Add nebula header and use der version of certificate.

2 years ago · b424aa3dc1
parent f49a4b326f
commit b424aa3dc1
2 changed files with 12 additions and 12 deletions
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@ -20,7 +20,7 @@ import (

 const (
 	// NebulaCertHeader is the token header that contains a nebula certificate.
-	NebulaCertHeader jose.HeaderKey = "nbc"
+	NebulaCertHeader jose.HeaderKey = "nebula"
 )

 // Nebula is a provisioner that verifies tokens signed using nebula private
@ -308,21 +308,21 @@ func (p *Nebula) authorizeToken(token string, audiences []string) (*cert.NebulaC
 	}

 	// Extract nebula certificate
-	nbc, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
+	h, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
 	if !ok {
-		return nil, nil, errs.Unauthorized("failed to parse token: nbc header is missing")
+		return nil, nil, errs.Unauthorized("failed to parse token: nebula header is missing")
 	}
-	s, ok := nbc.(string)
+	s, ok := h.(string)
 	if !ok {
-		return nil, nil, errs.Unauthorized("failed to parse token: nbc header is not valid")
+		return nil, nil, errs.Unauthorized("failed to parse token: nebula header is not valid")
 	}
 	b, err := base64.StdEncoding.DecodeString(s)
 	if err != nil {
-		return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nbc header is not valid"))
+		return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nebula header is not valid"))
 	}
-	c, _, err := cert.UnmarshalNebulaCertificateFromPEM(b)
+	c, err := cert.UnmarshalNebulaCertificate(b)
 	if err != nil {
-		return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nbc header is not valid"))
+		return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nebula header is not valid"))
 	}

 	// Validate nebula certificate against CA
--- a/authority/provisioner/nebula_test.go
+++ b/authority/provisioner/nebula_test.go
@ -131,14 +131,14 @@ func mustNebulaProvisioner(t *testing.T) (*Nebula, *cert.NebulaCertificate, ed25

 func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []string, nc *cert.NebulaCertificate, key crypto.Signer) string {
 	t.Helper()
-	ncPEM, err := nc.MarshalToPEM()
+	ncDer, err := nc.Marshal()
 	if err != nil {
 		t.Fatal(err)
 	}

 	so := new(jose.SignerOptions)
 	so.WithType("JWT")
-	so.WithHeader(NebulaCertHeader, ncPEM)
+	so.WithHeader(NebulaCertHeader, ncDer)

 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
 	if err != nil {
@ -174,14 +174,14 @@ func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []s

 func mustNebulaSSHToken(t *testing.T, sub, iss, aud string, iat time.Time, opts *SignSSHOptions, nc *cert.NebulaCertificate, key crypto.Signer) string {
 	t.Helper()
-	ncPEM, err := nc.MarshalToPEM()
+	ncDer, err := nc.Marshal()
 	if err != nil {
 		t.Fatal(err)
 	}

 	so := new(jose.SignerOptions)
 	so.WithType("JWT")
-	so.WithHeader(NebulaCertHeader, ncPEM)
+	so.WithHeader(NebulaCertHeader, ncDer)

 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
 	if err != nil {