|
|
|
@ -143,12 +143,14 @@ var (
|
|
|
|
|
// that case, the other webhooks will be skipped. If none of
|
|
|
|
|
// the webhooks indicates the value of the challenge was accepted,
|
|
|
|
|
// an error is returned.
|
|
|
|
|
func (c *challengeValidationController) Validate(ctx context.Context, challenge, transactionID string) error {
|
|
|
|
|
func (c *challengeValidationController) Validate(ctx context.Context, csr *x509.CertificateRequest, challenge, transactionID string) error {
|
|
|
|
|
for _, wh := range c.webhooks {
|
|
|
|
|
req := &webhook.RequestBody{
|
|
|
|
|
SCEPChallenge: challenge,
|
|
|
|
|
SCEPTransactionID: transactionID,
|
|
|
|
|
req, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed creating new webhook request: %w", err)
|
|
|
|
|
}
|
|
|
|
|
req.SCEPChallenge = challenge
|
|
|
|
|
req.SCEPTransactionID = transactionID
|
|
|
|
|
resp, err := wh.DoWithContext(ctx, c.client, req, nil) // TODO(hs): support templated URL? Requires some refactoring
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed executing webhook request: %w", err)
|
|
|
|
@ -329,13 +331,13 @@ func (s *SCEP) GetContentEncryptionAlgorithm() int {
|
|
|
|
|
// ValidateChallenge validates the provided challenge. It starts by
|
|
|
|
|
// selecting the validation method to use, then performs validation
|
|
|
|
|
// according to that method.
|
|
|
|
|
func (s *SCEP) ValidateChallenge(ctx context.Context, challenge, transactionID string) error {
|
|
|
|
|
func (s *SCEP) ValidateChallenge(ctx context.Context, csr *x509.CertificateRequest, challenge, transactionID string) error {
|
|
|
|
|
if s.challengeValidationController == nil {
|
|
|
|
|
return fmt.Errorf("provisioner %q wasn't initialized", s.Name)
|
|
|
|
|
}
|
|
|
|
|
switch s.selectValidationMethod() {
|
|
|
|
|
case validationMethodWebhook:
|
|
|
|
|
return s.challengeValidationController.Validate(ctx, challenge, transactionID)
|
|
|
|
|
return s.challengeValidationController.Validate(ctx, csr, challenge, transactionID)
|
|
|
|
|
default:
|
|
|
|
|
if subtle.ConstantTimeCompare([]byte(s.ChallengePassword), []byte(challenge)) == 0 {
|
|
|
|
|
return errors.New("invalid challenge password provided")
|
|
|
|
|