of root and intermediary CA certificates
+# CAs defines the CA hierarchy of root and subordinate CA certificates
 CAs:
   # a root CA, the map key will be used as a label for PKCS11 and URLs
   ecc_root_2022:

pkg/config/config.go

@@ -40,7 +40,7 @@ type Serial struct {
 type Settings struct {
 	Organization  *pkix.Name
 	ValidityYears struct {
-		Root, Intermediary int
+		Root, Subordinate int
 	}
 	URLPatterns struct {
 		Ocsp, CRL, Issuer string
@@ -66,8 +66,8 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
 			PostalCode    []string `yaml:"postal-code"`
 		} `yaml:"organization"`
 		ValidityYears struct {
-			Root         int `yaml:"root"`
-			Intermediary int `yaml:"intermediary"`
+			Root        int `yaml:"root"`
+			Subordinate int `yaml:"subordinate"`
 		} `yaml:"validity-years"`
 		URLPatterns struct {
 			Ocsp   string `yaml:"ocsp"`
@@ -90,13 +90,13 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
 		return SettingsError{"you need to specify 'organization'"}
 	}
 
-	if data.ValidityYears.Root == 0 || data.ValidityYears.Intermediary == 0 {
-		return SettingsError{"you must specify validity years for 'root' and 'intermediary'"}
+	if data.ValidityYears.Root == 0 || data.ValidityYears.Subordinate == 0 {
+		return SettingsError{"you must specify validity years for 'root' and 'subordinate'"}
 	}
 
-	if data.ValidityYears.Root < data.ValidityYears.Intermediary {
+	if data.ValidityYears.Root < data.ValidityYears.Subordinate {
 		return SettingsError{"validity of root CA certificates must be equal or greater than those of" +
-			" intermediary CA certificates"}
+			" subordinate CA certificates"}
 	}
 
 	if data.URLPatterns.Ocsp == "" {
@@ -143,7 +143,7 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
 	s.Organization.PostalCode = data.Organization.PostalCode
 
 	s.ValidityYears.Root = data.ValidityYears.Root
-	s.ValidityYears.Intermediary = data.ValidityYears.Intermediary
+	s.ValidityYears.Subordinate = data.ValidityYears.Subordinate
 
 	s.URLPatterns.Ocsp = data.URLPatterns.Ocsp
 	s.URLPatterns.CRL = data.URLPatterns.CRL
@@ -219,7 +219,7 @@ func (c *SignerConfig) CalculateValidity(cert *CaCertificateEntry, relativeTo ti
 	if cert.IsRoot() {
 		notAfter = notBefore.AddDate(c.global.ValidityYears.Root, 0, 0)
 	} else {
-		notAfter = notBefore.AddDate(c.global.ValidityYears.Intermediary, 0, 0)
+		notAfter = notBefore.AddDate(c.global.ValidityYears.Subordinate, 0, 0)
 	}
 
 	return notBefore, notAfter
@@ -294,17 +294,17 @@ func (c *SignerConfig) RootCAs() []string {
 	return roots
 }
 
-// IntermediaryCAs returns the labels of all configured intermediary CAs
-func (c *SignerConfig) IntermediaryCAs() []string {
-	intermediaries := make([]string, 0)
+// SubordinateCAs returns the labels of all configured subordinate CAs
+func (c *SignerConfig) SubordinateCAs() []string {
+	subordinates := make([]string, 0)
 
 	for label, entry := range c.caMap {
 		if !entry.IsRoot() {
-			intermediaries = append(intermediaries, label)
+			subordinates = append(subordinates, label)
 		}
 	}
 
