Merge pull request #41 from smallstep/feat/extraNames

Add ExtraNames
smallstep · Mar 31, 2022 · 10762eb · 10762eb
2 parents 7d0f0dd + 06fddec
commit 10762eb
Show file tree

Hide file tree

Showing 6 changed files with 190 additions and 38 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        go: [ '1.16', '1.17' ]
+        go: [ '1.17', '1.18' ]
     steps:
       -
         name: Checkout
@@ -26,7 +26,7 @@ jobs:
         name: golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:
-          version: 'v1.44.0'
+          version: 'v1.45.2'
           args: --timeout=30m
       -
         name: Test, Build

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        go: [ '1.16', '1.17' ]
+        go: [ '1.17', '1.18' ]
     steps:
       -
         name: Checkout
@@ -28,7 +28,7 @@ jobs:
         name: golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:
-          version: 'v1.44.0'
+          version: 'v1.45.2'
           args: --timeout=30m
       -
         name: Test, Build
@@ -37,7 +37,7 @@ jobs:
       -
         name: Codecov
         uses: codecov/codecov-action@v1.2.1
-        if: matrix.go == '1.17'
+        if: matrix.go == '1.18'
         with:
           file: ./coverage.out
           name: codecov-umbrella

diff --git a/minica/minica.go b/minica/minica.go
@@ -14,6 +14,7 @@ import (
 // CA is the implementation of a simple X.509 and SSH CA.
 type CA struct {
 	Root          *x509.Certificate
+	RootSigner    crypto.Signer
 	Intermediate  *x509.Certificate
 	Signer        crypto.Signer
 	SSHHostSigner ssh.Signer
@@ -92,6 +93,7 @@ func New(opts ...Option) (*CA, error) {
 
 	return &CA{
 		Root:          root,
+		RootSigner:    rootSigner,
 		Intermediate:  intermediate,
 		Signer:        intSigner,
 		SSHHostSigner: sshHostSigner,

diff --git a/x509util/certpool_test.go b/x509util/certpool_test.go
@@ -30,6 +30,9 @@ func TestReadCertPool(t *testing.T) {
 				return
 			}
 			if got != nil {
+				// nolint:staticcheck // there's no other way to compare two
+				// certpools, https://github.com/golang/go/issues/46057 might
+				// fix this.
 				subjects := got.Subjects()
 				if !reflect.DeepEqual(subjects, tt.wantSubjects) {
 					t.Errorf("x509.CertPool.Subjects() got = %v, want %v", subjects, tt.wantSubjects)

diff --git a/x509util/name.go b/x509util/name.go
@@ -3,6 +3,7 @@ package x509util
 import (
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/json"
 
 	"github.com/pkg/errors"
@@ -11,15 +12,31 @@ import (
 // Name is the JSON representation of X.501 type Name, used in the X.509 subject
 // and issuer fields.
 type Name struct {
-	Country            MultiString `json:"country,omitempty"`
-	Organization       MultiString `json:"organization,omitempty"`
-	OrganizationalUnit MultiString `json:"organizationalUnit,omitempty"`
-	Locality           MultiString `json:"locality,omitempty"`
-	Province           MultiString `json:"province,omitempty"`
-	StreetAddress      MultiString `json:"streetAddress,omitempty"`
-	PostalCode         MultiString `json:"postalCode,omitempty"`
-	SerialNumber       string      `json:"serialNumber,omitempty"`
-	CommonName         string      `json:"commonName,omitempty"`
+	Country            MultiString         `json:"country,omitempty"`
+	Organization       MultiString         `json:"organization,omitempty"`
+	OrganizationalUnit MultiString         `json:"organizationalUnit,omitempty"`
+	Locality           MultiString         `json:"locality,omitempty"`
+	Province           MultiString         `json:"province,omitempty"`
+	StreetAddress      MultiString         `json:"streetAddress,omitempty"`
+	PostalCode         MultiString         `json:"postalCode,omitempty"`
+	SerialNumber       string              `json:"serialNumber,omitempty"`
+	CommonName         string              `json:"commonName,omitempty"`
+	ExtraNames         []DistinguishedName `json:"extraNames,omitempty"`
+}
+
+func newName(n pkix.Name) Name {
+	return Name{
+		Country:            n.Country,
+		Organization:       n.Organization,
+		OrganizationalUnit: n.OrganizationalUnit,
+		Locality:           n.Locality,
+		Province:           n.Province,
+		StreetAddress:      n.StreetAddress,
+		PostalCode:         n.PostalCode,
+		SerialNumber:       n.SerialNumber,
+		CommonName:         n.CommonName,
+		ExtraNames:         newDistinguisedNames(n.ExtraNames),
+	}
 }
 
