ttyLP0
diff --git a/‎api/api.go
-108 b/‎api/api.go
-108
diff --git a/‎api/api_test.go
+19-12 b/‎api/api_test.go
+19-12
diff --git a/‎api/renew.go
+36 b/‎api/renew.go
+36
diff --git a/‎api/sign.go
+90 b/‎api/sign.go
+90
diff --git a/‎api/ssh.go
+1-1 b/‎api/ssh.go
+1-1
diff --git a/‎api/sshRekey.go
+2-2 b/‎api/sshRekey.go
+2-2
diff --git a/‎api/sshRenew.go
+2-2 b/‎api/sshRenew.go
+2-2
@@ -5,7 +5,6 @@ import (
 	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/rsa"
-	"crypto/tls"
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
@@ -209,14 +208,6 @@ type RootResponse struct {
 	RootPEM Certificate `json:"ca"`
 }
 
-// SignRequest is the request body for a certificate signature request.
-type SignRequest struct {
-	CsrPEM    CertificateRequest `json:"csr"`
-	OTT       string             `json:"ott"`
-	NotAfter  TimeDuration       `json:"notAfter"`
-	NotBefore TimeDuration       `json:"notBefore"`
-}
-
 // ProvisionersResponse is the response object that returns the list of
 // provisioners.
 type ProvisionersResponse struct {
@@ -230,31 +221,6 @@ type ProvisionerKeyResponse struct {
 	Key string `json:"key"`
 }
 
-// Validate checks the fields of the SignRequest and returns nil if they are ok
-// or an error if something is wrong.
-func (s *SignRequest) Validate() error {
-	if s.CsrPEM.CertificateRequest == nil {
-		return errs.BadRequest(errors.New("missing csr"))
-	}
-	if err := s.CsrPEM.CertificateRequest.CheckSignature(); err != nil {
-		return errs.BadRequest(errors.Wrap(err, "invalid csr"))
-	}
-	if s.OTT == "" {
-		return errs.BadRequest(errors.New("missing ott"))
-	}
-
-	return nil
-}
-
-// SignResponse is the response object of the certificate signature request.
-type SignResponse struct {
-	ServerPEM    Certificate          `json:"crt"`
-	CaPEM        Certificate          `json:"ca"`
-	CertChainPEM []Certificate        `json:"certChain"`
-	TLSOptions   *tlsutil.TLSOptions  `json:"tlsOptions,omitempty"`
-	TLS          *tls.ConnectionState `json:"-"`
-}
-
 // RootsResponse is the response object of the roots request.
 type RootsResponse struct {
 	Certificates []Certificate `json:"crts"`
@@ -344,80 +310,6 @@ func certChainToPEM(certChain []*x509.Certificate) []Certificate {
 	return certChainPEM
 }
 
-// Sign is an HTTP handler that reads a certificate request and an
-// one-time-token (ott) from the body and creates a new certificate with the
-// information in the certificate request.
-func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
-	var body SignRequest
-	if err := ReadJSON(r.Body, &body); err != nil {
-		WriteError(w, errs.BadRequest(errors.Wrap(err, "error reading request body")))
-		return
-	}
-
-	logOtt(w, body.OTT)
-	if err := body.Validate(); err != nil {
-		WriteError(w, err)
-		return
-	}
-
-	opts := provisioner.Options{
-		NotBefore: body.NotBefore,
-		NotAfter:  body.NotAfter,
-	}
-
-	signOpts, err := h.Authority.AuthorizeSign(body.OTT)
-	if err != nil {
-		WriteError(w, errs.Unauthorized(err))
-		return
-	}
-
-	certChain, err := h.Authority.Sign(body.CsrPEM.CertificateRequest, opts, signOpts...)
-	if err != nil {
-		WriteError(w, errs.Forbidden(err))
-		return
-	}
-	certChainPEM := certChainToPEM(certChain)
-	var caPEM Certificate
-	if len(certChainPEM) > 0 {
-		caPEM = certChainPEM[1]
-	}
-	logCertificate(w, certChain[0])
-	JSONStatus(w, &SignResponse{
-		ServerPEM:    certChainPEM[0],
-		CaPEM:        caPEM,
-		CertChainPEM: certChainPEM,
-		TLSOptions:   h.Authority.GetTLSOptions(),
-	}, http.StatusCreated)
-}
-
-// Renew uses the information of certificate in the TLS connection to create a
-// new one.
-func (h *caHandler) Renew(w http.ResponseWriter, r *http.Request) {
-	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
-		WriteError(w, errs.BadRequest(errors.New("missing peer certificate")))
-		return
-	}
-
-	certChain, err := h.Authority.Renew(r.TLS.PeerCertificates[0])
-	if err != nil {
-		WriteError(w, errs.Forbidden(err))
-		return
-	}
-	certChainPEM := certChainToPEM(certChain)
-	var caPEM Certificate
-	if len(certChainPEM) > 0 {
-		caPEM = certChainPEM[1]
-	}
-
-	logCertificate(w, certChain[0])
-	JSONStatus(w, &SignResponse{
-		ServerPEM:    certChainPEM[0],
-		CaPEM:        caPEM,
-		CertChainPEM: certChainPEM,
-		TLSOptions:   h.Authority.GetTLSOptions(),
-	}, http.StatusCreated)
-}
-
 // Provisioners returns the list of provisioners configured in the authority.
 func (h *caHandler) Provisioners(w http.ResponseWriter, r *http.Request) {
 	cursor, limit, err := parseCursor(r)
 
