Rename intermediary CA to subordinate CA

This refactoring commit renames all occurrences of the term "intermediary CA"
to "subordinate CA" for better alignment with the terms used in RFC-5280 and
other standard documents.
This commit is contained in:
Jan Dittberner 2022-08-03 16:01:06 +02:00
parent 60be959c24
commit 82a1284073
8 changed files with 55 additions and 55 deletions

View file

@ -17,7 +17,7 @@ Settings:
# define how long CA certificates should be valid
validity-years:
root: 20
intermediary: 5
subordinate: 5
# URL patterns used for certificate fields. The first %s is replaced with
# the identifier of a CA certificate
url-patterns:
@ -45,7 +45,7 @@ KeyStorage:
module: /usr/lib/x86_64-linux-gnu/pkcs11/onepin-opensc-pkcs11.so
label: smartcard
# CAs defines the CA hierarchy of root and intermediary CA certificates
# CAs defines the CA hierarchy of root and subordinate CA certificates
CAs:
# a root CA, the map key will be used as a label for PKCS11 and URLs
ecc_root_2022:

View file

@ -40,7 +40,7 @@ type Serial struct {
type Settings struct {
Organization *pkix.Name
ValidityYears struct {
Root, Intermediary int
Root, Subordinate int
}
URLPatterns struct {
Ocsp, CRL, Issuer string
@ -66,8 +66,8 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
PostalCode []string `yaml:"postal-code"`
} `yaml:"organization"`
ValidityYears struct {
Root int `yaml:"root"`
Intermediary int `yaml:"intermediary"`
Root int `yaml:"root"`
Subordinate int `yaml:"subordinate"`
} `yaml:"validity-years"`
URLPatterns struct {
Ocsp string `yaml:"ocsp"`
@ -90,13 +90,13 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
return SettingsError{"you need to specify 'organization'"}
}
if data.ValidityYears.Root == 0 || data.ValidityYears.Intermediary == 0 {
return SettingsError{"you must specify validity years for 'root' and 'intermediary'"}
if data.ValidityYears.Root == 0 || data.ValidityYears.Subordinate == 0 {
return SettingsError{"you must specify validity years for 'root' and 'subordinate'"}
}
if data.ValidityYears.Root < data.ValidityYears.Intermediary {
if data.ValidityYears.Root < data.ValidityYears.Subordinate {
return SettingsError{"validity of root CA certificates must be equal or greater than those of" +
" intermediary CA certificates"}
" subordinate CA certificates"}
}
if data.URLPatterns.Ocsp == "" {
@ -143,7 +143,7 @@ func (s *Settings) UnmarshalYAML(n *yaml.Node) error {
s.Organization.PostalCode = data.Organization.PostalCode
s.ValidityYears.Root = data.ValidityYears.Root
s.ValidityYears.Intermediary = data.ValidityYears.Intermediary
s.ValidityYears.Subordinate = data.ValidityYears.Subordinate
s.URLPatterns.Ocsp = data.URLPatterns.Ocsp
s.URLPatterns.CRL = data.URLPatterns.CRL
@ -219,7 +219,7 @@ func (c *SignerConfig) CalculateValidity(cert *CaCertificateEntry, relativeTo ti
if cert.IsRoot() {
notAfter = notBefore.AddDate(c.global.ValidityYears.Root, 0, 0)
} else {
notAfter = notBefore.AddDate(c.global.ValidityYears.Intermediary, 0, 0)
notAfter = notBefore.AddDate(c.global.ValidityYears.Subordinate, 0, 0)
}
return notBefore, notAfter
@ -294,17 +294,17 @@ func (c *SignerConfig) RootCAs() []string {
return roots
}
// IntermediaryCAs returns the labels of all configured intermediary CAs
func (c *SignerConfig) IntermediaryCAs() []string {
intermediaries := make([]string, 0)
// SubordinateCAs returns the labels of all configured subordinate CAs
func (c *SignerConfig) SubordinateCAs() []string {
subordinates := make([]string, 0)
for label, entry := range c.caMap {
if !entry.IsRoot() {
intermediaries = append(intermediaries, label)
subordinates = append(subordinates, label)
}
}
return intermediaries
return subordinates
}
func (c *SignerConfig) GetKeyStorage(label string) (*KeyStorage, error) {

