Do not store password on exports.

This commit is contained in:
Mariano Cano 2021-07-28 15:22:21 -07:00
parent ac363d7824
commit e62d7988b8


@ -13,6 +13,11 @@ import (
"google.golang.org/protobuf/types/known/structpb"
)
// Export creates a linkedca configuration form the current ca.json and loaded
// authorities.
//
// Note that export will not export neither the pki password nor the certificate
// issuer password.
func (a *Authority) Export() (c *config.Configuration, err error) {
// Recover from panics
defer func() {
@ -22,6 +27,8 @@ func (a *Authority) Export() (c *config.Configuration, err error) {
}()
files := make(map[string][]byte)
// The exported configuration should not include the password in it.
c = &config.Configuration{
Version: "1.0",
Root: mustReadFilesOrUris(a.config.Root, files),
@ -40,7 +47,6 @@ func (a *Authority) Export() (c *config.Configuration, err error) {
DisableIssuedAtCheck: a.config.AuthorityConfig.DisableIssuedAtCheck,
Backdate: a.config.AuthorityConfig.Backdate.String(),
},
Password: mustPassword(a.config.Password),
Files: files,
}
@ -109,12 +115,12 @@ func (a *Authority) Export() (c *config.Configuration, err error) {
if !ok {
return nil, errors.Errorf("unknown certificate issuer type %s", iss.Type)
}
// The exporte certificate issuer should not include the password.
c.Authority.CertificateIssuer = &config.CertificateIssuer{
Type: config.CertificateIssuer_Type(typ),
Provisioner: iss.Provisioner,
Certificate: mustReadFileOrUri(iss.Certificate, files),
Key: mustReadFileOrUri(iss.Key, files),
Password: mustPassword(iss.Password),
}
}
}
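Review bot: The new doc comment in the first hunk states its guarantee as a double negative (`will not export neither … nor …`) and has two typos (`form` for `from`, and `exporte` in the fourth hunk's comment), so the sentence currently says the opposite of what the code now does; propose `// Note that Export will export neither the PKI password nor the certificate issuer password.` and `// The exported certificate issuer should not include the password.`. Because the issuer `Key` (and, in the second hunk, `Root` and whatever follows it) is still read into `files`, the comment should also say that key material remains part of the export, so the resulting configuration is still sensitive even though the passwords are omitted and an importer must supply them out of band. Whether `mustPassword` still has callers after this change is not visible here; if it has none it can be removed. Export's body continues outside these hunks.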