@@ -28,6 +28,7 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/logging"
 	"github.com/smallstep/certificates/sshutil"
 	"github.com/smallstep/certificates/templates"
@@ -914,7 +915,7 @@ func Test_caHandler_Renew(t *testing.T) {
 		{"ok", cs, parseCertificate(certPEM), parseCertificate(rootPEM), nil, http.StatusCreated},
 		{"no tls", nil, nil, nil, nil, http.StatusBadRequest},
 		{"no peer certificates", &tls.ConnectionState{}, nil, nil, nil, http.StatusBadRequest},
-		{"renew error", cs, nil, nil, fmt.Errorf("an error"), http.StatusForbidden},
+		{"renew error", cs, nil, nil, errs.Forbidden(fmt.Errorf("an error")), http.StatusForbidden},
 	}
 
 	expected := []byte(`{"crt":"` + strings.Replace(certPEM, "\n", `\n`, -1) + `\n","ca":"` + strings.Replace(rootPEM, "\n", `\n`, -1) + `\n","certChain":["` + strings.Replace(certPEM, "\n", `\n`, -1) + `\n","` + strings.Replace(rootPEM, "\n", `\n`, -1) + `\n"]}`)
@@ -934,13 +935,13 @@ func Test_caHandler_Renew(t *testing.T) {
 			res := w.Result()
 
 			if res.StatusCode != tt.statusCode {
-				t.Errorf("caHandler.Root StatusCode = %d, wants %d", res.StatusCode, tt.statusCode)
+				t.Errorf("caHandler.Renew StatusCode = %d, wants %d", res.StatusCode, tt.statusCode)
 			}
 
 			body, err := ioutil.ReadAll(res.Body)
 			res.Body.Close()
 			if err != nil {
-				t.Errorf("caHandler.Root unexpected error = %v", err)
+				t.Errorf("caHandler.Renew unexpected error = %v", err)
 			}
 			if tt.statusCode < http.StatusBadRequest {
 				if !bytes.Equal(bytes.TrimSpace(body), expected) {
@@ -1009,8 +1010,12 @@ func Test_caHandler_Provisioners(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	expectedError400 := []byte(`{"status":400,"message":"Bad Request"}`)
-	expectedError500 := []byte(`{"status":500,"message":"Internal Server Error"}`)
+	expectedError400 := errs.BadRequest(errors.New("force"))
+	expectedError400Bytes, err := json.Marshal(expectedError400)
+	assert.FatalError(t, err)
+	expectedError500 := errs.InternalServerError(errors.New("force"))
+	expectedError500Bytes, err := json.Marshal(expectedError500)
+	assert.FatalError(t, err)
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			h := &caHandler{
@@ -1035,12 +1040,12 @@ func Test_caHandler_Provisioners(t *testing.T) {
 			} else {
 				switch tt.statusCode {
 				case 400:
-					if !bytes.Equal(bytes.TrimSpace(body), expectedError400) {
-						t.Errorf("caHandler.Provisioners Body = %s, wants %s", body, expectedError400)
+					if !bytes.Equal(bytes.TrimSpace(body), expectedError400Bytes) {
+						t.Errorf("caHandler.Provisioners Body = %s, wants %s", body, expectedError400Bytes)
 					}
 				case 500:
-					if !bytes.Equal(bytes.TrimSpace(body), expectedError500) {
-						t.Errorf("caHandler.Provisioners Body = %s, wants %s", body, expectedError500)
+					if !bytes.Equal(bytes.TrimSpace(body), expectedError500Bytes) {
+						t.Errorf("caHandler.Provisioners Body = %s, wants %s", body, expectedError500Bytes)
 					}
 				default:
 					t.Errorf("caHandler.Provisioner unexpected status code = %d", tt.statusCode)
@@ -1077,7 +1082,9 @@ func Test_caHandler_ProvisionerKey(t *testing.T) {
 	}
 
