Add back the support for ca.json DN template.

4 years ago · 4795e371bd
parent e6fed5e0aa
commit 4795e371bd
2 changed files with 30 additions and 7 deletions
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@ -20,10 +20,10 @@ import (
 // Options contains the options that can be passed to the Sign method. Backdate
 // is automatically filled and can only be configured in the CA.
 type Options struct {
-	NotAfter  TimeDuration    `json:"notAfter"`
-	NotBefore TimeDuration    `json:"notBefore"`
-	TemplateData  json.RawMessage `json:"templateData"`
-	Backdate  time.Duration   `json:"-"`
+	NotAfter     TimeDuration    `json:"notAfter"`
+	NotBefore    TimeDuration    `json:"notBefore"`
+	TemplateData json.RawMessage `json:"templateData"`
+	Backdate     time.Duration   `json:"-"`
 }

 // SignOption is the interface used to collect all extra options used in the
@ -54,6 +54,24 @@ type CertificateEnforcer interface {
 	Enforce(cert *x509.Certificate) error
 }

+// CertificateModifierFunc allows to create simple certificate modifiers just
+// with a function.
+type CertificateModifierFunc func(cert *x509.Certificate, opts Options) error
+
+// Modify implements CertificateModifier and just calls the defined function.
+func (fn CertificateModifierFunc) Modify(cert *x509.Certificate, opts Options) error {
+	return fn(cert, opts)
+}
+
+// CertificateEnforcerFunc allows to create simple certificate enforcer just
+// with a function.
+type CertificateEnforcerFunc func(cert *x509.Certificate) error
+
+// Modify implements CertificateEnforcer and just calls the defined function.
+func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
+	return fn(cert)
+}
+
 // emailOnlyIdentity is a CertificateRequestValidator that checks that the only
 // SAN provided is the given email address.
 type emailOnlyIdentity string
--- a/authority/tls.go
+++ b/authority/tls.go
@ -31,12 +31,11 @@ func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions {
 var oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
 var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}

-func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
-	return func(p x509util.Profile) error {
+func withDefaultASN1DN(def *x509util.ASN1DN) provisioner.CertificateModifierFunc {
+	return func(crt *x509.Certificate, opts provisioner.Options) error {
 		if def == nil {
 			return errors.New("default ASN1DN template cannot be nil")
 		}
-		crt := p.Subject()

 		if len(crt.Subject.Country) == 0 && def.Country != "" {
 			crt.Subject.Country = append(crt.Subject.Country, def.Country)
@ -114,6 +113,12 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti

 	// Certificate modifiers before validation
 	leaf := cert.GetCertificate()
+
+	// Set default subject
+	if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
+		return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+	}
+
 	for _, m := range certModifiers {
 		if err := m.Modify(leaf, signOpts); err != nil {
 			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)