spiffe · amartinezfayo · Jun 10, 2024 · Jun 10, 2024
@@ -84,8 +84,6 @@ type serverConfig struct {
 	RateLimit          rateLimitConfig    `hcl:"ratelimit"`
 	SocketPath         string             `hcl:"socket_path"`
 	TrustDomain        string             `hcl:"trust_domain"`
-	// Temporary flag to allow disabling the inclusion of serial number in X509 CAs Subject field
-	ExcludeSNFromCASubject bool `hcl:"exclude_sn_from_ca_subject"`
 
 	ConfigPath string
 	ExpandEnv  bool
@@ -639,12 +637,6 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 		sc.CASubject = credtemplate.DefaultX509CASubject()
 	}
 
-	sc.ExcludeSNFromCASubject = c.Server.ExcludeSNFromCASubject
-	// TODO: remove exclude_sn_from_ca_subject in SPIRE v1.10.0
-	if sc.ExcludeSNFromCASubject {
-		sc.Log.Warn("The deprecated exclude_sn_from_ca_subject configurable will be removed in a future release")
-	}
-
 	sc.PluginConfigs, err = catalog.PluginConfigsFromHCLNode(c.Plugins)
 	if err != nil {
 		return nil, err

@@ -33,9 +33,6 @@ server {
         common_name = ""
     }
 
-    # Temporary flag to allow disabling the inclusion of serial number in X509 CAs Subject field
-    # exclude_sn_from_ca_subject = false
-
     # ca_ttl: The default CA/signing key TTL. Default: 24h.
     # ca_ttl = "24h"
 

@@ -81,7 +81,6 @@ This may be useful for templating configuration files, for example across differ
 | `ratelimit`                  | Rate limiting configurations, usually used when the server is behind a load balancer (see below)                                                                                                                                                    |                                                                |
 | `socket_path`                | Path to bind the SPIRE Server API socket to (Unix only)                                                                                                                                                                                             | /tmp/spire-server/private/api.sock                             |
 | `trust_domain`               | The trust domain that this server belongs to (should be no more than 255 characters)                                                                                                                                                                |                                                                |
-| `exclude_sn_from_ca_subject` | Do not include certificate serial number in the subject field                                                                                                                                                                                       | false                                                          |
 
 | ca_subject                  | Description                    | Default        |
 |:----------------------------|--------------------------------|----------------|

@@ -113,9 +113,6 @@ type Config struct {
 	// AdminIDs are a list of fixed IDs that when presented by a caller in an
 	// X509-SVID, are granted admin rights.
 	AdminIDs []spiffeid.ID
-
-	// Temporary flag to allow disabling the inclusion of serial number in X509 CAs Subject field
-	ExcludeSNFromCASubject bool
 }
 
 type ExperimentalConfig struct {

@@ -99,18 +99,17 @@ type WorkloadJWTSVIDParams struct {
 }
 
 type Config struct {
-	TrustDomain            spiffeid.TrustDomain
-	Clock                  clock.Clock
-	X509CASubject          pkix.Name
-	X509CATTL              time.Duration
-	X509SVIDSubject        pkix.Name
-	X509SVIDTTL            time.Duration
-	JWTSVIDTTL             time.Duration
-	JWTIssuer              string
-	AgentSVIDTTL           time.Duration
-	CredentialComposers    []credentialcomposer.CredentialComposer
-	NewSerialNumber        func() (*big.Int, error)
-	ExcludeSNFromCASubject bool
+	TrustDomain         spiffeid.TrustDomain
+	Clock               clock.Clock
+	X509CASubject       pkix.Name
+	X509CATTL           time.Duration
+	X509SVIDSubject     pkix.Name
+	X509SVIDTTL         time.Duration
+	JWTSVIDTTL          time.Duration
+	JWTIssuer           string
+	AgentSVIDTTL        time.Duration
+	CredentialComposers []credentialcomposer.CredentialComposer
+	NewSerialNumber     func() (*big.Int, error)
 }
 
 type Builder struct {
@@ -367,7 +366,7 @@ func (b *Builder) buildX509CATemplate(publicKey crypto.PublicKey, parentChain []
 	}
 
 	tmpl.Subject = b.config.X509CASubject
-	if tmpl.Subject.SerialNumber == "" && !b.config.ExcludeSNFromCASubject {
+	if tmpl.Subject.SerialNumber == "" {
 		tmpl.Subject.SerialNumber = tmpl.SerialNumber.String()
 	}
 	tmpl.NotBefore, tmpl.NotAfter = b.computeX509CALifetime(parentChain, ttl)

