From c13b1809c1483a3461ce469cbcdf56209338597e Mon Sep 17 00:00:00 2001
From: Misha Slavin
Date: Tue, 10 Sep 2024 10:58:23 -0700
Subject: [PATCH 1/5] wire SkipValidation further into SCEP provisioner

---
 authority/authority.go | 5 +++--
 scep/options.go | 6 ++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/authority/authority.go b/authority/authority.go
index 4a9123685..628bb9110 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -707,8 +707,9 @@ func (a *Authority) init() error {
 case a.requiresSCEP() && a.GetSCEP() == nil:
 if a.scepOptions == nil {
 options := &scep.Options{
- Roots: a.rootX509Certs,
- Intermediates: a.intermediateX509Certs,
+ Roots: a.rootX509Certs,
+ Intermediates: a.intermediateX509Certs,
+ SkipValidation: a.config.SkipValidation,
 }

 // intermediate certificates can be empty in RA mode
diff --git a/scep/options.go b/scep/options.go
index d173a76c6..06f76dc4b 100644
--- a/scep/options.go
+++ b/scep/options.go
@@ -26,6 +26,9 @@ type Options struct {
 // are used to be able to load the provisioners when the SCEP authority is being
 // validated.
 SCEPProvisionerNames []string
+ // SkipValidation is used to skip the validation of the options, when implementing custom // integrations
+ SkipValidation bool
 }

 type comparablePublicKey interface {
@@ -34,6 +37,9 @@ type comparablePublicKey interface {

 // Validate checks the fields in Options.
 func (o *Options) Validate() error {
+ if o.SkipValidation {
+ return nil
+ }
 switch {
 case len(o.Intermediates) == 0:
 return errors.New("no intermediate certificate available for SCEP authority")
From 6d9fa642239ce38df2b2914353bcad0c9d55aa91 Mon Sep 17 00:00:00 2001
From: Misha Slavin
Date: Mon, 23 Sep 2024 16:33:48 -0700
Subject: [PATCH 2/5] Changing to SkipSCEPValidation & addressing code review comments

---
 authority/authority.go | 2 +-
 authority/config/config.go | 1 +
 scep/options.go | 9 +++------
 3 files changed, 5 insertions(+), 7 deletions(-)

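Review bot: The `if o.SkipValidation { return nil }` guard at the top of Validate (hunk @@ -34,6 +37,9 in scep/options.go) bypasses the empty-Intermediates and nil-SignerCert checks with no replacement, so an Options built with the flag set can reach the SCEP authority carrying a nil SignerCert, and nothing in this hunk re-checks it later. The new field comment, "when implementing custom integrations", does not say what such an integration must still provide; spell the contract out, e.g. `// SkipValidation makes Validate return nil without checking Intermediates or SignerCert; a caller that sets it must supply usable values itself.` The authority.go hunk of this patch drives the flag from the CA-wide config.SkipValidation, which patch 2/5 of this series narrows to a dedicated SkipSCEPValidation. The rest of Validate lies outside the hunk.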
diff --git a/authority/authority.go b/authority/authority.go
index 628bb9110..e342f871f 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -709,7 +709,7 @@ func (a *Authority) init() error {
 options := &scep.Options{
 Roots: a.rootX509Certs,
 Intermediates: a.intermediateX509Certs,
- SkipValidation: a.config.SkipValidation,
+ SkipValidation: a.config.SkipSCEPValidation,
 }

 // intermediate certificates can be empty in RA mode
diff --git a/authority/config/config.go b/authority/config/config.go
index ea7ce35da..5392d37eb 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
@@ -85,6 +85,7 @@ type Config struct {
 CRL *CRLConfig `json:"crl,omitempty"`
 MetricsAddress string `json:"metricsAddress,omitempty"`
 SkipValidation bool `json:"-"`
+ SkipSCEPValidation bool `json:"-"`

 // Keeps record of the filename the Config is read from
 loadedFromFilepath string
diff --git a/scep/options.go b/scep/options.go
index 06f76dc4b..a064fdfd2 100644
--- a/scep/options.go
+++ b/scep/options.go
@@ -26,8 +26,7 @@ type Options struct {
 // are used to be able to load the provisioners when the SCEP authority is being
 // validated.
 SCEPProvisionerNames []string
- // SkipValidation is used to skip the validation of the options, when implementing custom
- // integrations
+ // SkipValidation is used to skip the validation of the SCEP options.
 SkipValidation bool
 }

@@ -37,12 +36,10 @@ type comparablePublicKey interface {

 // Validate checks the fields in Options.
 func (o *Options) Validate() error {
- if o.SkipValidation {
- return nil
- }
 switch {
+ case o.SkipValidation:
+ return nil
 case len(o.Intermediates) == 0:
- return errors.New("no intermediate certificate available for SCEP authority")
 case o.SignerCert == nil:
 return errors.New("no signer certificate available for SCEP authority")
 }
From 58bc8aa554e587bca38224c2fde0bebc62acaeb8 Mon Sep 17 00:00:00 2001
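Review bot: The exported SkipSCEPValidation field (hunk @@ -85,6 +85,7 in authority/config/config.go) is added without a doc comment, and its `json:"-"` tag means it cannot be set from the CA's JSON file, so a reader of the struct has no way to tell what it disables or how it is meant to be set. Suggest `// SkipSCEPValidation makes the SCEP authority skip scep.Options.Validate. It is not read from the JSON config and must be set in code.` above the field. The neighbouring SkipValidation, a context line here, has the same gap. The Config struct continues outside the hunk.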
From: Misha Slavin
Date: Mon, 23 Sep 2024 16:39:14 -0700
Subject: [PATCH 3/5] formatting

---
 authority/config/config.go | 40 +++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/authority/config/config.go b/authority/config/config.go
index 5392d37eb..d2692c20b 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
@@ -65,26 +65,26 @@ var (

 // Config represents the CA configuration and it's mapped to a JSON object.
 type Config struct {
- Root multiString `json:"root"`
- FederatedRoots []string `json:"federatedRoots"`
- IntermediateCert string `json:"crt"`
- IntermediateKey string `json:"key"`
- Address string `json:"address"`
- InsecureAddress string `json:"insecureAddress"`
- DNSNames []string `json:"dnsNames"`
- KMS *kms.Options `json:"kms,omitempty"`
- SSH *SSHConfig `json:"ssh,omitempty"`
- Logger json.RawMessage `json:"logger,omitempty"`
- DB *db.Config `json:"db,omitempty"`
- Monitoring json.RawMessage `json:"monitoring,omitempty"`
- AuthorityConfig *AuthConfig `json:"authority,omitempty"`
- TLS *TLSOptions `json:"tls,omitempty"`
- Password string `json:"password,omitempty"`
- Templates *templates.Templates `json:"templates,omitempty"`
- CommonName string `json:"commonName,omitempty"`
- CRL *CRLConfig `json:"crl,omitempty"`
- MetricsAddress string `json:"metricsAddress,omitempty"`
- SkipValidation bool `json:"-"`
+ Root multiString `json:"root"`
+ FederatedRoots []string `json:"federatedRoots"`
+ IntermediateCert string `json:"crt"`
+ IntermediateKey string `json:"key"`
+ Address string `json:"address"`
+ InsecureAddress string `json:"insecureAddress"`
+ DNSNames []string `json:"dnsNames"`
+ KMS *kms.Options `json:"kms,omitempty"`
+ SSH *SSHConfig `json:"ssh,omitempty"`
+ Logger json.RawMessage `json:"logger,omitempty"`
+ DB *db.Config `json:"db,omitempty"`
+ Monitoring json.RawMessage `json:"monitoring,omitempty"`
+ AuthorityConfig *AuthConfig `json:"authority,omitempty"`
+ TLS *TLSOptions `json:"tls,omitempty"`
+ Password string `json:"password,omitempty"`
+ Templates *templates.Templates `json:"templates,omitempty"`
+ CommonName string `json:"commonName,omitempty"`
+ CRL *CRLConfig `json:"crl,omitempty"`
+ MetricsAddress string `json:"metricsAddress,omitempty"`
+ SkipValidation bool `json:"-"`
 SkipSCEPValidation bool `json:"-"`

 // Keeps record of the filename the
Config is read from
From 4888a60c7653962e158657596a8b3d475953a2f4 Mon Sep 17 00:00:00 2001
From: Misha Slavin
Date: Mon, 23 Sep 2024 16:40:33 -0700
Subject: [PATCH 4/5] formatting

---
 authority/config/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authority/config/config.go b/authority/config/config.go
index d2692c20b..9ded399bc 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
@@ -85,7 +85,7 @@ type Config struct {
 CRL *CRLConfig `json:"crl,omitempty"`
 MetricsAddress string `json:"metricsAddress,omitempty"`
 SkipValidation bool `json:"-"`
- SkipSCEPValidation bool `json:"-"`
+ SkipSCEPValidation bool `json:"-"`

 // Keeps record of the filename the Config is read from
 loadedFromFilepath string
From 97aeb8d1965ef6eb12b67c2e5246401da9fa954e Mon Sep 17 00:00:00 2001
From: Misha Slavin
Date: Tue, 24 Sep 2024 11:14:04 -0700
Subject: [PATCH 5/5] fix errant deletion

---
 scep/options.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scep/options.go b/scep/options.go
index a064fdfd2..81cf86d97 100644
--- a/scep/options.go
+++ b/scep/options.go
@@ -40,6 +40,7 @@ func (o *Options) Validate() error {
 case o.SkipValidation:
 return nil
 case len(o.Intermediates) == 0:
+ return errors.New("no intermediate certificate available for SCEP authority")
 case o.SignerCert == nil:
 return errors.New("no signer certificate available for SCEP authority")
 }
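Review bot: This one-line restoration (hunk @@ -40,6 +40,7 in scep/options.go) shows that Validate has no test pinning its error paths: patch 2/5 of this series dropped this `return errors.New(...)`, which left `case len(o.Intermediates) == 0:` as an empty arm that, since Go switch arms do not fall through, presumably let an empty Intermediates list pass Validate until this fix. Suggest a table test in the scep package asserting that Validate returns an error for empty Intermediates and for a nil SignerCert, and returns nil only when SkipValidation is set, so both the bypass and the checks it bypasses stay covered. The function's closing lines lie outside the hunk.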