Add handling of cnf claim
#1092
Conversation
github-actions
bot
added
the
needs triage
This commit allows to generate fingerprints for CSR files to the `step certificate fingerprint` command.
This commit allows passing confirmation claims to tokens to tie the tokens with a provided CSR or SSH public key. The confirmation claim is implemented in the token command as well as the com commands that uses a given CSR or ssh public key. Those are: - step ca token - step ca sign - step ssh certificate --sign Fixes smallstep/certificates#1637
| ''' | ||
|
|
||
| Get the fingerprint for a CSR using base64-url without padding encoding: | ||
| ''' | ||
| $ step certificate fingerprint --format base64-url-raw hello.csr | ||
| PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw |
There was a problem hiding this comment.
| ''' | |
| Get the fingerprint for a CSR using base64-url without padding encoding: | |
| ''' | |
| $ step certificate fingerprint --format base64-url-raw hello.csr | |
| PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw | |
| ''' | |
| Get the fingerprint for a CSR using base64-url encoding without padding: | |
| ''' | |
| $ step certificate fingerprint --format base64-url-raw hello.csr | |
| PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw |
| default: | ||
| return fmt.Errorf("unsupported fingerprint for %T", vv) | ||
| } |
There was a problem hiding this comment.
| default: | |
| return fmt.Errorf("unsupported fingerprint for %T", vv) | |
| } | |
| default: | |
| return fmt.Errorf("unsupported fingerprint for %T", v) | |
| } |
| @@ -186,6 +200,8 @@ multiple principals.`, | |||
| flags.SSHPOPKey, | |||
| flags.NebulaCert, | |||
| flags.NebulaKey, | |||
| flags.ConfirmationFile, | |||
| flags.ConfirmationKid, | |||
There was a problem hiding this comment.
Can you add an example for --cnf-kid?
| // ConfirmationKid is a cli.Flag used to add a confirmation claim in the | ||
| // token. | ||
| ConfirmationKid = cli.StringFlag{ | ||
| Name: "cnf-kid", | ||
| Usage: `The <fingerprint> of the CSR or SSH public key to restrict this token for.`, | ||
| } |
There was a problem hiding this comment.
Should this be just --cnf? Do we expect different types of values in there? See my note about using kid too.
| kid, err := fingerprint.New(data, crypto.SHA256, fingerprint.Base64RawURLFingerprint) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| c.Set(ConfirmationClaim, map[string]string{ | ||
| "kid": kid, | ||
| }) |
There was a problem hiding this comment.
For the X509 case, the value maybe shouldn't be put in kid, as we generally use that claim to carry the thumbprint of a JWK (used as key identifier); not the hash of a full request. Arguably, the kid can be filled arbitrarily, as long as it identifiers the key, so it's not wrong to put the hash of the CSR in there, but I think using a different name might be better.
There's "cnf":{"x5t#S256":"...."} in https://datatracker.ietf.org/doc/html/rfc8705#section-appendix.a, which is for certificates. Can we find/use/create a (custom) variant of that for certificate requests? E.g. "x5rt#S256", or something like that?
Allow to add confirmation claims to tokens
This commit allows passing confirmation claims to tokens to tie the
tokens with a provided CSR or SSH public key.
Fixes smallstep/certificates#1637
Related PR: