Add ssh certificate template to X5C provisioner.

2020-07-27 16:03:16 -07:00 · 2020-07-27 16:03:16 -07:00 · c2dc76550c
commit c2dc76550c
parent 380a0d6daf
1 changed files with 37 additions and 21 deletions
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@ -9,6 +9,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/sshutil"
 	"github.com/smallstep/certificates/x509util"
 	"github.com/smallstep/cli/jose"
 )
@ -25,14 +26,15 @@ type x5cPayload struct {
 // signature requests.
 type X5C struct {
 	*base
-	Type      string   `json:"type"`
+	Type       string      `json:"type"`
-	Name      string   `json:"name"`
+	Name       string      `json:"name"`
-	Roots     []byte   `json:"roots"`
+	Roots      []byte      `json:"roots"`
-	Claims    *Claims  `json:"claims,omitempty"`
+	Claims     *Claims     `json:"claims,omitempty"`
-	Options   *Options `json:"options,omitempty"`
+	Options    *Options    `json:"options,omitempty"`
-	claimer   *Claimer
+	SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
-	audiences Audiences
+	claimer    *Claimer
-	rootPool  *x509.CertPool
+	audiences  Audiences
 	rootPool   *x509.CertPool
 }
 // GetID returns the provisioner unique identifier. The name and credential id
@ -249,14 +251,37 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		sshCertOptionsValidator(*opts),
 	}
-	// Add modifiers from custom claims
+	// Default template attributes.
-	// FIXME: this is also set in the sign method using SSHOptions.Modify.
+	certType := sshutil.UserCert
 	keyID := claims.Subject
 	principals := []string{claims.Subject}
 	// Use options in the token.
 	if opts.CertType != "" {
-		signOptions = append(signOptions, sshCertTypeModifier(opts.CertType))
+		if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
 			return nil, errs.Wrap(http.StatusBadRequest, err, "jwk.AuthorizeSSHSign")
 		}
 	}
 	if opts.KeyID != "" {
 		keyID = opts.KeyID
 	}
 	if len(opts.Principals) > 0 {
-		signOptions = append(signOptions, sshCertPrincipalsModifier(opts.Principals))
+		principals = opts.Principals
 	}
 	// Certificate templates.
 	data := sshutil.CreateTemplateData(certType, keyID, principals)
 	if v, err := unsafeParseSigned(token); err == nil {
 		data.SetToken(v)
 	}
 	templateOptions, err := TemplateSSHOptions(p.SSHOptions, data)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
 	}
 	signOptions = append(signOptions, templateOptions)
 	// Add modifiers from custom claims
 	t := now()
 	if !opts.ValidAfter.IsZero() {
 		signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix()))
@ -264,17 +289,8 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	if !opts.ValidBefore.IsZero() {
 		signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
 	}
 	// Make sure to define the the KeyID
 	if opts.KeyID == "" {
 		signOptions = append(signOptions, sshCertKeyIDModifier(claims.Subject))
 	}
 	// Default to a user certificate with no principals if not set
 	signOptions = append(signOptions, sshCertDefaultsModifier{CertType: SSHUserCert})
 	return append(signOptions,
 		// Set the default extensions.
 		&sshDefaultExtensionModifier{},
 		// Checks the validity bounds, and set the validity if has not been set.
 		&sshLimitDuration{p.claimer, claims.chains[0][0].NotAfter},
 		// set the key id to the token subject