Archives/smallstep-certificates
2
0
Fork 0
mirror of https://github.com/smallstep/certificates.git synced 2024-11-19 09:25:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
55155d1207
smallstep-certificates/authority/claims.go

115 lines
2.9 KiB
Go
Raw Normal View History

first commit
2018-10-05 21:48:36 +00:00
package authority
import (
"net"
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
"time"
first commit
2018-10-05 21:48:36 +00:00
"github.com/pkg/errors"
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
x509 "github.com/smallstep/cli/pkg/x509"
first commit
2018-10-05 21:48:36 +00:00
)
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
// certClaim interface is implemented by types used to validate specific claims in a
// certificate request.
type certClaim interface {
Valid(crt *x509.Certificate) error
}
first commit
2018-10-05 21:48:36 +00:00
// ValidateClaims returns nil if all the claims are validated, it will return
// the first error if a claim fails.
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
func validateClaims(crt *x509.Certificate, claims []certClaim) (err error) {
first commit
2018-10-05 21:48:36 +00:00
for _, c := range claims {
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
if err = c.Valid(crt); err != nil {
first commit
2018-10-05 21:48:36 +00:00
return err
}
}
return
}
// commonNameClaim validates the common name of a certificate request.
type commonNameClaim struct {
name string
}
// Valid checks that certificate request common name matches the one configured.
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
func (c *commonNameClaim) Valid(crt *x509.Certificate) error {
if crt.Subject.CommonName == "" {
first commit
2018-10-05 21:48:36 +00:00
return errors.New("common name cannot be empty")
}
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
if crt.Subject.CommonName != c.name {
return errors.Errorf("common name claim failed - got %s, want %s", crt.Subject.CommonName, c.name)
first commit
2018-10-05 21:48:36 +00:00
}
return nil
}
type dnsNamesClaim struct {
name string
}
// Valid checks that certificate request common name matches the one configured.
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
func (c *dnsNamesClaim) Valid(crt *x509.Certificate) error {
if len(crt.DNSNames) == 0 {
first commit
2018-10-05 21:48:36 +00:00
return nil
}
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
for _, name := range crt.DNSNames {
first commit
2018-10-05 21:48:36 +00:00
if name != c.name {
return errors.Errorf("DNS names claim failed - got %s, want %s", name, c.name)
}
}
return nil
}
type ipAddressesClaim struct {
name string
}
// Valid checks that certificate request common name matches the one configured.
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
func (c *ipAddressesClaim) Valid(crt *x509.Certificate) error {
if len(crt.IPAddresses) == 0 {
first commit
2018-10-05 21:48:36 +00:00
return nil
}
// If it's an IP validate that only that ip is in IP addresses
if requestedIP := net.ParseIP(c.name); requestedIP != nil {
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
for _, ip := range crt.IPAddresses {
first commit
2018-10-05 21:48:36 +00:00
if !ip.Equal(requestedIP) {
return errors.Errorf("IP addresses claim failed - got %s, want %s", ip, requestedIP)
}
}
return nil
}
change sign + authorize authority api | add provisioners * authorize returns []interface{} - operators in this list can conform to any interface the user decides - our implementation has a combination of certificate claim validators and certificate template modifiers. * provisioners can set and enforce tls cert options
2018-10-19 05:26:39 +00:00
return errors.Errorf("IP addresses claim failed - got %v, want none", crt.IPAddresses)
}
// certTemporalClaim validates the certificate temporal validity settings.
type certTemporalClaim struct {
min time.Duration
max time.Duration
}
// Validate validates the certificate temporal validity settings.
func (ctc *certTemporalClaim) Valid(crt *x509.Certificate) error {
var (
na = crt.NotAfter
nb = crt.NotBefore
d = na.Sub(nb)
now = time.Now()
)
if na.Before(now) {
return errors.Errorf("NotAfter: %v cannot be in the past", na)
}
if na.Before(nb) {
return errors.Errorf("NotAfter: %v cannot be before NotBefore: %v", na, nb)
}
if d < ctc.min {
return errors.Errorf("requested duration of %v is less than the authorized minimum certificate duration of %v",
d, ctc.min)
}
if d > ctc.max {
return errors.Errorf("requested duration of %v is more than the authorized maximum certificate duration of %v",
d, ctc.max)
}
return nil
first commit
2018-10-05 21:48:36 +00:00
}
Reference in New Issue Copy Permalink