VAULT-40835 Normalize serial numbers in PKI observations (#10788) (#10790)

* WIP

* cieps issue

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>

builtin/logical/pki/path_acme_order.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
@@ -342,8 +343,8 @@ func (b *backend) acmeFinalizeOrderHandler(ac *acmeContext, r *logical.Request,
 		observe.NewAdditionalPKIMetadata("authority_key_id", signedCertBundle.Certificate.AuthorityKeyId),
 		observe.NewAdditionalPKIMetadata("public_key_algorithm", signedCertBundle.Certificate.PublicKeyAlgorithm.String()),
 		observe.NewAdditionalPKIMetadata("public_key_size", certutil.GetPublicKeySize(signedCertBundle.Certificate.PublicKey)),
-		observe.NewAdditionalPKIMetadata("common_name", csr.Subject.CommonName),
-		observe.NewAdditionalPKIMetadata("serial_number", order.CertificateSerialNumber),
+		observe.NewAdditionalPKIMetadata("common_name", signedCertBundle.Certificate.Subject.CommonName),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(signedCertBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("certificate_expiry", order.CertificateExpiry.String()),
 		observe.NewAdditionalPKIMetadata("status", ACMEOrderValid),
 		observe.NewAdditionalPKIMetadata("account_id", order.AccountId),
@@ -888,6 +889,7 @@ func (b *backend) acmeNewOrderHandler(ac *acmeContext, req *logical.Request, _ *
 		observe.NewAdditionalPKIMetadata("not_before", notBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("not_after", notAfter.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("order_id", order.OrderId),
+		observe.NewAdditionalPKIMetadata("expires", order.Expires.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("account_id", order.AccountId),
 	)
 

builtin/logical/pki/path_acme_revoke.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -130,7 +131,7 @@ func (b *backend) acmeRevocationHandler(acmeCtx *acmeContext, req *logical.Reque
 	b.pkiObserver.RecordPKIObservation(acmeCtx, req, observe.ObservationTypePKIAcmeRevoke,
 		observe.NewAdditionalPKIMetadata("issuer_name", cert.Issuer.String()),
 		observe.NewAdditionalPKIMetadata("is_ca", cert.IsCA),
-		observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber.String()),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(cert)),
 	)
 
 	// Finally, do the relevant permissions/authorization check as

builtin/logical/pki/path_issue_sign.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -509,7 +510,7 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("subject_key_id", parsedBundle.Certificate.SubjectKeyId),
 		observe.NewAdditionalPKIMetadata("authority_key_id", parsedBundle.Certificate.AuthorityKeyId),
-		observe.NewAdditionalPKIMetadata("serial_number", parsedBundle.Certificate.SerialNumber.String()),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(parsedBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("public_key_algorithm", parsedBundle.Certificate.PublicKeyAlgorithm.String()),
 		observe.NewAdditionalPKIMetadata("public_key_size", certutil.GetPublicKeySize(parsedBundle.Certificate.PublicKey)),
 		observe.NewAdditionalPKIMetadata("lease_generated", generateLease),

builtin/logical/pki/path_revoke.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
@@ -657,7 +658,7 @@ func (b *backend) pathRevokeWrite(ctx context.Context, req *logical.Request, dat
 	var akid []byte
 	var skid []byte
 	if cert != nil {
-		serialNumber = cert.SerialNumber.String()
+		serialNumber = parsing.SerialFromCert(cert)
 		isCa = cert.IsCA
 		akid = cert.AuthorityKeyId
 		skid = cert.SubjectKeyId

builtin/logical/pki/path_root.go

@@ -340,7 +340,7 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 		observe.NewAdditionalPKIMetadata("key_name", myKey.Name),
 		observe.NewAdditionalPKIMetadata("key_type", myKey.PrivateKeyType),
 		observe.NewAdditionalPKIMetadata("role_name", role.Name),
-		observe.NewAdditionalPKIMetadata("serial_number", cb.SerialNumber),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(parsedBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("type", format),
 		observe.NewAdditionalPKIMetadata("common_name", parsedBundle.Certificate.Subject.CommonName),
 		observe.NewAdditionalPKIMetadata("subject_key_id", parsedBundle.Certificate.SubjectKeyId),
@@ -479,7 +479,7 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 		observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("common_name", parsedBundle.Certificate.Subject.CommonName),
-		observe.NewAdditionalPKIMetadata("serial_number", parsedBundle.Certificate.SerialNumber),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(parsedBundle.Certificate)),
 		observe.NewAdditionalPKIMetadata("public_key_algorithm", parsedBundle.Certificate.PublicKeyAlgorithm.String()),
 		observe.NewAdditionalPKIMetadata("public_key_size", certutil.GetPublicKeySize(parsedBundle.Certificate.PublicKey)),
 		observe.NewAdditionalPKIMetadata("subject_key_id", parsedBundle.Certificate.SubjectKeyId),
@@ -670,7 +670,7 @@ func (b *backend) pathIssuerSignSelfIssued(ctx context.Context, req *logical.Req
 		observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
 		observe.NewAdditionalPKIMetadata("issuer_id", issuerId.String()),
 		observe.NewAdditionalPKIMetadata("issuing_ca", signingCB.IssuingCA),
-		observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(cert)),
 		observe.NewAdditionalPKIMetadata("not_after", cert.NotAfter.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("not_before", cert.NotBefore.Format(time.RFC3339)),
 		observe.NewAdditionalPKIMetadata("common_name", cert.Subject.CommonName),

builtin/logical/pki/secret_certs.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/observe"
+	"github.com/hashicorp/vault/builtin/logical/pki/parsing"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -87,7 +88,7 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, _
 	b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRevoke,
 		observe.NewAdditionalPKIMetadata("issuer_name", cert.Issuer.String()),
 		observe.NewAdditionalPKIMetadata("is_ca", cert.IsCA),
-		observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber.String()),
+		observe.NewAdditionalPKIMetadata("serial_number", parsing.SerialFromCert(cert)),
 	)
 
 	return revokeCert(sc, config, cert)