-	return intermediaries
+	return subordinates
 }
 
 func (c *SignerConfig) GetKeyStorage(label string) (*KeyStorage, error) {

pkg/config/config_test.go

@@ -416,7 +416,7 @@ Settings:
     organization: ["Acme CAs Ltd."]
   validity-years:
     root: 20
-    intermediary: 5
+    subordinate: 5
   url-patterns:
     ocsp: http://ocsp.example.org/
     crl: http://crl.example.org/%s
@@ -473,7 +473,7 @@ Settings:
     organization: ["Acme CAs Ltd."]
   validity-years:
     root: 20
-    intermediary: 5
+    subordinate: 5
   url-patterns:
     ocsp: http://ocsp.example.org/
     crl: http://crl.example.org/%s.crl
@@ -496,7 +496,7 @@ Settings:
     organization: ["Acme CAs Ltd."]
   validity-years:
     root: 20
-    intermediary: 5
+    subordinate: 5
   url-patterns:
     ocsp: http://ocsp.example.org/
     crl: http://crl.example.org/%s.crl
@@ -534,7 +534,7 @@ Settings:
     organization: ["Acme CAs Ltd."]
   validity-years:
     root: 20
-    intermediary: 5
+    subordinate: 5
   url-patterns:
     ocsp: http://ocsp.example.org/
     crl: http://crl.example.org/%s.crl
@@ -582,10 +582,10 @@ func TestSignerConfig_RootCAs(t *testing.T) {
 	assert.Equal(t, roots, []string{"root"})
 }
 
-func TestSignerConfig_IntermediaryCAs(t *testing.T) {
+func TestSignerConfig_SubordinateCAs(t *testing.T) {
 	sc := loadSignerConfig(t)
 
-	cAs := sc.IntermediaryCAs()
+	cAs := sc.SubordinateCAs()
 	assert.ElementsMatch(t, cAs, []string{"sub1", "sub2"})
 }
 
@@ -659,7 +659,7 @@ Settings:
     organization: ["Acme CAs Ltd."]
   validity-years:
     root: 20
-    intermediary: 5
+    subordinate: 5
   url-patterns:
     ocsp: http://ocsp.example.org/%s
     crl: http://crl.example.org/%s.crl
@@ -715,7 +715,7 @@ func TestSettings_UnmarshalYAML(t *testing.T) {
 			yaml: `
 validity-years:
   root: 10
-  intermediary: 5
+  subordinate: 5
 url-patterns:
   ocsp: http://ocsp.example.org/
   crl: http://crl.example.org/%s.crl
@@ -732,7 +732,7 @@ url-patterns:
   crl: http://crl.example.org/%s.crl
   issuer: http://issuer.example.org/%s.crt
 `,
-			errMsg: "invalid Settings you must specify validity years for 'root' and 'intermediary'",
+			errMsg: "invalid Settings you must specify validity years for 'root' and 'subordinate'",
 		},
 		"missing url-patterns": {
 			yaml: `
@@ -740,7 +740,7 @@ organization:
   organization: ["Acme CAs Ltd."]
 validity-years:
   root: 10
-  intermediary: 5
+  subordinate: 5
 `,
 			errMsg: "invalid Settings",
 		},
@@ -750,14 +750,14 @@ organization:
   organization: ["Acme CAs Ltd."]
 validity-years:
   root: 5
-  intermediary: 10
+  subordinate: 10
 url-patterns:
   ocsp: http://ocsp.example.org/
   crl: http://crl.example.org/%s.crl
   issuer: http://issuer.example.org/%s.crt
 `,
 			errMsg: "invalid Settings validity of root CA certificates must be equal or greater than" +
-				" those of intermediary CA certificates",
+				" those of subordinate CA certificates",
 		},
 		"no OCSP pattern": {
 			yaml: ` 
@@ -765,7 +765,7 @@ organization:
   organization: ["Acme CAs Ltd."]
 validity-years:
   root: 10
-  intermediary: 5
+  subordinate: 5
 url-patterns:
   crl: http://crl.example.org/%s.crl
   issuer: http://issuer.example.org/%s.crt
@@ -778,7 +778,7 @@ organization:
   organization: ["Acme CAs Ltd."]
 validity-years:
   root: 10
-  intermediary: 5
+  subordinate: 5
 url-patterns:
   ocsp: http://ocsp.example.org/%s_%s
   crl: http://crl.example.org/%s.crl
@@ -792,7 +792,7 @@ organization:
   organization: ["Acme CAs Ltd."]
 validity-years:
   root: 10
-  intermediary: 5
+  subordinate: 5
 url-patterns:
   ocsp: http://ocsp.example.org/
   issuer: http://issuer.example.org/%s.crt
@@ -805,7 +805,7 @@ organization:
   organization: ["Acme CAs Ltd."]
 validity-years:
   root: 10
-  intermediary: 5
+  subordinate: 5
 url-patterns:
   ocsp: http://ocsp.example.org/
   crl: http://crl.example.org/
@@ -819,7 +819,7 @@ organization:
   organization: ["Acme CAs Ltd."]
 validity-years:
   root: 10
-  intermediary: 5
+  subordinate: 5
 url-patterns:
   crl: http://crl.example.org/%s.crl
   ocsp: http://ocsp.example.org/
@@ -832,7 +832,7 @@ organization:
   organization: ["Acme CAs Ltd."]
 validity-years:
   root: 10
-  intermediary: 5
+  subordinate: 5
 url-patterns:
   ocsp: http://ocsp.example.org/
   crl: http://crl.example.org/%s.crl

