From 8ff8d90f8ccfdb17f93956f9eee9a6276478473c Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 30 Jul 2020 14:59:54 -0700
Subject: [PATCH] On JWK and X5C validate the key id on the request.

---
 authority/provisioner/jwk.go | 4 ++--
 authority/provisioner/x5c.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index 1769860a..e8caa25d 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -207,6 +207,8 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	signOptions := []SignOption{
 		// validates user's SSHOptions with the ones in the token
 		sshCertOptionsValidator(*opts),
+		// validate users's KeyID is the token subject.
+		sshCertOptionsValidator(SignSSHOptions{KeyID: claims.Subject}),
 	}
 
 	// Default template attributes.
@@ -251,8 +253,6 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	return append(signOptions,
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
-		// Validate that the keyID is equivalent to the token subject.
-		sshCertKeyIDValidator(claims.Subject),
 		// Validate public key
 		&sshDefaultPublicKeyValidator{},
 		// Validate the validity period.
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 69d5ba59..281ab625 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -249,6 +249,8 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	signOptions := []SignOption{
 		// validates user's SSHOptions with the ones in the token
 		sshCertOptionsValidator(*opts),
+		// validate users's KeyID is the token subject.
+		sshCertOptionsValidator(SignSSHOptions{KeyID: claims.Subject}),
 	}
 
 	// Default template attributes.
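Review bot: With `sshCertKeyIDValidator(claims.Subject)` dropped from the `append(signOptions, ...)` list, the token subject is now bound only to the request's `SignSSHOptions.KeyID`, not to the KeyID of the certificate that is ultimately issued; if `sshCertOptionsValidator` treats an empty request field as "not constrained" (which its use on `*opts` for the user's optional values suggests, though its body is not in this patch), a request that omits KeyID and relies on the template defaults set a few lines later would no longer be pinned to `claims.Subject` at all. It would be safer to keep a certificate-level check alongside the new request-level one, or to confirm that `sshCertOptionsValidator` rejects an empty KeyID, and to add a test for a request with no KeyID and a request whose KeyID differs from the subject. The same change is made in both x5c.go hunks, so the same question applies there; `AuthorizeSSHSign` starts and ends outside every hunk. Minor: the added comment reads `users's`, should be `// validate user's KeyID is the token subject.`.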
@@ -293,8 +295,6 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	return append(signOptions,
 		// Checks the validity bounds, and set the validity if has not been set.
 		&sshLimitDuration{p.claimer, claims.chains[0][0].NotAfter},
-		// set the key id to the token subject
-		sshCertKeyIDValidator(claims.Subject),
 		// Validate public key.
 		&sshDefaultPublicKeyValidator{},
 		// Validate the validity period.