diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index 7371fa8d..ed481877 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -30,7 +30,7 @@ type stepPayload struct {
 }
 
 type cnfPayload struct {
-	Kid string `json:"kid,omitempty"`
+	Fingerprint string `json:"x5rt#S256,omitempty"`
 }
 
 // JWK is the default provisioner, an entity that can sign tokens necessary for
@@ -191,7 +191,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	// Check the fingerprint of the certificate request if given.
 	var fingerprint string
 	if claims.Confirmation != nil {
-		fingerprint = claims.Confirmation.Kid
+		fingerprint = claims.Confirmation.Fingerprint
 	}
 
 	return []SignOption{
diff --git a/authority/provisioner/jwk_test.go b/authority/provisioner/jwk_test.go
index 2aa1969b..68fb7f47 100644
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@@ -249,7 +249,7 @@ func TestJWK_AuthorizeSign(t *testing.T) {
 	t2, err := generateToken("subject", p1.Name, testAudiences.Sign[0], "name@smallstep.com", []string{}, time.Now(), key1)
 	assert.FatalError(t, err)
 
-	t3, err := generateCustomToken("subject", p1.Name, testAudiences.Sign[0], key1, nil, map[string]any{"cnf": map[string]any{"kid": "fingerprint"}})
+	t3, err := generateCustomToken("subject", p1.Name, testAudiences.Sign[0], key1, nil, map[string]any{"cnf": map[string]any{"x5rt#S256": "fingerprint"}})
 	assert.FatalError(t, err)
 
 	// invalid signature
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index e426e4c6..fd77fe75 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -237,7 +237,7 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	// Check the fingerprint of the certificate request if given.
 	var fingerprint string
 	if claims.Confirmation != nil {
-		fingerprint = claims.Confirmation.Kid
+		fingerprint = claims.Confirmation.Fingerprint
 	}
 
 	return []SignOption{
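Review bot: The new cnf member name in the `Fingerprint` struct tag, `x5rt#S256`, looks like a misspelling of `x5t#S256`, the X.509 certificate SHA-256 thumbprint confirmation method that RFC 8705 registers for the `cnf` claim; a token issuer following that registry would send `x5t#S256`, and this struct would silently ignore it. If the non-standard spelling is deliberate, the field should carry a comment saying so, e.g. `// Fingerprint is the SHA-256 fingerprint of the certificate the token is bound to, carried in the cnf claim under the x5rt#S256 member (compare the x5t#S256 confirmation method of RFC 8705).` The same literal is repeated in the jwk_test.go, x5c_test.go and tls_test.go hunks and must change together with the tag if the name is corrected. The surrounding stepPayload type starts outside the hunk.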
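Review bot: A token that still carries the fingerprint under the old `kid` cnf member now leaves `fingerprint` empty at the `fingerprint = claims.Confirmation.Fingerprint` line, since a renamed JSON member is presumably dropped by the decoder without error; if the comment above holds and an empty fingerprint means the CSR check is skipped (the check itself is outside the hunk), such tokens go from certificate-bound to unbound without any rejection. Consider treating a present `cnf` object with no recognised member as an error rather than as "no binding", e.g. `if claims.Confirmation != nil && claims.Confirmation.Fingerprint == "" { return nil, <unauthorized error: cnf claim present but no fingerprint member> }`, so that callers using the old member fail loudly. The x5c.go hunk has the identical assignment and the same consideration applies there. AuthorizeSign continues outside the hunk.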
diff --git a/authority/provisioner/x5c_test.go b/authority/provisioner/x5c_test.go
index 2b1046bc..8f9c0adc 100644
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@@ -469,7 +469,7 @@ func TestX5C_AuthorizeSign(t *testing.T) {
 	extraHeaders := map[string]any{"x5c": x5c}
 	extraClaims := map[string]any{
 		"sans": []string{"127.0.0.1", "foo", "max@smallstep.com"},
-		"cnf": map[string]any{"kid": "fingerprint"},
+		"cnf": map[string]any{"x5rt#S256": "fingerprint"},
 	}
 
 	tok, err := generateCustomToken("foo", p.GetName(), testAudiences.Sign[0], jwk, extraHeaders, extraClaims)
@@ -814,7 +814,7 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 			Principals: []string{"host.smallstep.com"},
 		}},
 		Confirmation: &cnfPayload{
-			Kid: "fingerprint",
+			Fingerprint: "fingerprint",
 		},
 	}
 	tok, err := generateX5CSSHToken(x5cJWK, claims, withX5CHdr(x5cCerts))
diff --git a/authority/tls_test.go b/authority/tls_test.go
index e949c685..c7bd6f10 100644
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@@ -621,7 +621,7 @@ ZYtQ9Ot36qc=
 	// Create a token with cnf
 	tok, err := generateCustomToken("smallstep test", "step-cli", testAudiences.Sign[0], key, nil, map[string]any{
 		"sans": []string{"test.smallstep.com"},
-		"cnf": map[string]any{"kid": "bad-fingerprint"},
+		"cnf": map[string]any{"x5rt#S256": "bad-fingerprint"},
 	})
 
 	require.NoError(t, err)
@@ -907,7 +907,7 @@ ZYtQ9Ot36qc=
 	// Create a token with cnf
 	tok, err := generateCustomToken("smallstep test", "step-cli", testAudiences.Sign[0], key, nil, map[string]any{
 		"sans": []string{"test.smallstep.com"},
-		"cnf": map[string]any{"kid": fingerprint},
+		"cnf": map[string]any{"x5rt#S256": fingerprint},
 	})
 
 	require.NoError(t, err)