From b424aa3dc13f1571e76353520c8281e9606da52f Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 6 Jan 2022 11:19:46 -0800
Subject: [PATCH] Add nebula header and use der version of certificate.

---
 authority/provisioner/nebula.go      | 16 ++++++++--------
 authority/provisioner/nebula_test.go |  8 ++++----
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index 55142e55..ec0aaeee 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -20,7 +20,7 @@ import (
 
 const (
 	// NebulaCertHeader is the token header that contains a nebula certificate.
-	NebulaCertHeader jose.HeaderKey = "nbc"
+	NebulaCertHeader jose.HeaderKey = "nebula"
 )
 
 // Nebula is a provisioner that verifies tokens signed using nebula private
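Review bot: The doc comment on NebulaCertHeader still says only that the header "contains a nebula certificate", yet this commit changes both the key and the encoding, so a reader of nebula.go can no longer tell what a client must put there. I would extend it to `// NebulaCertHeader is the token header that contains a nebula certificate, as the standard-base64 encoding of its Marshal() bytes (not PEM).` Since tokens minted with the previous `nbc`/PEM form are now rejected with "nebula header is missing", it is also worth stating whether a compatibility window for the old key is intended, or at least recording the break in the changelog.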
@@ -308,21 +308,21 @@ func (p *Nebula) authorizeToken(token string, audiences []string) (*cert.NebulaC
 	}
 
 	// Extract nebula certificate
-	nbc, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
+	h, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
 	if !ok {
-		return nil, nil, errs.Unauthorized("failed to parse token: nbc header is missing")
+		return nil, nil, errs.Unauthorized("failed to parse token: nebula header is missing")
 	}
-	s, ok := nbc.(string)
+	s, ok := h.(string)
 	if !ok {
-		return nil, nil, errs.Unauthorized("failed to parse token: nbc header is not valid")
+		return nil, nil, errs.Unauthorized("failed to parse token: nebula header is not valid")
 	}
 	b, err := base64.StdEncoding.DecodeString(s)
 	if err != nil {
-		return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nbc header is not valid"))
+		return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nebula header is not valid"))
 	}
-	c, _, err := cert.UnmarshalNebulaCertificateFromPEM(b)
+	c, err := cert.UnmarshalNebulaCertificate(b)
 	if err != nil {
-		return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nbc header is not valid"))
+		return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nebula header is not valid"))
 	}
 
 	// Validate nebula certificate against CA
diff --git a/authority/provisioner/nebula_test.go b/authority/provisioner/nebula_test.go
index a5925b7d..bc539af1 100644
--- a/authority/provisioner/nebula_test.go
+++ b/authority/provisioner/nebula_test.go
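Review bot: At `c, err := cert.UnmarshalNebulaCertificate(b)` the certificate is parsed from a token header that has not been authenticated yet, and nothing in the hunk bounds the header's size before `base64.StdEncoding.DecodeString(s)` decodes it. I would add `if len(s) > maxNebulaHeaderLen { return nil, nil, errs.Unauthorized("failed to parse token: nebula header is too large") }` ahead of the decode (maxNebulaHeaderLen being a constant still to be chosen), and a comment after the unmarshal such as `// c is untrusted at this point: it must pass CA validation and the token signature must verify against its public key before any of its fields are used.` The validation that makes `c` trustworthy happens after the hunk, so that ordering is inferred from the trailing "Validate nebula certificate against CA" comment; authorizeToken begins and ends outside the hunk.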
@@ -131,14 +131,14 @@ func mustNebulaProvisioner(t *testing.T) (*Nebula, *cert.NebulaCertificate, ed25
 func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []string, nc *cert.NebulaCertificate, key crypto.Signer) string {
 	t.Helper()
 
-	ncPEM, err := nc.MarshalToPEM()
+	ncDer, err := nc.Marshal()
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	so := new(jose.SignerOptions)
 	so.WithType("JWT")
-	so.WithHeader(NebulaCertHeader, ncPEM)
+	so.WithHeader(NebulaCertHeader, ncDer)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
 	if err != nil {
@@ -174,14 +174,14 @@ func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []s
 func mustNebulaSSHToken(t *testing.T, sub, iss, aud string, iat time.Time, opts *SignSSHOptions, nc *cert.NebulaCertificate, key crypto.Signer) string {
 	t.Helper()
 
-	ncPEM, err := nc.MarshalToPEM()
+	ncDer, err := nc.Marshal()
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	so := new(jose.SignerOptions)
 	so.WithType("JWT")
-	so.WithHeader(NebulaCertHeader, ncPEM)
+	so.WithHeader(NebulaCertHeader, ncDer)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.XEdDSA, Key: key}, so)
 	if err != nil {
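Review bot: Passing `ncDer` (a `[]byte`) to `so.WithHeader` relies on encoding/json serializing byte slices as standard base64, which is exactly what authorizeToken's `base64.StdEncoding.DecodeString` undoes; that coupling is silent in both helpers, so I would note it at the call: `// []byte header values are JSON-encoded as standard base64, matching the decode in authorizeToken.` The same applies to mustNebulaSSHToken in the following hunk. Also, as far as I recall nebula's `Marshal()` emits the protobuf wire encoding of the certificate rather than ASN.1 DER, so `ncDer` (and "der" in the commit subject) may be a misnomer; `ncRaw` or `ncBytes` would avoid the confusion. Both helpers continue past the end of their hunks.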