pkg/hsm/context_test.go

@@ -178,7 +178,7 @@ Settings:
     organization: ["Acme CAs Ltd."]
   validity-years:
     root: 30
-    intermediary: 10
+    subordinate: 10
   url-patterns:
     ocsp: http://ocsp.example.org/
     crl: http://crl.example.org/%s.crl

pkg/hsm/hsm.go

@@ -84,10 +84,10 @@ func (a *Access) Healthy() (*health.Info, error) {
 		moreInfo[infoKey] = fmt.Sprintf("ok, valid until %s", cert.NotAfter.UTC().Format(time.RFC3339))
 	}
 
-	for _, ca := range a.signerConfig.IntermediaryCAs() {
+	for _, ca := range a.signerConfig.SubordinateCAs() {
 		infoKey := fmt.Sprintf("sub-%s", ca)
 
-		cert, err := a.GetIntermediaryCACertificate(ca)
+		cert, err := a.GetSubordinateCACertificate(ca)
 		if err != nil {
 			healthy = false
 
@@ -269,7 +269,7 @@ func (a *Access) GetRootCACertificate(label string) (*x509.Certificate, error) {
 	return certificate, nil
 }
 
-func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certificate, error) {
+func (a *Access) GetSubordinateCACertificate(certLabel string) (*x509.Certificate, error) {
 	var (
 		certificate *x509.Certificate
 		keyPair     crypto.Signer
@@ -284,7 +284,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
 
 	if caCert.IsRoot() {
 		return nil, fmt.Errorf(
-			"CA definition %s is a root CA definition, intermediary expected",
+			"CA definition %s is a root CA definition, subordinate expected",
 			certLabel,
 		)
 	}
@@ -317,7 +317,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
 	notBefore, notAfter := sc.CalculateValidity(caCert, time.Now())
 	subject := sc.CalculateSubject(caCert)
 
-	certificate, err = a.generateIntermediaryCACertificate(
+	certificate, err = a.generateSubordinateCACertificate(
 		certFile,
 		sc,
 		certLabel,
@@ -361,7 +361,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
 	return certificate, nil
 }
 
