Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add rudimentary (and incomplete) support for SCEP
- Loading branch information
Showing
10 changed files
with
698 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
package provisioner | ||
|
||
import ( | ||
"crypto/rsa" | ||
"crypto/x509" | ||
"encoding/pem" | ||
"fmt" | ||
"io/ioutil" | ||
|
||
"github.com/pkg/errors" | ||
) | ||
|
||
// SCEP is the SCEP provisioner type, an entity that can authorize the | ||
// SCEP provisioning flow | ||
type SCEP struct { | ||
*base | ||
Type string `json:"type"` | ||
Name string `json:"name"` | ||
// ForceCN bool `json:"forceCN,omitempty"` | ||
// Claims *Claims `json:"claims,omitempty"` | ||
// Options *Options `json:"options,omitempty"` | ||
// claimer *Claimer | ||
|
||
IntermediateCert string | ||
SigningKey string | ||
CACertificates []*x509.Certificate | ||
} | ||
|
||
// GetID returns the provisioner unique identifier. | ||
func (s SCEP) GetID() string { | ||
return "scep/" + s.Name | ||
} | ||
|
||
// GetName returns the name of the provisioner. | ||
func (s *SCEP) GetName() string { | ||
return s.Name | ||
} | ||
|
||
// GetType returns the type of provisioner. | ||
func (s *SCEP) GetType() Type { | ||
return TypeSCEP | ||
} | ||
|
||
// GetEncryptedKey returns the base provisioner encrypted key if it's defined. | ||
func (s *SCEP) GetEncryptedKey() (string, string, bool) { | ||
return "", "", false | ||
} | ||
|
||
// GetTokenID returns the identifier of the token. | ||
func (s *SCEP) GetTokenID(ott string) (string, error) { | ||
return "", errors.New("scep provisioner does not implement GetTokenID") | ||
} | ||
|
||
// GetCACertificates returns the CA certificate chain | ||
// TODO: this should come from the authority instead? | ||
func (s *SCEP) GetCACertificates() []*x509.Certificate { | ||
|
||
pemtxt, _ := ioutil.ReadFile(s.IntermediateCert) // TODO: move reading key to init? That's probably safer. | ||
block, _ := pem.Decode([]byte(pemtxt)) | ||
cert, err := x509.ParseCertificate(block.Bytes) | ||
if err != nil { | ||
fmt.Println(err) | ||
} | ||
|
||
// TODO: return chain? I'm not sure if the client understands it correctly | ||
return []*x509.Certificate{cert} | ||
} | ||
|
||
func (s *SCEP) GetSigningKey() *rsa.PrivateKey { | ||
|
||
keyBytes, err := ioutil.ReadFile(s.SigningKey) | ||
if err != nil { | ||
return nil | ||
} | ||
|
||
block, _ := pem.Decode([]byte(keyBytes)) | ||
if block == nil { | ||
return nil | ||
} | ||
|
||
key, err := x509.ParsePKCS1PrivateKey(block.Bytes) | ||
if err != nil { | ||
fmt.Println(err) | ||
return nil | ||
} | ||
|
||
return key | ||
} | ||
|
||
// Init initializes and validates the fields of a JWK type. | ||
func (s *SCEP) Init(config Config) (err error) { | ||
|
||
switch { | ||
case s.Type == "": | ||
return errors.New("provisioner type cannot be empty") | ||
case s.Name == "": | ||
return errors.New("provisioner name cannot be empty") | ||
} | ||
|
||
// // Update claims with global ones | ||
// if p.claimer, err = NewClaimer(p.Claims, config.Claims); err != nil { | ||
// return err | ||
// } | ||
|
||
s.IntermediateCert = config.IntermediateCert | ||
s.SigningKey = config.SigningKey | ||
s.CACertificates = config.CACertificates | ||
|
||
return err | ||
} | ||
|
||
// Interface guards | ||
var ( | ||
_ Interface = (*SCEP)(nil) | ||
//_ scep.Provisioner = (*SCEP)(nil) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.