Fix policy check for Wire user and device identifiers

pull/1689/head
Herman Slatman 4 months ago
parent 93ba1654ea
commit a38132aa58
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F

@ -376,7 +376,7 @@ func createWireSubject(o *Order, csr *x509.CertificateRequest) (subject x509util
} }
if otherIDs > 0 || wireUserIDs != 1 && wireDeviceIDs != 1 { if otherIDs > 0 || wireUserIDs != 1 && wireDeviceIDs != 1 {
return subject, NewErrorISE("there must only be 1 WireUser & 1 WireDevice identifiers") return subject, NewErrorISE("order must have exactly one WireUser and WireDevice identifier")
} }
return return
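Review bot: The condition on the `if` line enforces less than its new message claims: `&&` binds tighter than `||`, so `otherIDs > 0 || wireUserIDs != 1 && wireDeviceIDs != 1` only rejects an order when both counts differ from one, and an order with one WireUser and two WireDevice identifiers (or two of one kind and one of the other) passes the check. If exactly one of each is the intended policy, the check should read `if otherIDs > 0 || wireUserIDs != 1 || wireDeviceIDs != 1 {`. This hunk changes only the error text, so the condition is worth correcting in the same commit; the body of createWireSubject starts outside the hunk.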

@ -10,6 +10,7 @@ import (
"time" "time"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/acme/wire"
"go.step.sm/linkedca" "go.step.sm/linkedca"
) )
@ -222,8 +223,10 @@ const (
IP ACMEIdentifierType = "ip" IP ACMEIdentifierType = "ip"
// DNS is the ACME dns identifier type // DNS is the ACME dns identifier type
DNS ACMEIdentifierType = "dns" DNS ACMEIdentifierType = "dns"
// WireID is the Wire user identifier type // WireUser is the Wire user identifier type
WireID ACMEIdentifierType = "wireapp-id" WireUser ACMEIdentifierType = "wireapp-user"
// WireDevice is the Wire device identifier type
WireDevice ACMEIdentifierType = "wireapp-device"
) )
// ACMEIdentifier encodes ACME Order Identifiers // ACMEIdentifier encodes ACME Order Identifiers
@ -249,13 +252,18 @@ func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdenti
err = x509Policy.IsIPAllowed(net.ParseIP(identifier.Value)) err = x509Policy.IsIPAllowed(net.ParseIP(identifier.Value))
case DNS: case DNS:
err = x509Policy.IsDNSAllowed(identifier.Value) err = x509Policy.IsDNSAllowed(identifier.Value)
case WireID: case WireUser:
// TODO: parse the value as user or device ID var wireID wire.UserID
// var wireID wire.ID if wireID, err = wire.ParseUserID([]byte(identifier.Value)); err != nil {
// if wireID, err = wire.ParseID([]byte(identifier.Value)); err != nil { return fmt.Errorf("failed parsing Wire SANs: %w", err)
// return fmt.Errorf("failed parsing Wire SANs: %w", err) }
// } err = x509Policy.AreSANsAllowed([]string{wireID.Handle})
// err = x509Policy.AreSANsAllowed([]string{wireID.ClientID, wireID.Handle}) case WireDevice:
var wireID wire.DeviceID
if wireID, err = wire.ParseDeviceID([]byte(identifier.Value)); err != nil {
return fmt.Errorf("failed parsing Wire SANs: %w", err)
}
err = x509Policy.AreSANsAllowed([]string{wireID.ClientID})
default: default:
err = fmt.Errorf("invalid ACME identifier type '%s' provided", identifier.Type) err = fmt.Errorf("invalid ACME identifier type '%s' provided", identifier.Type)
} }
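Review bot: The two new cases, WireUser and WireDevice, return from inside the switch when parsing fails, while every other case assigns `err` and lets the code after the switch handle it; if that tail, which is outside this hunk, wraps or logs the error, the parse failures bypass it. The message `failed parsing Wire SANs` is also imprecise, since `identifier.Value` is a single user or device identifier at this point, and Go convention drops the `failed` prefix, e.g. `return fmt.Errorf("parsing Wire user identifier: %w", err)` and `return fmt.Errorf("parsing Wire device identifier: %w", err)`. The two branches differ only in the parser and in the single field handed to `AreSANsAllowed`, so a one-line comment on each stating why only the handle (respectively the client ID) is subject to policy would make the intent explicit for the next reader. The body of AuthorizeOrderIdentifier continues outside the hunk.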
