From a3cda9c3d7a21e427f2e6752b2676e5b3977c895 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Mon, 7 Mar 2022 13:16:53 +0100
Subject: [PATCH 1/3] Add configuration for custom path segment

To support SCEP clients that expect a specific path segment in a SCEP URL, a new "customPath" option was added to the SCEP provisioner configuration. The configuration can be used to set a specific path (segment) that the SCEP provisioner will respond to.
---
 authority/provisioner/scep.go | 16 ++++++++++++----
 scep/api/api.go | 15 +++++++++++++++
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
index 5d67762c..05802ffb 100644
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -26,10 +26,18 @@ type SCEP struct {
 	// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
 	// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
 	// Defaults to 0, being DES-CBC
-	EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier,omitempty"`
-	Options *Options `json:"options,omitempty"`
-	Claims *Claims `json:"claims,omitempty"`
-	claimer *Claimer
+	EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier,omitempty"`
+	// CustomPath is used to specify a custom path on which the SCEP provisioner will be made
+	// available. By default a SCEP provisioner is available at
+	// https://
:/scep/ and requests performed looking similar
+	// to https://
:/scep/?operations=GetCACert. When CustomPath
+	// is set, the SCEP URL will be https://
:/scep//,
+	// resulting in SCEP clients that expect a specific path, such as "/pkiclient.exe", to be
+	// able to interact with the SCEP provisioner.
+	CustomPath string `json:"customPath,omitempty"`
+	Options *Options `json:"options,omitempty"`
+	Claims *Claims `json:"claims,omitempty"`
+	claimer *Claimer
 	secretChallengePassword string
 	encryptionAlgorithm int

diff --git a/scep/api/api.go b/scep/api/api.go
index 4f8d897b..9b48187a 100644
--- a/scep/api/api.go
+++ b/scep/api/api.go
@@ -66,7 +66,9 @@ func New(scepAuth scep.Interface) api.RouterHandler {
 // Route traffic and implement the Router interface.
 func (h *Handler) Route(r api.Router) {
 	getLink := h.Auth.GetLinkExplicit
+	r.MethodFunc(http.MethodGet, getLink("{provisionerName}/{customPath}*", false, nil), h.lookupProvisioner(h.Get))
 	r.MethodFunc(http.MethodGet, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Get))
+	r.MethodFunc(http.MethodPost, getLink("{provisionerName}/{customPath}*", false, nil), h.lookupProvisioner(h.Post))
 	r.MethodFunc(http.MethodPost, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Post))
 }
@@ -191,6 +193,13 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
 			return
 		}
+		customPathParam := chi.URLParam(r, "customPath")
+		customPath, err := url.PathUnescape(customPathParam)
+		if err != nil {
+			api.WriteError(w, err)
+			return
+		}
+
 		p, err := h.Auth.LoadProvisionerByName(provisionerName)
 		if err != nil {
 			api.WriteError(w, err)
@@ -203,6 +212,12 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
 			return
 		}
+		configuredCustomPath := strings.Trim(prov.CustomPath, "/")
+		if customPath != configuredCustomPath {
+			api.WriteError(w, errors.Errorf("custom path requested '%s' is not the expected path '%s'", customPath, configuredCustomPath))
+			return
+		}
+
 		ctx := r.Context()
 		ctx = context.WithValue(ctx, scep.ProvisionerContextKey, scep.Provisioner(prov))
 		next(w, r.WithContext(ctx))
From 15477f6d7be0525574776264205ce8f6ab7a52d7 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Tue, 15 Mar 2022 23:28:56 +0100
Subject: [PATCH 2/3] Make custom SCEP CA paths automagic

---
 authority/provisioner/scep.go | 16 ++++------------
 scep/api/api.go | 17 ++---------------
 2 files changed, 6 insertions(+), 27 deletions(-)

diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
index 05802ffb..5d67762c 100644
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -26,18 +26,10 @@ type SCEP struct {
 	// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
 	// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
 	// Defaults to 0, being DES-CBC
-	EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier,omitempty"`
-	// CustomPath is used to specify a custom path on which the SCEP provisioner will be made
-	// available. By default a SCEP provisioner is available at
-	// https://
:/scep/ and requests performed looking similar
-	// to https://
:/scep/?operations=GetCACert. When CustomPath
-	// is set, the SCEP URL will be https://
:/scep//,
-	// resulting in SCEP clients that expect a specific path, such as "/pkiclient.exe", to be
-	// able to interact with the SCEP provisioner.
-	CustomPath string `json:"customPath,omitempty"`
-	Options *Options `json:"options,omitempty"`
-	Claims *Claims `json:"claims,omitempty"`
-	claimer *Claimer
+	EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier,omitempty"`
+	Options *Options `json:"options,omitempty"`
+	Claims *Claims `json:"claims,omitempty"`
+	claimer *Claimer
 	secretChallengePassword string
 	encryptionAlgorithm int

diff --git a/scep/api/api.go b/scep/api/api.go
index 9b48187a..77c683ee 100644
--- a/scep/api/api.go
+++ b/scep/api/api.go
@@ -66,9 +66,9 @@ func New(scepAuth scep.Interface) api.RouterHandler {
 // Route traffic and implement the Router interface.
 func (h *Handler) Route(r api.Router) {
 	getLink := h.Auth.GetLinkExplicit
-	r.MethodFunc(http.MethodGet, getLink("{provisionerName}/{customPath}*", false, nil), h.lookupProvisioner(h.Get))
+	r.MethodFunc(http.MethodGet, getLink("{provisionerName}/*", false, nil), h.lookupProvisioner(h.Get))
 	r.MethodFunc(http.MethodGet, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Get))
-	r.MethodFunc(http.MethodPost, getLink("{provisionerName}/{customPath}*", false, nil), h.lookupProvisioner(h.Post))
+	r.MethodFunc(http.MethodPost, getLink("{provisionerName}/*", false, nil), h.lookupProvisioner(h.Post))
 	r.MethodFunc(http.MethodPost, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Post))
 }
@@ -193,13 +193,6 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
 			return
 		}
-		customPathParam := chi.URLParam(r, "customPath")
-		customPath, err := url.PathUnescape(customPathParam)
-		if err != nil {
-			api.WriteError(w, err)
-			return
-		}
-
 		p, err := h.Auth.LoadProvisionerByName(provisionerName)
 		if err != nil {
 			api.WriteError(w, err)
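Review bot: The two `{provisionerName}/*` registrations in Route now match any path after the provisioner name, and the second hunk removes the only read of that suffix visible here, so as far as this patch shows the remainder of the URL is accepted and silently ignored — including shapes well beyond the `/pkiclient.exe`-style suffix the earlier commit in this series was written for. Nothing in the hunk documents that this is intentional, and a reader of Route will reasonably expect the wildcard to be consumed somewhere. Add a comment above the two wildcard routes: `// Any path after the provisioner name is accepted and ignored so that SCEP clients that expect a fixed suffix (e.g. "/pkiclient.exe") can reach the provisioner; the SCEP operation is taken from the query string, not from the path.` Consider also including the ignored suffix in request logging so unexpected client URL shapes remain visible to operators. Route's body lies fully inside the hunk; the lookupProvisioner closure starts and ends outside it.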
@@ -212,12 +205,6 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
 			return
 		}
-		configuredCustomPath := strings.Trim(prov.CustomPath, "/")
-		if customPath != configuredCustomPath {
-			api.WriteError(w, errors.Errorf("custom path requested '%s' is not the expected path '%s'", customPath, configuredCustomPath))
-			return
-		}
-
 		ctx := r.Context()
 		ctx = context.WithValue(ctx, scep.ProvisionerContextKey, scep.Provisioner(prov))
 		next(w, r.WithContext(ctx))

From dcbcd88a62cfa452da2fb1d2a9b049cdc735159d Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 16 Mar 2022 00:04:15 +0100
Subject: [PATCH 3/3] Add changelog item for dynamic SCEP CA URL paths

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44c713d7..b43a5f7e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased - 0.18.3] - DATE
 ### Added
 ### Changed
+- Made SCEP CA URL paths dynamic
 ### Deprecated
 ### Removed
 ### Fixed