Reject not enabled attestation formats

This commit is contained in:
Mariano Cano 2022-09-08 17:38:05 -07:00
parent 53ad3a9dbe
commit 0f651799d0
3 changed files with 23 additions and 2 deletions

View file

@ -45,6 +45,10 @@ func (*fakeProvisioner) IsChallengeEnabled(ctx context.Context, challenge provis
return true
}
func (*fakeProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool {
return true
}
func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil }
func (*fakeProvisioner) GetID() string { return "" }
func (*fakeProvisioner) GetName() string { return "" }

View file

@ -26,6 +26,7 @@ import (
"time"
"github.com/fxamacker/cbor/v2"
"github.com/smallstep/certificates/authority/provisioner"
"go.step.sm/crypto/jose"
"go.step.sm/crypto/pemutil"
)
@ -341,6 +342,12 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
return WrapErrorISE(err, "error unmarshalling CBOR")
}
prov := MustProvisionerFromContext(ctx)
if !prov.IsAttestationFormatEnabled(ctx, provisioner.ACMEAttestationFormat(att.Format)) {
return storeError(ctx, db, ch, true,
NewError(ErrorBadAttestationStatementType, "attestation format %q is not enabled", att.Format))
}
switch att.Format {
case "apple":
data, err := doAppleAttestationFormat(ctx, ch, db, &att)

View file

@ -72,6 +72,7 @@ type Provisioner interface {
AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
AuthorizeRevoke(ctx context.Context, token string) error
IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
GetID() string
GetName() string
DefaultTLSCertDuration() time.Duration
@ -110,7 +111,8 @@ type MockProvisioner struct {
MauthorizeOrderIdentifier func(ctx context.Context, identifier provisioner.ACMEIdentifier) error
MauthorizeSign func(ctx context.Context, ott string) ([]provisioner.SignOption, error)
MauthorizeRevoke func(ctx context.Context, token string) error
MisChallengeEnabled func(Ctx context.Context, challenge provisioner.ACMEChallenge) bool
MisChallengeEnabled func(ctx context.Context, challenge provisioner.ACMEChallenge) bool
MisAttFormatEnabled func(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
MdefaultTLSCertDuration func() time.Duration
MgetOptions func() *provisioner.Options
}
@ -147,7 +149,7 @@ func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) err
return m.Merr
}
// AuthorizeChallenge mock
// IsChallengeEnabled mock
func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool {
if m.MisChallengeEnabled != nil {
return m.MisChallengeEnabled(ctx, challenge)
@ -155,6 +157,14 @@ func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge prov
return m.Merr == nil
}
// IsAttestationFormatEnabled mock
func (m *MockProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool {
if m.MisAttFormatEnabled != nil {
return m.MisAttFormatEnabled(ctx, format)
}
return m.Merr == nil
}
// DefaultTLSCertDuration mock
func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration {
if m.MdefaultTLSCertDuration != nil {