
Remove payload from webhooks
This commit removes the unnecessary payload from the data sent to webhooks.
maraino committed Dec 26, 2024
1 parent a7b0c1f commit e209add
Showing 5 changed files with 20 additions and 12 deletions.
17 changes: 17 additions & 0 deletions acme/challenge_test.go
Expand Up @@ -820,6 +820,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewError(ErrorRejectedIdentifierType, "payload contained error: an error")

Expand Down Expand Up @@ -871,6 +872,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
assert.Equal(t, StatusValid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "1234", updch.Value)
assert.Equal(t, payload, updch.Payload)

return nil
},
Expand Down Expand Up @@ -4004,6 +4006,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewError(ErrorRejectedIdentifierType, "payload contained error: an error")

Expand Down Expand Up @@ -4042,6 +4045,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "failed base64 decoding attObj %q", "?!")

Expand Down Expand Up @@ -4080,6 +4084,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "attObj must not be empty")

Expand Down Expand Up @@ -4118,6 +4123,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "attObj must not be empty")

Expand Down Expand Up @@ -4156,6 +4162,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "attObj is not well formed CBOR: unexpected EOF")

Expand Down Expand Up @@ -4196,6 +4203,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "unsupported attestation object format %q", "unsupported-format")

Expand Down Expand Up @@ -4241,6 +4249,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewError(ErrorBadAttestationStatementType, "attestation format %q is not enabled", "step")

Expand Down Expand Up @@ -4296,6 +4305,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")

Expand Down Expand Up @@ -4343,6 +4353,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "serial-number", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "challenge token does not match")

Expand Down Expand Up @@ -4389,6 +4400,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "non-matching-value", updch.Value)
assert.Nil(t, updch.Payload)

subproblem := NewSubproblemWithIdentifier(
ErrorRejectedIdentifierType,
Expand Down Expand Up @@ -4467,6 +4479,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")

Expand Down Expand Up @@ -4521,6 +4534,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, "permanent identifier does not match").
AddSubproblems(NewSubproblemWithIdentifier(
Expand Down Expand Up @@ -4616,6 +4630,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusInvalid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Nil(t, updch.Payload)

err := NewDetailedError(ErrorBadAttestationStatementType, `unsupported attestation object format "bogus-format"`)

Expand Down Expand Up @@ -4708,6 +4723,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusValid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Equal(t, payload, updch.Payload)

return errors.New("force")
},
Expand Down Expand Up @@ -4754,6 +4770,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
assert.Equal(t, StatusValid, updch.Status)
assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
assert.Equal(t, "12345678", updch.Value)
assert.Equal(t, payload, updch.Payload)

return nil
},
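Review bot: The same `assert.Nil(t, updch.Payload)` line is added to fourteen near-identical invalid-challenge cases, each of which already repeats the Status/Type/Value assertions; a small helper in this test file that checks those four fields together would keep the next field addition to one place instead of fourteen. The three valid-path cases assert `updch.Payload` equals `payload`, which pins that the challenge still retains the attestation payload after this commit — worth keeping, since the production change removes the payload only from the order identifier and the webhook data. The enclosing test functions start and end outside the hunks.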
12 changes: 3 additions & 9 deletions acme/order.go
Expand Up @@ -41,9 +41,8 @@ const (

// Identifier encodes the type that an order pertains to.
type Identifier struct {
Type IdentifierType `json:"type"`
Value string `json:"value"`
Payload []byte `json:"-"`
Type IdentifierType `json:"type"`
Value string `json:"value"`
}

// Order contains order metadata for the ACME protocol order type.
Expand Down Expand Up @@ -241,14 +240,10 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
var extraOptions []provisioner.SignOption

// TODO: support for multiple identifiers?
var (
permanentIdentifier string
attestationPayload []byte
)
var permanentIdentifier string
for i := range o.Identifiers {
if o.Identifiers[i].Type == PermanentIdentifier {
permanentIdentifier = o.Identifiers[i].Value
attestationPayload = o.Identifiers[i].Payload
// the first (and only) Permanent Identifier that gets added to the certificate
// should be equal to the Subject Common Name if it's set. If not equal, the CSR
// is rejected, because the Common Name hasn't been challenged in that case. This
Expand All @@ -271,7 +266,6 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
})
extraOptions = append(extraOptions, provisioner.AttestationData{
PermanentIdentifier: permanentIdentifier,
Payload: attestationPayload,
})
} else {
defaultTemplate = x509util.DefaultLeafTemplate
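Review bot: The removal reaches further than the commit message states: `Payload` is dropped from `acme.Identifier` here and from `provisioner.AttestationData` in sign_options.go, not only from the webhook type, so any provisioner sign option or template that read `AttestationData.Payload` now loses that input silently rather than failing visibly. The test additions in challenge_test.go still assert that `updch.Payload` is retained on the validated challenge, which suggests the raw attestation data stays persisted with the challenge and is simply no longer copied into the order identifier; a one-line comment at the `permanentIdentifier = o.Identifiers[i].Value` assignment, such as `// the attestation payload stays on the challenge and is intentionally not carried into the order or the sign options`, would record that decision for the next reader. Finalize starts and ends outside the hunk.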
1 change: 0 additions & 1 deletion authority/provisioner/sign_options.go
Expand Up @@ -85,7 +85,6 @@ func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
// sign methods.
type AttestationData struct {
PermanentIdentifier string
Payload []byte
}

// defaultPublicKeyValidator validates the public key of a certificate request.
1 change: 0 additions & 1 deletion authority/tls.go
Expand Up @@ -1029,7 +1029,6 @@ func (a *Authority) callEnrichingWebhooksX509(ctx context.Context, prov provisio
if attData != nil {
attested = &webhook.AttestationData{
PermanentIdentifier: attData.PermanentIdentifier,
Payload: attData.Payload,
}
}

1 change: 0 additions & 1 deletion webhook/types.go
Expand Up @@ -67,7 +67,6 @@ type SSHCertificate struct {
// AttestationData is data validated by acme device-attest-01 challenge
type AttestationData struct {
PermanentIdentifier string `json:"permanentIdentifier"`
Payload []byte `json:"payload,omitempty"`
}

// X5CCertificate is the authorization certificate sent to webhook servers for
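Review bot: Dropping the `json:"payload,omitempty"` field changes the JSON body delivered to enriching webhook servers, which is an external wire-format change even though the field was optional, and the commit carries no changelog or documentation update recording it. Sending less attestation material to third-party endpoints is a sound default, but a webhook server that read `payload` will now see it absent, so the struct comment should state the contract explicitly, e.g. `// AttestationData is data validated by acme device-attest-01 challenge. The raw attestation payload is not forwarded to webhook servers.` The matching field removal in the caller in authority/tls.go is covered by this note.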
