summaryrefslogtreecommitdiff
path: root/modules/caddytls
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2020-08-20 19:28:25 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2020-08-20 19:28:25 -0600
commit997ef522bc636bd2485408e63f55b9b043b2d975 (patch)
treeff9b8193377eeeb80967f14b80e433aa74c5287f /modules/caddytls
parent0279a57ac465b2920abf71d86203d9feac2015b5 (diff)
go.mod: Use v0.15(.1) of smallstep libs
Update internal issuer for compatibility -- yay simpler code! The .1 version also fixes non-critical SAN extensions that caused trust issues on several clients.
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/internalissuer.go45
1 files changed, 12 insertions, 33 deletions
diff --git a/modules/caddytls/internalissuer.go b/modules/caddytls/internalissuer.go
index d70b8ca..6f228ea 100644
--- a/modules/caddytls/internalissuer.go
+++ b/modules/caddytls/internalissuer.go
@@ -27,7 +27,6 @@ import (
"github.com/caddyserver/caddy/v2/modules/caddypki"
"github.com/caddyserver/certmagic"
"github.com/smallstep/certificates/authority/provisioner"
- "github.com/smallstep/cli/crypto/x509util"
)
func init() {
@@ -120,9 +119,7 @@ func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateReques
lifetime = issuerCert.NotAfter.Sub(time.Now())
}
- certChain, err := auth.Sign(csr, provisioner.Options{},
- profileDefaultDuration(iss.Lifetime),
- )
+ certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(iss.Lifetime))
if err != nil {
return nil, err
}
@@ -160,33 +157,14 @@ func (iss *InternalIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return nil
}
-// profileDefaultDuration is a wrapper against x509util.WithOption to conform
-// the SignOption interface.
-//
-// This type is borrowed from the smallstep libraries:
-// https://github.com/smallstep/certificates/blob/806abb6232a5691198b891d76b9898ea7f269da0/authority/provisioner/sign_options.go#L191-L211
-// as per https://github.com/smallstep/certificates/issues/198.
-//
-// TODO: In the future, this approach to custom cert lifetimes may not be necessary
-type profileDefaultDuration time.Duration
-
-func (d profileDefaultDuration) Option(so provisioner.Options) x509util.WithOption {
- var backdate time.Duration
- notBefore := so.NotBefore.Time()
- if notBefore.IsZero() {
- notBefore = time.Now().Truncate(time.Second)
- backdate = -1 * so.Backdate
- }
- notAfter := so.NotAfter.RelativeTime(notBefore)
- return func(p x509util.Profile) error {
- fn := x509util.WithNotBeforeAfterDuration(notBefore, notAfter, time.Duration(d))
- if err := fn(p); err != nil {
- return err
- }
- crt := p.Subject()
- crt.NotBefore = crt.NotBefore.Add(backdate)
- return nil
- }
+// customCertLifetime allows us to customize certificates that are issued
+// by Smallstep libs, particularly the NotBefore & NotAfter dates.
+type customCertLifetime time.Duration
+
+func (d customCertLifetime) Modify(cert *x509.Certificate, _ provisioner.SignOptions) error {
+ cert.NotBefore = time.Now()
+ cert.NotAfter = cert.NotBefore.Add(time.Duration(d))
+ return nil
}
const (
@@ -195,6 +173,7 @@ const (
// Interface guards
var (
- _ caddy.Provisioner = (*InternalIssuer)(nil)
- _ certmagic.Issuer = (*InternalIssuer)(nil)
+ _ caddy.Provisioner = (*InternalIssuer)(nil)
+ _ certmagic.Issuer = (*InternalIssuer)(nil)
+ _ provisioner.CertificateModifier = (*customCertLifetime)(nil)
)