View file

@ -416,7 +416,7 @@ Settings:
organization: ["Acme CAs Ltd."]
validity-years:
root: 20
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s
@ -473,7 +473,7 @@ Settings:
organization: ["Acme CAs Ltd."]
validity-years:
root: 20
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s.crl
@ -496,7 +496,7 @@ Settings:
organization: ["Acme CAs Ltd."]
validity-years:
root: 20
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s.crl
@ -534,7 +534,7 @@ Settings:
organization: ["Acme CAs Ltd."]
validity-years:
root: 20
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s.crl
@ -582,10 +582,10 @@ func TestSignerConfig_RootCAs(t *testing.T) {
assert.Equal(t, roots, []string{"root"})
}
func TestSignerConfig_IntermediaryCAs(t *testing.T) {
func TestSignerConfig_SubordinateCAs(t *testing.T) {
sc := loadSignerConfig(t)
cAs := sc.IntermediaryCAs()
cAs := sc.SubordinateCAs()
assert.ElementsMatch(t, cAs, []string{"sub1", "sub2"})
}
@ -659,7 +659,7 @@ Settings:
organization: ["Acme CAs Ltd."]
validity-years:
root: 20
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/%s
crl: http://crl.example.org/%s.crl
@ -715,7 +715,7 @@ func TestSettings_UnmarshalYAML(t *testing.T) {
yaml: `
validity-years:
root: 10
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s.crl
@ -732,7 +732,7 @@ url-patterns:
crl: http://crl.example.org/%s.crl
issuer: http://issuer.example.org/%s.crt
`,
errMsg: "invalid Settings you must specify validity years for 'root' and 'intermediary'",
errMsg: "invalid Settings you must specify validity years for 'root' and 'subordinate'",
},
"missing url-patterns": {
yaml: `
@ -740,7 +740,7 @@ organization:
organization: ["Acme CAs Ltd."]
validity-years:
root: 10
intermediary: 5
subordinate: 5
`,
errMsg: "invalid Settings",
},
@ -750,14 +750,14 @@ organization:
organization: ["Acme CAs Ltd."]
validity-years:
root: 5
intermediary: 10
subordinate: 10
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s.crl
issuer: http://issuer.example.org/%s.crt
`,
errMsg: "invalid Settings validity of root CA certificates must be equal or greater than" +
" those of intermediary CA certificates",
" those of subordinate CA certificates",
},
"no OCSP pattern": {
yaml: `
@ -765,7 +765,7 @@ organization:
organization: ["Acme CAs Ltd."]
validity-years:
root: 10
intermediary: 5
subordinate: 5
url-patterns:
crl: http://crl.example.org/%s.crl
issuer: http://issuer.example.org/%s.crt
@ -778,7 +778,7 @@ organization:
organization: ["Acme CAs Ltd."]
validity-years:
root: 10
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/%s_%s
crl: http://crl.example.org/%s.crl
@ -792,7 +792,7 @@ organization:
organization: ["Acme CAs Ltd."]
validity-years:
root: 10
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/
issuer: http://issuer.example.org/%s.crt
@ -805,7 +805,7 @@ organization:
organization: ["Acme CAs Ltd."]
validity-years:
root: 10
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/
@ -819,7 +819,7 @@ organization:
organization: ["Acme CAs Ltd."]
validity-years:
root: 10
intermediary: 5
subordinate: 5
url-patterns:
crl: http://crl.example.org/%s.crl
ocsp: http://ocsp.example.org/
@ -832,7 +832,7 @@ organization:
organization: ["Acme CAs Ltd."]
validity-years:
root: 10
intermediary: 5
subordinate: 5
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s.crl

View file

@ -178,7 +178,7 @@ Settings:
organization: ["Acme CAs Ltd."]
validity-years:
root: 30
intermediary: 10
subordinate: 10
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s.crl

