Defer missing decrypter/signer configuration errors to SCEP authority

pull/1523/head
Herman Slatman 10 months ago
parent fc1fb51854
commit 0f35bb1af5

@ -23,7 +23,7 @@ type Authority struct {
roots []*x509.Certificate
intermediates []*x509.Certificate
signerCertificate *x509.Certificate
signer crypto.Signer
defaultSigner crypto.Signer
defaultDecrypter crypto.Decrypter
scepProvisionerNames []string
@ -69,7 +69,7 @@ func New(signAuth SignAuthority, opts Options) (*Authority, error) {
roots: opts.Roots,
intermediates: opts.Intermediates,
signerCertificate: opts.SignerCert,
signer: opts.Signer,
defaultSigner: opts.Signer,
defaultDecrypter: opts.Decrypter,
scepProvisionerNames: opts.SCEPProvisionerNames,
}
@ -484,7 +484,7 @@ func (a *Authority) ValidateChallenge(ctx context.Context, challenge, transactio
return p.ValidateChallenge(ctx, challenge, transactionID)
}
func (a *Authority) selectDecrypter(ctx context.Context) (cert *x509.Certificate, pkey crypto.PrivateKey, err error) {
func (a *Authority) selectDecrypter(ctx context.Context) (cert *x509.Certificate, pkey crypto.Decrypter, err error) {
p := provisionerFromContext(ctx)
// return provisioner specific decrypter, if available
@ -492,24 +492,34 @@ func (a *Authority) selectDecrypter(ctx context.Context) (cert *x509.Certificate
return
}
// fallback to the CA wide decrypter
// fallback to the CA wide RSA decrypter, which is the
// intermediate CA.
cert = a.signerCertificate
pkey = a.defaultDecrypter
if cert == nil || pkey == nil {
return nil, nil, fmt.Errorf("provisioner %q does not have a decrypter available", p.GetName())
}
return
}
func (a *Authority) selectSigner(ctx context.Context) (cert *x509.Certificate, pkey crypto.PrivateKey, err error) {
p := provisionerFromContext(ctx)
// return provisioner specific decrypter, if available
// return provisioner specific signer, if available
if cert, pkey = p.GetSigner(); cert != nil && pkey != nil {
return
}
// fallback to the CA wide signer
// fallback to the CA wide RSA signer, which is the
// intermediate CA.
cert = a.signerCertificate
pkey = a.defaultDecrypter
pkey = a.defaultSigner
if cert == nil || pkey == nil {
return nil, nil, fmt.Errorf("provisioner %q does not have a signer available", p.GetName())
}
return
}
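Review bot: selectSigner still declares its key result as `crypto.PrivateKey` (L47, an unchanged line) even though this commit narrows selectDecrypter's to `crypto.Decrypter` (L31) and now assigns `a.defaultSigner`, a `crypto.Signer`, into it; a `crypto.PrivateKey` is an empty interface, so a wrong key type at the fallback only surfaces when the PKCS#7 signing code asserts on it. If `p.GetSigner()` already returns a `crypto.Signer`, the signature should be `func (a *Authority) selectSigner(ctx context.Context) (cert *x509.Certificate, pkey crypto.Signer, err error) {` so the two selectors are symmetric and the compiler checks the fallback. The new error strings at L43 and L61 also blame the provisioner when the missing piece in that branch is the CA-wide fallback, which is what an operator has to fix; `fmt.Errorf("provisioner %q does not have a signer available and no CA wide signer is configured", p.GetName())` (and the decrypter equivalent) points at the right knob. The comments at L38-L39 and L55-L56 assert the fallback is an RSA key, but nothing in the hunk checks the key algorithm, so if SCEP genuinely requires RSA here that is either verified at `New` or the comment should say "expected to be RSA". Part of selectDecrypter's body lies in the lines elided between the two hunks.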
