Diffstat (limited to 'vendor/github.com/smallstep/scep/scep.go')
-rw-r--r--vendor/github.com/smallstep/scep/scep.go47
1 files changed, 21 insertions, 26 deletions
diff --git a/vendor/github.com/smallstep/scep/scep.go b/vendor/github.com/smallstep/scep/scep.go
index 8004af2..d922866 100644
--- a/vendor/github.com/smallstep/scep/scep.go
+++ b/vendor/github.com/smallstep/scep/scep.go
@@ -14,6 +14,7 @@ import (
"errors"
"fmt"
+ "github.com/go-kit/kit/log/level"
"github.com/smallstep/pkcs7"
"github.com/smallstep/scep/cryptoutil"
@@ -26,6 +27,12 @@ var (
errUnknownMessageType = errors.New("scep: unknown messageType")
)
+// prepare the go-kit leveled logging configuration
+var (
+ levelKey = level.Key()
+ levelDebug = level.DebugValue()
+)
+
// The MessageType attribute specifies the type of operation performed
// by the transaction. This attribute MUST be included in all PKI
// messages.
@@ -142,7 +149,7 @@ func WithLogger(logger Logger) Option {
}
// WithCACerts adds option CA certificates to the SCEP operations.
-// Note: This changes the verification behavior of PKCS#7 messages. If this
+// Note: This changes the verification behavior of PKCS #7 messages. If this
// option is specified, only caCerts will be used as expected signers.
func WithCACerts(caCerts []*x509.Certificate) Option {
return func(c *config) {
@@ -154,7 +161,7 @@ func WithCACerts(caCerts []*x509.Certificate) Option {
// operations.
// This option is effective when used with NewCSRRequest function. In
// this case, only certificates selected with the certsSelector will be used
-// as the PKCS#7 message recipients.
+// as the PKCS #7 message recipients.
func WithCertsSelector(selector CertsSelector) Option {
return func(c *config) {
c.certsSelector = selector
@@ -191,7 +198,7 @@ type PKIMessage struct {
Recipients []*x509.Certificate
// Signer info
- SignerKey crypto.PrivateKey
+ SignerKey *rsa.PrivateKey
SignerCert *x509.Certificate
logger Logger
@@ -240,7 +247,7 @@ func ParsePKIMessage(data []byte, opts ...Option) (*PKIMessage, error) {
// signatures have an alternate means of obtaining necessary certificates.
// In SCEP case, an alternate means is to use GetCaCert request.
// Note: The https://github.com/jscep/jscep implementation logs a warning if
- // no certificates were found for signers in the PKCS#7 received from the
+ // no certificates were found for signers in the PKCS #7 received from the
// server, but the certificates obtained from GetCaCert request are still
// used for decoding the message.
p7.Certificates = conf.caCerts
@@ -269,6 +276,7 @@ func ParsePKIMessage(data []byte, opts ...Option) (*PKIMessage, error) {
}
msg.logger.Log(
+ levelKey, levelDebug,
"msg", "parsed scep pkiMessage",
"scep_message_type", msgType,
"transaction_id", tID,
@@ -335,22 +343,8 @@ func (msg *PKIMessage) parseMessageType() error {
}
}
-// DecryptPKIEnvelope decrypts the PKCS#7 envelopedData inside the SCEP PKIMessage
-func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key crypto.PrivateKey) error {
- if cert == nil {
- return errors.New("scep: cert must not be nil")
- }
- if key == nil {
- return errors.New("scep: key must not be nil")
- }
- decrypter, ok := key.(crypto.Decrypter)
- if !ok {
- return errors.New("scep: private key does not implement crypto.Decrypter")
- }
- if _, ok := decrypter.Public().(*rsa.PublicKey); !ok {
- return fmt.Errorf("scep: key.Public() returned type %T; expected *rsa.PublicKey", decrypter.Public())
- }
-
+// DecryptPKIEnvelope decrypts the pkcs envelopedData inside the SCEP PKIMessage
+func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key *rsa.PrivateKey) error {
p7, err := pkcs7.Parse(msg.p7.Content)
if err != nil {
return err
@@ -361,6 +355,7 @@ func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key crypto.Pri
}
logKeyVals := []interface{}{
+ levelKey, levelDebug,
"msg", "decrypt pkiEnvelope",
}
defer func() { msg.logger.Log(logKeyVals...) }()
@@ -398,8 +393,7 @@ func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key crypto.Pri
}
}
-// Fail returns a new PKIMessage with CertRep data indicating a failure
-func (msg *PKIMessage) Fail(crtAuth *x509.Certificate, keyAuth crypto.PrivateKey, info FailInfo) (*PKIMessage, error) {
+func (msg *PKIMessage) Fail(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, info FailInfo) (*PKIMessage, error) {
config := pkcs7.SignerInfoConfig{
ExtraSignedAttributes: []pkcs7.Attribute{
{
@@ -462,9 +456,9 @@ func (msg *PKIMessage) Fail(crtAuth *x509.Certificate, keyAuth crypto.PrivateKey
}
// Success returns a new PKIMessage with CertRep data using an already-issued certificate
-func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth crypto.PrivateKey, crt *x509.Certificate) (*PKIMessage, error) {
+func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, crt *x509.Certificate) (*PKIMessage, error) {
// check if CSRReqMessage has already been decrypted
- if msg.CSRReqMessage.CSR == nil { // TODO(hslatman): remove this; just require decryption before, so that we can make keyAuth a crypto.Signer
+ if msg.CSRReqMessage.CSR == nil {
if err := msg.DecryptPKIEnvelope(crtAuth, keyAuth); err != nil {
return nil, err
}
@@ -544,7 +538,7 @@ func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth crypto.Private
return crepMsg, nil
}
-// DegenerateCertificates creates degenerate certificates PKCS#7 type
+// DegenerateCertificates creates degenerate certificates pkcs#7 type
func DegenerateCertificates(certs []*x509.Certificate) ([]byte, error) {
var buf bytes.Buffer
for _, cert := range certs {
@@ -557,7 +551,7 @@ func DegenerateCertificates(certs []*x509.Certificate) ([]byte, error) {
return degenerate, nil
}
-// CACerts extract CA Certificate or chain from PKCS#7 degenerate signed data
+// CACerts extract CA Certificate or chain from pkcs7 degenerate signed data
func CACerts(data []byte) ([]*x509.Certificate, error) {
p7, err := pkcs7.Parse(data)
if err != nil {
@@ -604,6 +598,7 @@ func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage, opts ...Optio
}
conf.logger.Log(
+ levelKey, levelDebug,
"msg", "creating SCEP CSR request",
"transaction_id", tID,
"signer_cn", tmpl.SignerCert.Subject.CommonName,