Add handling of cnf claim #1092
base: master
Conversation
This commit allows generating fingerprints for CSR files with the `step certificate fingerprint` command.
This commit allows passing confirmation claims to tokens to tie the tokens to a provided CSR or SSH public key. The confirmation claim is implemented in the token command as well as the commands that use a given CSR or SSH public key. Those are:
- step ca token
- step ca sign
- step ssh certificate --sign
Fixes smallstep/certificates#1637
''' | ||
|
||
Get the fingerprint for a CSR using base64-url without padding encoding: | ||
''' | ||
$ step certificate fingerprint --format base64-url-raw hello.csr | ||
PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw |
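Review bot: the help text names the encoding (base64-url without padding) but not the digest behind the 43-character value; the token side of this PR hardcodes SHA-256 when it computes the `cnf` fingerprint, so the help example should say "SHA-256 fingerprint" explicitly so a user can reproduce the value with other tooling and confirm what a token is bound to.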
''' | |
Get the fingerprint for a CSR using base64-url without padding encoding: | |
''' | |
$ step certificate fingerprint --format base64-url-raw hello.csr | |
PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw | |
''' | |
Get the fingerprint for a CSR using base64-url encoding without padding: | |
''' | |
$ step certificate fingerprint --format base64-url-raw hello.csr | |
PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw |
default: | ||
return fmt.Errorf("unsupported fingerprint for %T", vv) | ||
} |
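Review bot: the `default` arm's error only says "unsupported fingerprint for %T", which tells a user of `step certificate fingerprint` nothing about what the command does accept; name the accepted inputs in the message, e.g. `return fmt.Errorf("unsupported type %T: expected a certificate or certificate request", v)`, alongside the `vv` to `v` rename suggested in the review.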
default: | |
return fmt.Errorf("unsupported fingerprint for %T", vv) | |
} | |
default: | |
return fmt.Errorf("unsupported fingerprint for %T", v) | |
} |
@@ -186,6 +200,8 @@ multiple principals.`, | |||
flags.SSHPOPKey, | |||
flags.NebulaCert, | |||
flags.NebulaKey, | |||
flags.ConfirmationFile, | |||
flags.ConfirmationKid, |
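Review bot: `flags.ConfirmationFile` and `flags.ConfirmationKid` appear to feed the same `cnf` value from two sources, and nothing visible here rejects both being passed at once; add a mutual-exclusion check (or document which one wins) so a token is never silently bound to a different key than the caller intended, and add a `--cnf-kid` example to the command help as requested in the review.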
Can you add an example for --cnf-kid?
// ConfirmationKid is a cli.Flag used to add a confirmation claim in the | ||
// token. | ||
ConfirmationKid = cli.StringFlag{ | ||
Name: "cnf-kid", | ||
Usage: `The <fingerprint> of the CSR or SSH public key to restrict this token for.`, | ||
} |
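Review bot: the Usage string says `<fingerprint>` without saying which form is expected, while the token code compares against a SHA-256 value in unpadded base64url; spell that out here, for example "The base64url (unpadded) SHA-256 <fingerprint> of the CSR or SSH public key, as printed by `step certificate fingerprint --format base64-url-raw`", and change "restrict this token for" to "restrict this token to".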
Should this be just --cnf? Do we expect different types of values in there? See my note about using kid too.
kid, err := fingerprint.New(data, crypto.SHA256, fingerprint.Base64RawURLFingerprint) | ||
if err != nil { | ||
return err | ||
} | ||
c.Set(ConfirmationClaim, map[string]string{ | ||
"kid": kid, | ||
}) |
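Review bot: the error from `fingerprint.New` is returned without context, so a bad CSR or key file surfaces as a bare fingerprint error; wrap it, e.g. `return fmt.Errorf("error computing cnf fingerprint: %w", err)`. Also note that `c.Set(ConfirmationClaim, ...)` replaces any `cnf` already present on the claims without a warning; if both `--cnf` and `--cnf-kid` can reach this code, the last caller wins silently.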
For the X509 case, the value maybe shouldn't be put in kid, as we generally use that claim to carry the thumbprint of a JWK (used as key identifier); not the hash of a full request. Arguably, the kid can be filled arbitrarily, as long as it identifies the key, so it's not wrong to put the hash of the CSR in there, but I think using a different name might be better.
There's "cnf":{"x5t#S256":"...."} in https://datatracker.ietf.org/doc/html/rfc8705#section-appendix.a, which is for certificates. Can we find/use/create a (custom) variant of that for certificate requests? E.g. "x5rt#S256", or something like that?
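The binding this PR describes (a token whose `cnf` claim carries the fingerprint of the CSR it may be used for) and the CA-side check that makes the binding useful, as an added Go example that is not the PR's or smallstep's own code. It assumes the fingerprint is the SHA-256 of the CSR's DER bytes in unpadded base64url (the 43-character form shown in the help text above); the claim member name is a parameter so that the `kid` used in the PR and an `x5t#S256`-style name as discussed in the review can both be tried. A plain JSON claim set stands in for the signed token, whose signature is assumed to have been verified already; the key and CSR are constructed in the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ErrNoCnf is returned when the token carries no confirmation claim at all,
// so the caller can decide whether an unbound token is acceptable.
var ErrNoCnf = errors.New("token has no cnf claim")

// Fingerprint returns the SHA-256 digest of der encoded as base64url without
// padding, the 43-character form `step certificate fingerprint --format
// base64-url-raw` prints (assumption: the CLI hashes the DER bytes).
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ClaimsWithCnf builds a JSON claim set whose cnf object binds the token to
// csrDER under the given member name ("kid" in the PR; the review thread
// discusses an x5t#S256-style name instead).
func ClaimsWithCnf(sub, member string, csrDER []byte) ([]byte, error) {
	claims := map[string]any{
		"sub": sub,
		"cnf": map[string]string{member: Fingerprint(csrDER)},
	}
	return json.Marshal(claims)
}

// VerifyCnf is the CA-side check: the CSR presented with the token must be a
// well-formed, self-signed request whose fingerprint equals the one in cnf.
func VerifyCnf(claimsJSON []byte, member string, csrDER []byte) error {
	var claims struct {
		Cnf map[string]string `json:"cnf"`
	}
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return fmt.Errorf("parsing claims: %w", err)
	}
	if claims.Cnf == nil {
		return ErrNoCnf
	}
	want, ok := claims.Cnf[member]
	if !ok {
		return fmt.Errorf("cnf claim has no %q member", member)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("parsing csr: %w", err)
	}
	// Proof of possession of the CSR key: the fingerprint then binds the token
	// to a key the requester actually holds, not to arbitrary bytes.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("csr signature: %w", err)
	}
	if got := Fingerprint(csr.Raw); got != want {
		return fmt.Errorf("csr fingerprint %s does not match cnf %s", got, want)
	}
	return nil
}

// NewCSR generates a throwaway P-256 key and a CSR for cn (constructed input
// for the demo, not a real request).
func NewCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	csr, err := NewCSR("hello")
	if err != nil {
		panic(err)
	}
	claims, err := ClaimsWithCnf("hello", "kid", csr)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(claims))
	fmt.Println("bound csr:  ", VerifyCnf(claims, "kid", csr))
	other, _ := NewCSR("other")
	fmt.Println("other csr:  ", VerifyCnf(claims, "kid", other))
}
```

The check parses and signature-verifies the CSR before comparing fingerprints, so a token can only be redeemed with a request whose key the presenter controls; a token without any `cnf` is reported separately (`ErrNoCnf`) rather than treated as a match or a mismatch, leaving the policy decision to the caller.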
Allow to add confirmation claims to tokens
This commit allows passing confirmation claims to tokens to tie the
tokens with a provided CSR or SSH public key.
Fixes smallstep/certificates#1637
Related PR: