|
|
|
@ -62,10 +62,9 @@ type Authority struct {
|
|
|
|
|
x509Enforcers []provisioner.CertificateEnforcer
|
|
|
|
|
|
|
|
|
|
// SCEP CA
|
|
|
|
|
scepAuthority *scep.Authority
|
|
|
|
|
scepCertificate *x509.Certificate
|
|
|
|
|
scepSigner crypto.Signer
|
|
|
|
|
scepDecrypter crypto.Decrypter
|
|
|
|
|
scepOptions *scep.Options
|
|
|
|
|
validateSCEP bool
|
|
|
|
|
scepAuthority *scep.Authority
|
|
|
|
|
|
|
|
|
|
// SSH CA
|
|
|
|
|
sshHostPassword []byte
|
|
|
|
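Review bot: The new `scepOptions` and `validateSCEP` fields are added to the Authority struct without a comment, although `validateSCEP` decides whether `scepAuthority.Validate()` runs during `init` and `New` sets it to true by default, so a reader of the struct cannot see that clearing it skips a startup check. Suggest `// scepOptions holds the options used to build the SCEP authority; init fills it in when nil.` above the first field and `// validateSCEP enables validation of the SCEP authority in init; New sets it to true.` above the second. The struct definition continues outside the hunk.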
@ -126,6 +125,7 @@ func New(cfg *config.Config, opts ...Option) (*Authority, error) {
|
|
|
|
|
var a = &Authority{
|
|
|
|
|
config: cfg,
|
|
|
|
|
certificates: new(sync.Map),
|
|
|
|
|
validateSCEP: true,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Apply options.
|
|
|
|
@ -674,15 +674,12 @@ func (a *Authority) init() error {
|
|
|
|
|
// update that.
|
|
|
|
|
switch {
|
|
|
|
|
case a.requiresSCEP() && a.GetSCEP() == nil:
|
|
|
|
|
var options scep.Options
|
|
|
|
|
options.Roots = a.rootX509Certs
|
|
|
|
|
options.Intermediates = a.intermediateX509Certs
|
|
|
|
|
options.SignerCert = options.Intermediates[0]
|
|
|
|
|
if a.scepSigner != nil {
|
|
|
|
|
options.Signer = a.scepSigner
|
|
|
|
|
options.Decrypter = a.scepDecrypter
|
|
|
|
|
options.DecrypterCert = a.scepCertificate
|
|
|
|
|
} else {
|
|
|
|
|
if a.scepOptions == nil {
|
|
|
|
|
options := &scep.Options{
|
|
|
|
|
Roots: a.rootX509Certs,
|
|
|
|
|
Intermediates: a.intermediateX509Certs,
|
|
|
|
|
SignerCert: a.intermediateX509Certs[0],
|
|
|
|
|
}
|
|
|
|
|
if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
|
|
|
|
SigningKey: a.config.IntermediateKey,
|
|
|
|
|
Password: a.password,
|
|
|
|
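Review bot: `SignerCert: a.intermediateX509Certs[0]` in the new `a.scepOptions == nil` branch indexes the intermediate slice without a length check, so an Authority that loaded no intermediate certificate panics inside `init` rather than returning an error; the removed code had the same `options.Intermediates[0]`, but the rewrite is the place to fix it. A guard before the literal such as `if len(a.intermediateX509Certs) == 0 { return errors.New("scep: no intermediate certificate configured") }` (assuming `errors` is imported) would turn the panic into a reported error. The `CreateSigner` call and the enclosing switch case continue outside the hunk.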
@ -709,21 +706,25 @@ func (a *Authority) init() error {
|
|
|
|
|
options.DecrypterCert = options.Intermediates[0]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// provide the current SCEP provisioner names, so that the provisioners
|
|
|
|
|
// can be validated when the CA is started.
|
|
|
|
|
options.SCEPProvisionerNames = a.getSCEPProvisionerNames()
|
|
|
|
|
// provide the current SCEP provisioner names, so that the provisioners
|
|
|
|
|
// can be validated when the CA is started.
|
|
|
|
|
options.SCEPProvisionerNames = a.getSCEPProvisionerNames()
|
|
|
|
|
|
|
|
|
|
a.scepOptions = options
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// create a new SCEP authority
|
|
|
|
|
scepAuthority, err := scep.New(a, options)
|
|
|
|
|
scepAuthority, err := scep.New(a, *a.scepOptions)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// validate the SCEP authority
|
|
|
|
|
if err := scepAuthority.Validate(); err != nil {
|
|
|
|
|
a.initLogf("failed validating SCEP authority: %v", err)
|
|
|
|
|
if a.validateSCEP {
|
|
|
|
|
// validate the SCEP authority
|
|
|
|
|
if err := scepAuthority.Validate(); err != nil {
|
|
|
|
|
a.initLogf("failed validating SCEP authority: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// set the SCEP authority
|
|
|
|
|