 // UnmarshalJSON implements the json.Unmarshal interface and unmarshals a JSON
@@ -43,17 +60,7 @@ func (n *Name) UnmarshalJSON(data []byte) error {
 type Subject Name
 
 func newSubject(n pkix.Name) Subject {
-	return Subject{
-		Country:            n.Country,
-		Organization:       n.Organization,
-		OrganizationalUnit: n.OrganizationalUnit,
-		Locality:           n.Locality,
-		Province:           n.Province,
-		StreetAddress:      n.StreetAddress,
-		PostalCode:         n.PostalCode,
-		SerialNumber:       n.SerialNumber,
-		CommonName:         n.CommonName,
-	}
+	return Subject(newName(n))
 }
 
 // UnmarshalJSON implements the json.Unmarshal interface and unmarshals a JSON
@@ -79,24 +86,15 @@ func (s Subject) Set(c *x509.Certificate) {
 		PostalCode:         s.PostalCode,
 		SerialNumber:       s.SerialNumber,
 		CommonName:         s.CommonName,
+		ExtraNames:         fromDistinguisedNames(s.ExtraNames),
 	}
 }
 
 // Issuer is the JSON representation of the X.509 issuer field.
 type Issuer Name
 
 func newIssuer(n pkix.Name) Issuer {
-	return Issuer{
-		Country:            n.Country,
-		Organization:       n.Organization,
-		OrganizationalUnit: n.OrganizationalUnit,
-		Locality:           n.Locality,
-		Province:           n.Province,
-		StreetAddress:      n.StreetAddress,
-		PostalCode:         n.PostalCode,
-		SerialNumber:       n.SerialNumber,
-		CommonName:         n.CommonName,
-	}
+	return Issuer(newName(n))
 }
 
 // UnmarshalJSON implements the json.Unmarshal interface and unmarshals a JSON
@@ -122,5 +120,35 @@ func (i Issuer) Set(c *x509.Certificate) {
 		PostalCode:         i.PostalCode,
 		SerialNumber:       i.SerialNumber,
 		CommonName:         i.CommonName,
+		ExtraNames:         fromDistinguisedNames(i.ExtraNames),
+	}
+}
+
+// DistinguishedName mirrors the ASN.1 structure AttributeTypeAndValue in RFC
+// 5280, Section 4.1.2.4.
+type DistinguishedName struct {
+	Type  ObjectIdentifier `json:"type"`
+	Value interface{}      `json:"value"`
+}
+
+func newDistinguisedNames(atvs []pkix.AttributeTypeAndValue) []DistinguishedName {
+	var extraNames []DistinguishedName
+	for _, atv := range atvs {
+		extraNames = append(extraNames, DistinguishedName{
+			Type:  ObjectIdentifier(atv.Type),
+			Value: atv.Value,
+		})
+	}
+	return extraNames
+}
+
+func fromDistinguisedNames(dns []DistinguishedName) []pkix.AttributeTypeAndValue {
+	var atvs []pkix.AttributeTypeAndValue
+	for _, dn := range dns {
+		atvs = append(atvs, pkix.AttributeTypeAndValue{
+			Type:  asn1.ObjectIdentifier(dn.Type),
+			Value: dn.Value,
+		})
 	}
+	return atvs
 }