View file

@ -84,10 +84,10 @@ func (a *Access) Healthy() (*health.Info, error) {
moreInfo[infoKey] = fmt.Sprintf("ok, valid until %s", cert.NotAfter.UTC().Format(time.RFC3339))
}
for _, ca := range a.signerConfig.IntermediaryCAs() {
for _, ca := range a.signerConfig.SubordinateCAs() {
infoKey := fmt.Sprintf("sub-%s", ca)
cert, err := a.GetIntermediaryCACertificate(ca)
cert, err := a.GetSubordinateCACertificate(ca)
if err != nil {
healthy = false
@ -269,7 +269,7 @@ func (a *Access) GetRootCACertificate(label string) (*x509.Certificate, error) {
return certificate, nil
}
func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certificate, error) {
func (a *Access) GetSubordinateCACertificate(certLabel string) (*x509.Certificate, error) {
var (
certificate *x509.Certificate
keyPair crypto.Signer
@ -284,7 +284,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
if caCert.IsRoot() {
return nil, fmt.Errorf(
"CA definition %s is a root CA definition, intermediary expected",
"CA definition %s is a root CA definition, subordinate expected",
certLabel,
)
}
@ -317,7 +317,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
notBefore, notAfter := sc.CalculateValidity(caCert, time.Now())
subject := sc.CalculateSubject(caCert)
certificate, err = a.generateIntermediaryCACertificate(
certificate, err = a.generateSubordinateCACertificate(
certFile,
sc,
certLabel,
@ -361,7 +361,7 @@ func (a *Access) GetIntermediaryCACertificate(certLabel string) (*x509.Certifica
return certificate, nil
}
func (a *Access) generateIntermediaryCACertificate(
func (a *Access) generateSubordinateCACertificate(
certFile *caFile,
config *config.SignerConfig,
certLabel string,
@ -393,7 +393,7 @@ func (a *Access) generateIntermediaryCACertificate(
parent.KeyPair,
)
if err != nil {
return nil, fmt.Errorf("could not create intermediary CA certificate: %w", err)
return nil, fmt.Errorf("could not create subordinate CA certificate: %w", err)
}
certBlock := &pem.Block{

View file

@ -90,7 +90,7 @@ func TestGetRootCACertificate(t *testing.T) {
label: "unknown",
errMsg: "could not get CA definition for label unknown",
},
"known intermediary": {
"known subordinate": {
label: "sub1",
errMsg: "CA definition sub1 is not a root CA definition",
},
@ -111,28 +111,28 @@ func TestGetRootCACertificate(t *testing.T) {
}
}
func TestGetIntermediaryCACertificate(t *testing.T) {
func TestGetSubordinateCACertificate(t *testing.T) {
acc := prepareSoftHSM(t)
testData := map[string]struct {
label, errMsg string
}{
"known intermediary": {
"known subordinate": {
label: "sub1",
},
"unknown intermediary": {
"unknown subordinate": {
label: "unknown",
errMsg: "could not get CA definition for label unknown",
},
"known root": {
label: "root",
errMsg: "CA definition root is a root CA definition, intermediary expected",
errMsg: "CA definition root is a root CA definition, subordinate expected",
},
}
for name, item := range testData {
t.Run(name, func(t *testing.T) {
root, err := acc.GetIntermediaryCACertificate(item.label)
root, err := acc.GetSubordinateCACertificate(item.label)
if item.errMsg != "" {
assert.ErrorContains(t, err, item.errMsg)
@ -152,7 +152,7 @@ Settings:
organization: ["Acme CAs Ltd."]
validity-years:
root: 30
intermediary: 10
subordinate: 10
url-patterns:
ocsp: http://ocsp.example.org/
crl: http://crl.example.org/%s.crl

View file

@ -42,15 +42,15 @@ func (a *Access) EnsureCAKeysAndCertificates() error {
}
}
for _, label = range conf.IntermediaryCAs() {
crt, err := a.GetIntermediaryCACertificate(label)
for _, label = range conf.SubordinateCAs() {
crt, err := a.GetSubordinateCACertificate(label)
if err != nil {
return err
}
if a.IsVerbose() {
a.infoLog.Printf(
"found intermediary CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
"found subordinate CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
label,
crt.Subject,
crt.Issuer,
@ -58,7 +58,7 @@ func (a *Access) EnsureCAKeysAndCertificates() error {
crt.NotAfter,
crt.SerialNumber)
} else {
a.infoLog.Printf("found intermediary CA certificate %s: %s", label, crt.Subject.CommonName)
a.infoLog.Printf("found subordinate CA certificate %s: %s", label, crt.Subject.CommonName)
}
}

View file

@ -55,7 +55,7 @@ func TestEnsureCAKeysAndCertificates(t *testing.T) {
assert.NoError(t, err)
assert.Contains(t, output, "found root CA certificate root: Acme CAs root")
assert.Contains(t, output, "found intermediary CA certificate sub1: Acme CAs server sub CA")
assert.Contains(t, output, "found subordinate CA certificate sub1: Acme CAs server sub CA")
}
func TestEnsureCAKeysAndCertificates_verbose(t *testing.T) {
@ -85,5 +85,5 @@ func TestEnsureCAKeysAndCertificates_verbose(t *testing.T) {
assert.NoError(t, err)
assert.Contains(t, output, "found root CA certificate root:\n Subject")
assert.Contains(t, output, "found intermediary CA certificate sub1:\n Subject")
assert.Contains(t, output, "found subordinate CA certificate sub1:\n Subject")
}