From 57b705f6cfa33b421b7dd307b7220c2b9d19b291 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 6 Mar 2019 17:37:49 -0800 Subject: [PATCH] Use provisioner sign options. --- authority/authorize.go | 1 + authority/tls.go | 39 ++++++++++++++++++--------------------- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/authority/authorize.go b/authority/authorize.go index 48b5174f..75073626 100644 --- a/authority/authorize.go +++ b/authority/authorize.go @@ -81,6 +81,7 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) { } } + // This method will also validate the audiences for JWK provisioners. p, ok := a.provisioners.LoadByToken(token, &claims.Claims) if !ok { return nil, &apiError{errors.Errorf("authorize: provisioner not found"), diff --git a/authority/tls.go b/authority/tls.go index ad5ea808..a413f564 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -11,6 +11,7 @@ import ( "time" "github.com/pkg/errors" + "github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/cli/crypto/pemutil" "github.com/smallstep/cli/crypto/tlsutil" "github.com/smallstep/cli/crypto/x509util" @@ -96,28 +97,22 @@ func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption { } // Sign creates a signed certificate from a certificate signing request. -func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...interface{}) (*x509.Certificate, *x509.Certificate, error) { +func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error) { var ( - errContext = context{"csr": csr, "signOptions": signOpts} - claims = []certClaim{} - mods = []x509util.WithOption{} + errContext = context{"csr": csr, "signOptions": signOpts} + mods = []x509util.WithOption{} + certValidators = []provisioner.CertificateValidator{} ) for _, op := range extraOpts { switch k := op.(type) { - case certClaim: - claims = append(claims, k) - case x509util.WithOption: - mods = append(mods, k) - case *Provisioner: - m, c, err := k.getTLSApps(signOpts) - if err != nil { - return nil, nil, &apiError{err, http.StatusInternalServerError, errContext} + case provisioner.CertificateValidator: + certValidators = append(certValidators, k) + case provisioner.CertificateRequestValidator: + if err := k.Valid(csr); err != nil { + return nil, nil, err } - mods = append(mods, m...) - mods = append(mods, []x509util.WithOption{ - withDefaultASN1DN(a.config.AuthorityConfig.Template), - }...) - claims = append(claims, c...) + case provisioner.ProfileWithOption: + mods = append(mods, k.Option()) default: return nil, nil, &apiError{errors.Errorf("sign: invalid extra option type %T", k), http.StatusInternalServerError, errContext} @@ -137,10 +132,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, ext return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext} } - if err := validateClaims(leaf.Subject(), claims); err != nil { - return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusUnauthorized, errContext} - } - crtBytes, err := leaf.CreateCertificate() if err != nil { return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"), @@ -153,6 +144,12 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, ext http.StatusInternalServerError, errContext} } + for _, v := range certValidators { + if err := v.Valid(serverCert); err != nil { + return nil, nil, err + } + } + caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw) if err != nil { return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"),