Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

Only call DEK endpoints if the CSR is a ServiceGeneratedCSR #450

Closed (inteon closed this issue 4 months ago)

inteon commented 5 months ago

For the VaaS integration, vcert unconditionally calls the DEK API endpoints. Similarly to the TPP implementation, we can only call the DEK API calls when a ServiceGeneratedCSR is requested. This reduces the number of API requests made by vcert.

See the TPP equivalent of this check: https://github.com/Venafi/vcert/blob/21228d0e0de959feddf95acb7d7a22402e2edd23/pkg/venafi/tpp/connector.go#L1359-L1365

rvelaVenafi commented 4 months ago

A little improvement on the code:

    if req.CsrOrigin == certificate.ServiceGeneratedCSR || req.FetchPrivateKey {
        var currentId string
        if req.CertID != "" {
            currentId = req.CertID
        } else if certificateId != "" {
            currentId = certificateId
        }

        dekInfo, err := getDekInfo(c, currentId)
        if err != nil {
            return nil, err
        }

        req.CertID = currentId
        return retrieveServiceGeneratedCertData(c, req, dekInfo)
    }

The reason we had this conditional

    if err == nil && dekInfo.Key != "" {
        req.CertID = currentId
        return retrieveServiceGeneratedCertData(c, req, dekInfo)
    }

was to allow the function to continue if the DEKInfo call failed. Now that we are going to make it fail anyway, it is better to use a common err != nil validation.
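The following is an added example, not vcert's own code, that models the guard discussed in this thread so its effect can be checked offline. The names `Request`, `Connector`, `DekInfo`, `needsDek`, `resolveCertID`, `retrieve` and `retrieveBefore` are assumptions made for this illustration (stand-ins for vcert's `certificate.Request`, the VaaS connector and its DEK lookup). A mock connector counts DEK calls and can be told to fail them, so the two properties the comments care about are visible side by side: the guarded flow makes no DEK request unless the CSR is service-generated or a private key is requested, and a DEK failure now aborts the retrieval instead of being swallowed by the old `err == nil && dekInfo.Key != ""` check.

```go
package main

import (
	"errors"
	"fmt"
)

// CsrOrigin mirrors the idea of vcert's CSR origin option (assumed values).
type CsrOrigin int

const (
	LocalGeneratedCSR CsrOrigin = iota
	ServiceGeneratedCSR
	UserProvidedCSR
)

// Request is a reduced stand-in for certificate.Request (assumption).
type Request struct {
	CertID          string
	CsrOrigin       CsrOrigin
	FetchPrivateKey bool
}

// DekInfo carries only the field the old conditional inspected.
type DekInfo struct{ Key string }

// Connector is a mock of the VaaS connector: it records how many DEK
// endpoint calls were made and can be configured to fail them.
type Connector struct {
	DekCalls int
	DekErr   error
}

func (c *Connector) getDekInfo(id string) (*DekInfo, error) {
	c.DekCalls++
	if c.DekErr != nil {
		return nil, c.DekErr
	}
	return &DekInfo{Key: "dek-for-" + id}, nil
}

// needsDek is the guard proposed in the thread: DEK endpoints are only
// relevant when the service generated the key pair or the caller wants it.
func needsDek(req *Request) bool {
	return req.CsrOrigin == ServiceGeneratedCSR || req.FetchPrivateKey
}

// resolveCertID prefers the ID already on the request over the one found
// by a search, matching the currentId selection in the snippet above.
func resolveCertID(req *Request, certificateId string) string {
	if req.CertID != "" {
		return req.CertID
	}
	return certificateId
}

// Result records which retrieval path was taken so tests can observe it.
type Result struct {
	CertID      string
	ServicePath bool // true when the DEK-based retrieval path was used
	DekKey      string
}

// retrieve is the guarded flow: DEK lookup only when needed, and a DEK
// failure is returned to the caller rather than silently ignored.
func retrieve(c *Connector, req *Request, certificateId string) (*Result, error) {
	if needsDek(req) {
		currentId := resolveCertID(req, certificateId)
		if currentId == "" {
			return nil, errors.New("no certificate ID available for DEK lookup")
		}
		dekInfo, err := c.getDekInfo(currentId)
		if err != nil {
			return nil, fmt.Errorf("retrieving DEK info for %s: %w", currentId, err)
		}
		req.CertID = currentId
		return &Result{CertID: currentId, ServicePath: true, DekKey: dekInfo.Key}, nil
	}
	// Ordinary retrieval: no DEK endpoints are contacted at all.
	return &Result{CertID: resolveCertID(req, certificateId)}, nil
}

// retrieveBefore reproduces the behaviour being replaced: the DEK endpoint
// is called unconditionally and an error just falls through to the
// ordinary path.
func retrieveBefore(c *Connector, req *Request, certificateId string) (*Result, error) {
	currentId := resolveCertID(req, certificateId)
	dekInfo, err := c.getDekInfo(currentId)
	if err == nil && dekInfo.Key != "" {
		req.CertID = currentId
		return &Result{CertID: currentId, ServicePath: true, DekKey: dekInfo.Key}, nil
	}
	return &Result{CertID: currentId}, nil
}

func main() {
	for _, req := range []*Request{
		{CsrOrigin: UserProvidedCSR},
		{CsrOrigin: ServiceGeneratedCSR},
		{CsrOrigin: LocalGeneratedCSR, FetchPrivateKey: true},
	} {
		before, after := &Connector{}, &Connector{}
		retrieveBefore(before, req, "search-id")
		retrieve(after, req, "search-id")
		fmt.Printf("origin=%d fetchKey=%v DEK calls before=%d after=%d\n",
			req.CsrOrigin, req.FetchPrivateKey, before.DekCalls, after.DekCalls)
	}
	failing := &Connector{DekErr: errors.New("DEK endpoint unavailable")}
	_, err := retrieve(failing, &Request{CsrOrigin: ServiceGeneratedCSR}, "search-id")
	fmt.Println("guarded flow on DEK failure:", err)
}
```

Running `main` prints one line per request shape; the user-provided CSR shows zero DEK calls on the guarded path and one on the old path, which is the request saving the issue asks for.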