 	expected := []byte(`{"key":"` + privKey + `"}`)
-	expectedError := []byte(`{"status":404,"message":"Not Found"}`)
+	expectedError404 := errs.NotFound(errors.New("force"))
+	expectedError404Bytes, err := json.Marshal(expectedError404)
+	assert.FatalError(t, err)
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1101,8 +1108,8 @@ func Test_caHandler_ProvisionerKey(t *testing.T) {
 					t.Errorf("caHandler.Provisioners Body = %s, wants %s", body, expected)
 				}
 			} else {
-				if !bytes.Equal(bytes.TrimSpace(body), expectedError) {
-					t.Errorf("caHandler.Provisioners Body = %s, wants %s", body, expectedError)
+				if !bytes.Equal(bytes.TrimSpace(body), expectedError404Bytes) {
+					t.Errorf("caHandler.Provisioners Body = %s, wants %s", body, expectedError404Bytes)
 				}
 			}
 		})
 
@@ -0,0 +1,36 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/errs"
+)
+
+// Renew uses the information of certificate in the TLS connection to create a
+// new one.
+func (h *caHandler) Renew(w http.ResponseWriter, r *http.Request) {
+	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
+		WriteError(w, errs.BadRequest(errors.New("missing peer certificate")))
+		return
+	}
+
+	certChain, err := h.Authority.Renew(r.TLS.PeerCertificates[0])
+	if err != nil {
+		WriteError(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))
+		return
+	}
+	certChainPEM := certChainToPEM(certChain)
+	var caPEM Certificate
+	if len(certChainPEM) > 0 {
+		caPEM = certChainPEM[1]
+	}
+
+	logCertificate(w, certChain[0])
+	JSONStatus(w, &SignResponse{
+		ServerPEM:    certChainPEM[0],
+		CaPEM:        caPEM,
+		CertChainPEM: certChainPEM,
+		TLSOptions:   h.Authority.GetTLSOptions(),
+	}, http.StatusCreated)
+}
@@ -0,0 +1,90 @@
+package api
+
+import (
+	"crypto/tls"
+	"net/http"
+
+	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/cli/crypto/tlsutil"
+)
+
+// SignRequest is the request body for a certificate signature request.
+type SignRequest struct {
+	CsrPEM    CertificateRequest `json:"csr"`
+	OTT       string             `json:"ott"`
+	NotAfter  TimeDuration       `json:"notAfter"`
+	NotBefore TimeDuration       `json:"notBefore"`
+}
+
+// Validate checks the fields of the SignRequest and returns nil if they are ok
+// or an error if something is wrong.
+func (s *SignRequest) Validate() error {
+	if s.CsrPEM.CertificateRequest == nil {
+		return errs.BadRequest(errors.New("missing csr"))
+	}
+	if err := s.CsrPEM.CertificateRequest.CheckSignature(); err != nil {
+		return errs.BadRequest(errors.Wrap(err, "invalid csr"))
+	}
+	if s.OTT == "" {
+		return errs.BadRequest(errors.New("missing ott"))
+	}
+
+	return nil
+}
+
+// SignResponse is the response object of the certificate signature request.
+type SignResponse struct {
+	ServerPEM    Certificate          `json:"crt"`
+	CaPEM        Certificate          `json:"ca"`
+	CertChainPEM []Certificate        `json:"certChain"`
+	TLSOptions   *tlsutil.TLSOptions  `json:"tlsOptions,omitempty"`
+	TLS          *tls.ConnectionState `json:"-"`
+}
+
+// Sign is an HTTP handler that reads a certificate request and an
+// one-time-token (ott) from the body and creates a new certificate with the
+// information in the certificate request.
+func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
+	var body SignRequest
+	if err := ReadJSON(r.Body, &body); err != nil {
+		WriteError(w, errs.BadRequest(errors.Wrap(err, "error reading request body")))
+		return
+	}
+
+	logOtt(w, body.OTT)
+	if err := body.Validate(); err != nil {
+		WriteError(w, err)
+		return
+	}
+
+	opts := provisioner.Options{
+		NotBefore: body.NotBefore,
+		NotAfter:  body.NotAfter,
+	}
+
+	signOpts, err := h.Authority.AuthorizeSign(body.OTT)
+	if err != nil {
+		WriteError(w, errs.Unauthorized(err))
+		return
+	}
+
+	certChain, err := h.Authority.Sign(body.CsrPEM.CertificateRequest, opts, signOpts...)
+	if err != nil {
+		WriteError(w, errs.Forbidden(err))
+		return
+	}
+	certChainPEM := certChainToPEM(certChain)
+	var caPEM Certificate
+	if len(certChainPEM) > 0 {
+		caPEM = certChainPEM[1]
+	}
+	logCertificate(w, certChain[0])
+	JSONStatus(w, &SignResponse{
+		ServerPEM:    certChainPEM[0],
+		CaPEM:        caPEM,
+		CertChainPEM: certChainPEM,
+		TLSOptions:   h.Authority.GetTLSOptions(),
+	}, http.StatusCreated)
+}
@@ -282,7 +282,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 		ValidAfter:  body.ValidAfter,
 	}
 
