mirror of
https://github.com/outbackdingo/estserver.git
synced 2026-03-21 15:41:39 +00:00
Merge pull request #9 from foundriesio/cert-expiry
Allow cert duration to be configurable
This commit is contained in:
Andy Doan
@@ -12,6 +12,7 @@ import (
|
||||
"net"
|
||||
"net/http"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
est "github.com/foundriesio/estserver"
|
||||
"github.com/labstack/echo/v4"
|
||||
@@ -33,6 +34,7 @@ func main() {
|
||||
{name: "root-cert", help: "EST CA PEM encoded root certificate"},
|
||||
}
|
||||
port := flag.Int("port", 8443, "Port to listen on")
|
||||
certDuration := flag.Duration("cert-duration", time.Hour*24*365*3, "How long new certs should be valid for. e.g. such as '1.5h' or '2h45m'. 3 years is default")
|
||||
clientCas := flag.String("client-cas", "", "PEM encoded list of device CA's to allow. The device must present a certificate signed by a CA in this list or the `ca-cert` to authenticate")
|
||||
|
||||
for _, opt := range required {
|
||||
@@ -83,7 +85,7 @@ func main() {
|
||||
log.Fatal().Err(err).Msg("Unable to create tls cert handler")
|
||||
}
|
||||
|
||||
svcHandler := est.NewStaticServiceHandler(est.NewService(rootCert, caCert, caKey))
|
||||
svcHandler := est.NewStaticServiceHandler(est.NewService(rootCert, caCert, caKey, *certDuration))
|
||||
|
||||
e := echo.New()
|
||||
s := http.Server{
|
||||
|
||||
@@ -33,7 +33,7 @@ func RegisterEchoHandlers(svcHandler ServiceHandler, e *echo.Echo) {
|
||||
}
|
||||
bytes, err = svc.Enroll(c.Request().Context(), bytes)
|
||||
if err != nil {
|
||||
if errors.Is(err, EstError) {
|
||||
if errors.Is(err, ErrEst) {
|
||||
return c.String(http.StatusBadRequest, err.Error())
|
||||
}
|
||||
return c.String(http.StatusInternalServerError, err.Error())
|
||||
@@ -52,7 +52,7 @@ func RegisterEchoHandlers(svcHandler ServiceHandler, e *echo.Echo) {
|
||||
peerCerts := c.Request().TLS.PeerCertificates
|
||||
bytes, err = svc.ReEnroll(c.Request().Context(), bytes, peerCerts[0])
|
||||
if err != nil {
|
||||
if errors.Is(err, EstError) {
|
||||
if errors.Is(err, ErrEst) {
|
||||
return c.String(http.StatusBadRequest, err.Error())
|
||||
}
|
||||
return c.String(http.StatusInternalServerError, err.Error())
|
||||
|
||||
12
service.go
12
service.go
@@ -19,7 +19,7 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
EstError = errors.New("Base EstError")
|
||||
ErrEst = errors.New("base EstError")
|
||||
)
|
||||
|
||||
type EstErrorType int
|
||||
@@ -34,7 +34,7 @@ const (
|
||||
)
|
||||
|
||||
func (e EstErrorType) Unwrap() error {
|
||||
return EstError
|
||||
return ErrEst
|
||||
}
|
||||
func (e EstErrorType) Error() string {
|
||||
switch e {
|
||||
@@ -96,14 +96,18 @@ type Service struct {
|
||||
// ca and key are the EST7030 keypair used for signing EST7030 requests
|
||||
ca *x509.Certificate
|
||||
key crypto.Signer
|
||||
|
||||
certDuration time.Duration
|
||||
}
|
||||
|
||||
// NewService creates an EST7030 API for a Factory
|
||||
func NewService(rootCa *x509.Certificate, ca *x509.Certificate, key crypto.Signer) Service {
|
||||
func NewService(rootCa *x509.Certificate, ca *x509.Certificate, key crypto.Signer, certDuration time.Duration) Service {
|
||||
return Service{
|
||||
rootCa: rootCa,
|
||||
ca: ca,
|
||||
key: key,
|
||||
|
||||
certDuration: certDuration,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -207,7 +211,7 @@ func (s Service) signCsr(ctx context.Context, csr *x509.CertificateRequest) ([]b
|
||||
}
|
||||
|
||||
now := time.Now()
|
||||
notAfter := now.Add(time.Hour * 24 * 365)
|
||||
notAfter := now.Add(s.certDuration)
|
||||
if notAfter.After(s.ca.NotAfter) {
|
||||
log.Warn().Msg("Adjusting default cert expiry")
|
||||
notAfter = s.ca.NotAfter
|
||||
|
||||
@@ -71,7 +71,7 @@ func createService(t *testing.T) Service {
|
||||
cert, err := x509.ParseCertificate(der)
|
||||
require.Nil(t, err)
|
||||
|
||||
return Service{cert, cert, key}
|
||||
return Service{cert, cert, key, time.Hour * 24}
|
||||
}
|
||||
|
||||
func TestService_CA(t *testing.T) {
|
||||
@@ -102,7 +102,7 @@ func TestService_loadCsrBase64(t *testing.T) {
|
||||
content := base64.StdEncoding.EncodeToString([]byte("not a valid CSR"))
|
||||
_, err = Service{}.loadCsr(ctx, []byte(content))
|
||||
require.True(t, errors.Is(err, ErrInvalidCsr))
|
||||
require.True(t, errors.Is(err, EstError))
|
||||
require.True(t, errors.Is(err, ErrEst))
|
||||
|
||||
// valid Csr
|
||||
cn := random.String(12)
|
||||
|
||||
@@ -9,7 +9,7 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
errNoCerts = errors.New("Unable to find certs for this server")
|
||||
errNoCerts = errors.New("unable to find certs for this server")
|
||||
)
|
||||
|
||||
// TlsCerts represents the Server TLS keypair to advertise and CA roots we trust
|
||||
@@ -30,7 +30,7 @@ type TlsCertHandler interface {
|
||||
// Apply the TlsCertHandler logic to the tlsConfig
|
||||
func ApplyTlsCertHandler(tlsConfig *tls.Config, handler TlsCertHandler) error {
|
||||
if tlsConfig.ClientAuth != tls.VerifyClientCertIfGiven {
|
||||
return fmt.Errorf("Invalid TLS ClientAuth value: %d. It must be `tls.VerifyClientCertIfGiven` to fulfill EST requirements", tlsConfig.ClientAuth)
|
||||
return fmt.Errorf("invalid TLS ClientAuth value: %d. It must be `tls.VerifyClientCertIfGiven` to fulfill EST requirements", tlsConfig.ClientAuth)
|
||||
}
|
||||
tlsConfig.GetConfigForClient = func(helloInfo *tls.ClientHelloInfo) (*tls.Config, error) {
|
||||
return getConfigForClient(tlsConfig, handler, helloInfo)
|
||||
|
||||
Reference in New Issue
Block a user