Closed inteon closed 4 months ago
A little improvement on the code:

```go
if req.CsrOrigin == certificate.ServiceGeneratedCSR || req.FetchPrivateKey {
	var currentId string
	if req.CertID != "" {
		currentId = req.CertID
	} else if certificateId != "" {
		currentId = certificateId
	}
	dekInfo, err := getDekInfo(c, currentId)
	if err != nil {
		return nil, err
	}
	req.CertID = currentId
	return retrieveServiceGeneratedCertData(c, req, dekInfo)
}
```
The reason we had this conditional

```go
if err == nil && dekInfo.Key != "" {
	req.CertID = currentId
	return retrieveServiceGeneratedCertData(c, req, dekInfo)
}
```

was to allow the function to continue if the DEKInfo call failed. Now that we are going to make it fail anyways, it is better to use a common `err != nil` validation.
For the VaaS integration, vcert unconditionally calls the DEK API endpoints. Similarly to the TPP implementation, we can only call the DEK API calls when a ServiceGeneratedCSR is requested. This reduces the number of API requests made by vcert.
See the TPP equivalent of this check: https://github.com/Venafi/vcert/blob/21228d0e0de959feddf95acb7d7a22402e2edd23/pkg/venafi/tpp/connector.go#L1359-L1365
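The gating described above, reduced to a stand-alone example that is not vcert's own code: a stub DEK client counts how many calls each request path makes, so it is visible that a locally generated CSR never touches the DEK endpoint, that a service-generated CSR (or an explicit private-key fetch) makes exactly one call, and that a failing DEK lookup now propagates as an error instead of being silently skipped. All type and function names here (`Request`, `DekClient`, `Retrieve`, `GetDekInfo`) are assumptions made for the illustration; only the field names `CsrOrigin`, `FetchPrivateKey` and `CertID` follow the snippet in the review comment.

```go
package main

import (
	"errors"
	"fmt"
)

// CSROrigin mirrors the "who generated the CSR" distinction from the PR (hypothetical type).
type CSROrigin int

const (
	LocalGeneratedCSR   CSROrigin = iota // key stays on the client, no DEK needed
	ServiceGeneratedCSR                  // service holds the key, DEK needed to fetch it
)

// Request carries the fields the review snippet branches on (hypothetical struct).
type Request struct {
	CsrOrigin       CSROrigin
	FetchPrivateKey bool
	CertID          string
}

// DekInfo is the decrypted-key metadata returned by the DEK endpoint (hypothetical).
type DekInfo struct{ Key string }

// DekClient stands in for the DEK API endpoints; Calls records how many requests were made.
type DekClient struct {
	Calls int
	keys  map[string]string // constructed sample data: certificate id -> DEK
	fail  bool              // simulate an unavailable DEK endpoint
}

// GetDekInfo is the stub for the DEK lookup. Every call is counted, even a failing one.
func (d *DekClient) GetDekInfo(certID string) (*DekInfo, error) {
	d.Calls++
	if d.fail {
		return nil, errors.New("dek endpoint unavailable")
	}
	key, ok := d.keys[certID]
	if !ok {
		return nil, fmt.Errorf("no DEK for certificate %q", certID)
	}
	return &DekInfo{Key: key}, nil
}

// Result reports which path Retrieve took (hypothetical struct).
type Result struct {
	UsedDEK             bool
	PrivateKeyRetrieved bool
}

// Retrieve applies the conditional from the review comment: the DEK endpoint is
// only consulted when the key lives on the service side, and a DEK failure is
// returned to the caller rather than swallowed.
func Retrieve(c *DekClient, req *Request, certificateId string) (*Result, error) {
	if req.CsrOrigin == ServiceGeneratedCSR || req.FetchPrivateKey {
		currentId := req.CertID
		if currentId == "" {
			currentId = certificateId // fall back to the id from the enrollment response
		}
		dekInfo, err := c.GetDekInfo(currentId)
		if err != nil {
			return nil, err // common err != nil validation, as suggested in review
		}
		req.CertID = currentId
		return &Result{UsedDEK: true, PrivateKeyRetrieved: dekInfo.Key != ""}, nil
	}
	// Local CSR without a private-key fetch: no DEK request is issued at all.
	return &Result{}, nil
}

func main() {
	c := &DekClient{keys: map[string]string{"cert-123": "dek-sample"}}
	local := &Request{CsrOrigin: LocalGeneratedCSR}
	if _, err := Retrieve(c, local, "cert-123"); err == nil {
		fmt.Printf("local CSR: DEK calls=%d\n", c.Calls)
	}
	svc := &Request{CsrOrigin: ServiceGeneratedCSR}
	if r, err := Retrieve(c, svc, "cert-123"); err == nil {
		fmt.Printf("service CSR: DEK calls=%d keyRetrieved=%v certID=%s\n", c.Calls, r.PrivateKeyRetrieved, svc.CertID)
	}
}
```

Running the stub against both request kinds makes the PR's claim concrete: the call counter only advances on the service-generated path, and the error from a failing DEK lookup reaches the caller.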