Remove some duplicate and unnecessary logic

This commit is contained in:
Herman Slatman 2021-03-06 23:24:49 +01:00
parent 99654f0efe
commit 2d21b09d41
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
4 changed files with 12 additions and 25 deletions


@ -156,7 +156,6 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
// well as certificates via SCEP. // well as certificates via SCEP.
tlsConfig = nil tlsConfig = nil
// TODO: get the SCEP service
scepPrefix := "scep" scepPrefix := "scep"
scepAuthority, err := scep.New(auth, scep.AuthorityOptions{ scepAuthority, err := scep.New(auth, scep.AuthorityOptions{
IntermediateCertificatePath: config.IntermediateCert, IntermediateCertificatePath: config.IntermediateCert,


@ -16,6 +16,7 @@ import (
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/scep" "github.com/smallstep/certificates/scep"
"go.mozilla.org/pkcs7"
microscep "github.com/micromdm/scep/scep" microscep "github.com/micromdm/scep/scep"
) )
@ -269,16 +270,24 @@ func (h *Handler) PKIOperation(ctx context.Context, request SCEPRequest) (SCEPRe
response := SCEPResponse{Operation: opnPKIOperation} response := SCEPResponse{Operation: opnPKIOperation}
// parse the message using microscep implementation
microMsg, err := microscep.ParsePKIMessage(request.Message) microMsg, err := microscep.ParsePKIMessage(request.Message)
if err != nil { if err != nil {
return SCEPResponse{}, err return SCEPResponse{}, err
} }
p7, err := pkcs7.Parse(microMsg.Raw)
if err != nil {
return SCEPResponse{}, err
}
// copy over properties to our internal PKIMessage
msg := &scep.PKIMessage{ msg := &scep.PKIMessage{
TransactionID: microMsg.TransactionID, TransactionID: microMsg.TransactionID,
MessageType: microMsg.MessageType, MessageType: microMsg.MessageType,
SenderNonce: microMsg.SenderNonce, SenderNonce: microMsg.SenderNonce,
Raw: microMsg.Raw, Raw: microMsg.Raw,
P7: p7,
} }
if err := h.Auth.DecryptPKIEnvelope(ctx, msg); err != nil { if err := h.Auth.DecryptPKIEnvelope(ctx, msg); err != nil {
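Review bot: The bytes in `microMsg.Raw` are parsed a second time with `pkcs7.Parse` directly after `microscep.ParsePKIMessage`, which presumably has already parsed the same PKCS#7 structure to fill TransactionID and MessageType, so a network-supplied request is decoded twice and a malformed one is rejected at two places with two different bare errors. If the second parse is needed because microscep keeps its parsed PKCS7 unexported, a comment saying so would stop the next reader from re-raising it: `// parse again: microscep does not expose its parsed PKCS7, and DecryptPKIEnvelope/SignCSR need it`. The error from pkcs7.Parse is also returned without context; `return SCEPResponse{}, fmt.Errorf("parsing PKCS#7 message: %w", err)` (if fmt is imported in this file) would distinguish it from the ParsePKIMessage failure above it. PKIOperation continues outside the hunk.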


@ -198,27 +198,7 @@ func (a *Authority) GetCACertificates() ([]*x509.Certificate, error) {
// DecryptPKIEnvelope decrypts an enveloped message // DecryptPKIEnvelope decrypts an enveloped message
func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error { func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error {
data := msg.Raw p7c, err := pkcs7.Parse(msg.P7.Content)
p7, err := pkcs7.Parse(data)
if err != nil {
return err
}
var tID microscep.TransactionID
if err := p7.UnmarshalSignedAttribute(oidSCEPtransactionID, &tID); err != nil {
return err
}
var msgType microscep.MessageType
if err := p7.UnmarshalSignedAttribute(oidSCEPmessageType, &msgType); err != nil {
return err
}
msg.p7 = p7
//p7c, err := pkcs7.Parse(p7.Content)
p7c, err := pkcs7.Parse(p7.Content)
if err != nil { if err != nil {
return err return err
} }
@ -253,7 +233,6 @@ func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) err
CSR: csr, CSR: csr,
ChallengePassword: cp, ChallengePassword: cp,
} }
//msg.Certificate = p7.Certificates[0] // TODO: check if this is necessary to add (again)
return nil return nil
case microscep.GetCRL, microscep.GetCert, microscep.CertPoll: case microscep.GetCRL, microscep.GetCert, microscep.CertPoll:
return fmt.Errorf("not implemented") //errNotImplemented return fmt.Errorf("not implemented") //errNotImplemented
@ -355,7 +334,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
return nil, err return nil, err
} }
e7, err := pkcs7.Encrypt(deg, msg.p7.Certificates) e7, err := pkcs7.Encrypt(deg, msg.P7.Certificates)
if err != nil { if err != nil {
return nil, err return nil, err
} }
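Review bot: DecryptPKIEnvelope now dereferences `msg.P7` on its first line without a nil check, whereas before this change it parsed `msg.Raw` itself and did not depend on the caller; a PKIMessage whose P7 was never set (the field has just been exported, so any package can construct one) now panics instead of returning an error. A guard at the top such as `if msg.P7 == nil { return fmt.Errorf("scep: PKIMessage.P7 is not set") }`, and the same check before `msg.P7.Certificates` in the SignCSR hunk below, would keep the failure an ordinary error. The doc comment should also state the new precondition, e.g. `// DecryptPKIEnvelope decrypts an enveloped message. msg.P7 must hold the parsed PKCS#7 of msg.Raw.` Both DecryptPKIEnvelope and SignCSR continue outside their hunks.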


@ -35,7 +35,7 @@ type PKIMessage struct {
Raw []byte Raw []byte
// parsed // parsed
p7 *pkcs7.PKCS7 P7 *pkcs7.PKCS7
// decrypted enveloped content // decrypted enveloped content
pkiEnvelope []byte pkiEnvelope []byte
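Review bot: P7 becomes an exported field of PKIMessage but keeps only the one-word `// parsed` comment, which no longer documents what callers outside the package are now expected to set. A comment starting with the name, e.g. `// P7 is the parsed PKCS#7 structure of Raw; DecryptPKIEnvelope and SignCSR require it to be set.`, would record that contract where it is declared. The PKIMessage struct continues outside the hunk.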