mbiryukova/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Add support for emails, ips and uris.

Browse source
This commit is contained in:
Mariano Cano 2021-03-19 12:02:03 -07:00
parent 561341a6f2
commit ae4b8f58b8
2 changed files with 51 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

79
cas/stepcas/stepcas.go
View file

@ -4,6 +4,7 @@ import (
"context" "context"
"crypto/x509" "crypto/x509"
"net/url" "net/url"
"time"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
@ -70,25 +71,11 @@ func (s *StepCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1
return nil, errors.New("createCertificateRequest `lifetime` cannot be 0") return nil, errors.New("createCertificateRequest `lifetime` cannot be 0")
} }
token, err := s.signToken(req.CSR.Subject.CommonName, req.CSR.DNSNames) cert, chain, err := s.createCertificate(req.CSR, req.Lifetime)
if err != nil { if err != nil {
return nil, err return nil, err
} }
resp, err := s.client.Sign(&api.SignRequest{
CsrPEM: api.CertificateRequest{CertificateRequest: req.CSR},
OTT: token,
})
if err != nil {
return nil, err
}
var chain []*x509.Certificate
cert := resp.CertChainPEM[0].Certificate
for _, c := range resp.CertChainPEM[1:] {
chain = append(chain, c.Certificate)
}
return &apiv1.CreateCertificateResponse{ return &apiv1.CreateCertificateResponse{
Certificate: cert, Certificate: cert,
CertificateChain: chain, CertificateChain: chain,
@ -98,30 +85,16 @@ func (s *StepCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1
func (s *StepCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) { func (s *StepCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) {
switch { switch {
case req.CSR == nil: case req.CSR == nil:
return nil, errors.New("createCertificateRequest `template` cannot be nil") return nil, errors.New("renewCertificateRequest `template` cannot be nil")
case req.Lifetime == 0: case req.Lifetime == 0:
return nil, errors.New("createCertificateRequest `lifetime` cannot be 0") return nil, errors.New("renewCertificateRequest `lifetime` cannot be 0")
} }
token, err := s.signToken(req.CSR.Subject.CommonName, req.CSR.DNSNames) cert, chain, err := s.createCertificate(req.CSR, req.Lifetime)
if err != nil { if err != nil {
return nil, err return nil, err
} }
resp, err := s.client.Sign(&api.SignRequest{
CsrPEM: api.CertificateRequest{CertificateRequest: req.CSR},
OTT: token,
})
if err != nil {
return nil, err
}
var chain []*x509.Certificate
cert := resp.CertChainPEM[0].Certificate
for _, c := range resp.CertChainPEM[1:] {
chain = append(chain, c.Certificate)
}
return &apiv1.RenewCertificateResponse{ return &apiv1.RenewCertificateResponse{
Certificate: cert, Certificate: cert,
CertificateChain: chain, CertificateChain: chain,
@ -173,6 +146,48 @@ func (s *StepCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequ
}, nil }, nil
} }
func (s *StepCAS) createCertificate(cr *x509.CertificateRequest, lifetime time.Duration) (*x509.Certificate, []*x509.Certificate, error) {
sans := make([]string, 0, len(cr.DNSNames)+len(cr.EmailAddresses)+len(cr.IPAddresses)+len(cr.URIs))
for _, s := range cr.DNSNames {
sans = append(sans, s)
}
for _, s := range cr.EmailAddresses {
sans = append(sans, s)
}
for _, ip := range cr.IPAddresses {
sans = append(sans, ip.String())
}
for _, u := range cr.URIs {
sans = append(sans, u.String())
}
commonName := cr.Subject.CommonName
if commonName == "" && len(sans) > 0 {
commonName = sans[0]
}
token, err := s.signToken(commonName, sans)
if err != nil {
return nil, nil, err
}
resp, err := s.client.Sign(&api.SignRequest{
CsrPEM: api.CertificateRequest{CertificateRequest: cr},
OTT: token,
})
if err != nil {
return nil, nil, err
}
var chain []*x509.Certificate
cert := resp.CertChainPEM[0].Certificate
for _, c := range resp.CertChainPEM[1:] {
chain = append(chain, c.Certificate)
}
return cert, chain, nil
}
func (s *StepCAS) signToken(subject string, sans []string) (string, error) { func (s *StepCAS) signToken(subject string, sans []string) (string, error) {
if s.x5c != nil { if s.x5c != nil {
return s.x5c.SignToken(subject, sans) return s.x5c.SignToken(subject, sans)

7
cas/stepcas/stepcas_test.go
View file

@ -174,14 +174,15 @@ func TestMain(m *testing.M) {
// Final certificate. // Final certificate.
var err error var err error
testCrt, testKey = mustSignCertificate("Test Certificate", []string{"doe.org"}, x509util.DefaultLeafTemplate, testIssCrt, testIssKey) sans := []string{"doe.org", "jane@doe.org", "127.0.0.1", "::1", "localhost", "uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6;name=value"}
testCR, err = x509util.CreateCertificateRequest("Test Certificate", []string{"doe.org"}, testKey) testCrt, testKey = mustSignCertificate("Test Certificate", sans, x509util.DefaultLeafTemplate, testIssCrt, testIssKey)
testCR, err = x509util.CreateCertificateRequest("Test Certificate", sans, testKey)
if err != nil { if err != nil {
panic(err) panic(err)
} }
// CR used in errors. // CR used in errors.
testFailCR, err = x509util.CreateCertificateRequest("Test Certificate", []string{"fail.doe.org"}, testKey) testFailCR, err = x509util.CreateCertificateRequest("", []string{"fail.doe.org"}, testKey)
if err != nil { if err != nil {
panic(err) panic(err)
} }