From 82a1284073bbfcbb9a655c1197dfb4dd5e485980 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Wed, 3 Aug 2022 16:01:06 +0200
Subject: [PATCH] Rename intermediary CA to subordinate CA
This refactoring commit renames all occurrences of the term "intermediary CA" to "subordinate CA" for better alignment with the terms used in RFC-5280 and other standard documents.
---
 docs/config.sample.yaml | 4 ++--
 pkg/config/config.go | 28 ++++++++++++++--------------
 pkg/config/config_test.go | 36 ++++++++++++++++++------------------
 pkg/hsm/context_test.go | 2 +-
 pkg/hsm/hsm.go | 14 +++++++-------
 pkg/hsm/hsm_test.go | 14 +++++++-------
 pkg/hsm/setup.go | 8 ++++----
 pkg/hsm/setup_test.go | 4 ++--
 8 files changed, 55 insertions(+), 55 deletions(-)
diff --git a/docs/config.sample.yaml b/docs/config.sample.yaml
index 553a81d..3995e96 100644
--- a/docs/config.sample.yaml
+++ b/docs/config.sample.yaml
@@ -17,7 +17,7 @@ Settings:
 # define how long CA certificates should be valid
 validity-years:
 root: 20
- intermediary: 5
+ subordinate: 5
 # URL patterns used for certificate fields. The first %s is replaced with
 # the identifier of a CA certificate
 url-patterns:
@@ -45,7 +45,7 @@ KeyStorage:
 module: /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
 label: smartcard
-# CAs defines the CA hierarchy of root and intermediary CA certificates
+# CAs defines the CA hierarchy of root and subordinate CA certificates
 CAs:
 # a root CA, the map key will be used as a label for PKCS11 and URLs
 ecc_root_2022:
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 435529d..a09647f 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -40,7 +40,7 @@ type Serial struct {
 type Settings struct {
 Organization *pkix.Name
 ValidityYears struct {
- Root, Intermediary int
+ Root, Subordinate int
 }
 URLPatterns struct {
 Ocsp, CRL, Issuer string
@@ -66,8 +66,8 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
 PostalCode []string `yaml:"postal-code"`
 } `yaml:"organization"`
 ValidityYears struct {
- Root int `yaml:"root"`
- Intermediary int `yaml:"intermediary"`
+ Root int `yaml:"root"`
+ Subordinate int `yaml:"subordinate"`
 } `yaml:"validity-years"`
 URLPatterns struct {
 Ocsp string `yaml:"ocsp"`
@@ -90,13 +90,13 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
 return SettingsError{"you need to specify 'organization'"}
 }
- if data.ValidityYears.Root == 0 || data.ValidityYears.Intermediary == 0 {
- return SettingsError{"you must specify validity years for 'root' and 'intermediary'"}
+ if data.ValidityYears.Root == 0 || data.ValidityYears.Subordinate == 0 {
+ return SettingsError{"you must specify validity years for 'root' and 'subordinate'"}
 }
- if data.ValidityYears.Root < data.ValidityYears.Intermediary {
+ if data.ValidityYears.Root < data.ValidityYears.Subordinate {
 return SettingsError{"validity of root CA certificates must be equal or greater than those of" +
- " intermediary CA certificates"}
+ " subordinate CA certificates"}
 }
 if data.URLPatterns.Ocsp == "" {
@@ -143,7 +143,7 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
 s.Organization.PostalCode = data.Organization.PostalCode
 s.ValidityYears.Root = data.ValidityYears.Root
- s.ValidityYears.Intermediary = data.ValidityYears.Intermediary
+ s.ValidityYears.Subordinate = data.ValidityYears.Subordinate
 s.URLPatterns.Ocsp = data.URLPatterns.Ocsp
 s.URLPatterns.CRL = data.URLPatterns.CRL
@@ -219,7 +219,7 @@ func (c *SignerConfig) CalculateValidity(cert *CaCertificateEntry, relativeTo ti
 if cert.IsRoot() {
 notAfter = notBefore.AddDate(c.global.ValidityYears.Root, 0, 0)
 } else {
- notAfter = notBefore.AddDate(c.global.ValidityYears.Intermediary, 0, 0)
+ notAfter = notBefore.AddDate(c.global.ValidityYears.Subordinate, 0, 0)
 }
 return notBefore, notAfter
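Review bot: Changing the struct tag from `yaml:"intermediary"` to `yaml:"subordinate"` silently breaks every existing config file, and the commit adds no compatibility path: a deployment that still writes `intermediary: 5` will (assuming the decoder is not run with KnownFields enabled) leave Subordinate at 0 and fail at startup with "you must specify validity years for 'root' and 'subordinate'", with nothing pointing the operator at the renamed key. Consider carrying the old key as a deprecated alias for one release by keeping `Intermediary int \`yaml:"intermediary"\`` next to the new field and, before the zero check, adding `if data.ValidityYears.Subordinate == 0 { data.ValidityYears.Subordinate = data.ValidityYears.Intermediary }` together with a deprecation warning. If an alias is not wanted, the rename should at least be called out in the upgrade notes so the config change is not discovered only by the startup failure. The body of UnmarshalYAML continues outside this hunk.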
@@ -294,17 +294,17 @@ func (c *SignerConfig) RootCAs() []string {
 return roots
 }
-// IntermediaryCAs returns the labels of all configured intermediary CAs
-func (c *SignerConfig) IntermediaryCAs() []string {
- intermediaries := make([]string, 0)
+// SubordinateCAs returns the labels of all configured subordinate CAs
+func (c *SignerConfig) SubordinateCAs() []string {
+ subordinates := make([]string, 0)
 for label, entry := range c.caMap {
 if !entry.IsRoot() {
- intermediaries = append(intermediaries, label)
+ subordinates = append(subordinates, label)
 }
 }
- return intermediaries
+ return subordinates
 }
 func (c *SignerConfig) GetKeyStorage(label string) (*KeyStorage, error) {
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 658750a..4c0c798 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -416,7 +416,7 @@ Settings:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 20
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s
@@ -473,7 +473,7 @@ Settings:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 20
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s.crl
@@ -496,7 +496,7 @@ Settings:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 20
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s.crl
@@ -534,7 +534,7 @@ Settings:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 20
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s.crl
@@ -582,10 +582,10 @@ func TestSignerConfig_RootCAs(t *testing.T) {
 assert.Equal(t, roots, []string{"root"})
 }
-func TestSignerConfig_IntermediaryCAs(t *testing.T) {
+func TestSignerConfig_SubordinateCAs(t *testing.T) {
 sc := loadSignerConfig(t)
- cAs := sc.IntermediaryCAs()
+ cAs := sc.SubordinateCAs()
 assert.ElementsMatch(t, cAs, []string{"sub1", "sub2"})
 }
@@ -659,7 +659,7 @@ Settings:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 20
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/%s
 crl: http://crl.example.org/%s.crl
@@ -715,7 +715,7 @@ func TestSettings_UnmarshalYAML(t *testing.T) {
 yaml: `
 validity-years:
 root: 10
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s.crl
@@ -732,7 +732,7 @@ url-patterns:
 crl: http://crl.example.org/%s.crl
 issuer: http://issuer.example.org/%s.crt
 `,
- errMsg: "invalid Settings you must specify validity years for 'root' and 'intermediary'",
+ errMsg: "invalid Settings you must specify validity years for 'root' and 'subordinate'",
 },
 "missing url-patterns": {
 yaml: `
@@ -740,7 +740,7 @@ organization:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 10
- intermediary: 5
+ subordinate: 5
 `,
 errMsg: "invalid Settings",
 },
@@ -750,14 +750,14 @@ organization:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 5
- intermediary: 10
+ subordinate: 10
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s.crl
 issuer: http://issuer.example.org/%s.crt
 `,
 errMsg: "invalid Settings validity of root CA certificates must be equal or greater than" +
- " those of intermediary CA certificates",
+ " those of subordinate CA certificates",
 },
 "no OCSP pattern": {
 yaml: `
@@ -765,7 +765,7 @@ organization:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 10
- intermediary: 5
+ subordinate: 5
 url-patterns:
 crl: http://crl.example.org/%s.crl
 issuer: http://issuer.example.org/%s.crt
@@ -778,7 +778,7 @@ organization:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 10
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/%s_%s
 crl: http://crl.example.org/%s.crl
@@ -792,7 +792,7 @@ organization:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 10
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/
 issuer: http://issuer.example.org/%s.crt
@@ -805,7 +805,7 @@ organization:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 10
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/
@@ -819,7 +819,7 @@ organization:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 10
- intermediary: 5
+ subordinate: 5
 url-patterns:
 crl: http://crl.example.org/%s.crl
 ocsp: http://ocsp.example.org/
@@ -832,7 +832,7 @@ organization:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 10
- intermediary: 5
+ subordinate: 5
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s.crl
diff --git a/pkg/hsm/context_test.go b/pkg/hsm/context_test.go
index 835e913..1178fc5 100644
--- a/pkg/hsm/context_test.go
+++ b/pkg/hsm/context_test.go
@@ -178,7 +178,7 @@ Settings:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 30
- intermediary: 10
+ subordinate: 10
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s.crl
diff --git a/pkg/hsm/hsm.go b/pkg/hsm/hsm.go
index ac20999..d023373 100644
--- a/pkg/hsm/hsm.go
+++ b/pkg/hsm/hsm.go
@@ -84,10 +84,10 @@ func (a *Access) Healthy() (*health.Info, error) {
 moreInfo[infoKey] = fmt.Sprintf("ok, valid until %s", cert.NotAfter.UTC().Format(time.RFC3339))
 }
- for _, ca := range a.signerConfig.IntermediaryCAs() {
+ for _, ca := range a.signerConfig.SubordinateCAs() {
 infoKey := fmt.Sprintf("sub-%s", ca)
- cert, err := a.GetIntermediaryCACertificate(ca)
+ cert, err := a.GetSubordinateCACertificate(ca)
 if err != nil {
 healthy = false
@@ -269,7 +269,7 @@ func (a *Access) GetRootCACertificate(label string) (*x509.Certificate, error) {
 return certificate, nil
 }
-func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certificate, error) {
+func (a *Access) GetSubordinateCACertificate(certLabel string) (*x509.Certificate, error) {
 var (
 certificate *x509.Certificate
 keyPair crypto.Signer
@@ -284,7 +284,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
 if caCert.IsRoot() {
 return nil, fmt.Errorf(
- "CA definition %s is a root CA definition, intermediary expected",
+ "CA definition %s is a root CA definition, subordinate expected",
 certLabel,
 )
 }
@@ -317,7 +317,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
 notBefore, notAfter := sc.CalculateValidity(caCert, time.Now())
 subject := sc.CalculateSubject(caCert)
- certificate, err = a.generateIntermediaryCACertificate(
+ certificate, err = a.generateSubordinateCACertificate(
 certFile,
 sc,
 certLabel,
@@ -361,7 +361,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
 return certificate, nil
 }
-func (a *Access) generateIntermediaryCACertificate(
+func (a *Access) generateSubordinateCACertificate(
 certFile *caFile,
 config *config.SignerConfig,
 certLabel string,
@@ -393,7 +393,7 @@ func (a *Access) generateIntermediaryCACertificate(
 parent.KeyPair,
 )
 if err != nil {
- return nil, fmt.Errorf("could not create intermediary CA certificate: %w", err)
+ return nil, fmt.Errorf("could not create subordinate CA certificate: %w", err)
 }
 certBlock := &pem.Block{
diff --git a/pkg/hsm/hsm_test.go b/pkg/hsm/hsm_test.go
index cc54c1d..699e936 100644
--- a/pkg/hsm/hsm_test.go
+++ b/pkg/hsm/hsm_test.go
@@ -90,7 +90,7 @@ func TestGetRootCACertificate(t *testing.T) {
 label: "unknown",
 errMsg: "could not get CA definition for label unknown",
 },
- "known intermediary": {
+ "known subordinate": {
 label: "sub1",
 errMsg: "CA definition sub1 is not a root CA definition",
 },
@@ -111,28 +111,28 @@ func TestGetRootCACertificate(t *testing.T) {
 }
 }
-func TestGetIntermediaryCACertificate(t *testing.T) {
+func TestGetSubordinateCACertificate(t *testing.T) {
 acc := prepareSoftHSM(t)
 testData := map[string]struct {
 label, errMsg string
 }{
- "known intermediary": {
+ "known subordinate": {
 label: "sub1",
 },
- "unknown intermediary": {
+ "unknown subordinate": {
 label: "unknown",
 errMsg: "could not get CA definition for label unknown",
 },
 "known root": {
 label: "root",
- errMsg: "CA definition root is a root CA definition, intermediary expected",
+ errMsg: "CA definition root is a root CA definition, subordinate expected",
 },
 }
 for name, item := range testData {
 t.Run(name, func(t *testing.T) {
- root, err := acc.GetIntermediaryCACertificate(item.label)
+ root, err := acc.GetSubordinateCACertificate(item.label)
 if item.errMsg != "" {
 assert.ErrorContains(t, err, item.errMsg)
@@ -152,7 +152,7 @@ Settings:
 organization: ["Acme CAs Ltd."]
 validity-years:
 root: 30
- intermediary: 10
+ subordinate: 10
 url-patterns:
 ocsp: http://ocsp.example.org/
 crl: http://crl.example.org/%s.crl
diff --git a/pkg/hsm/setup.go b/pkg/hsm/setup.go
index 39ac2fa..f0de1dc 100644
--- a/pkg/hsm/setup.go
+++ b/pkg/hsm/setup.go
@@ -42,15 +42,15 @@ func (a *Access) EnsureCAKeysAndCertificates() error {
 }
 }
- for _, label = range conf.IntermediaryCAs() {
- crt, err := a.GetIntermediaryCACertificate(label)
+ for _, label = range conf.SubordinateCAs() {
+ crt, err := a.GetSubordinateCACertificate(label)
 if err != nil {
 return err
 }
 if a.IsVerbose() {
 a.infoLog.Printf(
- "found intermediary CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
+ "found subordinate CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
 label,
 crt.Subject,
 crt.Issuer,
@@ -58,7 +58,7 @@ func (a *Access) EnsureCAKeysAndCertificates() error {
 crt.NotAfter,
 crt.SerialNumber)
 } else {
- a.infoLog.Printf("found intermediary CA certificate %s: %s", label, crt.Subject.CommonName)
+ a.infoLog.Printf("found subordinate CA certificate %s: %s", label, crt.Subject.CommonName)
 }
 }
diff --git a/pkg/hsm/setup_test.go b/pkg/hsm/setup_test.go
index 93d2d26..96f985b 100644
--- a/pkg/hsm/setup_test.go
+++ b/pkg/hsm/setup_test.go
@@ -55,7 +55,7 @@ func TestEnsureCAKeysAndCertificates(t *testing.T) {
 assert.NoError(t, err)
 assert.Contains(t, output, "found root CA certificate root: Acme CAs root")
- assert.Contains(t, output, "found intermediary CA certificate sub1: Acme CAs server sub CA")
+ assert.Contains(t, output, "found subordinate CA certificate sub1: Acme CAs server sub CA")
 }
 func TestEnsureCAKeysAndCertificates_verbose(t *testing.T) {
@@ -85,5 +85,5 @@ func TestEnsureCAKeysAndCertificates_verbose(t *testing.T) {
 assert.NoError(t, err)
 assert.Contains(t, output, "found root CA certificate root:\n Subject")
- assert.Contains(t, output, "found intermediary CA certificate sub1:\n Subject")
+ assert.Contains(t, output, "found subordinate CA certificate sub1:\n Subject")
 }