alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Allow mTLS renewals if the provisioner extension does not exists.

Browse source 
This fixes a backward compatibility issue with with the new
LoadProvisionerByCertificate.
This commit is contained in:
Mariano Cano 2022-04-11 12:19:42 -07:00
parent 2fbff47acf
commit c8c59d68f5
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
authority/authorize.go
View file

@ -284,7 +284,13 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
} }
p, err := a.LoadProvisionerByCertificate(cert) p, err := a.LoadProvisionerByCertificate(cert)
if err != nil { if err != nil {
return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...) var ok bool
// For backward compatibility this method will also succeed if the
// provisioner does not have an extension. LoadByCertificate returns the
// noop provisioner if this happens, and it allow certificate renewals.
if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
}
} }
if err := p.AuthorizeRenew(context.Background(), cert); err != nil { if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...) return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)