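--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -5,3 +5,5 @@ profile.out
 bin
 *.deb
 *.rpm
+test
+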
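--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -84,6 +84,7 @@ type SigningProfile struct {
 ExpiryString string `json:"expiry"`
 BackdateString string `json:"backdate"`
 AuthKeyName string `json:"auth_key"`
+CopyExtensions bool `json:"copy_extensions"`
 PrevAuthKeyName string `json:"prev_auth_key"` // to suppport key rotation
 RemoteName string `json:"remote"`
 NotBefore time.Time `json:"not_before"`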
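Review bot: The new CopyExtensions field at line 87 carries no comment, so the JSON tag is the only hint at what it switches on; since setting it makes extensions carried in the CSR flow into the issued certificate (see the else branch added to ParseCertificateRequest in this commit), a reader of the config struct should not have to discover that in the signer. Suggest a trailing comment such as `// copy the CSR's extensions (other than basicConstraints) into the issued certificate; see signer.ParseCertificateRequest`. The SigningProfile struct continues outside the hunk, so whether validProfile needs to know about the field cannot be judged here.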
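--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -257,6 +257,25 @@ var validLocalConfigsWithCAConstraint = []string{
 }`,
 }
 
+var copyExtensionWantedlLocalConfig = `
+{
+"signing": {
+"default": {
+"expiry": "8000h",
+"copy_extensions": true
+}
+}
+}`
+
+var copyExtensionNotWantedlLocalConfig = `
+{
+"signing": {
+"default": {
+"expiry": "8000h"
+}
+}
+}`
+
 func TestInvalidProfile(t *testing.T) {
 if invalidProfileConfig.Signing.Profiles["invalid"].validProfile(false) {
 t.Fatal("invalid profile accepted as valid")
@@ -580,3 +599,25 @@ func TestValidCAConstraint(t *testing.T) {
 }
 }
 }
+
+func TestWantCopyExtension(t *testing.T) {
+localConfig, err := LoadConfig([]byte(copyExtensionWantedlLocalConfig))
+if localConfig.Signing.Default.CopyExtensions != true {
+t.Fatal("incorrect TestWantCopyExtension().")
+}
+
+if err != nil {
+t.Fatal(err)
+}
+}
+
+func TestDontWantCopyExtension(t *testing.T) {
+localConfig, err := LoadConfig([]byte(copyExtensionNotWantedlLocalConfig))
+if localConfig.Signing.Default.CopyExtensions != false {
+t.Fatal("incorrect TestDontWantCopyExtension().")
+}
+
+if err != nil {
+t.Fatal(err)
+}
+}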
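Review bot: TestWantCopyExtension dereferences localConfig.Signing.Default at line 605 before it looks at the err returned by LoadConfig, so a config that fails to load produces a nil-pointer panic rather than the error message; move the `if err != nil { t.Fatal(err) }` block to directly after the LoadConfig call, here and in TestDontWantCopyExtension (line 616). The comparisons `!= true` and `!= false` read more naturally as `if !localConfig.Signing.Default.CopyExtensions {` and `if localConfig.Signing.Default.CopyExtensions {`. The fixture names copyExtensionWantedlLocalConfig and copyExtensionNotWantedlLocalConfig (first hunk, lines 260 and 270) carry a stray "l" before "Local". Neither test exercises copy_extensions on a named profile rather than default, which is where a per-profile setting is most likely to be misread.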
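--- a/PATH-NOT-SHOWN-4
+++ b/PATH-NOT-SHOWN-4
@@ -138,6 +138,7 @@ type CertificateRequest struct {
 KeyRequest *KeyRequest `json:"key,omitempty" yaml:"key,omitempty"`
 CA *CAConfig `json:"ca,omitempty" yaml:"ca,omitempty"`
 SerialNumber string `json:"serialnumber,omitempty" yaml:"serialnumber,omitempty"`
+Extensions []pkix.Extension `json:"extensions,omitempty" yaml:"extensions,omitempty"`
 }
 
 // New returns a new, empty CertificateRequest with a
@@ -382,6 +383,8 @@ func Generate(priv crypto.Signer, req *CertificateRequest) (csr []byte, err erro
 }
 }
 
+tpl.ExtraExtensions = []pkix.Extension{}
+
 if req.CA != nil {
 err = appendCAInfoToCSR(req.CA, &tpl)
 if err != nil {
@@ -390,6 +393,14 @@ func Generate(priv crypto.Signer, req *CertificateRequest) (csr []byte, err erro
 }
 }
 
+if req.Extensions != nil {
+err = appendExtensionsToCSR(req.Extensions, &tpl)
+if err != nil {
+err = cferr.Wrap(cferr.CSRError, cferr.GenerationFailed, err)
+return
+}
+}
+
 csr, err = x509.CreateCertificateRequest(rand.Reader, &tpl, priv)
 if err != nil {
 log.Errorf("failed to generate a CSR: %v", err)
@@ -418,13 +429,19 @@ func appendCAInfoToCSR(reqConf *CAConfig, csr *x509.CertificateRequest) error {
 return err
 }
 
-csr.ExtraExtensions = []pkix.Extension{
-{
-Id: asn1.ObjectIdentifier{2, 5, 29, 19},
+csr.ExtraExtensions = append(csr.ExtraExtensions, pkix.Extension{
+Id: asn1.ObjectIdentifier{2, 5, 29, 19},
 Value: val,
-Critical: true,
-},
-}
+Critical: true,
+})
 
+return nil
+}
+
+// appendCAInfoToCSR appends user-defined extension to a CSR
+func appendExtensionsToCSR(extensions []pkix.Extension, csr *x509.CertificateRequest) error {
+for _, extension := range extensions {
+csr.ExtraExtensions = append(csr.ExtraExtensions, extension)
+}
 return nil
 }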
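Review bot: appendExtensionsToCSR (line 442) appends whatever the request carries without comparing it against the basicConstraints extension that appendCAInfoToCSR has just appended at line 432, so a request with `ca` set and a user-supplied 2.5.29.19 extension yields a template with two basicConstraints entries; whether CreateCertificateRequest or the later parse rejects that cannot be told from here, so either reject an OID that is already present in csr.ExtraExtensions or document which one wins. The doc comment at line 441 names the wrong function; it should read `// appendExtensionsToCSR appends the user-defined extensions to the CSR's ExtraExtensions.`. The helper cannot fail and its loop is `append` in disguise, so `csr.ExtraExtensions = append(csr.ExtraExtensions, extensions...)` says the same thing; if the error return stays, the wrapping at line 399 is dead code today. The `tpl.ExtraExtensions = []pkix.Extension{}` at line 386 is not needed, since append on a nil slice works.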
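--- a/PATH-NOT-SHOWN-5
+++ b/PATH-NOT-SHOWN-5
@@ -6,6 +6,7 @@ import (
 "crypto/elliptic"
 "crypto/rsa"
 "crypto/x509"
+"crypto/x509/pkix"
 "encoding/asn1"
 "encoding/pem"
 "io/ioutil"
@@ -110,12 +111,44 @@ func TestParseRequest(t *testing.T) {
 },
 Hosts: []string{"cloudflare.com", "www.cloudflare.com", "192.168.0.1", "jdoe@example.com", "https://www.cloudflare.com"},
 KeyRequest: NewKeyRequest(),
+Extensions: []pkix.Extension{
+pkix.Extension{
+Id: asn1.ObjectIdentifier{1, 2, 3, 4, 5},
+Value: []byte("AgEB"),
+},
+},
+}
+
+csrBytes, _, err := ParseRequest(cr)
+if err != nil {
+t.Fatalf("%v", err)
+}
+
+block, _ := pem.Decode(csrBytes)
+if block == nil {
+t.Fatalf("%v", err)
+}
+
+if block.Type != "CERTIFICATE REQUEST" {
+t.Fatalf("Incorrect block type: %s", block.Type)
 }
 
-_, _, err := ParseRequest(cr)
+csr, err := x509.ParseCertificateRequest(block.Bytes)
 if err != nil {
 t.Fatalf("%v", err)
 }
+
+found := false
+for _, ext := range csr.Extensions {
+if ext.Id.Equal(asn1.ObjectIdentifier{1, 2, 3, 4, 5}) {
+found = true
+break
+}
+}
+
+if !found {
+t.Fatalf("CSR did not include Custom Extension")
+}
 }
 
 // TestParseRequestCA ensures that a valid CA certificate request does not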
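Review bot: The `block == nil` branch at line 128 reports `t.Fatalf("%v", err)`, but err is necessarily nil there because the ParseRequest error was already handled at line 123, so a PEM decode failure prints `<nil>`; use `t.Fatal("failed to decode PEM block from ParseRequest output")`. The extension value `[]byte("AgEB")` at line 117 is the base64 spelling of DER INTEGER 1 (02 01 01), not the DER bytes themselves; the test passes anyway because only the OID is checked, but if DER was intended `[]byte{0x02, 0x01, 0x01}` says so and a comparison of ext.Value inside the loop would then also verify that the value survives the round trip. Inside a `[]pkix.Extension{...}` literal the element type on `pkix.Extension{` is redundant (gofmt -s drops it).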
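--- a/PATH-NOT-SHOWN-6
+++ b/PATH-NOT-SHOWN-6
@@ -298,7 +298,7 @@ func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
 cferr.BadRequest, errors.New("not a csr"))
 }
 
-csrTemplate, err := signer.ParseCertificateRequest(s, block.Bytes)
+csrTemplate, err := signer.ParseCertificateRequest(s, profile, block.Bytes)
 if err != nil {
 return nil, err
 }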
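--- a/PATH-NOT-SHOWN-7
+++ b/PATH-NOT-SHOWN-7
@@ -171,7 +171,7 @@ func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm {
 
 // ParseCertificateRequest takes an incoming certificate request and
 // builds a certificate template from it.
-func ParseCertificateRequest(s Signer, csrBytes []byte) (template *x509.Certificate, err error) {
+func ParseCertificateRequest(s Signer, p *config.SigningProfile, csrBytes []byte) (template *x509.Certificate, err error) {
 csrv, err := x509.ParseCertificateRequest(csrBytes)
 if err != nil {
 err = cferr.Wrap(cferr.CSRError, cferr.ParseFailed, err)
@@ -193,6 +193,8 @@ func ParseCertificateRequest(s Signer, csrBytes []byte) (template *x509.Certific
 IPAddresses: csrv.IPAddresses,
 EmailAddresses: csrv.EmailAddresses,
 URIs: csrv.URIs,
+Extensions: csrv.Extensions,
+ExtraExtensions: []pkix.Extension{},
 }
 
 for _, val := range csrv.Extensions {
@@ -212,6 +214,11 @@ func ParseCertificateRequest(s Signer, csrBytes []byte) (template *x509.Certific
 template.IsCA = constraints.IsCA
 template.MaxPathLen = constraints.MaxPathLen
 template.MaxPathLenZero = template.MaxPathLen == 0
+} else {
+// If the profile has 'copy_extensions' to true then lets add it
+if (p.CopyExtensions) {
+template.ExtraExtensions = append(template.ExtraExtensions, val)
+}
 }
 }
 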
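Review bot: With copy_extensions set, the else branch at lines 217-221 appends every CSR extension other than basicConstraints to template.ExtraExtensions, and x509.CreateCertificate documents that ExtraExtensions override the extensions it would otherwise derive from the template's other fields; so a requester who places keyUsage, extKeyUsage, subjectAltName or any critical extension in the CSR overrides whatever the signing profile later sets on the template (that code is outside the hunk, but the override applies to any same-OID extension). An allow-list of OIDs the profile permits to be copied, or at minimum an explicit skip of the OIDs the signer derives from the profile, would keep the profile authoritative; the comment at line 218 should say which extensions are copied and that they take precedence. The new `p` parameter is dereferenced at line 219 with no nil check, so the exported ParseCertificateRequest now panics for any caller that passes nil; `if p != nil && p.CopyExtensions {` also drops the un-Go-like parentheses. `Extensions: csrv.Extensions` at line 196 is ignored when the certificate is marshalled (only ExtraExtensions is), so it matters only if something downstream reads template.Extensions. ParseCertificateRequest continues outside the hunk.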