Merge branch 'master' into adding-go-modules
marcosy committed Jan 3, 2019
2 parents d7bcda2 + a8aa4d0 commit 7fbe74b
Showing 2 changed files with 29 additions and 6 deletions.
23 changes: 20 additions & 3 deletions pkg/server/ca/ca_test.go
Expand Up @@ -148,6 +148,18 @@ func (s *CATestSuite) TestSignX509SVIDValidatesCSR() {
s.Require().EqualError(err, `"spiffe://foo.com" does not belong to trust domain "example.org"`)
}

func (s *CATestSuite) TestSignX509SVIDWithEvilSubject() {
csr := &x509.CertificateRequest{
Subject: pkix.Name{
CommonName: "mybank.example.org",
},
URIs: []*url.URL{makeSpiffeID("example.org")},
}
certs, err := s.ca.SignX509SVID(ctx, s.signCSR(csr), 0)
s.Require().NoError(err)
s.Assert().NotEqual("mybank.example.org", certs[0].Subject.CommonName)
}

func (s *CATestSuite) TestSignX509SVIDIncrementsSerialNumber() {
svid1, err := s.ca.SignX509SVID(ctx, s.generateCSR("example.org"), 0)
s.Require().NoError(err)
Expand Down Expand Up @@ -205,11 +217,16 @@ func (s *CATestSuite) TestSignJWTSVIDValidatesJSR() {
}

func (s *CATestSuite) generateCSR(trustDomain string) []byte {
csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
csr := &x509.CertificateRequest{
URIs: []*url.URL{makeSpiffeID(trustDomain)},
}, s.signer)
}
return s.signCSR(csr)
}

func (s *CATestSuite) signCSR(csr *x509.CertificateRequest) []byte {
csrBytes, err := x509.CreateCertificateRequest(rand.Reader, csr, s.signer)
s.Require().NoError(err)
return csr
return csrBytes
}

func (s *CATestSuite) generateJSR(trustDomain string, ttl time.Duration) *node.JSR {
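Review bot: TestSignX509SVIDWithEvilSubject only asserts that the issued CommonName differs from the requested one, so a regression that copied Organization or OrganizationalUnit from the CSR into the SVID would still pass, and so would any unexpected CN as long as it is not the requested string. Give the CSR an Organization as well and assert the issued subject is exactly the CA-chosen one, e.g. `s.Assert().Empty(certs[0].Subject.CommonName)` and `s.Assert().Equal([]string{"SPIRE"}, certs[0].Subject.Organization)`, matching the fixed subject templates.go sets in this same commit. Asserting the positive value also documents the expected subject rather than one forbidden value.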
12 changes: 9 additions & 3 deletions pkg/server/ca/templates.go
Expand Up @@ -2,6 +2,7 @@ package ca

import (
"crypto/x509"
"crypto/x509/pkix"
"math/big"
"time"

Expand Down Expand Up @@ -32,8 +33,8 @@ func CreateServerCATemplate(csrDER []byte, trustDomain string, notBefore, notAft
x509.KeyUsageCertSign |
x509.KeyUsageCRLSign,
BasicConstraintsValid: true,
IsCA: true,
PublicKey: csr.PublicKey,
IsCA: true,
PublicKey: csr.PublicKey,
}, nil
}

Expand All @@ -43,14 +44,19 @@ func CreateX509SVIDTemplate(csrDER []byte, trustDomain string, notBefore, notAft
return nil, err
}

subject := pkix.Name{
Country: []string{"US"},
Organization: []string{"SPIRE"},
}

keyID, err := x509util.GetSubjectKeyId(csr.PublicKey)
if err != nil {
return nil, err
}

return &x509.Certificate{
SerialNumber: serialNumber,
Subject: csr.Subject,
Subject: subject,
URIs: csr.URIs,
NotBefore: notBefore,
NotAfter: notAfter,
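Review bot: The fixed `subject` literal in CreateX509SVIDTemplate carries no explanation of why the CSR's Subject is no longer honored, which is the whole point of the change; add a comment on the declaration such as `// Subject is chosen by the CA and never copied from the CSR, so a workload cannot request an arbitrary CN or organization; the SPIFFE ID in the URI SAN carries identity.` Consider hoisting the pkix.Name to a package-level `var` so tests can compare against the same value instead of repeating the strings. CreateServerCATemplate's Subject line lies outside the second hunk; if it likewise copies csr.Subject, the same replacement applies there. The body of CreateX509SVIDTemplate continues past the end of this hunk.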
