forked from TrueCloudLab/certificates
Change the default error type to forbidden in Sign.
The errors will also be propagated from sign options.
This commit is contained in:
parent
b9beab071d
commit
ff04873a2a
2 changed files with 25 additions and 10 deletions
|
@ -94,7 +94,10 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
|
||||||
// Validate the given certificate request.
|
// Validate the given certificate request.
|
||||||
case provisioner.CertificateRequestValidator:
|
case provisioner.CertificateRequestValidator:
|
||||||
if err := k.Valid(csr); err != nil {
|
if err := k.Valid(csr); err != nil {
|
||||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
return nil, errs.ApplyOptions(
|
||||||
|
errs.ForbiddenErr(err, "error validating certificate"),
|
||||||
|
opts...,
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validates the unsigned certificate template.
|
// Validates the unsigned certificate template.
|
||||||
|
@ -131,26 +134,38 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
|
||||||
|
|
||||||
// Set default subject
|
// Set default subject
|
||||||
if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
|
if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
|
||||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
return nil, errs.ApplyOptions(
|
||||||
|
errs.ForbiddenErr(err, "error creating certificate"),
|
||||||
|
opts...,
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, m := range certModifiers {
|
for _, m := range certModifiers {
|
||||||
if err := m.Modify(leaf, signOpts); err != nil {
|
if err := m.Modify(leaf, signOpts); err != nil {
|
||||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
return nil, errs.ApplyOptions(
|
||||||
|
errs.ForbiddenErr(err, "error creating certificate"),
|
||||||
|
opts...,
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Certificate validation.
|
// Certificate validation.
|
||||||
for _, v := range certValidators {
|
for _, v := range certValidators {
|
||||||
if err := v.Valid(leaf, signOpts); err != nil {
|
if err := v.Valid(leaf, signOpts); err != nil {
|
||||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
return nil, errs.ApplyOptions(
|
||||||
|
errs.ForbiddenErr(err, "error validating certificate"),
|
||||||
|
opts...,
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Certificate modifiers after validation
|
// Certificate modifiers after validation
|
||||||
for _, m := range certEnforcers {
|
for _, m := range certEnforcers {
|
||||||
if err := m.Enforce(leaf); err != nil {
|
if err := m.Enforce(leaf); err != nil {
|
||||||
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
|
return nil, errs.ApplyOptions(
|
||||||
|
errs.ForbiddenErr(err, "error creating certificate"),
|
||||||
|
opts...,
|
||||||
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
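Review bot: Every failure in the default-subject step and the modifier, validator and enforcer loops of the second hunk is now reported as 403 Forbidden, including failures that are server-side rather than a rejected request; the nil default ASN1DN template case in the test hunk at `@ -281,8 +281,8 @@` moves from 401 to 403 although it is a configuration defect, and a 5xx there would keep operator misconfiguration visible in monitoring instead of blending it into client policy rejections. If errs.ForbiddenErr keeps a status that err already carries (the commit description and the 400 expectations in the later test hunks suggest it does), that is what the correctness of these paths now rests on and deserves a comment at the first site, e.g. `// Forbidden is the default; sign options that set their own status keep it.` The same `errs.ApplyOptions(errs.ForbiddenErr(err, ...), opts...)` shape is repeated five times across the two hunks; a closure declared once, `forbidden := func(err error, msg string) error { return errs.ApplyOptions(errs.ForbiddenErr(err, msg), opts...) }`, would collapse each return to a single line. Sign begins before the first hunk and continues past the second.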
@ -281,8 +281,8 @@ func TestAuthority_Sign(t *testing.T) {
|
||||||
csr: csr,
|
csr: csr,
|
||||||
extraOpts: extraOpts,
|
extraOpts: extraOpts,
|
||||||
signOpts: signOpts,
|
signOpts: signOpts,
|
||||||
err: errors.New("authority.Sign: default ASN1DN template cannot be nil"),
|
err: errors.New("default ASN1DN template cannot be nil"),
|
||||||
code: http.StatusUnauthorized,
|
code: http.StatusForbidden,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail create cert": func(t *testing.T) *signTest {
|
"fail create cert": func(t *testing.T) *signTest {
|
||||||
|
@ -309,7 +309,7 @@ func TestAuthority_Sign(t *testing.T) {
|
||||||
csr: csr,
|
csr: csr,
|
||||||
extraOpts: extraOpts,
|
extraOpts: extraOpts,
|
||||||
signOpts: _signOpts,
|
signOpts: _signOpts,
|
||||||
err: errors.New("authority.Sign: requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
|
err: errors.New("requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
|
||||||
code: http.StatusBadRequest,
|
code: http.StatusBadRequest,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -322,7 +322,7 @@ func TestAuthority_Sign(t *testing.T) {
|
||||||
csr: csr,
|
csr: csr,
|
||||||
extraOpts: extraOpts,
|
extraOpts: extraOpts,
|
||||||
signOpts: signOpts,
|
signOpts: signOpts,
|
||||||
err: errors.New("authority.Sign: certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
|
err: errors.New("certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
|
||||||
code: http.StatusBadRequest,
|
code: http.StatusBadRequest,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -348,7 +348,7 @@ ZYtQ9Ot36qc=
|
||||||
csr: csr,
|
csr: csr,
|
||||||
extraOpts: extraOpts,
|
extraOpts: extraOpts,
|
||||||
signOpts: signOpts,
|
signOpts: signOpts,
|
||||||
err: errors.New("authority.Sign: certificate request RSA key must be at least 2048 bits (256 bytes)"),
|
err: errors.New("certificate request RSA key must be at least 2048 bits (256 bytes)"),
|
||||||
code: http.StatusForbidden,
|
code: http.StatusForbidden,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
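Review bot: The "fail create cert" and DNS-name cases in this section keep `code: http.StatusBadRequest` while the Sign paths they exercise now wrap with errs.ForbiddenErr, so these expectations only hold if the wrapper preserves a status the underlying sign-option error already carries; a one-line comment on the first such case would record that dependency, e.g. `// 400 originates in the sign option; Sign's Forbidden default applies only when err carries no status.` The message expectations also drop the "authority.Sign: " prefix, so the tests now pin the raw validator text and nothing in these hunks asserts the context prefix any more; worth confirming that is intended for the client-facing error. TestAuthority_Sign starts before the first hunk and continues past the last.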