github-personal/certificates
1
0
Fork 0
mirror of https://github.com/outbackdingo/certificates.git synced 2026-01-27 10:18:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use x5rt#S256 claim instead of kid

Browse Source
This commit is contained in:
Mariano Cano
2024-07-23 12:51:11 -07:00
parent 6c6ed46fef
commit 656a03e5d1
5 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
authority/provisioner/jwk.go
View File

@@ -30,7 +30,7 @@ type stepPayload struct {
}
type cnfPayload struct {
Kid string `json:"kid,omitempty"`
Fingerprint string `json:"x5rt#S256,omitempty"`
}
// JWK is the default provisioner, an entity that can sign tokens necessary for
@@ -191,7 +191,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
// Check the fingerprint of the certificate request if given.
var fingerprint string
if claims.Confirmation != nil {
fingerprint = claims.Confirmation.Kid
fingerprint = claims.Confirmation.Fingerprint
}
return []SignOption{

2
authority/provisioner/jwk_test.go
View File

@@ -249,7 +249,7 @@ func TestJWK_AuthorizeSign(t *testing.T) {
t2, err := generateToken("subject", p1.Name, testAudiences.Sign[0], "name@smallstep.com", []string{}, time.Now(), key1)
assert.FatalError(t, err)
t3, err := generateCustomToken("subject", p1.Name, testAudiences.Sign[0], key1, nil, map[string]any{"cnf": map[string]any{"kid": "fingerprint"}})
t3, err := generateCustomToken("subject", p1.Name, testAudiences.Sign[0], key1, nil, map[string]any{"cnf": map[string]any{"x5rt#S256": "fingerprint"}})
assert.FatalError(t, err)
// invalid signature

2
authority/provisioner/x5c.go
View File

@@ -237,7 +237,7 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
// Check the fingerprint of the certificate request if given.
var fingerprint string
if claims.Confirmation != nil {
fingerprint = claims.Confirmation.Kid
fingerprint = claims.Confirmation.Fingerprint
}
return []SignOption{

4
authority/provisioner/x5c_test.go
View File

@@ -469,7 +469,7 @@ func TestX5C_AuthorizeSign(t *testing.T) {
extraHeaders := map[string]any{"x5c": x5c}
extraClaims := map[string]any{
"sans": []string{"127.0.0.1", "foo", "max@smallstep.com"},
"cnf": map[string]any{"kid": "fingerprint"},
"cnf": map[string]any{"x5rt#S256": "fingerprint"},
}
tok, err := generateCustomToken("foo", p.GetName(), testAudiences.Sign[0], jwk, extraHeaders, extraClaims)
@@ -814,7 +814,7 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
Principals: []string{"host.smallstep.com"},
}},
Confirmation: &cnfPayload{
Kid: "fingerprint",
Fingerprint: "fingerprint",
},
}
tok, err := generateX5CSSHToken(x5cJWK, claims, withX5CHdr(x5cCerts))

4
authority/tls_test.go
View File

@@ -621,7 +621,7 @@ ZYtQ9Ot36qc=
// Create a token with cnf
tok, err := generateCustomToken("smallstep test", "step-cli", testAudiences.Sign[0], key, nil, map[string]any{
"sans": []string{"test.smallstep.com"},
"cnf": map[string]any{"kid": "bad-fingerprint"},
"cnf": map[string]any{"x5rt#S256": "bad-fingerprint"},
})
require.NoError(t, err)
@@ -907,7 +907,7 @@ ZYtQ9Ot36qc=
// Create a token with cnf
tok, err := generateCustomToken("smallstep test", "step-cli", testAudiences.Sign[0], key, nil, map[string]any{
"sans": []string{"test.smallstep.com"},
"cnf": map[string]any{"kid": fingerprint},
"cnf": map[string]any{"x5rt#S256": fingerprint},
})
require.NoError(t, err)