Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move certificate check to the right place.

Browse Source
pull/55/head
Mariano Cano 5 years ago
parent 30a6889d1f
commit a3e2b4a552
1 changed files with 11 additions and 13 deletions
Show Stats Download Patch File Download Diff File

24
authority/tls.go
Unescape Escape View File

@ -59,6 +59,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
errContext = context{"csr": csr, "signOptions": signOpts}
mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
certValidators = []provisioner.CertificateValidator{}
issIdentity = a.intermediateIdentity
)
for _, op := range extraOpts {
switch k := op.(type) {
@ -76,18 +77,22 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
}
}
stepCSR, err := x509.ParseCertificateRequest(csr.Raw)
if err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign: error converting x509 csr to stepx509 csr"),
http.StatusInternalServerError, errContext}
if err := csr.CheckSignature(); err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign: invalid certificate request"),
http.StatusBadRequest, errContext}
}
issIdentity := a.intermediateIdentity
leaf, err := x509util.NewLeafProfileWithCSR(stepCSR, issIdentity.Crt, issIdentity.Key, mods...)
leaf, err := x509util.NewLeafProfileWithCSR(csr, issIdentity.Crt, issIdentity.Key, mods...)
if err != nil {
return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext}
}
for _, v := range certValidators {
if err := v.Valid(leaf.Subject()); err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
}
}
crtBytes, err := leaf.CreateCertificate()
if err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"),
@ -100,13 +105,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
http.StatusInternalServerError, errContext}
}
// FIXME: This should be before creating the certificate.
for _, v := range certValidators {
if err := v.Valid(serverCert); err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
}
}
caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw)
if err != nil {
return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"),

Write Preview
Loading…
Cancel
Save