Use x5rt#S256 claim instead of kid

3 months ago · 656a03e5d1
parent 6c6ed46fef
commit 656a03e5d1
5 changed files with 8 additions and 8 deletions
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@ -30,7 +30,7 @@ type stepPayload struct {
 }

 type cnfPayload struct {
-	Kid string `json:"kid,omitempty"`
+	Fingerprint string `json:"x5rt#S256,omitempty"`
 }

 // JWK is the default provisioner, an entity that can sign tokens necessary for
@ -191,7 +191,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	// Check the fingerprint of the certificate request if given.
 	var fingerprint string
 	if claims.Confirmation != nil {
-		fingerprint = claims.Confirmation.Kid
+		fingerprint = claims.Confirmation.Fingerprint
 	}

 	return []SignOption{
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@ -249,7 +249,7 @@ func TestJWK_AuthorizeSign(t *testing.T) {
 	t2, err := generateToken("subject", p1.Name, testAudiences.Sign[0], "name@smallstep.com", []string{}, time.Now(), key1)
 	assert.FatalError(t, err)

-	t3, err := generateCustomToken("subject", p1.Name, testAudiences.Sign[0], key1, nil, map[string]any{"cnf": map[string]any{"kid": "fingerprint"}})
+	t3, err := generateCustomToken("subject", p1.Name, testAudiences.Sign[0], key1, nil, map[string]any{"cnf": map[string]any{"x5rt#S256": "fingerprint"}})
 	assert.FatalError(t, err)

 	// invalid signature
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@ -237,7 +237,7 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	// Check the fingerprint of the certificate request if given.
 	var fingerprint string
 	if claims.Confirmation != nil {
-		fingerprint = claims.Confirmation.Kid
+		fingerprint = claims.Confirmation.Fingerprint
 	}

 	return []SignOption{
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@ -469,7 +469,7 @@ func TestX5C_AuthorizeSign(t *testing.T) {
 			extraHeaders := map[string]any{"x5c": x5c}
 			extraClaims := map[string]any{
 				"sans": []string{"127.0.0.1", "foo", "max@smallstep.com"},
-				"cnf":  map[string]any{"kid": "fingerprint"},
+				"cnf":  map[string]any{"x5rt#S256": "fingerprint"},
 			}

 			tok, err := generateCustomToken("foo", p.GetName(), testAudiences.Sign[0], jwk, extraHeaders, extraClaims)
@ -814,7 +814,7 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 					Principals: []string{"host.smallstep.com"},
 				}},
 				Confirmation: &cnfPayload{
-					Kid: "fingerprint",
+					Fingerprint: "fingerprint",
 				},
 			}
 			tok, err := generateX5CSSHToken(x5cJWK, claims, withX5CHdr(x5cCerts))
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -621,7 +621,7 @@ ZYtQ9Ot36qc=
 			// Create a token with cnf
 			tok, err := generateCustomToken("smallstep test", "step-cli", testAudiences.Sign[0], key, nil, map[string]any{
 				"sans": []string{"test.smallstep.com"},
-				"cnf":  map[string]any{"kid": "bad-fingerprint"},
+				"cnf":  map[string]any{"x5rt#S256": "bad-fingerprint"},
 			})
 			require.NoError(t, err)

@ -907,7 +907,7 @@ ZYtQ9Ot36qc=
 			// Create a token with cnf
 			tok, err := generateCustomToken("smallstep test", "step-cli", testAudiences.Sign[0], key, nil, map[string]any{
 				"sans": []string{"test.smallstep.com"},
-				"cnf":  map[string]any{"kid": fingerprint},
+				"cnf":  map[string]any{"x5rt#S256": fingerprint},
 			})
 			require.NoError(t, err)