
Commit c1bd156

marainodopey
authored and committed
Renew identity certificate in /ssh/rekey and /ssh/renew
1 parent 47f4ac1 commit c1bd156

2 files changed

+35
-5
lines changed


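--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@@ -30,7 +30,8 @@ func (s *SSHRekeyRequest) Validate() error {
 
 // SSHRekeyResponse is the response object that returns the SSH certificate.
 type SSHRekeyResponse struct {
-	Certificate SSHCertificate `json:"crt"`
+	Certificate SSHCertificate `json:"crt"`
+	IdentityCertificate []Certificate `json:"identityCrt,omitempty"`
 }
 
 // SSHRekey is an HTTP handler that reads an RekeySSHRequest with a one-time-token
@@ -72,7 +73,14 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	JSONStatus(w, &SSHSignResponse{
-		Certificate: SSHCertificate{newCert},
+	identity, err := h.renewIdentityCertificate(r)
+	if err != nil {
+		WriteError(w, errs.Forbidden(err))
+		return
+	}
+
+	JSONStatus(w, &SSHRekeyResponse{
+		Certificate: SSHCertificate{newCert},
+		IdentityCertificate: identity,
 	}, http.StatusCreated)
 }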
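Review bot: The new `identity, err := h.renewIdentityCertificate(r)` runs after `newCert` already exists (the SSH signing happens above the hunk, outside this view), so a failed TLS-identity renewal answers 403 and discards an SSH certificate the authority has presumably already issued and recorded. Consider calling renewIdentityCertificate before the SSH rekey is performed, or treating an identity-renewal failure as non-fatal for the SSH result, whichever matches the intended contract. Mapping every error to `errs.Forbidden(err)` also presents internal failures from Renew as a client authorization problem; if Renew returns typed errors, pass them through rather than wrapping unconditionally. SSHRekey's body begins outside the hunk.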

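--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@@ -26,7 +26,8 @@ func (s *SSHRenewRequest) Validate() error {
 
 // SSHRenewResponse is the response object that returns the SSH certificate.
 type SSHRenewResponse struct {
-	Certificate SSHCertificate `json:"crt"`
+	Certificate SSHCertificate `json:"crt"`
+	IdentityCertificate []Certificate `json:"identityCrt,omitempty"`
 }
 
 // SSHRenew is an HTTP handler that reads an RenewSSHRequest with a one-time-token
@@ -62,7 +63,28 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	identity, err := h.renewIdentityCertificate(r)
+	if err != nil {
+		WriteError(w, errs.Forbidden(err))
+		return
+	}
+
 	JSONStatus(w, &SSHSignResponse{
-		Certificate: SSHCertificate{newCert},
+		Certificate: SSHCertificate{newCert},
+		IdentityCertificate: identity,
 	}, http.StatusCreated)
 }
+
+// renewIdentityCertificate request the client TLS certificate if present.
+func (h *caHandler) renewIdentityCertificate(r *http.Request) ([]Certificate, error) {
+	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
+		return nil, nil
+	}
+
+	certChain, err := h.Authority.Renew(r.TLS.PeerCertificates[0])
+	if err != nil {
+		return nil, err
+	}
+
+	return certChainToPEM(certChain), nil
+}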
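Review bot: The handler still responds with `SSHSignResponse` at the unchanged line `JSONStatus(w, &SSHSignResponse{`, while this commit extends `SSHRenewResponse` with `IdentityCertificate`; unless SSHSignResponse already carries that field (not visible here) this will not compile, and either way the new field on SSHRenewResponse goes unused. The line should read `JSONStatus(w, &SSHRenewResponse{`, matching what sshRekey.go does in the same commit. In renewIdentityCertificate, `h.Authority.Renew(r.TLS.PeerCertificates[0])` is the only gate on the presented client certificate; whether Renew verifies that the leaf chains to this CA and is unexpired is not visible from this diff, and if the listener requests but does not verify client certificates, any attacker-presented certificate reaches Renew, so that check should be confirmed and stated on the helper, e.g. `// Renew is expected to verify the peer certificate against the CA's trust anchors before reissuing it.` The helper's doc comment is also misleading and should read `// renewIdentityCertificate renews the client TLS certificate, if one was presented.` SSHRenew's body begins outside the hunk.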
