From 7a3d96b272937d7fc959f08c7fabffeeb1f095a5 Mon Sep 17 00:00:00 2001
From: Naomi Kirby
Date: Thu, 13 Jun 2024 12:40:13 -0700
Subject: [PATCH] Add certificate fingerprints and validity period to config
---
 docs/endpoints.md | 11 ++++++++++-
 signer/signer_test.go | 6 +++---
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/docs/endpoints.md b/docs/endpoints.md
index 03cecd15f..f92fb8415 100644
--- a/docs/endpoints.md
+++ b/docs/endpoints.md
@@ -385,7 +385,7 @@ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="som
 ### Request
-Get the public configuration of a configured signer. For example:
+Get the sanitized configuration of a signer. For example:
 ```bash
 GET /config/dummyrsa
@@ -410,3 +410,12 @@ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="som
 "hash": "sha256"
 }
 ```
+
+The returned configuration should be a subset of the internal configuration with the following differences:
+ - Public values, such as the `id`, `publickey` and `certificate` are copied verbatim.
+ - Private keys are hashed, and return only the SHA256 checksum of the secret value.
+ - The `certificate`, if present is parsed and the following additional fields are added:
+ + `cert_sha1`: Contains the SHA1 fingerprint of the DER certificate.
+ + `cert_sha256`: Contains the SHA256 fingerprint of the DER certificate.
+ + `cert_start`: Contains the certificate `NotBefore` time in RFC 3339 format.
+ + `cert_end`: Contains the certificate `NotAfter` time in RFC 3339 format.
diff --git a/signer/signer_test.go b/signer/signer_test.go
index b01bcff84..6c66af06d 100644
--- a/signer/signer_test.go
+++ b/signer/signer_test.go
@@ -373,7 +373,7 @@ var sanitizerTestCases = []struct {
 // echo -n "Lorem Ipsum" | sha256sum
 IssuerPrivKey: "030dc1f936c3415aff3f3357163515190d347a28e758e1f717d17bae453541c9",
 }},
- // Certificates should parse out the fingerping and validity dates.
+ // Certificates should parse out the fingerprint and validity dates.
 {cfg: Configuration{
 ID: "cert-extra-data",
 Certificate: `
@@ -413,10 +413,10 @@ mYigBlwySY+gTqsjuIrydWlKaOv1GU+PXbwX0cQuaN8=
 -----END CERTIFICATE-----`,
 // openssl x509 -outform DER | shasum
 CertFingerprintSha1: "793a92cb335c3846ffed7f8c112137cd8a75e7c7",
- // openssl x509 -outform DER | sha256sum
+ // openssl x509 -outform DER | sha256sum
 CertFingerprintSha256: "61bd2500b732d2889a1b17c24365741550534fb715cd4f7c463a23a35bd931ee",
 // openssl x509 -noout -text
 CertDateStart: "2018-12-21T15:56:46Z",
- CertDateEnd: "2029-02-22T15:56:46Z",
+ CertDateEnd: "2029-02-22T15:56:46Z",
 }},
 }