Fix PR comments

This commit is contained in:
Herman Slatman 2022-01-19 11:31:33 +01:00
parent 3612eefc31
commit 64680bb16d
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
5 changed files with 23 additions and 23 deletions

View file

@ -595,12 +595,6 @@ func (a *Authority) IsRevoked(sn string) (bool, error) {
return a.db.IsRevoked(sn) return a.db.IsRevoked(sn)
} }
// GetIntermediateCertificate returns the x509 intermediate CA
// certificate.
func (a *Authority) GetIntermediateCertificate() (*x509.Certificate, error) {
return pemutil.ReadCertificate(a.config.IntermediateCert)
}
// requiresDecrypter returns whether the Authority // requiresDecrypter returns whether the Authority
// requires a KMS that provides a crypto.Decrypter // requires a KMS that provides a crypto.Decrypter
// Currently this is only required when SCEP is // Currently this is only required when SCEP is

View file

@ -18,8 +18,9 @@ type SCEP struct {
ForceCN bool `json:"forceCN,omitempty"` ForceCN bool `json:"forceCN,omitempty"`
ChallengePassword string `json:"challenge,omitempty"` ChallengePassword string `json:"challenge,omitempty"`
Capabilities []string `json:"capabilities,omitempty"` Capabilities []string `json:"capabilities,omitempty"`
// IncludeRoots makes the provisioner return the CA root(s) in the GetCACerts response // IncludeRoot makes the provisioner return the CA root in addition to the
IncludeRoots bool `json:"includeRoots,omitempty"` // intermediate in the GetCACerts response
IncludeRoot bool `json:"includeRoot,omitempty"`
// MinimumPublicKeyLength is the minimum length for public keys in CSRs // MinimumPublicKeyLength is the minimum length for public keys in CSRs
MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"` MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"`
// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7 // Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
@ -107,7 +108,7 @@ func (s *SCEP) Init(config Config) (err error) {
return errors.Errorf("%d bits is not exactly divisible by 8", s.MinimumPublicKeyLength) return errors.Errorf("%d bits is not exactly divisible by 8", s.MinimumPublicKeyLength)
} }
s.encryptionAlgorithm = s.EncryptionAlgorithmIdentifier s.encryptionAlgorithm = s.EncryptionAlgorithmIdentifier // TODO(hs): we might want to upgrade the default security to AES-CBC?
if s.encryptionAlgorithm < 0 || s.encryptionAlgorithm > 4 { if s.encryptionAlgorithm < 0 || s.encryptionAlgorithm > 4 {
return errors.New("only encryption algorithm identifiers from 0 to 4 are valid") return errors.New("only encryption algorithm identifiers from 0 to 4 are valid")
} }
@ -142,12 +143,12 @@ func (s *SCEP) GetCapabilities() []string {
return s.Capabilities return s.Capabilities
} }
// ShouldIncludeRootsInChain indicates if the CA should // ShouldIncludeRootInChain indicates if the CA should
// return its intermediate, which is currently used for // return its intermediate, which is currently used for
// both signing and decryption, as well as the other certs // both signing and decryption, as well as the root in
// in its chain (usually a single root certificate). // its chain.
func (s *SCEP) ShouldIncludeRootsInChain() bool { func (s *SCEP) ShouldIncludeRootInChain() bool {
return s.IncludeRoots return s.IncludeRoot
} }
// GetContentEncryptionAlgorithm returns the numeric identifier // GetContentEncryptionAlgorithm returns the numeric identifier

View file

@ -427,18 +427,23 @@ func (ca *CA) getTLSConfig(auth *authority.Authority) (*tls.Config, error) {
tlsConfig.Certificates = []tls.Certificate{} tlsConfig.Certificates = []tls.Certificate{}
tlsConfig.GetCertificate = ca.renewer.GetCertificateForCA tlsConfig.GetCertificate = ca.renewer.GetCertificateForCA
// initialize a certificate pool with root CA certificates to trust when doing mTLS.
certPool := x509.NewCertPool() certPool := x509.NewCertPool()
for _, crt := range auth.GetRootCertificates() { for _, crt := range auth.GetRootCertificates() {
certPool.AddCert(crt) certPool.AddCert(crt)
} }
// adding the intermediate CA to the pool will allow clients that do not // adding the intermediate CA certificates to the pool will allow clients that
// send the intermediate for chain building to connect to the CA successfully. // do mTLS but don't send an intermediate to successfully connect. The intermediates
cert, err := auth.GetIntermediateCertificate() // added here are used when building a certificate chain.
if err != nil { intermediates := tlsCrt.Certificate[1:]
return nil, err for _, certBytes := range intermediates {
cert, err := x509.ParseCertificate(certBytes)
if err != nil {
return nil, err
}
certPool.AddCert(cert)
} }
certPool.AddCert(cert)
// Add support for mutual tls to renew certificates // Add support for mutual tls to renew certificates
tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven

View file

@ -168,8 +168,8 @@ func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate,
// NOTE: we're adding the CA roots here, but they are (highly likely) different than what the RFC means. // NOTE: we're adding the CA roots here, but they are (highly likely) different than what the RFC means.
// Clients are responsible to select the right cert(s) to use, though. // Clients are responsible to select the right cert(s) to use, though.
if p.ShouldIncludeRootsInChain() && len(a.caCerts) > 1 { if p.ShouldIncludeRootInChain() && len(a.caCerts) > 1 {
certs = append(certs, a.caCerts[1:]...) certs = append(certs, a.caCerts[1])
} }
return certs, nil return certs, nil

View file

@ -16,6 +16,6 @@ type Provisioner interface {
GetOptions() *provisioner.Options GetOptions() *provisioner.Options
GetChallengePassword() string GetChallengePassword() string
GetCapabilities() []string GetCapabilities() []string
ShouldIncludeRootsInChain() bool ShouldIncludeRootInChain() bool
GetContentEncryptionAlgorithm() int GetContentEncryptionAlgorithm() int
} }