Add back support for the ca.json DN template.

This commit is contained in:
Mariano Cano 2020-07-13 11:39:28 -07:00
parent e6fed5e0aa
commit 4795e371bd
2 changed files with 30 additions and 7 deletions


@ -20,10 +20,10 @@ import (
// Options contains the options that can be passed to the Sign method. Backdate // Options contains the options that can be passed to the Sign method. Backdate
// is automatically filled and can only be configured in the CA. // is automatically filled and can only be configured in the CA.
type Options struct { type Options struct {
NotAfter TimeDuration `json:"notAfter"` NotAfter TimeDuration `json:"notAfter"`
NotBefore TimeDuration `json:"notBefore"` NotBefore TimeDuration `json:"notBefore"`
TemplateData json.RawMessage `json:"templateData"` TemplateData json.RawMessage `json:"templateData"`
Backdate time.Duration `json:"-"` Backdate time.Duration `json:"-"`
} }
// SignOption is the interface used to collect all extra options used in the // SignOption is the interface used to collect all extra options used in the
@ -54,6 +54,24 @@ type CertificateEnforcer interface {
Enforce(cert *x509.Certificate) error Enforce(cert *x509.Certificate) error
} }
// CertificateModifierFunc allows to create simple certificate modifiers just
// with a function.
type CertificateModifierFunc func(cert *x509.Certificate, opts Options) error
// Modify implements CertificateModifier and just calls the defined function.
func (fn CertificateModifierFunc) Modify(cert *x509.Certificate, opts Options) error {
return fn(cert, opts)
}
// CertificateEnforcerFunc allows to create simple certificate enforcer just
// with a function.
type CertificateEnforcerFunc func(cert *x509.Certificate) error
// Modify implements CertificateEnforcer and just calls the defined function.
func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
return fn(cert)
}
// emailOnlyIdentity is a CertificateRequestValidator that checks that the only // emailOnlyIdentity is a CertificateRequestValidator that checks that the only
// SAN provided is the given email address. // SAN provided is the given email address.
type emailOnlyIdentity string type emailOnlyIdentity string
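Review bot: The doc comment on the CertificateEnforcerFunc method names the wrong method: it says "Modify implements CertificateEnforcer" but the method declared on the next line is `Enforce`, so `go vet`/golint-style checks will flag the mismatch and readers of the generated docs will be misled. It should read `// Enforce implements CertificateEnforcer and just calls the defined function.`; the type comment two lines earlier could also be pluralised to `// CertificateEnforcerFunc allows to create simple certificate enforcers just`. The first hunk of this file (Options struct) shows no textual change, which suggests a whitespace-only edit that the rendering dropped; worth confirming it is gofmt output and nothing else.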


@ -31,12 +31,11 @@ func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions {
var oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35} var oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14} var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}
func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption { func withDefaultASN1DN(def *x509util.ASN1DN) provisioner.CertificateModifierFunc {
return func(p x509util.Profile) error { return func(crt *x509.Certificate, opts provisioner.Options) error {
if def == nil { if def == nil {
return errors.New("default ASN1DN template cannot be nil") return errors.New("default ASN1DN template cannot be nil")
} }
crt := p.Subject()
if len(crt.Subject.Country) == 0 && def.Country != "" { if len(crt.Subject.Country) == 0 && def.Country != "" {
crt.Subject.Country = append(crt.Subject.Country, def.Country) crt.Subject.Country = append(crt.Subject.Country, def.Country)
@ -114,6 +113,12 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
// Certificate modifiers before validation // Certificate modifiers before validation
leaf := cert.GetCertificate() leaf := cert.GetCertificate()
// Set default subject
if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
}
for _, m := range certModifiers { for _, m := range certModifiers {
if err := m.Modify(leaf, signOpts); err != nil { if err := m.Modify(leaf, signOpts); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...) return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
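Review bot: The new default-subject call in Sign maps an error from withDefaultASN1DN to http.StatusUnauthorized, but the only failure that function produces before touching request data is the nil-template guard (`default ASN1DN template cannot be nil`), which is a CA configuration problem rather than a client authorization failure; reporting it as 401 hides the misconfiguration from operators. Unless config loading is known to guarantee a non-nil AuthorityConfig.Template (not visible here), either treat nil as "no defaults to apply" inside withDefaultASN1DN, or wrap this specific call with the server-side status: `return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign", opts...)`. Note also that the default DN is now applied before the provisioner's certModifiers run, so any modifier that expects an empty Subject will see the ca.json defaults already filled in; if that ordering is intentional it deserves a comment on the `// Set default subject` line. Both withDefaultASN1DN and Sign continue outside the visible hunks.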