Add back the support for ca.json DN template.
This commit is contained in:
parent
e6fed5e0aa
commit
4795e371bd
2 changed files with 30 additions and 7 deletions
|
@ -20,10 +20,10 @@ import (
|
|||
// Options contains the options that can be passed to the Sign method. Backdate
|
||||
// is automatically filled and can only be configured in the CA.
|
||||
type Options struct {
|
||||
NotAfter TimeDuration `json:"notAfter"`
|
||||
NotBefore TimeDuration `json:"notBefore"`
|
||||
TemplateData json.RawMessage `json:"templateData"`
|
||||
Backdate time.Duration `json:"-"`
|
||||
NotAfter TimeDuration `json:"notAfter"`
|
||||
NotBefore TimeDuration `json:"notBefore"`
|
||||
TemplateData json.RawMessage `json:"templateData"`
|
||||
Backdate time.Duration `json:"-"`
|
||||
}
|
||||
|
||||
// SignOption is the interface used to collect all extra options used in the
|
||||
|
@ -54,6 +54,24 @@ type CertificateEnforcer interface {
|
|||
Enforce(cert *x509.Certificate) error
|
||||
}
|
||||
|
||||
// CertificateModifierFunc allows to create simple certificate modifiers just
|
||||
// with a function.
|
||||
type CertificateModifierFunc func(cert *x509.Certificate, opts Options) error
|
||||
|
||||
// Modify implements CertificateModifier and just calls the defined function.
|
||||
func (fn CertificateModifierFunc) Modify(cert *x509.Certificate, opts Options) error {
|
||||
return fn(cert, opts)
|
||||
}
|
||||
|
||||
// CertificateEnforcerFunc allows to create simple certificate enforcer just
|
||||
// with a function.
|
||||
type CertificateEnforcerFunc func(cert *x509.Certificate) error
|
||||
|
||||
// Modify implements CertificateEnforcer and just calls the defined function.
|
||||
func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
|
||||
return fn(cert)
|
||||
}
|
||||
|
||||
// emailOnlyIdentity is a CertificateRequestValidator that checks that the only
|
||||
// SAN provided is the given email address.
|
||||
type emailOnlyIdentity string
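Review bot: The doc comment on the new `CertificateEnforcerFunc.Enforce` method says `Modify` although the method is named `Enforce`, so godoc will not associate the sentence with the method; change it to `// Enforce implements CertificateEnforcer and just calls the defined function.`. The type comment above it could likewise read `// CertificateEnforcerFunc allows creating a simple CertificateEnforcer from a function.` to match the wording used for CertificateModifierFunc. Both look like copy-paste leftovers from the modifier block added in the same hunk.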
|
||||
|
|
|
@ -31,12 +31,11 @@ func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions {
|
|||
var oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
|
||||
var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}
|
||||
|
||||
func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
|
||||
return func(p x509util.Profile) error {
|
||||
func withDefaultASN1DN(def *x509util.ASN1DN) provisioner.CertificateModifierFunc {
|
||||
return func(crt *x509.Certificate, opts provisioner.Options) error {
|
||||
if def == nil {
|
||||
return errors.New("default ASN1DN template cannot be nil")
|
||||
}
|
||||
crt := p.Subject()
|
||||
|
||||
if len(crt.Subject.Country) == 0 && def.Country != "" {
|
||||
crt.Subject.Country = append(crt.Subject.Country, def.Country)
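Review bot: The `def == nil` check now sits inside the returned closure, so it runs on every call of the modifier rather than once when withDefaultASN1DN is built; since `def` is fixed at construction time, a nil template could be rejected up front instead of failing each signing request. If the per-call check is intended, the function deserves a doc comment stating it, e.g. `// withDefaultASN1DN returns a CertificateModifierFunc that fills each empty subject field of crt from def; the modifier fails on every call when def is nil.`. The closure's `opts` parameter is unused, which is acceptable here but worth noting in that comment. The body of withDefaultASN1DN continues past the end of the hunk.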
|
||||
|
@ -114,6 +113,12 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
|
|||
|
||||
// Certificate modifiers before validation
|
||||
leaf := cert.GetCertificate()
|
||||
|
||||
// Set default subject
|
||||
if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
|
||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
||||
}
|
||||
|
||||
for _, m := range certModifiers {
|
||||
if err := m.Modify(leaf, signOpts); err != nil {
|
||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
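Review bot: A nil `a.config.AuthorityConfig.Template` is surfaced by the new "Set default subject" call as `http.StatusUnauthorized`, because withDefaultASN1DN returns an error for a nil template and this wrap treats it like any other modifier failure; if the template is optional in ca.json, every Sign request would then fail with a 401 that reads as an authorization problem rather than a CA misconfiguration, which is hard to diagnose from the client side. Consider wrapping that specific call with `http.StatusInternalServerError`, or skipping it when no template is configured: `if t := a.config.AuthorityConfig.Template; t != nil { ... }`. If the config loader already guarantees a non-nil template, a one-line comment saying so above the call would prevent the next reader from raising the same question. Sign starts and ends outside the hunk.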
|
||||
|
|