Make clearer what's an unsigned cert.

This commit is contained in:
Mariano Cano 2020-08-28 14:29:18 -07:00
parent b7269b6579
commit 4d375a06f5


@ -280,24 +280,24 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi
} }
// Get actual *ssh.Certificate and continue with provisioner modifiers. // Get actual *ssh.Certificate and continue with provisioner modifiers.
cert := certificate.GetCertificate() certTpl := certificate.GetCertificate()
// Use SignSSHOptions to modify the certificate validity. It will be later // Use SignSSHOptions to modify the certificate validity. It will be later
// checked or set if not defined. // checked or set if not defined.
if err := opts.ModifyValidity(cert); err != nil { if err := opts.ModifyValidity(certTpl); err != nil {
return nil, errs.Wrap(http.StatusBadRequest, err, "authority.SignSSH") return nil, errs.Wrap(http.StatusBadRequest, err, "authority.SignSSH")
} }
// Use provisioner modifiers. // Use provisioner modifiers.
for _, m := range mods { for _, m := range mods {
if err := m.Modify(cert, opts); err != nil { if err := m.Modify(certTpl, opts); err != nil {
return nil, errs.Wrap(http.StatusForbidden, err, "authority.SignSSH") return nil, errs.Wrap(http.StatusForbidden, err, "authority.SignSSH")
} }
} }
// Get signer from authority keys // Get signer from authority keys
var signer ssh.Signer var signer ssh.Signer
switch cert.CertType { switch certTpl.CertType {
case ssh.UserCert: case ssh.UserCert:
if a.sshCAUserCertSignKey == nil { if a.sshCAUserCertSignKey == nil {
return nil, errs.NotImplemented("authority.SignSSH: user certificate signing is not enabled") return nil, errs.NotImplemented("authority.SignSSH: user certificate signing is not enabled")
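Review bot: The comment on the line that introduces `certTpl` still describes it as the "actual *ssh.Certificate", which is exactly the ambiguity the commit title sets out to remove; suggest `// Get the unsigned *ssh.Certificate template and run the provisioner modifiers on it.` It would also help the ModifyValidity comment to name where the "later" validity check happens, because both ModifyValidity and the modifier loop mutate the template that is handed straight to the signer and anything they set ends up in the issued certificate. SignSSH begins before this hunk and its body continues past it.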
@ -309,11 +309,11 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi
} }
signer = a.sshCAHostCertSignKey signer = a.sshCAHostCertSignKey
default: default:
return nil, errs.InternalServer("authority.SignSSH: unexpected ssh certificate type: %d", cert.CertType) return nil, errs.InternalServer("authority.SignSSH: unexpected ssh certificate type: %d", certTpl.CertType)
} }
// Sign certificate. // Sign certificate.
cert, err = sshutil.CreateCertificate(cert, signer) cert, err := sshutil.CreateCertificate(certTpl, signer)
if err != nil { if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.SignSSH: error signing certificate") return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.SignSSH: error signing certificate")
} }
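Review bot: After `cert, err := sshutil.CreateCertificate(certTpl, signer)` the signed certificate lives in `cert`, but nothing says `certTpl` is stale from that point on, and whether CreateCertificate copies the template or signs it in place (in which case the two names alias one object and the unsigned/signed distinction exists only in the names) is not visible from this hunk. A one-line comment would pin the intent the rename is reaching for: `// cert is the signed certificate; certTpl must not be used past this point.` SignSSH continues past the end of this hunk.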
@ -346,7 +346,7 @@ func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ss
// Build base certificate with the old key. // Build base certificate with the old key.
// Nonce and serial will be automatically generated on signing. // Nonce and serial will be automatically generated on signing.
cert := &ssh.Certificate{ certTpl := &ssh.Certificate{
Key: oldCert.Key, Key: oldCert.Key,
CertType: oldCert.CertType, CertType: oldCert.CertType,
KeyId: oldCert.KeyId, KeyId: oldCert.KeyId,
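Review bot: The renewal template copies `Key`, `CertType` and `KeyId` directly from `oldCert`, and nothing in this hunk verifies that `oldCert` was issued by this CA; if that check does not happen earlier in RenewSSH or in its caller (neither is visible here), a client could present a self-crafted certificate body and have it re-signed with the CA key. Worth stating the precondition where the template is built, e.g. `// Build the unsigned renewal template from oldCert. Fields are copied without re-validating oldCert here, so its signature must have been checked against the CA key before reaching this point.` — or pointing at that verification if it does live in this function. RenewSSH begins before this hunk and the struct literal continues past it.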
@ -359,7 +359,7 @@ func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ss
// Get signer from authority keys // Get signer from authority keys
var signer ssh.Signer var signer ssh.Signer
switch cert.CertType { switch certTpl.CertType {
case ssh.UserCert: case ssh.UserCert:
if a.sshCAUserCertSignKey == nil { if a.sshCAUserCertSignKey == nil {
return nil, errs.NotImplemented("renewSSH: user certificate signing is not enabled") return nil, errs.NotImplemented("renewSSH: user certificate signing is not enabled")
@ -371,12 +371,11 @@ func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ss
} }
signer = a.sshCAHostCertSignKey signer = a.sshCAHostCertSignKey
default: default:
return nil, errs.InternalServer("renewSSH: unexpected ssh certificate type: %d", cert.CertType) return nil, errs.InternalServer("renewSSH: unexpected ssh certificate type: %d", certTpl.CertType)
} }
var err error
// Sign certificate. // Sign certificate.
cert, err = sshutil.CreateCertificate(cert, signer) cert, err := sshutil.CreateCertificate(certTpl, signer)
if err != nil { if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "signSSH: error signing certificate") return nil, errs.Wrap(http.StatusInternalServerError, err, "signSSH: error signing certificate")
} }
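Review bot: The error wrapped on the line before this one is prefixed `signSSH:` although it is raised from RenewSSH, while the other errors in this function use `renewSSH:`; a renewal failure will therefore be logged and returned as if it came from the signing path, which sends anyone triaging it to the wrong function. Suggest `return nil, errs.Wrap(http.StatusInternalServerError, err, "renewSSH: error signing certificate")` (or `authority.RenewSSH`, matching the `authority.SignSSH` prefixes in the sibling function, if the prefixes are being unified). RenewSSH continues past the end of this hunk.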