Add support for the disableSmallstepExtensions claim
This commit adds a new claim to exclude the Smallstep provisioner extension from the generated certificates. Fixes #620
This commit is contained in:
parent
d7efceadb1
commit
c7c7decd5e
@ -35,6 +35,9 @@ var (
|
|||||||
// DefaultEnableSSHCA enable SSH CA features per provisioner or globally
|
// DefaultEnableSSHCA enable SSH CA features per provisioner or globally
|
||||||
// for all provisioners.
|
// for all provisioners.
|
||||||
DefaultEnableSSHCA = false
|
DefaultEnableSSHCA = false
|
||||||
|
// DefaultDisableSmallstepExtensions disables the Smallstep extensions in
|
||||||
|
// the certificate.
|
||||||
|
DefaultDisableSmallstepExtensions = false
|
||||||
// DefaultCRLCacheDuration is the default cache duration for the CRL.
|
// DefaultCRLCacheDuration is the default cache duration for the CRL.
|
||||||
DefaultCRLCacheDuration = &provisioner.Duration{Duration: 24 * time.Hour}
|
DefaultCRLCacheDuration = &provisioner.Duration{Duration: 24 * time.Hour}
|
||||||
// DefaultCRLExpiredDuration is the default duration in which expired
|
// DefaultCRLExpiredDuration is the default duration in which expired
|
||||||
@ -43,18 +46,19 @@ var (
|
|||||||
// GlobalProvisionerClaims is the default duration that expired certificates
|
// GlobalProvisionerClaims is the default duration that expired certificates
|
||||||
// remain in the CRL after expiration.
|
// remain in the CRL after expiration.
|
||||||
GlobalProvisionerClaims = provisioner.Claims{
|
GlobalProvisionerClaims = provisioner.Claims{
|
||||||
MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
|
MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
|
||||||
MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
||||||
DefaultTLSDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
DefaultTLSDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
||||||
MinUserSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
|
MinUserSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
|
||||||
MaxUserSSHDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
MaxUserSSHDur: &provisioner.Duration{Duration: 24 * time.Hour},
|
||||||
DefaultUserSSHDur: &provisioner.Duration{Duration: 16 * time.Hour},
|
DefaultUserSSHDur: &provisioner.Duration{Duration: 16 * time.Hour},
|
||||||
MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
|
MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
|
||||||
MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
||||||
DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour},
|
||||||
EnableSSHCA: &DefaultEnableSSHCA,
|
EnableSSHCA: &DefaultEnableSSHCA,
|
||||||
DisableRenewal: &DefaultDisableRenewal,
|
DisableRenewal: &DefaultDisableRenewal,
|
||||||
AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry,
|
AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry,
|
||||||
|
DisableSmallstepExtensions: &DefaultDisableSmallstepExtensions,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
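Review bot: The comment on `DefaultDisableSmallstepExtensions` says it "disables the Smallstep extensions in the certificate" without saying which extensions, that it only covers X.509 issuance, or that it is merely the authority-wide fallback a provisioner's own claim overrides. I would write `// DefaultDisableSmallstepExtensions is the authority-wide default for the disableSmallstepExtensions claim; when true the Smallstep provisioner extension (OID StepOIDProvisioner) is omitted from issued X.509 certificates unless a provisioner sets the claim itself.` If, as it appears from the rest of this commit, the extension is how a certificate records which provisioner issued it, the comment should also warn that certificates issued with the claim enabled no longer carry that identity and that any flow resolving the provisioner from the certificate (renewal, audit) behaves differently for them — worth confirming before this lands.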
@ -257,7 +257,7 @@ func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) {
|
|||||||
opts := []SignOption{
|
opts := []SignOption{
|
||||||
p,
|
p,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeACME, p.Name, ""),
|
newProvisionerExtensionOption(TypeACME, p.Name, "").WithControllerOptions(p.ctl),
|
||||||
newForceCNOption(p.ForceCN),
|
newForceCNOption(p.ForceCN),
|
||||||
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
|
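Review bot: `.WithControllerOptions(p.ctl)` is a separate call that every X.509 provisioner must remember to chain after `newProvisionerExtensionOption`; a provisioner added later without it silently ignores the claim, and nothing in the test suite would notice. Since every call site already has the controller at hand, consider a controller method that does both, e.g. `func (c *Controller) newProvisionerExtensionOption(typ Type, name, credentialID string, kv ...string) *provisionerExtensionOption`, which sets `Disabled` from `c.Claimer` before returning, so the claim cannot be forgotten and the eleven identical `.WithControllerOptions(...)` suffixes go away. `AuthorizeSign` continues past the hunk.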
@ -515,7 +515,7 @@ func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
|
|||||||
p,
|
p,
|
||||||
templateOptions,
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID),
|
newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID).WithControllerOptions(p.ctl),
|
||||||
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
defaultPublicKeyValidator{},
|
defaultPublicKeyValidator{},
|
||||||
|
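Review bot: With the claim enabled, the account and instance identity the AWS token proved (`doc.AccountID`, `doc.InstanceID`) disappear from the certificate along with the extension, because in this call they are passed only into `newProvisionerExtensionOption`. If operators rely on that binding for audit or for mapping a certificate back to an instance, the claim's documentation should state that the provenance is lost, or the CA should keep a server-side record of it; this is an inference from the visible call, since a template may expose the same data elsewhere. `AuthorizeSign` starts before the hunk.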
@ -398,7 +398,7 @@ func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
|
|||||||
p,
|
p,
|
||||||
templateOptions,
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID),
|
newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID).WithControllerOptions(p.ctl),
|
||||||
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
defaultPublicKeyValidator{},
|
defaultPublicKeyValidator{},
|
||||||
|
@ -26,6 +26,9 @@ type Claims struct {
|
|||||||
// Renewal properties
|
// Renewal properties
|
||||||
DisableRenewal *bool `json:"disableRenewal,omitempty"`
|
DisableRenewal *bool `json:"disableRenewal,omitempty"`
|
||||||
AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"`
|
AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"`
|
||||||
|
|
||||||
|
// Other properties
|
||||||
|
DisableSmallstepExtensions *bool `json:"disableSmallstepExtensions,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Claimer is the type that controls claims. It provides an interface around the
|
// Claimer is the type that controls claims. It provides an interface around the
|
||||||
@ -47,20 +50,22 @@ func (c *Claimer) Claims() Claims {
|
|||||||
disableRenewal := c.IsDisableRenewal()
|
disableRenewal := c.IsDisableRenewal()
|
||||||
allowRenewalAfterExpiry := c.AllowRenewalAfterExpiry()
|
allowRenewalAfterExpiry := c.AllowRenewalAfterExpiry()
|
||||||
enableSSHCA := c.IsSSHCAEnabled()
|
enableSSHCA := c.IsSSHCAEnabled()
|
||||||
|
disableSmallstepExtensions := c.IsDisableSmallstepExtensions()
|
||||||
|
|
||||||
return Claims{
|
return Claims{
|
||||||
MinTLSDur: &Duration{c.MinTLSCertDuration()},
|
MinTLSDur: &Duration{c.MinTLSCertDuration()},
|
||||||
MaxTLSDur: &Duration{c.MaxTLSCertDuration()},
|
MaxTLSDur: &Duration{c.MaxTLSCertDuration()},
|
||||||
DefaultTLSDur: &Duration{c.DefaultTLSCertDuration()},
|
DefaultTLSDur: &Duration{c.DefaultTLSCertDuration()},
|
||||||
MinUserSSHDur: &Duration{c.MinUserSSHCertDuration()},
|
MinUserSSHDur: &Duration{c.MinUserSSHCertDuration()},
|
||||||
MaxUserSSHDur: &Duration{c.MaxUserSSHCertDuration()},
|
MaxUserSSHDur: &Duration{c.MaxUserSSHCertDuration()},
|
||||||
DefaultUserSSHDur: &Duration{c.DefaultUserSSHCertDuration()},
|
DefaultUserSSHDur: &Duration{c.DefaultUserSSHCertDuration()},
|
||||||
MinHostSSHDur: &Duration{c.MinHostSSHCertDuration()},
|
MinHostSSHDur: &Duration{c.MinHostSSHCertDuration()},
|
||||||
MaxHostSSHDur: &Duration{c.MaxHostSSHCertDuration()},
|
MaxHostSSHDur: &Duration{c.MaxHostSSHCertDuration()},
|
||||||
DefaultHostSSHDur: &Duration{c.DefaultHostSSHCertDuration()},
|
DefaultHostSSHDur: &Duration{c.DefaultHostSSHCertDuration()},
|
||||||
EnableSSHCA: &enableSSHCA,
|
EnableSSHCA: &enableSSHCA,
|
||||||
DisableRenewal: &disableRenewal,
|
DisableRenewal: &disableRenewal,
|
||||||
AllowRenewalAfterExpiry: &allowRenewalAfterExpiry,
|
AllowRenewalAfterExpiry: &allowRenewalAfterExpiry,
|
||||||
|
DisableSmallstepExtensions: &disableSmallstepExtensions,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -110,6 +115,15 @@ func (c *Claimer) IsDisableRenewal() bool {
|
|||||||
return *c.claims.DisableRenewal
|
return *c.claims.DisableRenewal
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsDisableSmallstepExtensions returns if the Smallstep extensions, like the
|
||||||
|
// provisioner extension, should be excluded from the certificate.
|
||||||
|
func (c *Claimer) IsDisableSmallstepExtensions() bool {
|
||||||
|
if c.claims == nil || c.claims.DisableSmallstepExtensions == nil {
|
||||||
|
return *c.global.DisableSmallstepExtensions
|
||||||
|
}
|
||||||
|
return *c.claims.DisableSmallstepExtensions
|
||||||
|
}
|
||||||
|
|
||||||
// AllowRenewalAfterExpiry returns if the renewal flow is authorized if the
|
// AllowRenewalAfterExpiry returns if the renewal flow is authorized if the
|
||||||
// certificate is expired. If the property is not set within the provisioner
|
// certificate is expired. If the property is not set within the provisioner
|
||||||
// then the global value from the authority configuration will be used.
|
// then the global value from the authority configuration will be used.
|
||||||
|
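Review bot: `DisableSmallstepExtensions` is the only claim in `Claims` without a comment of its own, and its name promises more than the code does: the accessor comment and the `Modify` path show that only the provisioner extension is dropped, and only on the X.509 side. I would document the field as `// DisableSmallstepExtensions omits the Smallstep provisioner extension (StepOIDProvisioner) from issued X.509 certificates; as of this commit it affects no other extension and leaves SSH issuance untouched.` Separately, `IsDisableSmallstepExtensions` dereferences `*c.global.DisableSmallstepExtensions` unconditionally; the sibling accessors share that assumption, but this field is new, so any caller that builds the global `Claims` by hand without it (older code or tests outside this diff) now panics instead of getting the default — returning `false` when the global pointer is nil would be cheap insurance.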
@ -270,7 +270,7 @@ func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
|
|||||||
p,
|
p,
|
||||||
templateOptions,
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),
|
newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName).WithControllerOptions(p.ctl),
|
||||||
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
defaultPublicKeyValidator{},
|
defaultPublicKeyValidator{},
|
||||||
|
@ -187,7 +187,7 @@ func (p *JWK) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
|
|||||||
self,
|
self,
|
||||||
templateOptions,
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
|
newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID).WithControllerOptions(p.ctl),
|
||||||
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
commonNameValidator(claims.Subject),
|
commonNameValidator(claims.Subject),
|
||||||
|
@ -238,7 +238,7 @@ func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
|
|||||||
p,
|
p,
|
||||||
templateOptions,
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeK8sSA, p.Name, ""),
|
newProvisionerExtensionOption(TypeK8sSA, p.Name, "").WithControllerOptions(p.ctl),
|
||||||
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
defaultPublicKeyValidator{},
|
defaultPublicKeyValidator{},
|
||||||
|
@ -150,7 +150,7 @@ func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, e
|
|||||||
p,
|
p,
|
||||||
templateOptions,
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeNebula, p.Name, ""),
|
newProvisionerExtensionOption(TypeNebula, p.Name, "").WithControllerOptions(p.ctl),
|
||||||
profileLimitDuration{
|
profileLimitDuration{
|
||||||
def: p.ctl.Claimer.DefaultTLSCertDuration(),
|
def: p.ctl.Claimer.DefaultTLSCertDuration(),
|
||||||
notBefore: crt.Details.NotBefore,
|
notBefore: crt.Details.NotBefore,
|
||||||
|
@ -351,7 +351,7 @@ func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, err
|
|||||||
o,
|
o,
|
||||||
templateOptions,
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),
|
newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID).WithControllerOptions(o.ctl),
|
||||||
profileDefaultDuration(o.ctl.Claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(o.ctl.Claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
defaultPublicKeyValidator{},
|
defaultPublicKeyValidator{},
|
||||||
|
@ -190,7 +190,7 @@ func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error) {
|
|||||||
return []SignOption{
|
return []SignOption{
|
||||||
s,
|
s,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeSCEP, s.Name, ""),
|
newProvisionerExtensionOption(TypeSCEP, s.Name, "").WithControllerOptions(s.ctl),
|
||||||
newForceCNOption(s.ForceCN),
|
newForceCNOption(s.ForceCN),
|
||||||
profileDefaultDuration(s.ctl.Claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(s.ctl.Claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
|
@ -430,6 +430,7 @@ func (o *forceCNOption) Modify(cert *x509.Certificate, _ SignOptions) error {
|
|||||||
|
|
||||||
type provisionerExtensionOption struct {
|
type provisionerExtensionOption struct {
|
||||||
Extension
|
Extension
|
||||||
|
Disabled bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValuePairs ...string) *provisionerExtensionOption {
|
func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValuePairs ...string) *provisionerExtensionOption {
|
||||||
@ -443,7 +444,18 @@ func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValue
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WithControllerOptions returns the provisionerExtensionOption options from the
|
||||||
|
// controller. Currently only the claim DisableSmallstepExtensions is used.
|
||||||
|
func (o *provisionerExtensionOption) WithControllerOptions(c *Controller) *provisionerExtensionOption {
|
||||||
|
o.Disabled = c.Claimer.IsDisableSmallstepExtensions()
|
||||||
|
return o
|
||||||
|
}
|
||||||
|
|
||||||
func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error {
|
func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error {
|
||||||
|
if o.Disabled {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
ext, err := o.ToExtension()
|
ext, err := o.ToExtension()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errs.NewError(http.StatusInternalServerError, err, "error creating certificate")
|
return errs.NewError(http.StatusInternalServerError, err, "error creating certificate")
|
||||||
|
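Review bot: The early `return nil` in `Modify` when `o.Disabled` is set leaves any `StepOIDProvisioner` extension already present in `cert.ExtraExtensions` untouched, whereas the enabled path replaces it (the `ok/replace` fixture in the test file depends on that). So if a template, or any path that copies requester-supplied extensions into `ExtraExtensions`, puts a provisioner extension there, a CA with the claim on now issues a certificate carrying an extension it did not write and no longer overwrites; should the renewal flow resolve the provisioner from that extension, that is a spoofable identity. `Disabled` should mean "no provisioner extension in the certificate at all", i.e. strip an existing one as well, and `WithControllerOptions` should tolerate a nil controller or claimer rather than panic. The remainder of `Modify` lies past the hunk.
```go
func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error {
	if o.Disabled {
		// Disabled means "no provisioner extension at all": also drop one that a
		// template or an earlier modifier already placed in ExtraExtensions,
		// instead of issuing an extension this CA did not produce.
		kept := cert.ExtraExtensions[:0]
		for _, e := range cert.ExtraExtensions {
			if !e.Id.Equal(StepOIDProvisioner) {
				kept = append(kept, e)
			}
		}
		cert.ExtraExtensions = kept
		return nil
	}
	// … unchanged: build the extension and add or replace it …
```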
@ -604,14 +604,24 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Claims with smallstep extensions disabled.
|
||||||
|
claimer, err := NewClaimer(&Claims{
|
||||||
|
DisableSmallstepExtensions: &trueValue,
|
||||||
|
}, globalProvisionerClaims)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
type test struct {
|
type test struct {
|
||||||
cert *x509.Certificate
|
modifier *provisionerExtensionOption
|
||||||
valid func(*x509.Certificate)
|
cert *x509.Certificate
|
||||||
|
valid func(*x509.Certificate)
|
||||||
}
|
}
|
||||||
tests := map[string]func() test{
|
tests := map[string]func() test{
|
||||||
"ok/one-element": func() test {
|
"ok/one-element": func() test {
|
||||||
return test{
|
return test{
|
||||||
cert: new(x509.Certificate),
|
modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value"),
|
||||||
|
cert: new(x509.Certificate),
|
||||||
valid: func(cert *x509.Certificate) {
|
valid: func(cert *x509.Certificate) {
|
||||||
if assert.Len(t, 1, cert.ExtraExtensions) {
|
if assert.Len(t, 1, cert.ExtraExtensions) {
|
||||||
ext := cert.ExtraExtensions[0]
|
ext := cert.ExtraExtensions[0]
|
||||||
@ -625,7 +635,8 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"ok/replace": func() test {
|
"ok/replace": func() test {
|
||||||
return test{
|
return test{
|
||||||
cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}},
|
modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value"),
|
||||||
|
cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}},
|
||||||
valid: func(cert *x509.Certificate) {
|
valid: func(cert *x509.Certificate) {
|
||||||
if assert.Len(t, 2, cert.ExtraExtensions) {
|
if assert.Len(t, 2, cert.ExtraExtensions) {
|
||||||
ext := cert.ExtraExtensions[0]
|
ext := cert.ExtraExtensions[0]
|
||||||
@ -636,11 +647,22 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"ok/disabled": func() test {
|
||||||
|
return test{
|
||||||
|
modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").WithControllerOptions(&Controller{
|
||||||
|
Claimer: claimer,
|
||||||
|
}),
|
||||||
|
cert: new(x509.Certificate),
|
||||||
|
valid: func(cert *x509.Certificate) {
|
||||||
|
assert.Len(t, 0, cert.ExtraExtensions)
|
||||||
|
},
|
||||||
|
}
|
||||||
|
},
|
||||||
}
|
}
|
||||||
for name, run := range tests {
|
for name, run := range tests {
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
tt := run()
|
tt := run()
|
||||||
assert.FatalError(t, newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").Modify(tt.cert, SignOptions{}))
|
assert.FatalError(t, tt.modifier.Modify(tt.cert, SignOptions{}))
|
||||||
tt.valid(tt.cert)
|
tt.valid(tt.cert)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
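Review bot: The new `ok/disabled` case only shows that nothing is added to an empty certificate; it does not pin what `Modify` does when `ExtraExtensions` already holds a `StepOIDProvisioner` extension, which is exactly the situation the `ok/replace` fixture exists for. Add a sibling case that starts from the `ok/replace` fixture with the disabled modifier and asserts on the resulting extensions, so the claim's behaviour in that case (leave the foreign extension alone, or strip it) is recorded rather than accidental. A case where the provisioner claims are empty and the global default applies, built with `NewClaimer(&Claims{}, globalProvisionerClaims)`, would also cover the fallback branch in `IsDisableSmallstepExtensions`. The test function begins before the hunk.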
@ -24,22 +24,24 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
defaultDisableRenewal = false
|
defaultDisableRenewal = false
|
||||||
defaultAllowRenewalAfterExpiry = false
|
defaultAllowRenewalAfterExpiry = false
|
||||||
defaultEnableSSHCA = true
|
defaultEnableSSHCA = true
|
||||||
globalProvisionerClaims = Claims{
|
defaultDisableSmallstepExtensions = false
|
||||||
MinTLSDur: &Duration{5 * time.Minute},
|
globalProvisionerClaims = Claims{
|
||||||
MaxTLSDur: &Duration{24 * time.Hour},
|
MinTLSDur: &Duration{5 * time.Minute},
|
||||||
DefaultTLSDur: &Duration{24 * time.Hour},
|
MaxTLSDur: &Duration{24 * time.Hour},
|
||||||
MinUserSSHDur: &Duration{Duration: 5 * time.Minute}, // User SSH certs
|
DefaultTLSDur: &Duration{24 * time.Hour},
|
||||||
MaxUserSSHDur: &Duration{Duration: 24 * time.Hour},
|
MinUserSSHDur: &Duration{Duration: 5 * time.Minute}, // User SSH certs
|
||||||
DefaultUserSSHDur: &Duration{Duration: 16 * time.Hour},
|
MaxUserSSHDur: &Duration{Duration: 24 * time.Hour},
|
||||||
MinHostSSHDur: &Duration{Duration: 5 * time.Minute}, // Host SSH certs
|
DefaultUserSSHDur: &Duration{Duration: 16 * time.Hour},
|
||||||
MaxHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour},
|
MinHostSSHDur: &Duration{Duration: 5 * time.Minute}, // Host SSH certs
|
||||||
DefaultHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour},
|
MaxHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour},
|
||||||
EnableSSHCA: &defaultEnableSSHCA,
|
DefaultHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour},
|
||||||
DisableRenewal: &defaultDisableRenewal,
|
EnableSSHCA: &defaultEnableSSHCA,
|
||||||
AllowRenewalAfterExpiry: &defaultAllowRenewalAfterExpiry,
|
DisableRenewal: &defaultDisableRenewal,
|
||||||
|
AllowRenewalAfterExpiry: &defaultAllowRenewalAfterExpiry,
|
||||||
|
DisableSmallstepExtensions: &defaultDisableSmallstepExtensions,
|
||||||
}
|
}
|
||||||
testAudiences = Audiences{
|
testAudiences = Audiences{
|
||||||
Sign: []string{"https://ca.smallstep.com/1.0/sign", "https://ca.smallstep.com/sign"},
|
Sign: []string{"https://ca.smallstep.com/1.0/sign", "https://ca.smallstep.com/sign"},
|
||||||
|
@ -237,7 +237,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
|
|||||||
self,
|
self,
|
||||||
templateOptions,
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeX5C, p.Name, ""),
|
newProvisionerExtensionOption(TypeX5C, p.Name, "").WithControllerOptions(p.ctl),
|
||||||
profileLimitDuration{
|
profileLimitDuration{
|
||||||
p.ctl.Claimer.DefaultTLSCertDuration(),
|
p.ctl.Claimer.DefaultTLSCertDuration(),
|
||||||
x5cLeaf.NotBefore, x5cLeaf.NotAfter,
|
x5cLeaf.NotBefore, x5cLeaf.NotAfter,
|
||||||
|
@ -646,8 +646,9 @@ func claimsToCertificates(c *linkedca.Claims) (*provisioner.Claims, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pc := &provisioner.Claims{
|
pc := &provisioner.Claims{
|
||||||
DisableRenewal: &c.DisableRenewal,
|
DisableRenewal: &c.DisableRenewal,
|
||||||
AllowRenewalAfterExpiry: &c.AllowRenewalAfterExpiry,
|
AllowRenewalAfterExpiry: &c.AllowRenewalAfterExpiry,
|
||||||
|
DisableSmallstepExtensions: &c.DisableSmallstepExtensions,
|
||||||
}
|
}
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
@ -686,6 +687,7 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims {
|
|||||||
|
|
||||||
disableRenewal := config.DefaultDisableRenewal
|
disableRenewal := config.DefaultDisableRenewal
|
||||||
allowRenewalAfterExpiry := config.DefaultAllowRenewalAfterExpiry
|
allowRenewalAfterExpiry := config.DefaultAllowRenewalAfterExpiry
|
||||||
|
disableSmallstepExtensions := config.DefaultDisableSmallstepExtensions
|
||||||
|
|
||||||
if c.DisableRenewal != nil {
|
if c.DisableRenewal != nil {
|
||||||
disableRenewal = *c.DisableRenewal
|
disableRenewal = *c.DisableRenewal
|
||||||
@ -693,10 +695,14 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims {
|
|||||||
if c.AllowRenewalAfterExpiry != nil {
|
if c.AllowRenewalAfterExpiry != nil {
|
||||||
allowRenewalAfterExpiry = *c.AllowRenewalAfterExpiry
|
allowRenewalAfterExpiry = *c.AllowRenewalAfterExpiry
|
||||||
}
|
}
|
||||||
|
if c.DisableSmallstepExtensions != nil {
|
||||||
|
disableSmallstepExtensions = *c.DisableSmallstepExtensions
|
||||||
|
}
|
||||||
|
|
||||||
lc := &linkedca.Claims{
|
lc := &linkedca.Claims{
|
||||||
DisableRenewal: disableRenewal,
|
DisableRenewal: disableRenewal,
|
||||||
AllowRenewalAfterExpiry: allowRenewalAfterExpiry,
|
AllowRenewalAfterExpiry: allowRenewalAfterExpiry,
|
||||||
|
DisableSmallstepExtensions: disableSmallstepExtensions,
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.DefaultTLSDur != nil || c.MinTLSDur != nil || c.MaxTLSDur != nil {
|
if c.DefaultTLSDur != nil || c.MinTLSDur != nil || c.MaxTLSDur != nil {
|
||||||
|
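Review bot: `claimsToCertificates` always emits a non-nil `DisableSmallstepExtensions` pointer from the linkedca bool, while `claimsToLinkedca` treats a nil provisioner value as "use the global default"; the round trip therefore turns "unset" into an explicit `false`, so an authority-wide `disableSmallstepExtensions: true` is never inherited by admin-managed provisioners. This mirrors `DisableRenewal` and `AllowRenewalAfterExpiry`, so it is consistent, but it is easy to misread, and a comment on the struct literal such as `// linkedca claims carry no "unset" state; defaults are resolved here, not from the authority config.` would make it deliberate. Note also that `c.DisableSmallstepExtensions` only compiles if the pinned `go.step.sm/linkedca` already defines that field; this commit's go.mod change merely removes commented replace directives, so the version requirement should be checked. Both functions extend beyond the hunks.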
6
go.mod
6
go.mod
@ -140,11 +140,5 @@ require (
|
|||||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||||
)
|
)
|
||||||
|
|
||||||
// replace github.com/smallstep/nosql => ../nosql
|
|
||||||
// replace go.step.sm/crypto => ../crypto
|
|
||||||
|
|
||||||
// replace go.step.sm/cli-utils => ../cli-utils
|
|
||||||
// replace go.step.sm/linkedca => ../linkedca
|
|
||||||
|
|
||||||
// use github.com/smallstep/pkcs7 fork with patches applied
|
// use github.com/smallstep/pkcs7 fork with patches applied
|
||||||
replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20230302202335-4c094085c948
|
replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20230302202335-4c094085c948
|
||||||
|
2
pki/testdata/helm/with-ssh-and-acme.yml
vendored
2
pki/testdata/helm/with-ssh-and-acme.yml
vendored
@ -23,7 +23,7 @@ inject:
|
|||||||
authority:
|
authority:
|
||||||
enableAdmin: false
|
enableAdmin: false
|
||||||
provisioners:
|
provisioners:
|
||||||
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}}
|
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}}
|
||||||
- {"type":"ACME","name":"acme"}
|
- {"type":"ACME","name":"acme"}
|
||||||
- {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
|
- {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
|
||||||
tls:
|
tls:
|
||||||
|
2
pki/testdata/helm/with-ssh.yml
vendored
2
pki/testdata/helm/with-ssh.yml
vendored
@ -23,7 +23,7 @@ inject:
|
|||||||
authority:
|
authority:
|
||||||
enableAdmin: false
|
enableAdmin: false
|
||||||
provisioners:
|
provisioners:
|
||||||
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}}
|
- {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}}
|
||||||
- {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
|
- {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}}
|
||||||
tls:
|
tls:
|
||||||
cipherSuites:
|
cipherSuites:
|
||||||
|