forked from TrueCloudLab/certificates
Make serving SCEP endpoints optional
Only when a SCEP provisioner is enabled, the SCEP endpoints will now be available. The SCEP endpoints will be served on an "insecure" server, without TLS, only when an additional "insecureAddress" and a SCEP provisioner are configured for the CA.
This commit is contained in:
parent
bcacd2f4da
commit
13fe7a0121
3 changed files with 10 additions and 7 deletions
|
@ -575,6 +575,8 @@ func (a *Authority) CloseForReload() {
|
|||
|
||||
// requiresDecrypter returns whether the Authority
|
||||
// requires a KMS that provides a crypto.Decrypter
|
||||
// Currently this is only required when SCEP is
|
||||
// enabled.
|
||||
func (a *Authority) requiresDecrypter() bool {
|
||||
return a.requiresSCEPService()
|
||||
}
|
||||
|
|
14
ca/ca.go
14
ca/ca.go
|
@ -118,6 +118,7 @@ func (ca *CA) Init(config *config.Config) (*CA, error) {
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ca.auth = auth
|
||||
|
||||
tlsConfig, err := ca.getTLSConfig(auth)
|
||||
if err != nil {
|
||||
|
@ -233,14 +234,15 @@ func (ca *CA) Init(config *config.Config) (*CA, error) {
|
|||
handler = logger.Middleware(handler)
|
||||
}
|
||||
|
||||
ca.auth = auth
|
||||
ca.srv = server.New(config.Address, handler, tlsConfig)
|
||||
|
||||
// TODO: instead opt for having a single server.Server but two
|
||||
// http.Servers handling the HTTP and HTTPS handler? The latter
|
||||
// will probably introduce more complexity in terms of graceful
|
||||
// reload.
|
||||
if config.InsecureAddress != "" {
|
||||
// only start the insecure server if the insecure address is configured
|
||||
// and, currently, also only when it should serve SCEP endpoints.
|
||||
if ca.shouldServeSCEPEndpoints() && config.InsecureAddress != "" {
|
||||
// TODO: instead opt for having a single server.Server but two
|
||||
// http.Servers handling the HTTP and HTTPS handler? The latter
|
||||
// will probably introduce more complexity in terms of graceful
|
||||
// reload.
|
||||
ca.insecureSrv = server.New(config.InsecureAddress, insecureHandler, nil)
|
||||
}
|
||||
|
||||
|
|
|
@ -33,7 +33,6 @@ var (
|
|||
oidSCEPtransactionID = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 7}
|
||||
oidSCEPfailInfoText = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 24}
|
||||
//oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
|
||||
|
||||
)
|
||||
|
||||
// PKIMessage defines the possible SCEP message types
|
||||
|
|
Loading…
Reference in a new issue