Make API responses aware of the new SCEP decrypter properties

hslatman · hslatman · commit 5fd70af2c81e · 2023-09-22T11:38:03.000+02:00
diff --git a/api/api_test.go b/api/api_test.go
@@ -1569,7 +1569,6 @@ func mustCertificate(t *testing.T, pub, priv interface{}) *x509.Certificate {
 }
 
 func TestProvisionersResponse_MarshalJSON(t *testing.T) {
-
 	k := map[string]any{
 		"use": "sig",
 		"kty": "EC",
@@ -1581,9 +1580,14 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 	}
 	key := squarejose.JSONWebKey{}
 	b, err := json.Marshal(k)
-	assert.FatalError(t, err)
+	require.NoError(t, err)
 	err = json.Unmarshal(b, &key)
-	assert.FatalError(t, err)
+	require.NoError(t, err)
+
+	var encodedPassword bytes.Buffer
+	enc := base64.NewEncoder(base64.StdEncoding, &encodedPassword)
+	_, err = enc.Write([]byte("super-secret-password"))
+	require.NoError(t, err)
 
 	r := ProvisionersResponse{
 		Provisioners: provisioner.List{
@@ -1593,9 +1597,12 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 				ChallengePassword:             "not-so-secret",
 				MinimumPublicKeyLength:        2048,
 				EncryptionAlgorithmIdentifier: 2,
+				IncludeRoot:                   true,
+				ExcludeIntermediate:           true,
 				DecrypterCertificate:          []byte{1, 2, 3, 4},
-				DecrypterKey:                  "softkms:path=/path/to/private.key",
-				DecrypterKeyPassword:          "super-secret-password",
+				DecrypterKeyPEM:               []byte{5, 6, 7, 8},
+				DecrypterKeyURI:               "softkms:path=/path/to/private.key",
+				DecrypterKeyPassword:          encodedPassword.Bytes(),
 			},
 			&provisioner.JWK{
 				EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
@@ -1612,9 +1619,13 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 			{
 				"type":                          "scep",
 				"name":                          "scep",
+				"forceCN":                       false,
+				"includeRoot":                   true,
+				"excludeIntermediate":           true,
 				"challenge":                     "*** REDACTED ***",
 				"decrypterCertificate":          "*** REDACTED ***",
 				"decrypterKey":                  "*** REDACTED ***",
+				"decrypterKeyPEM":               "*** REDACTED ***",
 				"decrypterKeyPassword":          "*** REDACTED ***",
 				"minimumPublicKeyLength":        2048,
 				"encryptionAlgorithmIdentifier": 2,
@@ -1652,9 +1663,12 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 			ChallengePassword:             "not-so-secret",
 			MinimumPublicKeyLength:        2048,
 			EncryptionAlgorithmIdentifier: 2,
+			IncludeRoot:                   true,
+			ExcludeIntermediate:           true,
 			DecrypterCertificate:          []byte{1, 2, 3, 4},
-			DecrypterKey:                  "softkms:path=/path/to/private.key",
-			DecrypterKeyPassword:          "super-secret-password",
+			DecrypterKeyPEM:               []byte{5, 6, 7, 8},
+			DecrypterKeyURI:               "softkms:path=/path/to/private.key",
+			DecrypterKeyPassword:          encodedPassword.Bytes(),
 		},
 		&provisioner.JWK{
 			EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
diff --git a/api/models/scep.go b/api/models/scep.go
@@ -19,17 +19,17 @@ type SCEP struct {
 	ID                            string               `json:"-"`
 	Type                          string               `json:"type"`
 	Name                          string               `json:"name"`
-	ForceCN                       bool                 `json:"forceCN,omitempty"`
-	ChallengePassword             string               `json:"challenge,omitempty"`
+	ForceCN                       bool                 `json:"forceCN"`
+	ChallengePassword             string               `json:"challenge"`
 	Capabilities                  []string             `json:"capabilities,omitempty"`
-	IncludeRoot                   bool                 `json:"includeRoot,omitempty"`
-	ExcludeIntermediate           bool                 `json:"excludeIntermediate,omitempty"`
-	MinimumPublicKeyLength        int                  `json:"minimumPublicKeyLength,omitempty"`
+	IncludeRoot                   bool                 `json:"includeRoot"`
+	ExcludeIntermediate           bool                 `json:"excludeIntermediate"`
+	MinimumPublicKeyLength        int                  `json:"minimumPublicKeyLength"`
 	DecrypterCertificate          string               `json:"decrypterCertificate"`
 	DecrypterKeyPEM               string               `json:"decrypterKeyPEM"`
 	DecrypterKeyURI               string               `json:"decrypterKey"`
 	DecrypterKeyPassword          string               `json:"decrypterKeyPassword"`
-	EncryptionAlgorithmIdentifier int                  `json:"encryptionAlgorithmIdentifier,omitempty"`
+	EncryptionAlgorithmIdentifier int                  `json:"encryptionAlgorithmIdentifier"`
 	Options                       *provisioner.Options `json:"options,omitempty"`
 	Claims                        *provisioner.Claims  `json:"claims,omitempty"`
 }
diff --git a/authority/provisioners.go b/authority/provisioners.go
@@ -990,7 +990,8 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 		}
 		if decrypter := cfg.GetDecrypter(); decrypter != nil {
 			s.DecrypterCertificate = decrypter.DecrypterCertificate
-			s.DecrypterKey = decrypter.DecrypterKey
+			s.DecrypterKeyPEM = decrypter.DecrypterKey
+			s.DecrypterKeyURI = decrypter.DecrypterKeyUri
 			s.DecrypterKeyPassword = decrypter.DecrypterKeyPassword
 		}
 		return s, nil
@@ -1250,6 +1251,12 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 						IncludeRoot:                   p.IncludeRoot,
 						ExcludeIntermediate:           p.ExcludeIntermediate,
 						EncryptionAlgorithmIdentifier: int32(p.EncryptionAlgorithmIdentifier),
+						Decrypter: &linkedca.SCEPDecrypter{
+							DecrypterCertificate: p.DecrypterCertificate,
+							DecrypterKey:         p.DecrypterKeyPEM,
+							DecrypterKeyUri:      p.DecrypterKeyURI,
+							DecrypterKeyPassword: p.DecrypterKeyPassword,
+						},
 					},
 				},
 			},
