Added support for signaturepolicy.hashalgorithm Atlas request require…

…ment
nhgs64 · Aug 1, 2023 · 2d89920 · 2d89920
1 parent ef44f70
commit 2d89920
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 9 deletions.
diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.17
 
 require (
 	github.com/cert-manager/cert-manager v1.8.0
-	github.com/globalsign/hvclient v1.4.0
+	github.com/globalsign/hvclient v1.5.0
 	github.com/go-logr/logr v1.2.0
 	github.com/stretchr/testify v1.7.0
 	k8s.io/api v0.23.4

diff --git a/go.sum b/go.sum
@@ -160,8 +160,8 @@ github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5
 github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/globalsign/hvclient v1.4.0 h1:qi8mss3GwjVVhOntZ4Eyoztt8IfGjH4aTE3ICIN93Ag=
-github.com/globalsign/hvclient v1.4.0/go.mod h1:n5Il4cZrUu4LHwZt4praoOhZqEnYqDOs83OD9c1DhrE=
+github.com/globalsign/hvclient v1.5.0 h1:cKZNKGGVhSq55Fbl+zKTCbhMaEssbVnwxjObvHELol8=
+github.com/globalsign/hvclient v1.5.0/go.mod h1:n5Il4cZrUu4LHwZt4praoOhZqEnYqDOs83OD9c1DhrE=
 github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=

diff --git a/internal/issuer/signer/signer.go b/internal/issuer/signer/signer.go
@@ -83,10 +83,11 @@ func (o *hvcaSigner) Sign(csrBytes []byte) ([]byte, error) {
 	}
 
 	var req = hvclient.Request{
-		CSR:      csr,
-		Subject:  &hvclient.DN{},
-		SAN:      &hvclient.SAN{},
-		Validity: &hvclient.Validity{NotBefore: time.Now(), NotAfter: time.Unix(0, 0)},
+		CSR:       csr,
+		Subject:   &hvclient.DN{},
+		SAN:       &hvclient.SAN{},
+		Validity:  &hvclient.Validity{NotBefore: time.Now(), NotAfter: time.Unix(0, 0)},
+		Signature: &hvclient.Signature{},
 	}
 	// Pull the validation policy and check it for required fields
 	vp, err := clnt.Policy(ctx)
@@ -138,13 +139,16 @@ func (o *hvcaSigner) Sign(csrBytes []byte) ([]byte, error) {
 	}
 	// Check key type
 	if vp.PublicKey.KeyType.String() != csr.PublicKeyAlgorithm.String() {
-		return nil, errors.New("CSR public key type doesn't match Atlas account pubic key type")
+		return nil, errors.New("csr public key type doesn't match Atlas account pubic key type: CSR - " + csr.PublicKeyAlgorithm.String() + "Atlas - " + vp.PublicKey.KeyType.String())
 	}
 	// Check PKCS type
 	if vp.PublicKey.KeyFormat != hvclient.PKCS10 {
 		return nil, errors.New("atlas account does not support pkcs10 key format, update atlas account")
 	}
-
+	// Check signature hash algorithm requirement and set to the first approved one
+	if vp.SignaturePolicy.HashAlgorithm.Presence == 2 { //Presence is required
+		req.Signature.HashAlgorithm = vp.SignaturePolicy.HashAlgorithm.List[0]
+	}
 	// Request cert
 	if serial, err = clnt.CertificateRequest(ctx, &req); err != nil {
 		return nil, err