Add back support for the ca.json DN template.
This commit is contained in:
parent
e6fed5e0aa
commit
4795e371bd
2 changed files with 30 additions and 7 deletions
|
@ -20,10 +20,10 @@ import (
|
||||||
// Options contains the options that can be passed to the Sign method. Backdate
|
// Options contains the options that can be passed to the Sign method. Backdate
|
||||||
// is automatically filled and can only be configured in the CA.
|
// is automatically filled and can only be configured in the CA.
|
||||||
type Options struct {
|
type Options struct {
|
||||||
NotAfter TimeDuration `json:"notAfter"`
|
NotAfter TimeDuration `json:"notAfter"`
|
||||||
NotBefore TimeDuration `json:"notBefore"`
|
NotBefore TimeDuration `json:"notBefore"`
|
||||||
TemplateData json.RawMessage `json:"templateData"`
|
TemplateData json.RawMessage `json:"templateData"`
|
||||||
Backdate time.Duration `json:"-"`
|
Backdate time.Duration `json:"-"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// SignOption is the interface used to collect all extra options used in the
|
// SignOption is the interface used to collect all extra options used in the
|
||||||
|
@ -54,6 +54,24 @@ type CertificateEnforcer interface {
|
||||||
Enforce(cert *x509.Certificate) error
|
Enforce(cert *x509.Certificate) error
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CertificateModifierFunc allows to create simple certificate modifiers just
|
||||||
|
// with a function.
|
||||||
|
type CertificateModifierFunc func(cert *x509.Certificate, opts Options) error
|
||||||
|
|
||||||
|
// Modify implements CertificateModifier and just calls the defined function.
|
||||||
|
func (fn CertificateModifierFunc) Modify(cert *x509.Certificate, opts Options) error {
|
||||||
|
return fn(cert, opts)
|
||||||
|
}
|
||||||
|
|
||||||
|
// CertificateEnforcerFunc allows to create simple certificate enforcer just
|
||||||
|
// with a function.
|
||||||
|
type CertificateEnforcerFunc func(cert *x509.Certificate) error
|
||||||
|
|
||||||
|
// Modify implements CertificateEnforcer and just calls the defined function.
|
||||||
|
func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
|
||||||
|
return fn(cert)
|
||||||
|
}
|
||||||
|
|
||||||
// emailOnlyIdentity is a CertificateRequestValidator that checks that the only
|
// emailOnlyIdentity is a CertificateRequestValidator that checks that the only
|
||||||
// SAN provided is the given email address.
|
// SAN provided is the given email address.
|
||||||
type emailOnlyIdentity string
|
type emailOnlyIdentity string
|
||||||
|
|
|
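Review bot: The doc comment on the new Enforce method in the second hunk reads `// Modify implements CertificateEnforcer and just calls the defined function.` but the method declared under it is `Enforce`, so the sentence misnames the method and godoc will not attach it as the method's comment; change it to `// Enforce implements CertificateEnforcer and just calls the defined function.`. The two type comments could also be tightened to `// CertificateModifierFunc allows creating simple certificate modifiers with just a function.` and the same wording for CertificateEnforcerFunc. The first hunk shows no visible text difference between old and new lines, so it appears to be a whitespace-only (field alignment) change and needs no review.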
@ -31,12 +31,11 @@ func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions {
|
||||||
var oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
|
var oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
|
||||||
var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}
|
var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}
|
||||||
|
|
||||||
func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
|
func withDefaultASN1DN(def *x509util.ASN1DN) provisioner.CertificateModifierFunc {
|
||||||
return func(p x509util.Profile) error {
|
return func(crt *x509.Certificate, opts provisioner.Options) error {
|
||||||
if def == nil {
|
if def == nil {
|
||||||
return errors.New("default ASN1DN template cannot be nil")
|
return errors.New("default ASN1DN template cannot be nil")
|
||||||
}
|
}
|
||||||
crt := p.Subject()
|
|
||||||
|
|
||||||
if len(crt.Subject.Country) == 0 && def.Country != "" {
|
if len(crt.Subject.Country) == 0 && def.Country != "" {
|
||||||
crt.Subject.Country = append(crt.Subject.Country, def.Country)
|
crt.Subject.Country = append(crt.Subject.Country, def.Country)
|
||||||
|
@ -114,6 +113,12 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
|
||||||
|
|
||||||
// Certificate modifiers before validation
|
// Certificate modifiers before validation
|
||||||
leaf := cert.GetCertificate()
|
leaf := cert.GetCertificate()
|
||||||
|
|
||||||
|
// Set default subject
|
||||||
|
if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
|
||||||
|
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
||||||
|
}
|
||||||
|
|
||||||
for _, m := range certModifiers {
|
for _, m := range certModifiers {
|
||||||
if err := m.Modify(leaf, signOpts); err != nil {
|
if err := m.Modify(leaf, signOpts); err != nil {
|
||||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
||||||
|
|
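Review bot: In the second hunk, `withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts)` returns the error `default ASN1DN template cannot be nil` whenever the configured template is nil, and Sign wraps that as http.StatusUnauthorized; if the template entry in ca.json is optional, every signing request on a CA without one would be rejected, and even when it is required a missing server-side configuration is not the client's fault, so http.StatusInternalServerError would be the accurate status. Consider either treating a nil template as "no defaults to apply" inside withDefaultASN1DN (`if def == nil { return nil }`) or mapping this specific error to a 5xx before the provisioner modifiers run. The body of withDefaultASN1DN in the first hunk continues outside the hunk; its new `opts provisioner.Options` parameter is unused in the visible part, which compiles but deserves a one-line comment such as `// opts is currently unused; the defaults come only from the ca.json template.`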