@@ -76,15 +76,14 @@ func TestNewBuilderSetsDefaults(t *testing.T) {
 	config.NewSerialNumber = nil
 
 	assert.Equal(t, credtemplate.Config{
-		TrustDomain:            td,
-		X509CASubject:          credtemplate.DefaultX509CASubject(),
-		X509CATTL:              credtemplate.DefaultX509CATTL,
-		X509SVIDSubject:        credtemplate.DefaultX509SVIDSubject(),
-		X509SVIDTTL:            credtemplate.DefaultX509SVIDTTL,
-		JWTSVIDTTL:             credtemplate.DefaultJWTSVIDTTL,
-		JWTIssuer:              "",
-		AgentSVIDTTL:           credtemplate.DefaultX509SVIDTTL,
-		ExcludeSNFromCASubject: false,
+		TrustDomain:     td,
+		X509CASubject:   credtemplate.DefaultX509CASubject(),
+		X509CATTL:       credtemplate.DefaultX509CATTL,
+		X509SVIDSubject: credtemplate.DefaultX509SVIDSubject(),
+		X509SVIDTTL:     credtemplate.DefaultX509SVIDTTL,
+		JWTSVIDTTL:      credtemplate.DefaultJWTSVIDTTL,
+		JWTIssuer:       "",
+		AgentSVIDTTL:    credtemplate.DefaultX509SVIDTTL,
 	}, config)
 }
 
@@ -150,15 +149,6 @@ func TestBuildSelfSignedX509CATemplate(t *testing.T) {
 				expected.NotAfter = now.Add(time.Minute * 23)
 			},
 		},
-		{
-			desc: "exclude serial number from subject",
-			overrideConfig: func(config *credtemplate.Config) {
-				config.ExcludeSNFromCASubject = true
-			},
-			overrideExpected: func(expected *x509.Certificate) {
-				expected.Subject = pkix.Name{Country: []string{"US"}, Organization: []string{"SPIFFE"}}
-			},
-		},
 		{
 			desc: "override X509CASubject",
 			overrideConfig: func(config *credtemplate.Config) {
@@ -274,15 +264,6 @@ func TestBuildUpstreamSignedX509CACSR(t *testing.T) {
 			},
 			expectErr: "x509: unsupported public key type: <nil>",
 		},
-		{
-			desc: "exclude serial number from subject",
-			overrideConfig: func(config *credtemplate.Config) {
-				config.ExcludeSNFromCASubject = true
-			},
-			overrideExpected: func(expected *x509.CertificateRequest) {
-				expected.Subject = pkix.Name{Country: []string{"US"}, Organization: []string{"SPIFFE"}}
-			},
-		},
 		{
 			desc: "override X509CASubject",
 			overrideConfig: func(config *credtemplate.Config) {

@@ -295,15 +295,14 @@ func (s *Server) loadCatalog(ctx context.Context, metrics telemetry.Metrics, ide
 
 func (s *Server) newCredBuilder(cat catalog.Catalog) (*credtemplate.Builder, error) {
 	return credtemplate.NewBuilder(credtemplate.Config{
-		TrustDomain:            s.config.TrustDomain,
-		X509CASubject:          s.config.CASubject,
-		X509CATTL:              s.config.CATTL,
-		AgentSVIDTTL:           s.config.AgentTTL,
-		X509SVIDTTL:            s.config.X509SVIDTTL,
-		JWTSVIDTTL:             s.config.JWTSVIDTTL,
-		JWTIssuer:              s.config.JWTIssuer,
-		ExcludeSNFromCASubject: s.config.ExcludeSNFromCASubject,
-		CredentialComposers:    cat.GetCredentialComposers(),
+		TrustDomain:         s.config.TrustDomain,
+		X509CASubject:       s.config.CASubject,
+		X509CATTL:           s.config.CATTL,
+		AgentSVIDTTL:        s.config.AgentTTL,
+		X509SVIDTTL:         s.config.X509SVIDTTL,
+		JWTSVIDTTL:          s.config.JWTSVIDTTL,
+		JWTIssuer:           s.config.JWTIssuer,
+		CredentialComposers: cat.GetCredentialComposers(),
 	})
 }