change step provisioner OID and ASN1 representation

max furman 2018-10-26 14:24:16 -07:00
parent 71a3587b76
commit 7fa06643b2
2 changed files with 24 additions and 32 deletions


@ -30,35 +30,34 @@ type SignOptions struct {
} }
var ( var (
stepOIDRoot = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 37476, 9000, 64}) stepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64}
stepOIDProvisioner = asn1.ObjectIdentifier(append([]int(nil), append(stepOIDRoot, 1)...)) stepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(stepOIDRoot, 1)...)
stepOIDProvisionerName = asn1.ObjectIdentifier(append([]int(nil), append(stepOIDProvisioner, 1)...))
stepOIDProvisionerKeyID = asn1.ObjectIdentifier(append([]int(nil), append(stepOIDProvisioner, 2)...))
) )
type stepProvisionerASN1 struct {
Type int
Name []byte
CredentialID []byte
}
const provisionerTypeJWK = 1
func withProvisionerOID(name, kid string) x509util.WithOption { func withProvisionerOID(name, kid string) x509util.WithOption {
return func(p x509util.Profile) error { return func(p x509util.Profile) error {
crt := p.Subject() crt := p.Subject()
irw := asn1.RawValue{Tag: asn1.TagGeneralString, Class: asn1.ClassPrivate, Bytes: []byte(name)} b, err := asn1.Marshal(stepProvisionerASN1{
krw := asn1.RawValue{Tag: asn1.TagGeneralString, Class: asn1.ClassPrivate, Bytes: []byte(kid)} Type: provisionerTypeJWK,
Name: []byte(name),
irwb, err := asn1.Marshal(irw) CredentialID: []byte(kid),
if err != nil { })
return err
}
krwb, err := asn1.Marshal(krw)
if err != nil { if err != nil {
return err return err
} }
crt.ExtraExtensions = append(crt.ExtraExtensions, pkix.Extension{ crt.ExtraExtensions = append(crt.ExtraExtensions, pkix.Extension{
Id: stepOIDProvisionerName, Id: stepOIDProvisioner,
Critical: false, Critical: false,
Value: irwb, Value: b,
}, pkix.Extension{
Id: stepOIDProvisionerKeyID,
Critical: false,
Value: krwb,
}) })
return nil return nil
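Review bot: stepProvisionerASN1 and provisionerTypeJWK now define the on-the-wire format of the provisioner extension, but neither carries a comment saying so; the field order and Go types are what encoding/asn1 turns into the DER SEQUENCE, so reordering, renaming the tag, or retyping a field later would silently break consumers that parse certificates issued before that change. Suggested comment above the struct: `// stepProvisionerASN1 is the DER-encoded SEQUENCE stored in the stepOIDProvisioner extension; field order is part of the wire format and must not change.` and above the constant: `// provisionerTypeJWK is the stepProvisionerASN1.Type value for a JWK provisioner.` A one-line comment on stepOIDProvisioner naming what the trailing 1 sub-arc under stepOIDRoot denotes would also help readers of the var block. The closing lines of withProvisionerOID fall outside the hunk.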


@ -148,9 +148,6 @@ func TestSign(t *testing.T) {
} }
for name, genTestCase := range tests { for name, genTestCase := range tests {
if name != "ok" {
continue
}
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
tc := genTestCase(t) tc := genTestCase(t)
@ -199,22 +196,18 @@ func TestSign(t *testing.T) {
found := 0 found := 0
for _, ext := range leaf.Extensions { for _, ext := range leaf.Extensions {
id := ext.Id.String() id := ext.Id.String()
if id != stepOIDProvisionerName.String() && id != stepOIDProvisionerKeyID.String() { if id != stepOIDProvisioner.String() {
continue continue
} }
found++ found++
rw := asn1.RawValue{} val := stepProvisionerASN1{}
_, err := asn1.Unmarshal(ext.Value, &rw) _, err := asn1.Unmarshal(ext.Value, &val)
assert.FatalError(t, err) assert.FatalError(t, err)
assert.Equals(t, rw.Tag, asn1.TagGeneralString) assert.Equals(t, val.Type, provisionerTypeJWK)
assert.Equals(t, rw.Class, asn1.ClassPrivate) assert.Equals(t, val.Name, []byte(p.Issuer))
if id == stepOIDProvisionerName.String() { assert.Equals(t, val.CredentialID, []byte(p.Key.KeyID))
assert.Equals(t, string(rw.Bytes), p.Issuer)
} else {
assert.Equals(t, string(rw.Bytes), p.Key.KeyID)
}
} }
assert.Equals(t, found, 2) assert.Equals(t, found, 1)
realIntermediate, err := x509.ParseCertificate(a.intermediateIdentity.Crt.Raw) realIntermediate, err := x509.ParseCertificate(a.intermediateIdentity.Crt.Raw)
assert.FatalError(t, err) assert.FatalError(t, err)