Add handling of cnf claim
#1092
Conversation
github-actions
bot
added
the
needs triage
This commit allows to generate fingerprints for CSR files to the `step certificate fingerprint` command.
This commit allows passing confirmation claims to tokens to tie the tokens with a provided CSR or SSH public key. The confirmation claim is implemented in the token command as well as the com commands that uses a given CSR or ssh public key. Those are: - step ca token - step ca sign - step ssh certificate --sign Fixes smallstep/certificates#1637
| // Confirmation is a cli.Flag used to add a confirmation claim in the token. | ||
| Confirmation = cli.StringFlag{ | ||
| Name: "cnf", | ||
| Usage: `The <fingerprint> of the CSR to restrict this token for.`, | ||
| } | ||
|
|
||
| // ConfirmationFile is a cli.Flag used to add a confirmation claim in the | ||
| // tokens. It will add a confirmation kid with the fingerprint of the CSR. | ||
| ConfirmationFile = cli.StringFlag{ | ||
| Name: "cnf-file", | ||
| Usage: `The CSR <file> to restrict this token for.`, | ||
| } | ||
|
|
There was a problem hiding this comment.
Should these include something about the SSH public key, or want to keep it simple?
There was a problem hiding this comment.
They used to include it, but due to a comment in the certificates PR that suggested removing the cnf for SSH, I've removed it from here. Although I kept the SSH public key in the context.
| if isSSH { | ||
| sshPub, _, _, _, err := ssh.ParseAuthorizedKey(in) | ||
| if err != nil { | ||
| return errors.Wrap(err, "error parsing ssh public key") | ||
| } | ||
| tokenOpts = append(tokenOpts, cautils.WithSSHPublicKey(sshPub)) | ||
| } else { | ||
| csr, err := pemutil.ParseCertificateRequest(in) | ||
| if err != nil { | ||
| return errors.Wrap(err, "error parsing certificate request") | ||
| } | ||
| tokenOpts = append(tokenOpts, cautils.WithCertificateRequest(csr)) |
There was a problem hiding this comment.
Instead of passing the CSR or SSH public key, the claim itself could be calculated here, and just pass it as the fingerprint directly? Or is there some flow in which to defer calculation of the fingerprint is necessary? step ca sign, maybe?
There was a problem hiding this comment.
step ca sign use cautils.WithCertificateRequest(csr) and step ssh certificate use cautils.WithSSHPublicKey(sshPub), although the SSH one is currently totally ignored. These fields go to the shared context of the cautils package and end up in the token package, which takes care of calculating the fingerprint and adding the proper attribute to the final token. Right now, only the CSR gets into the token package, but sending the type allows us to specify the right attribute now that we don't share just kid.
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
Allow to add confirmation claims to tokens
This commit allows passing confirmation claims to tokens to tie the
tokens with a provided CSR or SSH public key.
Fixes smallstep/certificates#1637
Related PR: