Fix policy check for Wire user and device identifiers

Herman Slatman 4 months ago
parent 93ba1654ea
commit a38132aa58
GPG Key ID: F4D8A44EA0A75A4F

@ -376,7 +376,7 @@ func createWireSubject(o *Order, csr *x509.CertificateRequest) (subject x509util
}
if otherIDs > 0 || wireUserIDs != 1 && wireDeviceIDs != 1 {
return subject, NewErrorISE("there must only be 1 WireUser & 1 WireDevice identifiers")
return subject, NewErrorISE("order must have exactly one WireUser and WireDevice identifier")
}
return

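Review bot: The new message promises exactly one WireUser and one WireDevice identifier, but the condition on the line above does not enforce that: `&&` binds tighter than `||` in Go, so the check only rejects an order when both counts differ from 1, and an order with two WireUser and one WireDevice identifiers (or zero WireUser and one WireDevice) gets through. The guard should read `if otherIDs > 0 || wireUserIDs != 1 || wireDeviceIDs != 1 {`. A wrong identifier mix is a malformed client order rather than a server fault, so `NewErrorISE` looks like the wrong error class; a malformed-order ACME error seems more appropriate, though the available constructors are not visible here. createWireSubject starts before the hunk and its closing brace is outside it.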
@ -10,6 +10,7 @@ import (
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/acme/wire"
"go.step.sm/linkedca"
)
@ -222,8 +223,10 @@ const (
IP ACMEIdentifierType = "ip"
// DNS is the ACME dns identifier type
DNS ACMEIdentifierType = "dns"
// WireID is the Wire user identifier type
WireID ACMEIdentifierType = "wireapp-id"
// WireUser is the Wire user identifier type
WireUser ACMEIdentifierType = "wireapp-user"
// WireDevice is the Wire device identifier type
WireDevice ACMEIdentifierType = "wireapp-device"
)
// ACMEIdentifier encodes ACME Order Identifiers
@ -249,13 +252,18 @@ func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdenti
err = x509Policy.IsIPAllowed(net.ParseIP(identifier.Value))
case DNS:
err = x509Policy.IsDNSAllowed(identifier.Value)
case WireID:
// TODO: parse the value as user or device ID
// var wireID wire.ID
// if wireID, err = wire.ParseID([]byte(identifier.Value)); err != nil {
// return fmt.Errorf("failed parsing Wire SANs: %w", err)
// }
// err = x509Policy.AreSANsAllowed([]string{wireID.ClientID, wireID.Handle})
case WireUser:
var wireID wire.UserID
if wireID, err = wire.ParseUserID([]byte(identifier.Value)); err != nil {
return fmt.Errorf("failed parsing Wire SANs: %w", err)
}
err = x509Policy.AreSANsAllowed([]string{wireID.Handle})
case WireDevice:
var wireID wire.DeviceID
if wireID, err = wire.ParseDeviceID([]byte(identifier.Value)); err != nil {
return fmt.Errorf("failed parsing Wire SANs: %w", err)
}
err = x509Policy.AreSANsAllowed([]string{wireID.ClientID})
default:
err = fmt.Errorf("invalid ACME identifier type '%s' provided", identifier.Type)
}
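Review bot: Both new parse failures return the identical message `failed parsing Wire SANs`, so a caller cannot tell which identifier type was rejected; suggest `return fmt.Errorf("failed parsing Wire user identifier: %w", err)` in the WireUser case and `return fmt.Errorf("failed parsing Wire device identifier: %w", err)` in the WireDevice case. These early returns also bypass whatever follows the switch, whereas every other case assigns to err and falls through — if the tail of AuthorizeOrderIdentifier (outside the hunk) wraps err into a policy error, parse failures will surface unwrapped, which is worth confirming. The WireUser case policy-checks only `wireID.Handle` while the removed WireID sketch checked both ClientID and Handle; if wire.UserID carries other name components that policy should cover, they go unchecked here. Dropping the `wireapp-id` case means any client still sending that type now hits the default `invalid ACME identifier type` error, so this is a protocol change to document if intended. AuthorizeOrderIdentifier starts and ends outside the hunk.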
