alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Add ssh certificate templates to JWK provisioner.

Browse source
This commit is contained in:
Mariano Cano 2020-07-27 15:58:05 -07:00
parent f75a12e10a
commit 380a0d6daf
1 changed files with 30 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
authority/provisioner/jwk.go
View file

@ -8,6 +8,7 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/errs" "github.com/smallstep/certificates/errs"
"github.com/smallstep/certificates/sshutil"
"github.com/smallstep/certificates/x509util" "github.com/smallstep/certificates/x509util"
"github.com/smallstep/cli/jose" "github.com/smallstep/cli/jose"
) )
@ -33,6 +34,7 @@ type JWK struct {
EncryptedKey string `json:"encryptedKey,omitempty"` EncryptedKey string `json:"encryptedKey,omitempty"`
Claims *Claims `json:"claims,omitempty"` Claims *Claims `json:"claims,omitempty"`
Options *Options `json:"options,omitempty"` Options *Options `json:"options,omitempty"`
SSHOptions *SSHOptions `json:"sshOptions,omitempty"`
claimer *Claimer claimer *Claimer
audiences Audiences audiences Audiences
} }
@ -207,33 +209,46 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
sshCertOptionsValidator(*opts), sshCertOptionsValidator(*opts),
} }
t := now() // Default template attributes.
// Add modifiers from custom claims certType := sshutil.UserCert
// FIXME: this is also set in the sign method using SSHOptions.Modify. keyID := claims.Subject
principals := []string{claims.Subject}
// Use options in the token.
if opts.CertType != "" { if opts.CertType != "" {
signOptions = append(signOptions, sshCertTypeModifier(opts.CertType)) if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
return nil, errs.Wrap(http.StatusBadRequest, err, "jwk.AuthorizeSSHSign")
}
}
if opts.KeyID != "" {
keyID = opts.KeyID
} }
if len(opts.Principals) > 0 { if len(opts.Principals) > 0 {
signOptions = append(signOptions, sshCertPrincipalsModifier(opts.Principals)) principals = opts.Principals
} }
// Certificate templates.
data := sshutil.CreateTemplateData(certType, keyID, principals)
if v, err := unsafeParseSigned(token); err == nil {
data.SetToken(v)
}
templateOptions, err := TemplateSSHOptions(p.SSHOptions, data)
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
}
signOptions = append(signOptions, templateOptions)
// Add modifiers from custom claims
t := now()
if !opts.ValidAfter.IsZero() { if !opts.ValidAfter.IsZero() {
signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix())) signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix()))
} }
if !opts.ValidBefore.IsZero() { if !opts.ValidBefore.IsZero() {
signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix())) signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
} }
if opts.KeyID != "" {
signOptions = append(signOptions, sshCertKeyIDModifier(opts.KeyID))
} else {
signOptions = append(signOptions, sshCertKeyIDModifier(claims.Subject))
}
// Default to a user certificate with no principals if not set
signOptions = append(signOptions, sshCertDefaultsModifier{CertType: SSHUserCert})
return append(signOptions, return append(signOptions,
// Set the default extensions.
&sshDefaultExtensionModifier{},
// Set the validity bounds if not set. // Set the validity bounds if not set.
&sshDefaultDuration{p.claimer}, &sshDefaultDuration{p.claimer},
// Validate that the keyID is equivalent to the token subject. // Validate that the keyID is equivalent to the token subject.