From a7b0c1f4cff6ebd4f8c0ff643fbf20ca5ceedc84 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Fri, 20 Dec 2024 16:37:29 -0800 Subject: [PATCH] Attestation payload on webhooks This commit allows passing the attestation payload to webhooks with a custom database implementation. --- acme/challenge.go | 2 ++ acme/order.go | 12 +++++++++--- authority/provisioner/sign_options.go | 1 + authority/tls.go | 1 + webhook/types.go | 1 + 5 files changed, 14 insertions(+), 3 deletions(-) diff --git a/acme/challenge.go b/acme/challenge.go index cf658cf7b..1dc39bf27 100644 --- a/acme/challenge.go +++ b/acme/challenge.go @@ -88,6 +88,7 @@ type Challenge struct { URL string `json:"url"` Target string `json:"target,omitempty"` Error *Error `json:"error,omitempty"` + Payload []byte `json:"-"` } // ToLog enables response logging. @@ -942,6 +943,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose ch.Status = StatusValid ch.Error = nil ch.ValidatedAt = clock.Now().Format(time.RFC3339) + ch.Payload = payload // Store the fingerprint in the authorization. // diff --git a/acme/order.go b/acme/order.go index c23befd91..43bcc51bd 100644 --- a/acme/order.go +++ b/acme/order.go @@ -41,8 +41,9 @@ const ( // Identifier encodes the type that an order pertains to. type Identifier struct { - Type IdentifierType `json:"type"` - Value string `json:"value"` + Type IdentifierType `json:"type"` + Value string `json:"value"` + Payload []byte `json:"-"` } // Order contains order metadata for the ACME protocol order type. 
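Review bot: Both new fields are tagged `json:"-"`, so the default JSON-serialising database never persists `Challenge.Payload` or `Identifier.Payload`, and the value stored by `ch.Payload = payload` in deviceAttest01Validate lives only in memory until a custom DB implementation captures it — neither field says so, and a maintainer will otherwise expect the payload to reach Finalize out of the box. I would document the contract on the `Challenge` field: `// Payload is the device-attest-01 challenge payload that was just validated. It is not persisted by the default database (json:"-"); a custom DB implementation must carry it to the Identifier if it should reach webhooks.` and mirror it on `Identifier.Payload` with `// Payload is the validated attestation payload for permanent-identifier identifiers, populated only by custom DB implementations; nil with the default store.` Note that the assignment sits after `ch.Status = StatusValid`, so only successfully validated payloads are retained, which the comment could state explicitly. `ch.Payload = payload` also aliases the caller's byte slice rather than copying it; if that buffer is ever reused by the caller (not visible here), a copy such as `append([]byte(nil), payload...)` would be safer. deviceAttest01Validate starts before the hunk and continues after it.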
@@ -240,10 +241,14 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques var extraOptions []provisioner.SignOption // TODO: support for multiple identifiers? - var permanentIdentifier string + var ( + permanentIdentifier string + attestationPayload []byte + ) for i := range o.Identifiers { if o.Identifiers[i].Type == PermanentIdentifier { permanentIdentifier = o.Identifiers[i].Value + attestationPayload = o.Identifiers[i].Payload // the first (and only) Permanent Identifier that gets added to the certificate // should be equal to the Subject Common Name if it's set. If not equal, the CSR // is rejected, because the Common Name hasn't been challenged in that case. This @@ -266,6 +271,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques }) extraOptions = append(extraOptions, provisioner.AttestationData{ PermanentIdentifier: permanentIdentifier, + Payload: attestationPayload, }) } else { defaultTemplate = x509util.DefaultLeafTemplate diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go index fc842c43a..5c9dc0643 100644 --- a/authority/provisioner/sign_options.go +++ b/authority/provisioner/sign_options.go @@ -85,6 +85,7 @@ func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error { // sign methods. type AttestationData struct { PermanentIdentifier string + Payload []byte } // defaultPublicKeyValidator validates the public key of a certificate request. diff --git a/authority/tls.go b/authority/tls.go index 320eb5961..f099f1bc0 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -1029,6 +1029,7 @@ func (a *Authority) callEnrichingWebhooksX509(ctx context.Context, prov provisio if attData != nil { attested = &webhook.AttestationData{ PermanentIdentifier: attData.PermanentIdentifier, + Payload: attData.Payload, } } diff --git a/webhook/types.go b/webhook/types.go index c60de7099..e5695dcc5 100644 --- a/webhook/types.go +++ b/webhook/types.go 
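Review bot: Only `callEnrichingWebhooksX509` forwards `attData.Payload` into `webhook.AttestationData`; if the authorizing-webhook path builds the same struct from the same `AttestationData` (it is not in this diff, so this is an inference), it will keep sending a nil payload, and the two webhook kinds would see different data for the same attestation. In Finalize, `attestationPayload = o.Identifiers[i].Payload` reads a `json:"-"` field, so with the default database it is always nil and the webhook field is silently omitted; a one-line comment there, `// Payload is only populated by custom DB implementations; nil with the default store.`, would save the next person debugging an empty webhook payload. The new `Payload []byte` in `provisioner.AttestationData` has no doc comment either; I would add `// Payload is the validated device-attest-01 payload, if the database retained it; nil otherwise.` Finalize's loop body and the rest of the function continue outside the hunk.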
@@ -67,6 +67,7 @@ type SSHCertificate struct { // AttestationData is data validated by acme device-attest-01 challenge type AttestationData struct { PermanentIdentifier string `json:"permanentIdentifier"` + Payload []byte `json:"payload,omitempty"` } // X5CCertificate is the authorization certificate sent to webhook servers for
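Review bot: `Payload []byte` is emitted by encoding/json as a base64 string and is dropped entirely under `omitempty` when the database did not retain it, but the type's comment still only says the data was "validated by acme device-attest-01 challenge", so webhook implementers cannot tell what bytes they receive or that the field may be absent. I would document it on the field: `// Payload is the device-attest-01 challenge payload the CA already validated, base64-encoded in the JSON body; omitted when the database did not retain it.` Since this is data a client supplied and the CA verified, the comment should also make clear that a webhook server must treat it as informational and not re-derive trust from its contents independently of the rest of the request. Attestation payloads can be considerably larger than the `permanentIdentifier` string alone, so if the webhook client has a request-size or timeout budget (not visible here), it may need revisiting.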