-func (a *Access) generateIntermediaryCACertificate(
+func (a *Access) generateSubordinateCACertificate(
 	certFile *caFile,
 	config *config.SignerConfig,
 	certLabel string,
@@ -393,7 +393,7 @@ func (a *Access) generateIntermediaryCACertificate(
 		parent.KeyPair,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("could not create intermediary CA certificate: %w", err)
+		return nil, fmt.Errorf("could not create subordinate CA certificate: %w", err)
 	}
 
 	certBlock := &pem.Block{

pkg/hsm/hsm_test.go

@@ -90,7 +90,7 @@ func TestGetRootCACertificate(t *testing.T) {
 			label:  "unknown",
 			errMsg: "could not get CA definition for label unknown",
 		},
-		"known intermediary": {
+		"known subordinate": {
 			label:  "sub1",
 			errMsg: "CA definition sub1 is not a root CA definition",
 		},
@@ -111,28 +111,28 @@ func TestGetRootCACertificate(t *testing.T) {
 	}
 }
 
-func TestGetIntermediaryCACertificate(t *testing.T) {
+func TestGetSubordinateCACertificate(t *testing.T) {
 	acc := prepareSoftHSM(t)
 
 	testData := map[string]struct {
 		label, errMsg string
 	}{
-		"known intermediary": {
+		"known subordinate": {
 			label: "sub1",
 		},
-		"unknown intermediary": {
+		"unknown subordinate": {
 			label:  "unknown",
 			errMsg: "could not get CA definition for label unknown",
 		},
 		"known root": {
 			label:  "root",
-			errMsg: "CA definition root is a root CA definition, intermediary expected",
+			errMsg: "CA definition root is a root CA definition, subordinate expected",
 		},
 	}
 
 	for name, item := range testData {
 		t.Run(name, func(t *testing.T) {
-			root, err := acc.GetIntermediaryCACertificate(item.label)
+			root, err := acc.GetSubordinateCACertificate(item.label)
 
 			if item.errMsg != "" {
 				assert.ErrorContains(t, err, item.errMsg)
@@ -152,7 +152,7 @@ Settings:
     organization: ["Acme CAs Ltd."]
   validity-years:
     root: 30
-    intermediary: 10
+    subordinate: 10
   url-patterns:
     ocsp: http://ocsp.example.org/
     crl: http://crl.example.org/%s.crl

pkg/hsm/setup.go

@@ -42,15 +42,15 @@ func (a *Access) EnsureCAKeysAndCertificates() error {
 		}
 	}
 
-	for _, label = range conf.IntermediaryCAs() {
-		crt, err := a.GetIntermediaryCACertificate(label)
+	for _, label = range conf.SubordinateCAs() {
+		crt, err := a.GetSubordinateCACertificate(label)
 		if err != nil {
 			return err
 		}
 
 		if a.IsVerbose() {
 			a.infoLog.Printf(
-				"found intermediary CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
+				"found subordinate CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
 				label,
 				crt.Subject,
 				crt.Issuer,
@@ -58,7 +58,7 @@ func (a *Access) EnsureCAKeysAndCertificates() error {
 				crt.NotAfter,
 				crt.SerialNumber)
 		} else {
-			a.infoLog.Printf("found intermediary CA certificate %s: %s", label, crt.Subject.CommonName)
+			a.infoLog.Printf("found subordinate CA certificate %s: %s", label, crt.Subject.CommonName)
 		}
 	}
 

pkg/hsm/setup_test.go

@@ -55,7 +55,7 @@ func TestEnsureCAKeysAndCertificates(t *testing.T) {
 
 	assert.NoError(t, err)
 	assert.Contains(t, output, "found root CA certificate root: Acme CAs root")
-	assert.Contains(t, output, "found intermediary CA certificate sub1: Acme CAs server sub CA")
+	assert.Contains(t, output, "found subordinate CA certificate sub1: Acme CAs server sub CA")
 }
 
 func TestEnsureCAKeysAndCertificates_verbose(t *testing.T) {
@@ -85,5 +85,5 @@ func TestEnsureCAKeysAndCertificates_verbose(t *testing.T) {
 
 	assert.NoError(t, err)
 	assert.Contains(t, output, "found root CA certificate root:\n Subject")
-	assert.Contains(t, output, "found intermediary CA certificate sub1:\n Subject")
+	assert.Contains(t, output, "found subordinate CA certificate sub1:\n Subject")
 }