Move certificate check to the right place.

This commit is contained in:
Mariano Cano 2019-03-20 17:36:45 -07:00
parent 30a6889d1f
commit a3e2b4a552

View file

@ -59,6 +59,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
errContext = context{"csr": csr, "signOptions": signOpts} errContext = context{"csr": csr, "signOptions": signOpts}
mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)} mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
certValidators = []provisioner.CertificateValidator{} certValidators = []provisioner.CertificateValidator{}
issIdentity = a.intermediateIdentity
) )
for _, op := range extraOpts { for _, op := range extraOpts {
switch k := op.(type) { switch k := op.(type) {
@ -76,18 +77,22 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
} }
} }
stepCSR, err := x509.ParseCertificateRequest(csr.Raw) if err := csr.CheckSignature(); err != nil {
if err != nil { return nil, nil, &apiError{errors.Wrap(err, "sign: invalid certificate request"),
return nil, nil, &apiError{errors.Wrap(err, "sign: error converting x509 csr to stepx509 csr"), http.StatusBadRequest, errContext}
http.StatusInternalServerError, errContext}
} }
issIdentity := a.intermediateIdentity leaf, err := x509util.NewLeafProfileWithCSR(csr, issIdentity.Crt, issIdentity.Key, mods...)
leaf, err := x509util.NewLeafProfileWithCSR(stepCSR, issIdentity.Crt, issIdentity.Key, mods...)
if err != nil { if err != nil {
return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext} return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext}
} }
for _, v := range certValidators {
if err := v.Valid(leaf.Subject()); err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
}
}
crtBytes, err := leaf.CreateCertificate() crtBytes, err := leaf.CreateCertificate()
if err != nil { if err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"), return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"),
@ -100,13 +105,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
http.StatusInternalServerError, errContext} http.StatusInternalServerError, errContext}
} }
// FIXME: This should be before creating the certificate.
for _, v := range certValidators {
if err := v.Valid(serverCert); err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
}
}
caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw) caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw)
if err != nil { if err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"), return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"),