Use provisioner sign options.

This commit is contained in:
Mariano Cano 2019-03-06 17:37:49 -08:00
parent 9d4034fbf6
commit 57b705f6cf
2 changed files with 19 additions and 21 deletions


@ -81,6 +81,7 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
} }
} }
// This method will also validate the audiences for JWK provisioners.
p, ok := a.provisioners.LoadByToken(token, &claims.Claims) p, ok := a.provisioners.LoadByToken(token, &claims.Claims)
if !ok { if !ok {
return nil, &apiError{errors.Errorf("authorize: provisioner not found"), return nil, &apiError{errors.Errorf("authorize: provisioner not found"),
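Review bot: The added comment `// This method will also validate the audiences for JWK provisioners.` is ambiguous about which method it means — it sits above the `LoadByToken` call but inside Authorize — and it does not say what happens when that audience check fails; from the visible lines the only failure outcome is the `authorize: provisioner not found` error below, so a JWK token carrying the wrong `aud` would presumably be reported as an unknown provisioner. I would make that explicit so operators debugging rejected tokens are not misled: `// LoadByToken also checks the token audience for JWK provisioners; an audience mismatch surfaces here as "provisioner not found".` Authorize begins before this hunk and its error path continues after it.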


@ -11,6 +11,7 @@ import (
"time" "time"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/cli/crypto/pemutil" "github.com/smallstep/cli/crypto/pemutil"
"github.com/smallstep/cli/crypto/tlsutil" "github.com/smallstep/cli/crypto/tlsutil"
"github.com/smallstep/cli/crypto/x509util" "github.com/smallstep/cli/crypto/x509util"
@ -96,28 +97,22 @@ func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
} }
// Sign creates a signed certificate from a certificate signing request. // Sign creates a signed certificate from a certificate signing request.
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...interface{}) (*x509.Certificate, *x509.Certificate, error) { func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error) {
var ( var (
errContext = context{"csr": csr, "signOptions": signOpts} errContext = context{"csr": csr, "signOptions": signOpts}
claims = []certClaim{}
mods = []x509util.WithOption{} mods = []x509util.WithOption{}
certValidators = []provisioner.CertificateValidator{}
) )
for _, op := range extraOpts { for _, op := range extraOpts {
switch k := op.(type) { switch k := op.(type) {
case certClaim: case provisioner.CertificateValidator:
claims = append(claims, k) certValidators = append(certValidators, k)
case x509util.WithOption: case provisioner.CertificateRequestValidator:
mods = append(mods, k) if err := k.Valid(csr); err != nil {
case *Provisioner: return nil, nil, err
m, c, err := k.getTLSApps(signOpts)
if err != nil {
return nil, nil, &apiError{err, http.StatusInternalServerError, errContext}
} }
mods = append(mods, m...) case provisioner.ProfileWithOption:
mods = append(mods, []x509util.WithOption{ mods = append(mods, k.Option())
withDefaultASN1DN(a.config.AuthorityConfig.Template),
}...)
claims = append(claims, c...)
default: default:
return nil, nil, &apiError{errors.Errorf("sign: invalid extra option type %T", k), return nil, nil, &apiError{errors.Errorf("sign: invalid extra option type %T", k),
http.StatusInternalServerError, errContext} http.StatusInternalServerError, errContext}
@ -137,10 +132,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, ext
return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext} return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext}
} }
if err := validateClaims(leaf.Subject(), claims); err != nil {
return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusUnauthorized, errContext}
}
crtBytes, err := leaf.CreateCertificate() crtBytes, err := leaf.CreateCertificate()
if err != nil { if err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"), return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"),
@ -153,6 +144,12 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, ext
http.StatusInternalServerError, errContext} http.StatusInternalServerError, errContext}
} }
for _, v := range certValidators {
if err := v.Valid(serverCert); err != nil {
return nil, nil, err
}
}
caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw) caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw)
if err != nil { if err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"), return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"),
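Review bot: In the new `provisioner.CertificateRequestValidator` case and in the `certValidators` loop, a validator failure is returned as the bare `err` (`return nil, nil, err`) while every other failure path in Sign, including the removed `validateClaims` branch that returned `http.StatusUnauthorized`, wraps the error in `apiError` with a status and `errContext`; unless the provisioner validators already return an `*apiError`, the API layer will presumably surface a policy rejection as a generic server error and without the CSR context, so I would use `return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}` in both places. Note also that the `certValidators` loop runs after `leaf.CreateCertificate()`, so a rejected certificate has already been signed by the intermediate key before it is discarded, whereas the old claim check ran before signing; if issued serials are recorded or audited elsewhere, confirm that a signed-then-discarded certificate is acceptable. The removed `withDefaultASN1DN(a.config.AuthorityConfig.Template)` default is no longer applied in the option loop even though `withDefaultASN1DN` is still defined above; confirm the `ProfileWithOption` path supplies it, or the subject defaults silently change. Sign's body continues outside these hunks.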