On JWK and X5C validate the key id on the request.

4 years ago · 8ff8d90f8c
parent 3b19bb9796
commit 8ff8d90f8c
2 changed files with 4 additions and 4 deletions
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@ -207,6 +207,8 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	signOptions := []SignOption{
 		// validates user's SSHOptions with the ones in the token
 		sshCertOptionsValidator(*opts),
+		// validate users's KeyID is the token subject.
+		sshCertOptionsValidator(SignSSHOptions{KeyID: claims.Subject}),
 	}

 	// Default template attributes.
@ -251,8 +253,6 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	return append(signOptions,
 		// Set the validity bounds if not set.
 		&sshDefaultDuration{p.claimer},
-		// Validate that the keyID is equivalent to the token subject.
-		sshCertKeyIDValidator(claims.Subject),
 		// Validate public key
 		&sshDefaultPublicKeyValidator{},
 		// Validate the validity period.
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@ -249,6 +249,8 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	signOptions := []SignOption{
 		// validates user's SSHOptions with the ones in the token
 		sshCertOptionsValidator(*opts),
+		// validate users's KeyID is the token subject.
+		sshCertOptionsValidator(SignSSHOptions{KeyID: claims.Subject}),
 	}

 	// Default template attributes.
@ -293,8 +295,6 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 	return append(signOptions,
 		// Checks the validity bounds, and set the validity if has not been set.
 		&sshLimitDuration{p.claimer, claims.chains[0][0].NotAfter},
-		// set the key id to the token subject
-		sshCertKeyIDValidator(claims.Subject),
 		// Validate public key.
 		&sshDefaultPublicKeyValidator{},
 		// Validate the validity period.