mirror of https://github.com/status-im/consul.git
agent/connect: use proper keyusage fields for CA and leaf
This commit is contained in:
parent
73442ada5a
commit
0cbcb07d61
|
@ -6,7 +6,6 @@ import (
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
"crypto/elliptic"
|
"crypto/elliptic"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/sha256"
|
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
|
@ -67,7 +66,9 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
|
||||||
PermittedDNSDomainsCritical: true,
|
PermittedDNSDomainsCritical: true,
|
||||||
PermittedDNSDomains: []string{uri.Hostname()},
|
PermittedDNSDomains: []string{uri.Hostname()},
|
||||||
BasicConstraintsValid: true,
|
BasicConstraintsValid: true,
|
||||||
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
|
KeyUsage: x509.KeyUsageCertSign |
|
||||||
|
x509.KeyUsageCRLSign |
|
||||||
|
x509.KeyUsageDigitalSignature,
|
||||||
IsCA: true,
|
IsCA: true,
|
||||||
NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
|
NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
|
||||||
NotBefore: time.Now(),
|
NotBefore: time.Now(),
|
||||||
|
@ -100,7 +101,11 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
|
||||||
t.Fatalf("error parsing signing key: %s", err)
|
t.Fatalf("error parsing signing key: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set the authority key to be the previous one
|
// Set the authority key to be the previous one.
|
||||||
|
// NOTE(mitchellh): From Paul Banks: if we have to cross-sign a cert
|
||||||
|
// that came from outside (e.g. vault) we can't rely on them using the
|
||||||
|
// same KeyID hashing algo we do so we'd need to actually copy this
|
||||||
|
// from the xc cert's subjectKeyIdentifier extension.
|
||||||
template.AuthorityKeyId = testKeyID(t, xcsigner.Public())
|
template.AuthorityKeyId = testKeyID(t, xcsigner.Public())
|
||||||
|
|
||||||
// Create the new certificate where the parent is the previous
|
// Create the new certificate where the parent is the previous
|
||||||
|
@ -161,7 +166,10 @@ func TestLeaf(t testing.T, service string, root *structs.CARoot) string {
|
||||||
URIs: []*url.URL{spiffeId.URI()},
|
URIs: []*url.URL{spiffeId.URI()},
|
||||||
SignatureAlgorithm: x509.ECDSAWithSHA256,
|
SignatureAlgorithm: x509.ECDSAWithSHA256,
|
||||||
BasicConstraintsValid: true,
|
BasicConstraintsValid: true,
|
||||||
KeyUsage: x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement,
|
KeyUsage: x509.KeyUsageDataEncipherment |
|
||||||
|
x509.KeyUsageKeyAgreement |
|
||||||
|
x509.KeyUsageDigitalSignature |
|
||||||
|
x509.KeyUsageKeyEncipherment,
|
||||||
ExtKeyUsage: []x509.ExtKeyUsage{
|
ExtKeyUsage: []x509.ExtKeyUsage{
|
||||||
x509.ExtKeyUsageClientAuth,
|
x509.ExtKeyUsageClientAuth,
|
||||||
x509.ExtKeyUsageServerAuth,
|
x509.ExtKeyUsageServerAuth,
|
||||||
|
@ -230,23 +238,15 @@ func TestCSR(t testing.T, id SpiffeID) (string, string) {
|
||||||
return csrBuf.String(), pkBuf.String()
|
return csrBuf.String(), pkBuf.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
// testKeyID returns a KeyID from the given public key. The "raw" must be
|
// testKeyID returns a KeyID from the given public key. This just calls
|
||||||
// an *ecdsa.PublicKey, but is an interface type to suppot crypto.Signer.Public
|
// KeyId but handles errors for tests.
|
||||||
// values.
|
|
||||||
func testKeyID(t testing.T, raw interface{}) []byte {
|
func testKeyID(t testing.T, raw interface{}) []byte {
|
||||||
pub, ok := raw.(*ecdsa.PublicKey)
|
result, err := KeyId(raw)
|
||||||
if !ok {
|
if err != nil {
|
||||||
t.Fatalf("raw is type %T, expected *ecdsa.PublicKey", raw)
|
t.Fatalf("KeyId error: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// This is not standard; RFC allows any unique identifier as long as they
|
return result
|
||||||
// match in subject/authority chains but suggests specific hashing of DER
|
|
||||||
// bytes of public key including DER tags. I can't be bothered to do esp.
|
|
||||||
// since ECDSA keys don't have a handy way to marshal the publick key alone.
|
|
||||||
h := sha256.New()
|
|
||||||
h.Write(pub.X.Bytes())
|
|
||||||
h.Write(pub.Y.Bytes())
|
|
||||||
return h.Sum([]byte{})
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// testMemoizePK is the private key that we memoize once we generate it
|
// testMemoizePK is the private key that we memoize once we generate it
|
||||||
|
|
|
@ -232,7 +232,10 @@ func (s *ConnectCA) Sign(
|
||||||
PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
|
PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
|
||||||
PublicKey: csr.PublicKey,
|
PublicKey: csr.PublicKey,
|
||||||
BasicConstraintsValid: true,
|
BasicConstraintsValid: true,
|
||||||
KeyUsage: x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement,
|
KeyUsage: x509.KeyUsageDataEncipherment |
|
||||||
|
x509.KeyUsageKeyAgreement |
|
||||||
|
x509.KeyUsageDigitalSignature |
|
||||||
|
x509.KeyUsageKeyEncipherment,
|
||||||
ExtKeyUsage: []x509.ExtKeyUsage{
|
ExtKeyUsage: []x509.ExtKeyUsage{
|
||||||
x509.ExtKeyUsageClientAuth,
|
x509.ExtKeyUsageClientAuth,
|
||||||
x509.ExtKeyUsageServerAuth,
|
x509.ExtKeyUsageServerAuth,
|
||||||
|
|
Loading…
Reference in New Issue