From a38132aa58c7d4c41fee955fa73d23a3e51a5f84 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 24 Jan 2024 20:28:45 +0100
Subject: [PATCH] Fix policy check for Wire user and device identifiers

---
 acme/order.go                 |  2 +-
 authority/provisioner/acme.go | 26 +++++++++++++++++---------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/acme/order.go b/acme/order.go
index 1e53eafe..974bac5f 100644
--- a/acme/order.go
+++ b/acme/order.go
@@ -376,7 +376,7 @@ func createWireSubject(o *Order, csr *x509.CertificateRequest) (subject x509util
 	}
 
 	if otherIDs > 0 || wireUserIDs != 1 && wireDeviceIDs != 1 {
-		return subject, NewErrorISE("there must only be 1 WireUser & 1 WireDevice identifiers")
+		return subject, NewErrorISE("order must have exactly one WireUser and WireDevice identifier")
 	}
 
 	return
diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
index 19880338..f338a78a 100644
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/acme/wire"
 	"go.step.sm/linkedca"
 )
 
@@ -222,8 +223,10 @@ const (
 	IP ACMEIdentifierType = "ip"
 	// DNS is the ACME dns identifier type
 	DNS ACMEIdentifierType = "dns"
-	// WireID is the Wire user identifier type
-	WireID ACMEIdentifierType = "wireapp-id"
+	// WireUser is the Wire user identifier type
+	WireUser ACMEIdentifierType = "wireapp-user"
+	// WireDevice is the Wire device identifier type
+	WireDevice ACMEIdentifierType = "wireapp-device"
 )
 
 // ACMEIdentifier encodes ACME Order Identifiers
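Review bot: The guard on the context line directly above the reworded message, `if otherIDs > 0 || wireUserIDs != 1 && wireDeviceIDs != 1 {`, does not enforce what the new message promises: `&&` binds tighter than `||` in Go, so the error is only raised when both counts differ from one, and an order carrying two WireUser identifiers next to a single WireDevice identifier (or no WireUser identifier at all) passes through to subject construction. The condition should read `if otherIDs > 0 || wireUserIDs != 1 || wireDeviceIDs != 1 {`. The start of createWireSubject, where these counters are filled, lies outside the hunk, so this assumes no earlier check already rejects such orders.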
@@ -249,13 +252,18 @@ func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdenti
 		err = x509Policy.IsIPAllowed(net.ParseIP(identifier.Value))
 	case DNS:
 		err = x509Policy.IsDNSAllowed(identifier.Value)
-	case WireID:
-		// TODO: parse the value as user or device ID
-		// var wireID wire.ID
-		// if wireID, err = wire.ParseID([]byte(identifier.Value)); err != nil {
-		// 	return fmt.Errorf("failed parsing Wire SANs: %w", err)
-		// }
-		// err = x509Policy.AreSANsAllowed([]string{wireID.ClientID, wireID.Handle})
+	case WireUser:
+		var wireID wire.UserID
+		if wireID, err = wire.ParseUserID([]byte(identifier.Value)); err != nil {
+			return fmt.Errorf("failed parsing Wire SANs: %w", err)
+		}
+		err = x509Policy.AreSANsAllowed([]string{wireID.Handle})
+	case WireDevice:
+		var wireID wire.DeviceID
+		if wireID, err = wire.ParseDeviceID([]byte(identifier.Value)); err != nil {
+			return fmt.Errorf("failed parsing Wire SANs: %w", err)
+		}
+		err = x509Policy.AreSANsAllowed([]string{wireID.ClientID})
 	default:
 		err = fmt.Errorf("invalid ACME identifier type '%s' provided", identifier.Type)
 	}
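Review bot: Both new branches wrap a parse failure with the identical text, `return fmt.Errorf("failed parsing Wire SANs: %w", err)`, so a rejected WireUser value and a rejected WireDevice value are indistinguishable in the returned error even though they go through different parsers; `fmt.Errorf("parsing Wire user identifier %q: %w", identifier.Value, err)` and `fmt.Errorf("parsing Wire device identifier %q: %w", identifier.Value, err)` would name the branch and the offending input. The policy is evaluated only on the extracted `wireID.Handle` and `wireID.ClientID`; if the issued certificate later carries the raw identifier value or other fields of the parsed ID, the policy is judged on a different string than the one that ends up in the SAN, which is worth confirming against createWireSubject in acme/order.go. The rest of AuthorizeOrderIdentifier, including where `err` is declared and how the assigned-but-not-returned policy errors are handled after the switch, lies outside the hunk.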