From 4795e371bd6d0fe43ae7ac768535b22c67f00301 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 13 Jul 2020 11:39:28 -0700
Subject: [PATCH] Add back the support for ca.json DN template.
---
 authority/provisioner/sign_options.go | 26 ++++++++++++++++++++++----
 authority/tls.go | 11 ++++++++---
 2 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index bcf19ff2..1dd7b05d 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@@ -20,10 +20,10 @@ import (
 // Options contains the options that can be passed to the Sign method. Backdate
 // is automatically filled and can only be configured in the CA.
 type Options struct {
- NotAfter TimeDuration `json:"notAfter"`
- NotBefore TimeDuration `json:"notBefore"`
- TemplateData json.RawMessage `json:"templateData"`
- Backdate time.Duration `json:"-"`
+ NotAfter TimeDuration `json:"notAfter"`
+ NotBefore TimeDuration `json:"notBefore"`
+ TemplateData json.RawMessage `json:"templateData"`
+ Backdate time.Duration `json:"-"`
 }
 // SignOption is the interface used to collect all extra options used in the 
@@ -54,6 +54,24 @@ type CertificateEnforcer interface {
 Enforce(cert *x509.Certificate) error
 }
+// CertificateModifierFunc allows to create simple certificate modifiers just
+// with a function.
+type CertificateModifierFunc func(cert *x509.Certificate, opts Options) error
+
+// Modify implements CertificateModifier and just calls the defined function.
+func (fn CertificateModifierFunc) Modify(cert *x509.Certificate, opts Options) error {
+ return fn(cert, opts)
+}
+
+// CertificateEnforcerFunc allows to create simple certificate enforcer just
+// with a function.
+type CertificateEnforcerFunc func(cert *x509.Certificate) error
+
+// Modify implements CertificateEnforcer and just calls the defined function.
+func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
+ return fn(cert)
+}
+
 // emailOnlyIdentity is a CertificateRequestValidator that checks that the only
 // SAN provided is the given email address.
 type emailOnlyIdentity string
diff --git a/authority/tls.go b/authority/tls.go
index 7b0d061d..463c84b3 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -31,12 +31,11 @@ func (a *Authority) GetTLSOptions() *tlsutil.TLSOptions {
 var oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
 var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}
-func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
- return func(p x509util.Profile) error {
+func withDefaultASN1DN(def *x509util.ASN1DN) provisioner.CertificateModifierFunc {
+ return func(crt *x509.Certificate, opts provisioner.Options) error {
 if def == nil {
 return errors.New("default ASN1DN template cannot be nil")
 }
- crt := p.Subject()
 if len(crt.Subject.Country) == 0 && def.Country != "" {
 crt.Subject.Country = append(crt.Subject.Country, def.Country) 
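Review bot: The doc comment on the `Enforce` method of `CertificateEnforcerFunc` was copied from the modifier above and names the wrong method, so godoc will describe `Enforce` as "Modify implements CertificateEnforcer"; it should read `// Enforce implements CertificateEnforcer and just calls the defined function.`. The two type comments would also read better in the http.HandlerFunc phrasing, e.g. `// CertificateModifierFunc is an adapter that lets an ordinary function be used as a CertificateModifier.` and the equivalent for `CertificateEnforcerFunc`, which also fixes the "allows to create" wording.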
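Review bot: The `def == nil` check now lives inside the returned modifier, so a missing DN template in the CA configuration is detected on every Sign call rather than once at startup, and the call site added in the later Sign hunk wraps every modifier error as `http.StatusUnauthorized`, which would report a server-side configuration gap to clients as an authorization failure. Unless the config loader already normalizes a nil template to an empty `x509util.ASN1DN` (I cannot see that from this diff), consider validating `def` when the Authority is built, or giving this error a distinct status such as `http.StatusInternalServerError` at the call site so operators can tell it apart from a rejected request. The `opts` parameter is unused here, which is fine for satisfying `provisioner.CertificateModifierFunc`, but a comment such as `// opts is unused: the default subject comes from the CA configuration, not from the request.` would make that deliberate. The body of withDefaultASN1DN continues past the end of this hunk.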
@@ -114,6 +113,12 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 // Certificate modifiers before validation
 leaf := cert.GetCertificate()
+
+ // Set default subject
+ if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
+ return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+ }
+
 for _, m := range certModifiers {
 if err := m.Modify(leaf, signOpts); err != nil {
 return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)