This commit is contained in:
max furman 2020-06-23 17:13:39 -07:00
parent 1951669e13
commit 3636ba3228
4 changed files with 22 additions and 10 deletions


@ -151,15 +151,16 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
claims.SANs = []string{claims.Subject}
}
return append([]SignOption{
return []SignOption{
// modifiers / withOptions
newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
// validators
commonNameValidator(claims.Subject),
defaultSANsValidator(claims.SANs),
defaultPublicKeyValidator{},
newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
}, sansValidators(claims.SANs)), nil
}, nil
}
// AuthorizeRenew returns an error if the renewal is disabled.
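Review bot: The SAN check now runs earlier than before: the old code appended `sansValidators(claims.SANs)` after `newValidityValidator(...)`, while the new `defaultSANsValidator(claims.SANs)` sits before `defaultPublicKeyValidator{}` and the validity validator. If the validators are evaluated in slice order and the first failure is the one returned, a CSR with several problems will now report a SAN mismatch where it previously reported a public-key or validity error, which can surprise anyone matching on error text. The same reordering is in the X5C `AuthorizeSign` hunk below. If the order is intentional, a short comment such as `// SANs are checked before key and validity so SAN mismatches are reported first` would make it deliberate rather than accidental. `AuthorizeSign` begins outside this hunk.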


@ -216,10 +216,20 @@ func (v urisValidator) Valid(req *x509.CertificateRequest) error {
return nil
}
func sansValidators(sans []string) []SignOption {
dnsNames, ips, emails, uris := x509util.SplitSANs(sans)
return []SignOption{dnsNamesValidator(dnsNames), emailAddressesValidator(emails),
ipAddressesValidator(ips), urisValidator(uris)}
type defaultSANsValidator []string
func (v defaultSANsValidator) Valid(req *x509.CertificateRequest) (err error) {
dnsNames, ips, emails, uris := x509util.SplitSANs(v)
if err = dnsNamesValidator(dnsNames).Valid(req); err != nil {
return
} else if err = emailAddressesValidator(emails).Valid(req); err != nil {
return
} else if err = ipAddressesValidator(ips).Valid(req); err != nil {
return
} else if err = urisValidator(uris).Valid(req); err != nil {
return
}
return
}
// ExtraExtensionsEnforcer enforces only those extra extensions that are strictly
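Review bot: `defaultSANsValidator` and its `Valid` method carry no doc comment, unlike the neighbouring `ExtraExtensionsEnforcer`, and the body uses a named `err` result with naked `return`s chained through `else if` after terminating returns, which `go vet`-style reviews and the Go style guide discourage. Since each branch returns on error, the method reads more clearly as a sequence of guard clauses with an unnamed `error` result, and the last validator can simply be returned. The behaviour (first failing per-type validator wins, nil otherwise) is unchanged by the rewrite below.
```go
// defaultSANsValidator splits its SANs with x509util.SplitSANs and checks the
// request against the dnsNames, emailAddresses, ipAddresses and uris validators.
type defaultSANsValidator []string

// Valid returns the first error reported by one of the per-type SAN
// validators, or nil when all of them accept the request.
func (v defaultSANsValidator) Valid(req *x509.CertificateRequest) error {
	dnsNames, ips, emails, uris := x509util.SplitSANs(v)
	if err := dnsNamesValidator(dnsNames).Valid(req); err != nil {
		return err
	}
	if err := emailAddressesValidator(emails).Valid(req); err != nil {
		return err
	}
	if err := ipAddressesValidator(ips).Valid(req); err != nil {
		return err
	}
	return urisValidator(uris).Valid(req)
}
```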


@ -193,16 +193,17 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
claims.SANs = []string{claims.Subject}
}
return append([]SignOption{
return []SignOption{
// modifiers / withOptions
newProvisionerExtensionOption(TypeX5C, p.Name, ""),
profileLimitDuration{p.claimer.DefaultTLSCertDuration(),
claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter},
// validators
commonNameValidator(claims.Subject),
defaultSANsValidator(claims.SANs),
defaultPublicKeyValidator{},
newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
}, sansValidators(claims.SANs)), nil
}, nil
}
// AuthorizeRenew returns an error if the renewal is disabled.


@ -64,7 +64,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
opts = []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
certValidators = []provisioner.CertificateValidator{}
forcedModifiers = []provisioner.CertificateEnforcer{}
forcedModifiers = []provisioner.CertificateEnforcer{provisioner.ExtraExtensionsEnforcer{}}
)
// Set backdate with the configured value
@ -104,7 +104,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
}
// Certificate modifiers after validation
for _, m := range append(forcedModifiers, provisioner.ExtraExtensionsEnforcer{}) {
for _, m := range forcedModifiers {
if err := m.Enforce(leaf.Subject()); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
}
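Review bot: Moving `provisioner.ExtraExtensionsEnforcer{}` from the loop in the second hunk into the initial value of `forcedModifiers` in the first hunk makes the enforcer depend on that slice only ever being appended to between its declaration and the loop; the code in between is outside this view, so I cannot confirm that no path assigns `forcedModifiers = ...` and silently drops it. Previously the enforcer was appended at the loop regardless of what happened to the slice. A comment at the declaration would pin the invariant for future edits: `// ExtraExtensionsEnforcer must always run; only append to this slice, never reassign it.` `Sign` starts and ends outside these hunks.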