// Package challenge defines an interface for a dynamic challenge password cache.
package challenge
import (
	"context"
	"crypto/x509"
	"errors"
	"fmt"

	"github.com/micromdm/scep/v2/scep"
	scepserver "github.com/micromdm/scep/v2/server"
)
// Store is a dynamic challenge password cache.
//
// It is the seam between the SCEP server and whatever backs the
// one-time challenge passwords; Middleware consults it on every CSR.
type Store interface {
	// SCEPChallenge returns a challenge password, or an error if one
	// cannot be produced.
	SCEPChallenge() (string, error)
	// HasChallenge reports whether pw is a valid challenge password.
	// NOTE(review): Middleware's comment says the challenge is
	// "verified and invalidated", so implementations are presumably
	// expected to consume pw on a successful match — confirm against
	// the concrete Store implementations.
	HasChallenge(pw string) (bool, error)
}
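// Middleware wraps next in a CSRSignerContextFunc that verifies the
// challenge password carried in the CSR request before delegating to next.
//
// The challenge password originates from the client's CSR and is
// untrusted. An empty password is refused without consulting the store;
// otherwise the decision is delegated to store.HasChallenge, which the
// Store contract expects to verify and invalidate the challenge. A request
// whose challenge is unknown or already consumed is refused with an
// "invalid challenge" error and never reaches next. A store failure is
// returned wrapped, so callers can still inspect it with errors.Is/As.
func Middleware(store Store, next scepserver.CSRSignerContext) scepserver.CSRSignerContextFunc {
	return func(ctx context.Context, m *scep.CSRReqMessage) (*x509.Certificate, error) {
		// TODO: compare challenge only for PKCSReq?
		// A CSR without a challengePassword attribute can never carry a valid
		// one-time challenge; reject it before touching the store so that a
		// permissive store implementation cannot match the empty string.
		if m.ChallengePassword == "" {
			return nil, errors.New("invalid challenge")
		}
		valid, err := store.HasChallenge(m.ChallengePassword)
		if err != nil {
			// Distinguish a store failure from a rejected challenge; %w keeps
			// the original error reachable for errors.Is/As.
			return nil, fmt.Errorf("checking challenge password: %w", err)
		}
		if !valid {
			return nil, errors.New("invalid challenge")
		}
		return next.SignCSRContext(ctx, m)
	}
}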