-	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SignSSHMethod)
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SSHSignMethod)
 	signOpts, err := h.Authority.Authorize(ctx, body.OTT)
 	if err != nil {
 		WriteError(w, errs.Unauthorized(err))
 
@@ -56,13 +56,13 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RekeySSHMethod)
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SSHRekeyMethod)
 	signOpts, err := h.Authority.Authorize(ctx, body.OTT)
 	if err != nil {
 		WriteError(w, errs.Unauthorized(err))
 		return
 	}
-	oldCert, err := provisioner.ExtractSSHPOPCert(body.OTT)
+	oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)
 	if err != nil {
 		WriteError(w, errs.InternalServerError(err))
 	}
 
@@ -46,13 +46,13 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RenewSSHMethod)
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SSHRenewMethod)
 	_, err := h.Authority.Authorize(ctx, body.OTT)
 	if err != nil {
 		WriteError(w, errs.Unauthorized(err))
 		return
 	}
-	oldCert, err := provisioner.ExtractSSHPOPCert(body.OTT)
+	oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)
 	if err != nil {
 		WriteError(w, errs.InternalServerError(err))
 	}
Original file line number	Diff line number	Diff line change
`@@ -282,7 +282,7 @@ func (h caHandler) SSHSign(w http.ResponseWriter, r http.Request) {`
`282`	`282`	`ValidAfter: body.ValidAfter,`
`283`	`283`	`}`
`284`	`284`
`285`		`- ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SignSSHMethod)`
	`285`	`+ ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SSHSignMethod)`
`286`	`286`	`signOpts, err := h.Authority.Authorize(ctx, body.OTT)`
`287`	`287`	`if err != nil {`
`288`	`288`	`WriteError(w, errs.Unauthorized(err))`
Original file line number	Diff line number	Diff line change
`@@ -56,13 +56,13 @@ func (h caHandler) SSHRekey(w http.ResponseWriter, r http.Request) {`
`56`	`56`	`return`
`57`	`57`	`}`
`58`	`58`
`59`		`- ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RekeySSHMethod)`
	`59`	`+ ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SSHRekeyMethod)`
`60`	`60`	`signOpts, err := h.Authority.Authorize(ctx, body.OTT)`
`61`	`61`	`if err != nil {`
`62`	`62`	`WriteError(w, errs.Unauthorized(err))`
`63`	`63`	`return`
`64`	`64`	`}`
`65`		`- oldCert, err := provisioner.ExtractSSHPOPCert(body.OTT)`
	`65`	`+ oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)`
`66`	`66`	`if err != nil {`
`67`	`67`	`WriteError(w, errs.InternalServerError(err))`
`68`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,13 +46,13 @@ func (h caHandler) SSHRenew(w http.ResponseWriter, r http.Request) {`
`46`	`46`	`return`
`47`	`47`	`}`
`48`	`48`
`49`		`- ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RenewSSHMethod)`
	`49`	`+ ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SSHRenewMethod)`
`50`	`50`	`_, err := h.Authority.Authorize(ctx, body.OTT)`
`51`	`51`	`if err != nil {`
`52`	`52`	`WriteError(w, errs.Unauthorized(err))`
`53`	`53`	`return`
`54`	`54`	`}`
`55`		`- oldCert, err := provisioner.ExtractSSHPOPCert(body.OTT)`
	`55`	`+ oldCert, _, err := provisioner.ExtractSSHPOPCert(body.OTT)`
`56`	`56`	`if err != nil {`
`57`	`57`	`WriteError(w, errs.InternalServerError(err))`
`58`	`58`	`}`