Skip to content

Commit

Permalink
Allowing specifying signing algorithm for depot signer (#221)
Browse files Browse the repository at this point in the history
* Allowing specifying signing algorithm for depot signer

* gofmt

* Update depot/signer.go

Co-authored-by: Jesse Peterson <[email protected]>

---------

Co-authored-by: Jesse Peterson <[email protected]>
  • Loading branch information
venkyg-sec and jessepeterson authored Dec 1, 2023
1 parent ef6a180 commit 1ff3fe2
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 1 deletion.
18 changes: 17 additions & 1 deletion depot/signer.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ type Signer struct {
allowRenewalDays int
validityDays int
serverAttrs bool
signatureAlgo x509.SignatureAlgorithm
}

// Option customizes Signer
Expand All @@ -29,13 +30,23 @@ func NewSigner(depot Depot, opts ...Option) *Signer {
depot: depot,
allowRenewalDays: 14,
validityDays: 365,
signatureAlgo: 0,
}
for _, opt := range opts {
opt(s)
}
return s
}

// WithSignatureAlgorithm sets the signature algorithm to be used to sign certificates.
// When set to a non-zero value, this would take preference over the default behaviour of
// matching the signing algorithm from the x509 CSR.
func WithSignatureAlgorithm(a x509.SignatureAlgorithm) Option {
return func(s *Signer) {
s.signatureAlgo = a
}
}

// WithCAPass specifies the password to use with an encrypted CA key
func WithCAPass(pass string) Option {
return func(s *Signer) {
Expand Down Expand Up @@ -78,6 +89,11 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
return nil, err
}

var signatureAlgo x509.SignatureAlgorithm
if s.signatureAlgo != 0 {
signatureAlgo = s.signatureAlgo
}

// create cert template
tmpl := &x509.Certificate{
SerialNumber: serial,
Expand All @@ -89,7 +105,7 @@ func (s *Signer) SignCSR(m *scep.CSRReqMessage) (*x509.Certificate, error) {
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
},
SignatureAlgorithm: m.CSR.SignatureAlgorithm,
SignatureAlgorithm: signatureAlgo,
DNSNames: m.CSR.DNSNames,
EmailAddresses: m.CSR.EmailAddresses,
IPAddresses: m.CSR.IPAddresses,
Expand Down
6 changes: 6 additions & 0 deletions server/service_bolt_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,12 @@ func TestCaCert(t *testing.T) {
t.Error("no established chain between issued cert and CA")
}

if csr.SignatureAlgorithm != respCert.SignatureAlgorithm {
t.Fatal(fmt.Errorf("cert signature algo %s different from csr signature algo %s",
csr.SignatureAlgorithm.String(),
respCert.SignatureAlgorithm.String()))
}

// verify unique certificate serials
for _, ser := range serCollector {
if respCert.SerialNumber.Cmp(ser) == 0 {
Expand Down

0 comments on commit 1ff3fe2

Please sign in to comment.