Add certificate fingerprints and validity period to config

mozilla-services · Jun 13, 2024 · 7a3d96b · 7a3d96b
1 parent 04953fb
commit 7a3d96b
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/docs/endpoints.md b/docs/endpoints.md
@@ -385,7 +385,7 @@ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="som
 
 ### Request
 
-Get the public configuration of a configured signer. For example:
+Get the sanitized configuration of a signer. For example:
 
 ```bash
 GET /config/dummyrsa
@@ -410,3 +410,12 @@ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="som
   "hash": "sha256"
 }
 ```
+
+The returned configuration should be a subset of the internal configuration with the following differences:
+ - Public values, such as the `id`, `publickey` and `certificate` are copied verbatim.
+ - Private keys are hashed, and return only the SHA256 checksum of the secret value.
+ - The `certificate`, if present is parsed and the following additional fields are added:
+   + `cert_sha1`: Contains the SHA1 fingerprint of the DER certificate.
+   + `cert_sha256`: Contains the SHA256 fingerprint of the DER certificate.
+   + `cert_start`: Contains the certificate `NotBefore` time in RFC 3339 format.
+   + `cert_end`: Contains the certificate `NotAfter` time in RFC 3339 format.
diff --git a/signer/signer_test.go b/signer/signer_test.go
@@ -373,7 +373,7 @@ var sanitizerTestCases = []struct {
 			// echo -n "Lorem Ipsum" | sha256sum
 			IssuerPrivKey: "030dc1f936c3415aff3f3357163515190d347a28e758e1f717d17bae453541c9",
 		}},
-	// Certificates should parse out the fingerping and validity dates.
+	// Certificates should parse out the fingerprint and validity dates.
 	{cfg: Configuration{
 		ID: "cert-extra-data",
 		Certificate: `
@@ -413,10 +413,10 @@ mYigBlwySY+gTqsjuIrydWlKaOv1GU+PXbwX0cQuaN8=
 -----END CERTIFICATE-----`,
 			// openssl x509 -outform DER | shasum
 			CertFingerprintSha1: "793a92cb335c3846ffed7f8c112137cd8a75e7c7",
-			// openssl x509 -outform DER | sha256sum 
+			// openssl x509 -outform DER | sha256sum
 			CertFingerprintSha256: "61bd2500b732d2889a1b17c24365741550534fb715cd4f7c463a23a35bd931ee",
 			// openssl x509 -noout -text
 			CertDateStart: "2018-12-21T15:56:46Z",
-			CertDateEnd: "2029-02-22T15:56:46Z",
+			CertDateEnd:   "2029-02-22T15:56:46Z",
 		}},
 }