From 34c6c65671ec59fc63a045bd128d3a35a6f4fb7b Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 16 Sep 2022 12:37:41 -0700
Subject: [PATCH] Pass attestation information to the Sign method

Attestation information might be useful in authorizing webhooks
---
 acme/order.go | 10 ++++++++++
 authority/provisioner/sign_options.go | 6 ++++++
 authority/tls.go | 6 ++++++
 3 files changed, 22 insertions(+)

diff --git a/acme/order.go b/acme/order.go
index ee76a364..2eddad53 100644
--- a/acme/order.go
+++ b/acme/order.go
@@ -157,6 +157,9 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 	data := x509util.NewTemplateData()
 	data.SetCommonName(csr.Subject.CommonName)
 
+	// Custom sign options passed to authority.Sign
+	var extraOptions []provisioner.SignOption
+
 	// TODO: support for multiple identifiers?
 	var permanentIdentifier string
 	for i := range o.Identifiers {
@@ -173,6 +176,9 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 				Type:  x509util.PermanentIdentifierType,
 				Value: permanentIdentifier,
 			})
+			extraOptions = append(extraOptions, provisioner.AttestationData{
+				PermanentIdentifier: permanentIdentifier,
+			})
 		} else {
 			defaultTemplate = x509util.DefaultLeafTemplate
 			sans, err := o.sans(csr)
@@ -193,7 +199,11 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 	if err != nil {
 		return WrapErrorISE(err, "error creating template options from ACME provisioner")
 	}
+
+	// Build extra signing options.
 	signOps = append(signOps, templateOptions)
+	signOps = append(signOps, extraOptions...)
+
 	// Sign a new certificate.
 	certChain, err := auth.Sign(csr, provisioner.SignOptions{
 		NotBefore: provisioner.NewTimeDuration(o.NotBefore),
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index c3868e5f..8a0363a6 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
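Review bot: The `provisioner.AttestationData` appended in the `-173` hunk is filled from `permanentIdentifier`, which the surrounding hunks suggest is read from the order's identifiers rather than from an attestation statement itself; since the commit message intends webhooks to authorize on this value, its provenance belongs next to the code. Suggest a lead-in comment above the append such as `// Forward the permanent identifier to authority.Sign as attestation data; webhooks may authorize on it, so it should only ever be set from an identifier the challenge has validated.` Finalize starts and ends outside the hunk, so whether that validation precedes this point cannot be confirmed from here.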
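Review bot: In the `-193` hunk the new comment `// Build extra signing options.` sits above `signOps = append(signOps, templateOptions)`, the pre-existing template line, while the line it actually describes is the `extraOptions...` append below it. Either move the comment directly above `signOps = append(signOps, extraOptions...)` or reword it as `// Add the template and the attestation sign options.` so it covers both appends. Finalize continues outside the hunk.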
@@ -77,6 +77,12 @@ func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
 	return fn(cert)
 }
 
+// AttestationData is a SignOption used to pass attestation information to the
+// sign methods.
+type AttestationData struct {
+	PermanentIdentifier string
+}
+
 // emailOnlyIdentity is a CertificateRequestValidator that checks that the only
 // SAN provided is the given email address.
 type emailOnlyIdentity string
diff --git a/authority/tls.go b/authority/tls.go
index c7e2dd09..632ac238 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -94,6 +94,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 	var prov provisioner.Interface
 	var pInfo *casapi.ProvisionerInfo
+	var attData provisioner.AttestationData
 	for _, op := range extraOpts {
 		switch k := op.(type) {
 		// Capture current provisioner
@@ -129,6 +130,11 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 		case provisioner.CertificateEnforcer:
 			certEnforcers = append(certEnforcers, k)
+		// Extra information from ACME attestations.
+		case provisioner.AttestationData:
+			attData = k
+			// TODO(mariano,areed): remove me once attData is used.
+			_ = attData
 		default:
 			return nil, errs.InternalServer("authority.Sign; invalid extra option type %T", append([]interface{}{k}, opts...)...)
 		}
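Review bot: `PermanentIdentifier` is an exported field with no doc comment, and the type comment says only that the struct carries "attestation information" without saying what the string holds or what the zero value means. Suggest `// PermanentIdentifier is the permanent identifier the order's attestation applies to; empty when none was provided.` above the field, and extending the type comment with a sentence noting that the value is matched by concrete type (not pointer) in Authority.Sign's option switch, which is what the tls.go hunk relies on.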
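Review bot: In the `-129` hunk `attData = k` assigns a value into a variable whose zero value is a valid `AttestationData`, so after the loop a missing option and an option carrying an empty `PermanentIdentifier` are indistinguishable, and a second `AttestationData` in `extraOpts` silently overwrites the first. Once the TODO is resolved and attData feeds webhook authorization, that ambiguity is the kind of thing that turns into an authorization bypass, so it is worth settling now: declare `var attData *provisioner.AttestationData` in the `-94` hunk and here assign `attData = &k`, and reject a repeated option with the same `errs.InternalServer` path the `default` branch already uses. Sign starts and ends outside the hunk, so where attData will eventually be consumed is not visible here.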