Attestation payload on webhooks

This commit allows passing the attestation payload to webhooks with a custom database implementation.
smallstep · Dec 21, 2024 · a7b0c1f · a7b0c1f
1 parent cba7add
commit a7b0c1f
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 3 deletions.
diff --git a/acme/challenge.go b/acme/challenge.go
@@ -88,6 +88,7 @@ type Challenge struct {
 	URL             string        `json:"url"`
 	Target          string        `json:"target,omitempty"`
 	Error           *Error        `json:"error,omitempty"`
+	Payload         []byte        `json:"-"`
 }
 
 // ToLog enables response logging.
@@ -942,6 +943,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 	ch.Status = StatusValid
 	ch.Error = nil
 	ch.ValidatedAt = clock.Now().Format(time.RFC3339)
+	ch.Payload = payload
 
 	// Store the fingerprint in the authorization.
 	//

diff --git a/acme/order.go b/acme/order.go
@@ -41,8 +41,9 @@ const (
 
 // Identifier encodes the type that an order pertains to.
 type Identifier struct {
-	Type  IdentifierType `json:"type"`
-	Value string         `json:"value"`
+	Type    IdentifierType `json:"type"`
+	Value   string         `json:"value"`
+	Payload []byte         `json:"-"`
 }
 
 // Order contains order metadata for the ACME protocol order type.
@@ -240,10 +241,14 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 	var extraOptions []provisioner.SignOption
 
 	// TODO: support for multiple identifiers?
-	var permanentIdentifier string
+	var (
+		permanentIdentifier string
+		attestationPayload  []byte
+	)
 	for i := range o.Identifiers {
 		if o.Identifiers[i].Type == PermanentIdentifier {
 			permanentIdentifier = o.Identifiers[i].Value
+			attestationPayload = o.Identifiers[i].Payload
 			// the first (and only) Permanent Identifier that gets added to the certificate
 			// should be equal to the Subject Common Name if it's set. If not equal, the CSR
 			// is rejected, because the Common Name hasn't been challenged in that case. This
@@ -266,6 +271,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 		})
 		extraOptions = append(extraOptions, provisioner.AttestationData{
 			PermanentIdentifier: permanentIdentifier,
+			Payload:             attestationPayload,
 		})
 	} else {
 		defaultTemplate = x509util.DefaultLeafTemplate

diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
@@ -85,6 +85,7 @@ func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
 // sign methods.
 type AttestationData struct {
 	PermanentIdentifier string
+	Payload             []byte
 }
 
 // defaultPublicKeyValidator validates the public key of a certificate request.

diff --git a/authority/tls.go b/authority/tls.go
@@ -1029,6 +1029,7 @@ func (a *Authority) callEnrichingWebhooksX509(ctx context.Context, prov provisio
 	if attData != nil {
 		attested = &webhook.AttestationData{
 			PermanentIdentifier: attData.PermanentIdentifier,
+			Payload:             attData.Payload,
 		}
 	}
 

diff --git a/webhook/types.go b/webhook/types.go
@@ -67,6 +67,7 @@ type SSHCertificate struct {
 // AttestationData is data validated by acme device-attest-01 challenge
 type AttestationData struct {
 	PermanentIdentifier string `json:"permanentIdentifier"`
+	Payload             []byte `json:"payload,omitempty"`
 }
 
 // X5CCertificate is the authorization certificate sent to webhook servers for