From e2ba4159c3af6f559a148c793276bb17081b56f9 Mon Sep 17 00:00:00 2001
From: Miclain Keffeler
Date: Tue, 22 Dec 2020 16:39:39 -0600
Subject: [PATCH 1/2] Begins to fix issue 87
---
 api/sign.go | 18 ++++++++-------
 authority/provisioner/sign_options.go | 9 ++++----
 authority/tls.go | 33 +++++++++++++++++++++++++--
 3 files changed, 46 insertions(+), 14 deletions(-)
diff --git a/api/sign.go b/api/sign.go
index 69e9a1a5..7687015d 100644
--- a/api/sign.go
+++ b/api/sign.go
@@ -12,11 +12,12 @@ import (
 // SignRequest is the request body for a certificate signature request.
 type SignRequest struct {
- CsrPEM CertificateRequest `json:"csr"`
- OTT string `json:"ott"`
- NotAfter TimeDuration `json:"notAfter,omitempty"`
- NotBefore TimeDuration `json:"notBefore,omitempty"`
- TemplateData json.RawMessage `json:"templateData,omitempty"`
+ CsrPEM CertificateRequest `json:"csr"`
+ OTT string `json:"ott"`
+ NotAfter TimeDuration `json:"notAfter,omitempty"`
+ NotBefore TimeDuration `json:"notBefore,omitempty"`
+ AppendedCertsFile string `json:"AppendedCertsFile,omitempty"`
+ TemplateData json.RawMessage `json:"templateData,omitempty"`
 }
 // Validate checks the fields of the SignRequest and returns nil if they are ok
@@ -61,9 +62,10 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
 }
 opts := provisioner.SignOptions{
- NotBefore: body.NotBefore,
- NotAfter: body.NotAfter,
- TemplateData: body.TemplateData,
+ NotBefore: body.NotBefore,
+ NotAfter: body.NotAfter,
+ TemplateData: body.TemplateData,
+ AppendedCertsFile: body.AppendedCertsFile,
 }
 signOpts, err := h.Authority.AuthorizeSign(body.OTT)
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index 9bfe8529..b32b3c6c 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
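Review bot: `AppendedCertsFile` makes a file path on the CA host part of the client's request body, so whoever submits a sign request picks which file `Authority.Sign` reads and hands back as part of the returned chain (authority/tls.go hunk at @@ -161, whose own comment says the file is "defined in ca.json"). A path the CA should append belongs in the authority's configuration, not in `SignRequest` and not in the `opts` literal of this file's second hunk; dropping the field from both keeps the request surface as it was. If the field is kept anyway, its tag should follow the sibling convention, `json:"appendedCertsFile,omitempty"`, rather than the exported-name casing used here.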
@@ -23,10 +23,11 @@ const DefaultCertValidity = 24 * time.Hour
 // SignOptions contains the options that can be passed to the Sign method. Backdate
 // is automatically filled and can only be configured in the CA.
 type SignOptions struct {
- NotAfter TimeDuration `json:"notAfter"`
- NotBefore TimeDuration `json:"notBefore"`
- TemplateData json.RawMessage `json:"templateData"`
- Backdate time.Duration `json:"-"`
+ NotAfter TimeDuration `json:"notAfter"`
+ NotBefore TimeDuration `json:"notBefore"`
+ AppendedCertsFile string `json:"AppendedCertsFile"`
+ TemplateData json.RawMessage `json:"templateData"`
+ Backdate time.Duration `json:"-"`
 }
 // SignOption is the interface used to collect all extra options used in the
diff --git a/authority/tls.go b/authority/tls.go
index f22f4624..43a593f7 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -8,6 +8,8 @@ import (
 "encoding/asn1"
 "encoding/base64"
 "encoding/pem"
+ "io/ioutil"
+ "log"
 "net/http"
 "time"
@@ -67,7 +69,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 certModifiers []provisioner.CertificateModifier
 certEnforcers []provisioner.CertificateEnforcer
 )
-
+ var thecertfile = signOpts.AppendedCertsFile
 opts := []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
 if err := csr.CheckSignature(); err != nil {
 return nil, errs.Wrap(http.StatusBadRequest, err, "authority.Sign; invalid certificate request", opts...)
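Review bot: The new `AppendedCertsFile` option is tagged for JSON like the client-settable fields, so it can be populated from any deserialized payload, whereas the struct's own comment marks `Backdate` as CA-only and gives it `json:"-"`; a file path on the CA host needs the same treatment, `AppendedCertsFile string \`json:"-"\``. The comment above the struct should then say that, like Backdate, this value is filled in by the CA from its configuration and cannot be supplied by a caller. If it is intended to be client-settable after all, at least match the tag casing of its neighbours, `json:"appendedCertsFile"`.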
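Review bot: `var thecertfile = signOpts.AppendedCertsFile` aliases a value that is already in scope for the whole function, and the name does not follow Go's MixedCaps convention; the later hunk can read `signOpts.AppendedCertsFile` directly, or use `appendedCertsFile := signOpts.AppendedCertsFile` if a short local is wanted. The hunk also replaces the blank line that separated the `var (...)` group from `opts`, which is worth keeping for readability. Sign's signature and the rest of its body are outside this hunk.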
@@ -161,8 +163,35 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 "authority.Sign; error storing certificate in db", opts...)
 }
 }
+ //If the user defined a file to append to in ca.json
+ //log.Fatal(string(thecertfile))
+ if thecertfile != "" {
+ content, err := ioutil.ReadFile(string(thecertfile))
+ if err != nil {
+ log.Fatal(err)
+ }
+ block, _ := pem.Decode([]byte(content))
+ if block == nil {
+ log.Fatal(err)
+ }
+ certs, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ log.Fatal(err)
+ }
+ var thecert = make([]*x509.Certificate, len(resp.CertificateChain)+1)
+ for i, aid := range resp.CertificateChain {
+ //log.wr(aid)
+ thecert[i] = aid
+ }
+ thecert[len(resp.CertificateChain)] = certs
+ return append([]*x509.Certificate{resp.Certificate}, thecert...), nil
+ }
+ var thecert = make([]*x509.Certificate, len(resp.CertificateChain))
+ for i, aid := range resp.CertificateChain {
+ thecert[i] = aid
+ }
+ return append([]*x509.Certificate{resp.Certificate}, thecert...), nil
- return append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...), nil
 }
 // Renew creates a new Certificate identical to the old certificate, except
From bfd13f1f72799a727f9c0ba7fb6ccf149fd0c6d8 Mon Sep 17 00:00:00 2001
From: Miclain Keffeler
Date: Wed, 23 Dec 2020 22:43:47 -0600
Subject: [PATCH 2/2] Revert "Begins to fix issue 87"
This reverts commit e2ba4159c3af6f559a148c793276bb17081b56f9.
---
 api/sign.go | 18 +++++++--------
 authority/provisioner/sign_options.go | 9 ++++----
 authority/tls.go | 33 ++-------------------------
 3 files changed, 14 insertions(+), 46 deletions(-)
diff --git a/api/sign.go b/api/sign.go
index 7687015d..69e9a1a5 100644
--- a/api/sign.go
+++ b/api/sign.go
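Review bot: Every failure in the appended-file branch calls `log.Fatal`, which terminates the whole CA process from inside a request path (a wrong path or unreadable file takes the service down for everyone), and the `block == nil` case even passes a nil `err` to it; each case must come back as an error the way the surrounding code does, `return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign; error reading appended certs file", opts...)`. Because this runs after the certificate has already been signed and stored, a failure here is reported only after the certificate exists, so the better shape is to read and parse the file once when the Authority is built and keep the parsed `[]*x509.Certificate`; the rewrite below keeps the per-request shape only to stay within this hunk. `x509.ParseCertificate` consumes a single PEM block, so a file holding several certificates silently loses all but the first, and the two hand-written copy loops reproduce what `append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...)` already did. `errors.New` below assumes `errors` is imported in tls.go; the import block is outside this hunk. Sign's signature and earlier body are also outside the hunk.
```go
	// … unchanged: signing and certificate storage …
	chain := append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...)
	if signOpts.AppendedCertsFile != "" {
		content, err := ioutil.ReadFile(signOpts.AppendedCertsFile)
		if err != nil {
			return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign; error reading appended certs file", opts...)
		}
		found := 0
		for rest := content; len(rest) > 0; {
			var block *pem.Block
			block, rest = pem.Decode(rest)
			if block == nil {
				break
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign; error parsing appended certs file", opts...)
			}
			chain = append(chain, cert)
			found++
		}
		if found == 0 {
			return nil, errs.Wrap(http.StatusInternalServerError, errors.New("no PEM certificate found"), "authority.Sign; invalid appended certs file", opts...)
		}
	}
	return chain, nil
```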
@@ -12,12 +12,11 @@ import (
 // SignRequest is the request body for a certificate signature request.
 type SignRequest struct {
- CsrPEM CertificateRequest `json:"csr"`
- OTT string `json:"ott"`
- NotAfter TimeDuration `json:"notAfter,omitempty"`
- NotBefore TimeDuration `json:"notBefore,omitempty"`
- AppendedCertsFile string `json:"AppendedCertsFile,omitempty"`
- TemplateData json.RawMessage `json:"templateData,omitempty"`
+ CsrPEM CertificateRequest `json:"csr"`
+ OTT string `json:"ott"`
+ NotAfter TimeDuration `json:"notAfter,omitempty"`
+ NotBefore TimeDuration `json:"notBefore,omitempty"`
+ TemplateData json.RawMessage `json:"templateData,omitempty"`
 }
 // Validate checks the fields of the SignRequest and returns nil if they are ok
@@ -62,10 +61,9 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
 }
 opts := provisioner.SignOptions{
- NotBefore: body.NotBefore,
- NotAfter: body.NotAfter,
- TemplateData: body.TemplateData,
- AppendedCertsFile: body.AppendedCertsFile,
+ NotBefore: body.NotBefore,
+ NotAfter: body.NotAfter,
+ TemplateData: body.TemplateData,
 }
 signOpts, err := h.Authority.AuthorizeSign(body.OTT)
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index b32b3c6c..9bfe8529 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@@ -23,11 +23,10 @@ const DefaultCertValidity = 24 * time.Hour
 // SignOptions contains the options that can be passed to the Sign method. Backdate
 // is automatically filled and can only be configured in the CA.
 type SignOptions struct {
- NotAfter TimeDuration `json:"notAfter"`
- NotBefore TimeDuration `json:"notBefore"`
- AppendedCertsFile string `json:"AppendedCertsFile"`
- TemplateData json.RawMessage `json:"templateData"`
- Backdate time.Duration `json:"-"`
+ NotAfter TimeDuration `json:"notAfter"`
+ NotBefore TimeDuration `json:"notBefore"`
+ TemplateData json.RawMessage `json:"templateData"`
+ Backdate time.Duration `json:"-"`
 }
 // SignOption is the interface used to collect all extra options used in the
diff --git a/authority/tls.go b/authority/tls.go
index 43a593f7..f22f4624 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -8,8 +8,6 @@ import (
 "encoding/asn1"
 "encoding/base64"
 "encoding/pem"
- "io/ioutil"
- "log"
 "net/http"
 "time"
@@ -69,7 +67,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 certModifiers []provisioner.CertificateModifier
 certEnforcers []provisioner.CertificateEnforcer
 )
- var thecertfile = signOpts.AppendedCertsFile
+
 opts := []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
 if err := csr.CheckSignature(); err != nil {
 return nil, errs.Wrap(http.StatusBadRequest, err, "authority.Sign; invalid certificate request", opts...)
@@ -163,35 +161,8 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 "authority.Sign; error storing certificate in db", opts...)
 }
 }
- //If the user defined a file to append to in ca.json
- //log.Fatal(string(thecertfile))
- if thecertfile != "" {
- content, err := ioutil.ReadFile(string(thecertfile))
- if err != nil {
- log.Fatal(err)
- }
- block, _ := pem.Decode([]byte(content))
- if block == nil {
- log.Fatal(err)
- }
- certs, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- log.Fatal(err)
- }
- var thecert = make([]*x509.Certificate, len(resp.CertificateChain)+1)
- for i, aid := range resp.CertificateChain {
- //log.wr(aid)
- thecert[i] = aid
- }
- thecert[len(resp.CertificateChain)] = certs
- return append([]*x509.Certificate{resp.Certificate}, thecert...), nil
- }
- var thecert = make([]*x509.Certificate, len(resp.CertificateChain))
- for i, aid := range resp.CertificateChain {
- thecert[i] = aid
- }
- return append([]*x509.Certificate{resp.Certificate}, thecert...), nil
+ return append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...), nil
 }
 // Renew creates a new Certificate identical to the old certificate, except