From 7163c4f95f01dde54680d5c523608674a2c79d4f Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 2 Aug 2023 16:01:58 +0200
Subject: [PATCH] Add helper for getting the appropriate SCEP response signer

---
 scep/authority.go | 71 ++++++++++++++++++++++++++---------------------
 1 file changed, 40 insertions(+), 31 deletions(-)

diff --git a/scep/authority.go b/scep/authority.go
index 19a36c3a..b0a5420a 100644
--- a/scep/authority.go
+++ b/scep/authority.go
@@ -210,21 +210,6 @@ func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) err
 return nil
 }
 
-func (a *Authority) selectDecrypter(ctx context.Context) (cert *x509.Certificate, pkey crypto.PrivateKey, err error) {
- p := provisionerFromContext(ctx)
-
- // return provisioner specific decrypter, if available
- if cert, pkey = p.GetDecrypter(); cert != nil && pkey != nil {
- return
- }
-
- // fallback to the CA wide decrypter
- cert = a.signerCertificate
- pkey = a.defaultDecrypter
-
- return
-}
-
 // SignCSR creates an x509.Certificate based on a CSR template and Cert Authority credentials
 // returns a new PKIMessage with CertRep data
 func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage) (*PKIMessage, error) {
@@ -354,15 +339,13 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
 // as the first certificate in the array
 signedData.AddCertificate(cert)
 
- // authCert := a.signerCertificate
- // signer := a.signer
-
- sc, sr := p.GetSigner()
- authCert := sc
- signer := sr
+ signerCert, signer, err := a.selectSigner(ctx)
+ if err != nil {
+ return nil, fmt.Errorf("failed selecting signer: %w", err)
+ }
 
 // sign the attributes
- if err := signedData.AddSigner(authCert, signer, config); err != nil {
+ if err := signedData.AddSigner(signerCert, signer, config); err != nil {
 return nil, err
 }
 
@@ -429,17 +412,13 @@ func (a *Authority) CreateFailureResponse(ctx context.Context, _ *x509.Certifica
 return nil, err
 }
 
- p := provisionerFromContext(ctx)
-
- // authCert := a.signerCertificate
- // signer := a.signer
-
- sc, sr := p.GetSigner()
- authCert := sc
- signer := sr
+ signerCert, signer, err := a.selectSigner(ctx)
+ if err != nil {
+ return nil, fmt.Errorf("failed selecting signer: %w", err)
+ }
 
 // sign the attributes
- if err := signedData.AddSigner(authCert, signer, config); err != nil {
+ if err := signedData.AddSigner(signerCert, signer, config); err != nil {
 return nil, err
 }
 
@@ -487,3 +466,33 @@ func (a *Authority) ValidateChallenge(ctx context.Context, challenge, transactio
 p := provisionerFromContext(ctx)
 return p.ValidateChallenge(ctx, challenge, transactionID)
 }
+
+func (a *Authority) selectDecrypter(ctx context.Context) (cert *x509.Certificate, pkey crypto.PrivateKey, err error) {
+ p := provisionerFromContext(ctx)
+
+ // return provisioner specific decrypter, if available
+ if cert, pkey = p.GetDecrypter(); cert != nil && pkey != nil {
+ return
+ }
+
+ // fallback to the CA wide decrypter
+ cert = a.signerCertificate
+ pkey = a.defaultDecrypter
+
+ return
+}
+
+func (a *Authority) selectSigner(ctx context.Context) (cert *x509.Certificate, pkey crypto.PrivateKey, err error) {
+ p := provisionerFromContext(ctx)
+
+ // return provisioner specific decrypter, if available
+ if cert, pkey = p.GetSigner(); cert != nil && pkey != nil {
+ return
+ }
+
+ // fallback to the CA wide signer
+ cert = a.signerCertificate
+ pkey = a.defaultDecrypter
+
+ return
+}
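Review bot: The CA-wide fallback in the new selectSigner assigns `pkey = a.defaultDecrypter`, so whenever the provisioner returns no signer the CertRep/failure response is signed with the decryption key instead of the key that belongs to the signer certificate; the comment removed in the SignCSR hunk refers to `a.signer` as the CA-wide signing key, which looks like the intended value, i.e. `pkey = a.signer`, and the copy-pasted comment above the GetSigner check should read `// return provisioner specific signer, if available`. If defaultDecrypter does not match signerCertificate, clients cannot verify the PKCS#7 signature; if it happens to be the same key, the same private key is used for both decryption and signing, which defeats the key separation the two fields suggest. The named `err` result is never assigned, so the `if err != nil` branches added in SignCSR and CreateFailureResponse are unreachable; either drop the error result or return an error when the fallback leaves cert or pkey nil, e.g. `if cert == nil || pkey == nil { err = errors.New("no SCEP signer configured") }` before the final return. selectDecrypter is only moved and is unchanged.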