From e62d7988b836e660500718bf78e362054d159c37 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 28 Jul 2021 15:22:21 -0700
Subject: [PATCH] Do not store password on exports.

---
 authority/export.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/authority/export.go b/authority/export.go
index 4c5059ea..b8679ac6 100644
--- a/authority/export.go
+++ b/authority/export.go
@@ -13,6 +13,11 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
+// Export creates a linkedca configuration form the current ca.json and loaded
+// authorities.
+//
+// Note that export will not export neither the pki password nor the certificate
+// issuer password.
 func (a *Authority) Export() (c *config.Configuration, err error) {
 	// Recover from panics
 	defer func() {
@@ -22,6 +27,8 @@ func (a *Authority) Export() (c *config.Configuration, err error) {
 	}()
 
 	files := make(map[string][]byte)
+
+	// The exported configuration should not include the password in it.
 	c = &config.Configuration{
 		Version: "1.0",
 		Root:    mustReadFilesOrUris(a.config.Root, files),
@@ -40,8 +47,7 @@ func (a *Authority) Export() (c *config.Configuration, err error) {
 			DisableIssuedAtCheck: a.config.AuthorityConfig.DisableIssuedAtCheck,
 			Backdate:             a.config.AuthorityConfig.Backdate.String(),
 		},
-		Password: mustPassword(a.config.Password),
-		Files:    files,
+		Files: files,
 	}
 
 	// SSH
@@ -109,12 +115,12 @@ func (a *Authority) Export() (c *config.Configuration, err error) {
 		if !ok {
 			return nil, errors.Errorf("unknown certificate issuer type %s", iss.Type)
 		}
+		// The exporte certificate issuer should not include the password.
 		c.Authority.CertificateIssuer = &config.CertificateIssuer{
 			Type:        config.CertificateIssuer_Type(typ),
 			Provisioner: iss.Provisioner,
 			Certificate: mustReadFileOrUri(iss.Certificate, files),
 			Key:         mustReadFileOrUri(iss.Key, files),
-			Password:    mustPassword(iss.Password),
 		}
 	}
 }
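Review bot: The new doc comment on Export in the first hunk has two wording slips that will be read by every caller via godoc: `form` should be `from`, and `will not export neither … nor` is a double negative. Suggested first line `// Export creates a linkedca configuration from the current ca.json and loaded` and, for the note, `// Note that Export includes neither the PKI password nor the certificate` followed by `// issuer password.`. The body of Export continues past the end of this hunk.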
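Review bot: The comment added in the last hunk has a typo, `exporte` for `exported`; suggested `// The exported certificate issuer should not include the password.`. It would also help to say what is still exported: the `Key` field on the following line is read into the export via mustReadFileOrUri, so the key material leaves with the configuration while the password that presumably protects it does not, and whoever imports the configuration must supply that password out of band — worth stating in the Export doc comment if that is the intended contract. The conditional and loop enclosing this assignment begin before the hunk.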