Add handling of options

3 years ago · 4322933588
parent 19f0397fe9
commit 4322933588
3 changed files with 57 additions and 40 deletions
--- a/scep/api/api.go
+++ b/scep/api/api.go
@ -235,12 +235,12 @@ func (h *Handler) GetCACert(w http.ResponseWriter, r *http.Request, scepResponse

 func (h *Handler) GetCACaps(w http.ResponseWriter, r *http.Request, scepResponse SCEPResponse) error {

-	ctx := r.Context()
+	//ctx := r.Context()

-	_, err := ProvisionerFromContext(ctx)
-	if err != nil {
-		return err
-	}
+	// _, err := ProvisionerFromContext(ctx)
+	// if err != nil {
+	// 	return err
+	// }

 	// TODO: get the actual capabilities from provisioner config
 	scepResponse.Data = formatCapabilities(defaultCapabilities)
@ -250,6 +250,8 @@ func (h *Handler) GetCACaps(w http.ResponseWriter, r *http.Request, scepResponse

 func (h *Handler) PKIOperation(w http.ResponseWriter, r *http.Request, scepRequest SCEPRequest, scepResponse SCEPResponse) error {

+	ctx := r.Context()
+
 	msg, err := microscep.ParsePKIMessage(scepRequest.Message)
 	if err != nil {
 		return err
@ -262,7 +264,7 @@ func (h *Handler) PKIOperation(w http.ResponseWriter, r *http.Request, scepReque
 		Raw:           msg.Raw,
 	}

-	if err := h.Auth.DecryptPKIEnvelope(pkimsg); err != nil {
+	if err := h.Auth.DecryptPKIEnvelope(ctx, pkimsg); err != nil {
 		return err
 	}

@ -271,7 +273,7 @@ func (h *Handler) PKIOperation(w http.ResponseWriter, r *http.Request, scepReque
 	}

 	csr := pkimsg.CSRReqMessage.CSR
-	id, err := createKeyIdentifier(csr.PublicKey)
+	subjectKeyID, err := createKeyIdentifier(csr.PublicKey)
 	if err != nil {
 		return err
 	}
@ -286,16 +288,17 @@ func (h *Handler) PKIOperation(w http.ResponseWriter, r *http.Request, scepReque
 		Subject:      csr.Subject,
 		NotBefore:    time.Now().Add(-600).UTC(),
 		NotAfter:     time.Now().AddDate(0, 0, days).UTC(),
-		SubjectKeyId: id,
+		SubjectKeyId: subjectKeyID,
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageClientAuth,
 		},
 		SignatureAlgorithm: csr.SignatureAlgorithm,
 		EmailAddresses:     csr.EmailAddresses,
+		DNSNames:           csr.DNSNames,
 	}

-	certRep, err := h.Auth.SignCSR(pkimsg, template)
+	certRep, err := h.Auth.SignCSR(ctx, pkimsg, template)
 	if err != nil {
 		return err
 	}
@ -381,17 +384,3 @@ func contentHeader(operation string, certNum int) string {
 		return "text/plain"
 	}
 }
-
-// ProvisionerFromContext searches the context for a provisioner. Returns the
-// provisioner or an error.
-func ProvisionerFromContext(ctx context.Context) (scep.Provisioner, error) {
-	val := ctx.Value(acme.ProvisionerContextKey)
-	if val == nil {
-		return nil, errors.New("provisioner expected in request context")
-	}
-	p, ok := val.(scep.Provisioner)
-	if !ok || p == nil {
-		return nil, errors.New("provisioner in context is not a SCEP provisioner")
-	}
-	return p, nil
-}
--- a/scep/authority.go
+++ b/scep/authority.go
@ -2,6 +2,7 @@ package scep

 import (
 	"bytes"
+	"context"
 	"crypto/x509"
 	"errors"
 	"fmt"
@ -54,8 +55,8 @@ type Interface interface {
 	GetCACertificates() ([]*x509.Certificate, error)
 	//GetSigningKey() (*rsa.PrivateKey, error)

