Use provisioner sign options.
This commit is contained in:
parent
9d4034fbf6
commit
57b705f6cf
2 changed files with 19 additions and 21 deletions
|
@ -81,6 +81,7 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// This method will also validate the audiences for JWK provisioners.
|
||||||
p, ok := a.provisioners.LoadByToken(token, &claims.Claims)
|
p, ok := a.provisioners.LoadByToken(token, &claims.Claims)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, &apiError{errors.Errorf("authorize: provisioner not found"),
|
return nil, &apiError{errors.Errorf("authorize: provisioner not found"),
|
||||||
|
|
|
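Review bot: The added comment above the `LoadByToken` call says "This method" without naming one, so a reader cannot tell whether it describes `LoadByToken` or `Authorize` itself. Since the comment sits directly on the call, suggest `// LoadByToken also validates the token audience for JWK provisioners.` so the claim is attached to the code that is said to perform it. The enclosing Authorize body starts and ends outside this hunk, so whether Authorize itself does any further audience checking is not visible here.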
@ -11,6 +11,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
"github.com/smallstep/certificates/authority/provisioner"
|
||||||
"github.com/smallstep/cli/crypto/pemutil"
|
"github.com/smallstep/cli/crypto/pemutil"
|
||||||
"github.com/smallstep/cli/crypto/tlsutil"
|
"github.com/smallstep/cli/crypto/tlsutil"
|
||||||
"github.com/smallstep/cli/crypto/x509util"
|
"github.com/smallstep/cli/crypto/x509util"
|
||||||
|
@ -96,28 +97,22 @@ func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sign creates a signed certificate from a certificate signing request.
|
// Sign creates a signed certificate from a certificate signing request.
|
||||||
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...interface{}) (*x509.Certificate, *x509.Certificate, error) {
|
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error) {
|
||||||
var (
|
var (
|
||||||
errContext = context{"csr": csr, "signOptions": signOpts}
|
errContext = context{"csr": csr, "signOptions": signOpts}
|
||||||
claims = []certClaim{}
|
|
||||||
mods = []x509util.WithOption{}
|
mods = []x509util.WithOption{}
|
||||||
|
certValidators = []provisioner.CertificateValidator{}
|
||||||
)
|
)
|
||||||
for _, op := range extraOpts {
|
for _, op := range extraOpts {
|
||||||
switch k := op.(type) {
|
switch k := op.(type) {
|
||||||
case certClaim:
|
case provisioner.CertificateValidator:
|
||||||
claims = append(claims, k)
|
certValidators = append(certValidators, k)
|
||||||
case x509util.WithOption:
|
case provisioner.CertificateRequestValidator:
|
||||||
mods = append(mods, k)
|
if err := k.Valid(csr); err != nil {
|
||||||
case *Provisioner:
|
return nil, nil, err
|
||||||
m, c, err := k.getTLSApps(signOpts)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, &apiError{err, http.StatusInternalServerError, errContext}
|
|
||||||
}
|
}
|
||||||
mods = append(mods, m...)
|
case provisioner.ProfileWithOption:
|
||||||
mods = append(mods, []x509util.WithOption{
|
mods = append(mods, k.Option())
|
||||||
withDefaultASN1DN(a.config.AuthorityConfig.Template),
|
|
||||||
}...)
|
|
||||||
claims = append(claims, c...)
|
|
||||||
default:
|
default:
|
||||||
return nil, nil, &apiError{errors.Errorf("sign: invalid extra option type %T", k),
|
return nil, nil, &apiError{errors.Errorf("sign: invalid extra option type %T", k),
|
||||||
http.StatusInternalServerError, errContext}
|
http.StatusInternalServerError, errContext}
|
||||||
|
@ -137,10 +132,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, ext
|
||||||
return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext}
|
return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := validateClaims(leaf.Subject(), claims); err != nil {
|
|
||||||
return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusUnauthorized, errContext}
|
|
||||||
}
|
|
||||||
|
|
||||||
crtBytes, err := leaf.CreateCertificate()
|
crtBytes, err := leaf.CreateCertificate()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"),
|
return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"),
|
||||||
|
@ -153,6 +144,12 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, ext
|
||||||
http.StatusInternalServerError, errContext}
|
http.StatusInternalServerError, errContext}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for _, v := range certValidators {
|
||||||
|
if err := v.Valid(serverCert); err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw)
|
caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"),
|
return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"),
|
||||||
|
|
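Review bot: The error from `k.Valid(csr)` in the new `provisioner.CertificateRequestValidator` case is returned bare (`return nil, nil, err`), while every other failure path in Sign wraps the error in `&apiError{..., status, errContext}`, and the removed `validateClaims` check mapped validation failures to `http.StatusUnauthorized`; the same bare return appears in the new `certValidators` loop in this section's last hunk. If the API layer keys its HTTP status on `*apiError` (not visible here), a validator rejection could surface as an internal error and also lose `errContext`; consider `return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusUnauthorized, errContext}` at both sites. Separately, the replaced `*Provisioner` case appended `withDefaultASN1DN(a.config.AuthorityConfig.Template)` to `mods`, but the new `provisioner.ProfileWithOption` case only appends `k.Option()`, so unless the provisioner package now applies the authority template itself, the default subject fields may no longer be set on issued certificates. Sign's signature is in this hunk but its body continues past it.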