tl;dr Changes internal API for how signing of certificates works in the scep server.
This PR changes the core organization of the SCEP server service in support of #112. The service itself (in server/service.go) is much simplified due to removing all CA functionality. In lieu of CA implementation details being in the server service we opted for a way to modularize certificate signing (and any other duties that need to inspect and take action on the CSR). Thus the scepserver.CSRSigner interface:

Due to the interface and associated adapter functions this also makes it possible to chain together these CSRSigners to modularize most of the functionality we need — not so dissimilar from how http.HandlerFunc works. For example, because scep.CSRReqMessage contains the parsed and raw CSR as well as the challenge password, the SCEP challenge password checking can just be a middleware over the actual CA implementation.

The other (minor, compared to the above) change is a separation of "service" certificates from the CA certificates. While for most users these are the same certs and keys (i.e. the SCEP protocol exchanges just use the same keypair as the CA), some users may want to use the SCEP service with another CA that has its own keypair, or as an RA (Registration Authority — a "proxy" of sorts). This change allows that.