diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 2d07d2da..75115154 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -284,7 +284,11 @@ func (p *AWS) GetTokenID(token string) (string, error) {
 		sum := sha256.Sum256([]byte(token))
 		return strings.ToLower(hex.EncodeToString(sum[:])), nil
 	}
-	return payload.ID, nil
+
+	// Use provisioner + instance-id as the identifier.
+	unique := fmt.Sprintf("%s.%s", p.GetID(), payload.document.InstanceID)
+	sum := sha256.Sum256([]byte(unique))
+	return strings.ToLower(hex.EncodeToString(sum[:])), nil
 }
 
 // GetName returns the name of the provisioner.
@@ -631,13 +635,6 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
 		return nil, errs.Unauthorized("aws.authorizeToken; aws identity document region cannot be empty")
 	}
 
-	// Recalculate and validate payload.ID
-	unique := fmt.Sprintf("%s.%s", p.GetID(), doc.InstanceID)
-	sum := sha256.Sum256([]byte(unique))
-	if payload.ID != strings.ToLower(hex.EncodeToString(sum[:])) {
-		return nil, errs.Unauthorized("aws.authorizeToken; invalid token id")
-	}
-
 	// According to "rfc7519 JSON Web Token" acceptable skew should be no
 	// more than a few minutes.
 	now := time.Now().UTC()
diff --git a/authority/provisioner/aws_test.go b/authority/provisioner/aws_test.go
index 3feeed1f..dadf1f17 100644
--- a/authority/provisioner/aws_test.go
+++ b/authority/provisioner/aws_test.go
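Review bot: The replay key GetTokenID now derives is built from `payload.document.InstanceID`, a field read straight out of the parsed token, and nothing in the visible part of GetTokenID verifies that document; whether callers only record this key after authorizeToken has accepted the token is not visible here, and that ordering is what the scheme's safety rests on. The added comment should state that contract, e.g. `// Key replay detection on provisioner + instance-id taken from the identity document; the document is not verified here, so callers must only persist this key once authorizeToken has accepted the token.` It is also worth noting that an empty InstanceID (document absent or undecodable) collapses every such token to one shared key per provisioner. The sha256-then-lowercase-hex sequence now appears twice in this function (and `hex.EncodeToString` is already lowercase); a small `tokenIDHash(s string) string` helper would keep both derivations in step. As far as this diff shows, the `fail/payloadId` test is removed without a test pinning the new GetTokenID derivation.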
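Review bot: With the recalculation removed, `payload.ID` (the token's jti) is no longer compared against anything in the visible part of authorizeToken, so the only thing tying a token to a single use is the instance-id-derived key GetTokenID now computes server-side. Keying on the identity document the provisioner validates rather than on a client-chosen claim is a reasonable move, but the bare deletion leaves no trace of the reasoning, and a later reader may re-add a jti check or start trusting `payload.ID` elsewhere. A comment at the removal point, `// The token's jti is deliberately not validated: replay protection keys on provisioner + instance-id, derived in GetTokenID from the identity document.`, would record the decision. authorizeToken starts and ends outside this hunk.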
@@ -470,22 +470,6 @@ func TestAWS_authorizeToken(t *testing.T) {
 			err: errors.New("aws.authorizeToken; aws identity document pendingTime is too old"),
 		}
 	},
-	"fail/payloadId": func(t *testing.T) test {
-		p, err := generateAWS()
-		assert.FatalError(t, err)
-		p2, err := generateAWS()
-		assert.FatalError(t, err)
-		tok, err := generateAWSToken(
-			p2, "instance-id", awsIssuer, p.GetID(), p.Accounts[0], "instance-id",
-			"127.0.0.1", "us-west-1", time.Now(), key)
-		assert.FatalError(t, err)
-		return test{
-			p: p,
-			token: tok,
-			code: http.StatusUnauthorized,
-			err: errors.New("aws.authorizeToken; invalid token id"),
-		}
-	},
 	"ok": func(t *testing.T) test {
 		p, err := generateAWS()
 		assert.FatalError(t, err)