2023-08-03 15:21:50 +00:00
|
|
|
package models
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"crypto/x509"
|
|
|
|
"errors"
|
|
|
|
|
|
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
)
|
|
|
|
|
|
|
|
var errDummyImplementation = errors.New("dummy implementation")
|
|
|
|
|
|
|
|
// SCEP is the SCEP provisioner model used solely in CA API
|
|
|
|
// responses. All methods for the [provisioner.Interface] interface
|
|
|
|
// are implemented, but return a dummy error.
|
|
|
|
// TODO(hs): remove reliance on the interface for the API responses
|
|
|
|
type SCEP struct {
|
|
|
|
ID string `json:"-"`
|
|
|
|
Type string `json:"type"`
|
|
|
|
Name string `json:"name"`
|
2023-09-22 09:38:03 +00:00
|
|
|
ForceCN bool `json:"forceCN"`
|
|
|
|
ChallengePassword string `json:"challenge"`
|
2023-08-03 15:21:50 +00:00
|
|
|
Capabilities []string `json:"capabilities,omitempty"`
|
2023-09-22 09:38:03 +00:00
|
|
|
IncludeRoot bool `json:"includeRoot"`
|
|
|
|
ExcludeIntermediate bool `json:"excludeIntermediate"`
|
|
|
|
MinimumPublicKeyLength int `json:"minimumPublicKeyLength"`
|
2023-09-25 22:49:45 +00:00
|
|
|
DecrypterCertificate []byte `json:"decrypterCertificate"`
|
|
|
|
DecrypterKeyPEM []byte `json:"decrypterKeyPEM"`
|
2023-09-22 09:10:22 +00:00
|
|
|
DecrypterKeyURI string `json:"decrypterKey"`
|
2023-09-26 17:36:58 +00:00
|
|
|
DecrypterKeyPassword string `json:"decrypterKeyPassword"`
|
2023-09-22 09:38:03 +00:00
|
|
|
EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier"`
|
2023-08-03 15:21:50 +00:00
|
|
|
Options *provisioner.Options `json:"options,omitempty"`
|
|
|
|
Claims *provisioner.Claims `json:"claims,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetID returns the provisioner unique identifier.
|
|
|
|
func (s *SCEP) GetID() string {
|
|
|
|
if s.ID != "" {
|
|
|
|
return s.ID
|
|
|
|
}
|
|
|
|
return s.GetIDForToken()
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetIDForToken returns an identifier that will be used to load the provisioner
|
|
|
|
// from a token.
|
|
|
|
func (s *SCEP) GetIDForToken() string {
|
|
|
|
return "scep/" + s.Name
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetName returns the name of the provisioner.
|
|
|
|
func (s *SCEP) GetName() string {
|
|
|
|
return s.Name
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetType returns the type of provisioner.
|
|
|
|
func (s *SCEP) GetType() provisioner.Type {
|
|
|
|
return provisioner.TypeSCEP
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetEncryptedKey returns the base provisioner encrypted key if it's defined.
|
|
|
|
func (s *SCEP) GetEncryptedKey() (string, string, bool) {
|
|
|
|
return "", "", false
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetTokenID returns the identifier of the token.
|
|
|
|
func (s *SCEP) GetTokenID(string) (string, error) {
|
|
|
|
return "", errDummyImplementation
|
|
|
|
}
|
|
|
|
|
|
|
|
// Init initializes and validates the fields of a SCEP type.
|
2023-09-04 13:36:37 +00:00
|
|
|
func (s *SCEP) Init(_ provisioner.Config) (err error) {
|
2023-08-03 15:21:50 +00:00
|
|
|
return errDummyImplementation
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizeSign returns an unimplemented error. Provisioners should overwrite
|
|
|
|
// this method if they will support authorizing tokens for signing x509 Certificates.
|
|
|
|
func (s *SCEP) AuthorizeSign(context.Context, string) ([]provisioner.SignOption, error) {
|
|
|
|
return nil, errDummyImplementation
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
|
|
|
|
// this method if they will support authorizing tokens for revoking x509 Certificates.
|
|
|
|
func (s *SCEP) AuthorizeRevoke(context.Context, string) error {
|
|
|
|
return errDummyImplementation
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizeRenew returns an unimplemented error. Provisioners should overwrite
|
|
|
|
// this method if they will support authorizing tokens for renewing x509 Certificates.
|
|
|
|
func (s *SCEP) AuthorizeRenew(context.Context, *x509.Certificate) error {
|
|
|
|
return errDummyImplementation
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite
|
|
|
|
// this method if they will support authorizing tokens for signing SSH Certificates.
|
|
|
|
func (s *SCEP) AuthorizeSSHSign(context.Context, string) ([]provisioner.SignOption, error) {
|
|
|
|
return nil, errDummyImplementation
|
|
|
|
}
|
|
|
|
|
2024-04-09 09:48:50 +00:00
|
|
|
// AuthorizeSSHRevoke returns an unimplemented error. Provisioners should overwrite
|
2023-08-03 15:21:50 +00:00
|
|
|
// this method if they will support authorizing tokens for revoking SSH Certificates.
|
|
|
|
func (s *SCEP) AuthorizeSSHRevoke(context.Context, string) error {
|
|
|
|
return errDummyImplementation
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite
|
|
|
|
// this method if they will support authorizing tokens for renewing SSH Certificates.
|
|
|
|
func (s *SCEP) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
|
|
|
|
return nil, errDummyImplementation
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite
|
|
|
|
// this method if they will support authorizing tokens for rekeying SSH Certificates.
|
|
|
|
func (s *SCEP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []provisioner.SignOption, error) {
|
|
|
|
return nil, nil, errDummyImplementation
|
|
|
|
}
|
|
|
|
|
|
|
|
var _ provisioner.Interface = (*SCEP)(nil)
|