-	DecryptPKIEnvelope(*PKIMessage) error
-	SignCSR(msg *PKIMessage, template *x509.Certificate) (*PKIMessage, error)
+	DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error
+	SignCSR(ctx context.Context, msg *PKIMessage, template *x509.Certificate) (*PKIMessage, error)
 }

 // Authority is the layer that handles all SCEP interactions.
@ -156,7 +157,7 @@ func (a *Authority) GetCACertificates() ([]*x509.Certificate, error) {
 }

 // DecryptPKIEnvelope decrypts an enveloped message
-func (a *Authority) DecryptPKIEnvelope(msg *PKIMessage) error {
+func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error {

 	data := msg.Raw

@ -221,14 +222,19 @@ func (a *Authority) DecryptPKIEnvelope(msg *PKIMessage) error {
 	return nil
 }

-// SignCSR creates an x509.Certificate based on a template and Cert Authority credentials
+// SignCSR creates an x509.Certificate based on a CSR template and Cert Authority credentials
 // returns a new PKIMessage with CertRep data
 //func (msg *PKIMessage) SignCSR(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, template *x509.Certificate) (*PKIMessage, error) {
-func (a *Authority) SignCSR(msg *PKIMessage, template *x509.Certificate) (*PKIMessage, error) {
+func (a *Authority) SignCSR(ctx context.Context, msg *PKIMessage, template *x509.Certificate) (*PKIMessage, error) {
+
+	p, err := ProvisionerFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}

 	// check if CSRReqMessage has already been decrypted
 	if msg.CSRReqMessage.CSR == nil {
-		if err := a.DecryptPKIEnvelope(msg); err != nil {
+		if err := a.DecryptPKIEnvelope(ctx, msg); err != nil {
 			return nil, err
 		}
 	}
@ -238,13 +244,17 @@ func (a *Authority) SignCSR(msg *PKIMessage, template *x509.Certificate) (*PKIMe
 	// Template data
 	data := x509util.NewTemplateData()
 	data.SetCommonName(csr.Subject.CommonName)
-	//data.Set(x509util.SANsKey, sans)
+	data.SetSANs(csr.DNSNames)

-	// templateOptions, err := provisioner.TemplateOptions(p.GetOptions(), data)
-	// if err != nil {
-	// 	return nil, ServerInternalErr(errors.Wrapf(err, "error creating template options from ACME provisioner"))
-	// }
-	// signOps = append(signOps, templateOptions)
+	// TODO: proper options
+	opts := provisioner.SignOptions{}
+	signOps := []provisioner.SignOption{}
+
+	templateOptions, err := provisioner.TemplateOptions(p.GetOptions(), data)
+	if err != nil {
+		return nil, fmt.Errorf("error creating template options from SCEP provisioner")
+	}
+	signOps = append(signOps, templateOptions)

 	// // Create and store a new certificate.
 	// certChain, err := auth.Sign(csr, provisioner.SignOptions{
@ -255,11 +265,7 @@ func (a *Authority) SignCSR(msg *PKIMessage, template *x509.Certificate) (*PKIMe
 	// 	return nil, ServerInternalErr(errors.Wrapf(err, "error generating certificate for order %s", o.ID))
 	// }

-	// TODO: proper options
-	signOps := provisioner.SignOptions{}
-	signOps2 := []provisioner.SignOption{}
-
-	certs, err := a.signAuth.Sign(csr, signOps, signOps2...)
+	certs, err := a.signAuth.Sign(csr, opts, signOps...)
 	if err != nil {
 		return nil, err
 	}
--- a/scep/common.go
+++ b/scep/common.go
@ -0,0 +1,22 @@
+package scep
+
+import (
+	"context"
+	"errors"
+
+	"github.com/smallstep/certificates/acme"
+)
+
+// ProvisionerFromContext searches the context for a SCEP provisioner.
+// Returns the provisioner or an error.
+func ProvisionerFromContext(ctx context.Context) (Provisioner, error) {
+	val := ctx.Value(acme.ProvisionerContextKey)
+	if val == nil {
+		return nil, errors.New("provisioner expected in request context")
+	}
+	p, ok := val.(Provisioner)
+	if !ok || p == nil {
+		return nil, errors.New("provisioner in context is not a SCEP provisioner")
+	}
+	return p, nil
+}