Make API responses aware of the new SCEP decrypter properties

8 months ago · 5fd70af2c8
parent 3ade92f8d5
commit 5fd70af2c8
3 changed files with 35 additions and 14 deletions
--- a/api/api_test.go
+++ b/api/api_test.go
@ -1569,7 +1569,6 @@ func mustCertificate(t *testing.T, pub, priv interface{}) *x509.Certificate {
 }
 func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 	k := map[string]any{
 		"use": "sig",
 		"kty": "EC",
@ -1581,9 +1580,14 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 	}
 	key := squarejose.JSONWebKey{}
 	b, err := json.Marshal(k)
-	assert.FatalError(t, err)
+	require.NoError(t, err)
 	err = json.Unmarshal(b, &key)
-	assert.FatalError(t, err)
+	require.NoError(t, err)
 	var encodedPassword bytes.Buffer
 	enc := base64.NewEncoder(base64.StdEncoding, &encodedPassword)
 	_, err = enc.Write([]byte("super-secret-password"))
 	require.NoError(t, err)
 	r := ProvisionersResponse{
 		Provisioners: provisioner.List{
@ -1593,9 +1597,12 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 				ChallengePassword:             "not-so-secret",
 				MinimumPublicKeyLength:        2048,
 				EncryptionAlgorithmIdentifier: 2,
 				IncludeRoot:                   true,
 				ExcludeIntermediate:           true,
 				DecrypterCertificate:          []byte{1, 2, 3, 4},
-				DecrypterKey:                  "softkms:path=/path/to/private.key",
+				DecrypterKeyPEM:               []byte{5, 6, 7, 8},
-				DecrypterKeyPassword:          "super-secret-password",
+				DecrypterKeyURI:               "softkms:path=/path/to/private.key",
 				DecrypterKeyPassword:          encodedPassword.Bytes(),
 			},
 			&provisioner.JWK{
 				EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
@ -1612,9 +1619,13 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 			{
 				"type":                          "scep",
 				"name":                          "scep",
 				"forceCN":                       false,
 				"includeRoot":                   true,
 				"excludeIntermediate":           true,
 				"challenge":                     "*** REDACTED ***",
 				"decrypterCertificate":          "*** REDACTED ***",
 				"decrypterKey":                  "*** REDACTED ***",
 				"decrypterKeyPEM":               "*** REDACTED ***",
 				"decrypterKeyPassword":          "*** REDACTED ***",
 				"minimumPublicKeyLength":        2048,
 				"encryptionAlgorithmIdentifier": 2,
@ -1652,9 +1663,12 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 			ChallengePassword:             "not-so-secret",
 			MinimumPublicKeyLength:        2048,
 			EncryptionAlgorithmIdentifier: 2,
 			IncludeRoot:                   true,
 			ExcludeIntermediate:           true,
 			DecrypterCertificate:          []byte{1, 2, 3, 4},
-			DecrypterKey:                  "softkms:path=/path/to/private.key",
+			DecrypterKeyPEM:               []byte{5, 6, 7, 8},
-			DecrypterKeyPassword:          "super-secret-password",
+			DecrypterKeyURI:               "softkms:path=/path/to/private.key",
 			DecrypterKeyPassword:          encodedPassword.Bytes(),
 		},
 		&provisioner.JWK{
 			EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
--- a/api/models/scep.go
+++ b/api/models/scep.go
@ -19,17 +19,17 @@ type SCEP struct {
 	ID                            string               `json:"-"`
 	Type                          string               `json:"type"`
 	Name                          string               `json:"name"`
-	ForceCN                       bool                 `json:"forceCN,omitempty"`
+	ForceCN                       bool                 `json:"forceCN"`
-	ChallengePassword             string               `json:"challenge,omitempty"`
+	ChallengePassword             string               `json:"challenge"`
 	Capabilities                  []string             `json:"capabilities,omitempty"`
-	IncludeRoot                   bool                 `json:"includeRoot,omitempty"`
+	IncludeRoot                   bool                 `json:"includeRoot"`
-	ExcludeIntermediate           bool                 `json:"excludeIntermediate,omitempty"`
+	ExcludeIntermediate           bool                 `json:"excludeIntermediate"`
-	MinimumPublicKeyLength        int                  `json:"minimumPublicKeyLength,omitempty"`
+	MinimumPublicKeyLength        int                  `json:"minimumPublicKeyLength"`
 	DecrypterCertificate          string               `json:"decrypterCertificate"`
 	DecrypterKeyPEM               string               `json:"decrypterKeyPEM"`
 	DecrypterKeyURI               string               `json:"decrypterKey"`
 	DecrypterKeyPassword          string               `json:"decrypterKeyPassword"`
-	EncryptionAlgorithmIdentifier int                  `json:"encryptionAlgorithmIdentifier,omitempty"`
+	EncryptionAlgorithmIdentifier int                  `json:"encryptionAlgorithmIdentifier"`
 	Options                       *provisioner.Options `json:"options,omitempty"`
 	Claims                        *provisioner.Claims  `json:"claims,omitempty"`
 }
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@ -990,7 +990,8 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 		}
 		if decrypter := cfg.GetDecrypter(); decrypter != nil {
 			s.DecrypterCertificate = decrypter.DecrypterCertificate
-			s.DecrypterKey = decrypter.DecrypterKey
+			s.DecrypterKeyPEM = decrypter.DecrypterKey
 			s.DecrypterKeyURI = decrypter.DecrypterKeyUri
 			s.DecrypterKeyPassword = decrypter.DecrypterKeyPassword
 		}
 		return s, nil
@ -1250,6 +1251,12 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 						IncludeRoot:                   p.IncludeRoot,
 						ExcludeIntermediate:           p.ExcludeIntermediate,
 						EncryptionAlgorithmIdentifier: int32(p.EncryptionAlgorithmIdentifier),
 						Decrypter: &linkedca.SCEPDecrypter{
 							DecrypterCertificate: p.DecrypterCertificate,
 							DecrypterKey:         p.DecrypterKeyPEM,
 							DecrypterKeyUri:      p.DecrypterKeyURI,
 							DecrypterKeyPassword: p.DecrypterKeyPassword,
 						},
 					},
 				},
 			},