forked from TrueCloudLab/certificates
Add nebula header and use der version of certificate.
This commit is contained in:
Mariano Cano
parent
f49a4b326f
commit
b424aa3dc1
2 changed files with 12 additions and 12 deletions
|
|
@ -20,7 +20,7 @@ import (
|
|||
|
||||
const (
|
||||
// NebulaCertHeader is the token header that contains a nebula certificate.
|
||||
NebulaCertHeader jose.HeaderKey = "nbc"
|
||||
NebulaCertHeader jose.HeaderKey = "nebula"
|
||||
)
|
||||
|
||||
// Nebula is a provisioner that verifies tokens signed using nebula private
|
||||
|
|
@ -308,21 +308,21 @@ func (p *Nebula) authorizeToken(token string, audiences []string) (*cert.NebulaC
|
|||
}
|
||||
|
||||
// Extract nebula certificate
|
||||
nbc, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
|
||||
h, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
|
||||
if !ok {
|
||||
return nil, nil, errs.Unauthorized("failed to parse token: nbc header is missing")
|
||||
return nil, nil, errs.Unauthorized("failed to parse token: nebula header is missing")
|
||||
}
|
||||
s, ok := nbc.(string)
|
||||
s, ok := h.(string)
|
||||
if !ok {
|
||||
return nil, nil, errs.Unauthorized("failed to parse token: nbc header is not valid")
|
||||
return nil, nil, errs.Unauthorized("failed to parse token: nebula header is not valid")
|
||||
}
|
||||
b, err := base64.StdEncoding.DecodeString(s)
|
||||
if err != nil {
|
||||
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nbc header is not valid"))
|
||||
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nebula header is not valid"))
|
||||
}
|
||||
c, _, err := cert.UnmarshalNebulaCertificateFromPEM(b)
|
||||
c, err := cert.UnmarshalNebulaCertificate(b)
|
||||
if err != nil {
|
||||
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nbc header is not valid"))
|
||||
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nebula header is not valid"))
|
||||
}
|
||||
|
||||
// Validate nebula certificate against CA
|
||||
|
|
|
|||
|
|
@ -131,14 +131,14 @@ func mustNebulaProvisioner(t *testing.T) (*Nebula, *cert.NebulaCertificate, ed25
|
|||
|
||||
func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []string, nc *cert.NebulaCertificate, key crypto.Signer) string {
|
||||
t.Helper()
|
||||
ncPEM, err := nc.MarshalToPEM()
|
||||
ncDer, err := nc.Marshal()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
so := new(jose.SignerOptions)
|
||||
so.WithType("JWT")
|
||||
so.WithHeader(NebulaCertHeader, ncPEM)
|
||||
so.WithHeader(NebulaCertHeader, ncDer)
|
||||
|
||||
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
|
||||
if err != nil {
|
||||
|
|
@ -174,14 +174,14 @@ func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []s
|
|||
|
||||
func mustNebulaSSHToken(t *testing.T, sub, iss, aud string, iat time.Time, opts *SignSSHOptions, nc *cert.NebulaCertificate, key crypto.Signer) string {
|
||||
t.Helper()
|
||||
ncPEM, err := nc.MarshalToPEM()
|
||||
ncDer, err := nc.Marshal()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
so := new(jose.SignerOptions)
|
||||
so.WithType("JWT")
|
||||
so.WithHeader(NebulaCertHeader, ncPEM)
|
||||
so.WithHeader(NebulaCertHeader, ncDer)
|
||||
|
||||
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
|
||||
if err != nil {
|
||||
|
|
|
|||
Loading…
Reference in a new issue