Produce serial number selector in x509pop NodeAttestor #4216

Merged
merged 5 commits into from
Jun 14, 2023
Merged
Produce serial number selector in x509pop NodeAttestor
The serial number of an X.509 certificate is required to be unique among certificates issued by the same CA and
may be a useful way to organize authorized workload entries.

Signed-off-by: Ryan Turner <turner@uber.com>
Ryan Turner committed Jun 2, 2023
commit cd3ecfc0413063e75fc53ded7d8fd81c98b1d705
6 changes: 5 additions & 1 deletion pkg/server/plugin/nodeattestor/x509pop/x509pop.go
Expand Up @@ -240,7 +240,7 @@ func (p *Plugin) setConfiguration(config *configuration) {
}

func buildSelectorValues(leaf *x509.Certificate, chains [][]*x509.Certificate) []string {
selectorValues := []string{}
var selectorValues []string

if leaf.Subject.CommonName != "" {
selectorValues = append(selectorValues, "subject:cn:"+leaf.Subject.CommonName)
Expand All @@ -263,5 +263,9 @@ func buildSelectorValues(leaf *x509.Certificate, chains [][]*x509.Certificate) [
}
}

if leaf.SerialNumber != nil {
selectorValues = append(selectorValues, "serialnumber:"+leaf.SerialNumber.String())
}

return selectorValues
}
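Review bot: The new `serialnumber:` selector emitted in the `leaf.SerialNumber != nil` branch is unique only per issuing CA (RFC 5280 requires uniqueness among certificates of one issuer, not globally), so with several roots in `ca_bundle_path(s)` a registration entry keyed on `serialnumber:N` alone matches any trusted chain whose leaf carries that serial; operators should pair it with a `ca:fingerprint:` selector, and that caveat belongs both in a comment here and in the plugin's selector documentation. The value is rendered with `big.Int.String()`, i.e. decimal, whereas `openssl x509 -serial` and most PKI tooling print hex, so the encoding should be stated wherever the selector is documented or entries will silently never match. Suggested comment above the branch: `// Serial numbers are unique only per issuing CA and are rendered in decimal; combine with ca:fingerprint when the bundle holds more than one CA.` The nil guard looks purely defensive — as far as I can tell `x509.ParseCertificate` always populates SerialNumber — so it is harmless but could carry a one-line comment saying so.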
5 changes: 3 additions & 2 deletions pkg/server/plugin/nodeattestor/x509pop/x509pop_test.go
Expand Up @@ -88,8 +88,8 @@ func (s *Suite) TestAttestSuccess() {
},
{
desc: "success with custom agent id (ca_bundle_paths)",
expectAgentID: "spiffe://example.org/spire/agent/cn/COMMONNAME",
giveConfig: s.createConfiguration("ca_bundle_paths", `agent_path_template = "/cn/{{ .Subject.CommonName }}"`),
expectAgentID: "spiffe://example.org/spire/agent/serialnumber/3",
giveConfig: s.createConfiguration("ca_bundle_paths", `agent_path_template = "/serialnumber/{{ .SerialNumber }}"`),
},
}

Expand Down Expand Up @@ -124,6 +124,7 @@ func (s *Suite) TestAttestSuccess() {
{Type: "x509pop", Value: "subject:cn:COMMONNAME"},
{Type: "x509pop", Value: "ca:fingerprint:" + x509pop.Fingerprint(s.intermediateCert)},
{Type: "x509pop", Value: "ca:fingerprint:" + x509pop.Fingerprint(s.rootCert)},
{Type: "x509pop", Value: "serialnumber:3"},
}, result.Selectors)
})
}
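Review bot: The edited case at the `expectAgentID`/`giveConfig` pair replaces the only exercise of the `{{ .Subject.CommonName }}` agent path template instead of adding a new case, so coverage of the CN-based template is lost; keep the original case and add a separate one such as `desc: "success with custom agent id (serial number template)"`. The serial-only template `/serialnumber/{{ .SerialNumber }}` also models a pattern operators should be warned against, since serials are unique only per issuing CA and two CAs in the bundle can yield agents with the same SPIFFE ID. The new expectation `{Type: "x509pop", Value: "serialnumber:3"}` is correct for the fixture, but a case with a large serial (one that openssl would print as hex) would pin the decimal encoding produced by `big.Int.String()`. TestAttestSuccess begins and ends outside the hunk.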
8 changes: 4 additions & 4 deletions test/fixture/nodeattestor/x509pop/generate.go
Expand Up @@ -34,7 +34,7 @@ func main() {
intermediateKey := generateRSAKey()

intermediateCert := createCertificate(intermediateKey, &x509.Certificate{
SerialNumber: big.NewInt(1),
SerialNumber: big.NewInt(2),
BasicConstraintsValid: true,
IsCA: true,
NotAfter: neverExpires,
Expand All @@ -43,7 +43,7 @@ func main() {
leafKey := generateRSAKey()

leafCert := createCertificate(leafKey, &x509.Certificate{
SerialNumber: big.NewInt(1),
SerialNumber: big.NewInt(3),
KeyUsage: x509.KeyUsageDigitalSignature,
NotAfter: neverExpires,
Subject: pkix.Name{CommonName: "COMMONNAME"},
Expand Down Expand Up @@ -81,7 +81,7 @@ func writeKey(path string, key interface{}) {
Type: "PRIVATE KEY",
Bytes: keyBytes,
})
err = os.WriteFile(path, pemBytes, 0600)
err = os.WriteFile(path, pemBytes, 0o600)
panice(err)
}

Expand All @@ -94,6 +94,6 @@ func writeCerts(path string, certs ...*x509.Certificate) {
})
panice(err)
}
err := os.WriteFile(path, data.Bytes(), 0600)
err := os.WriteFile(path, data.Bytes(), 0o600)
panice(err)
}
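Review bot: The changes at `big.NewInt(2)` and `big.NewInt(3)` leave no record of why the intermediate and leaf now need distinct serials, which a future fixture regeneration could silently undo; a short comment would help, e.g. `// distinct serials: the x509pop test asserts the leaf selector "serialnumber:3"`. The root certificate's serial is set outside this hunk and presumably still uses 1, which is fine as long as it differs from the leaf. The `0o600` edits are a formatting change only.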
16 changes: 8 additions & 8 deletions test/fixture/nodeattestor/x509pop/intermediate.pem
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw
MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDW
UpS68MTlVPbSNdjicX80KYFmK5CMA8nQs1EXEXAdwWuKzMy7obvTu7bIqbqLJQvi
PfNwXu986tg/s51PeoJ9UoUSf5bJqPW05tYEDSiqOQsf21Snjp3cxZIC/+pLA28C
AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUYbZxH0x8WrcY9r++
pEyVwL48W2MwDQYJKoZIhvcNAQELBQADYQCoXQg2nK51+w5bEyg+qa0N+sWkyYYq
S/GR/YnJuPAVsBZ4pug/ggkdHtrb3g4fPlCNseTFyJYbYcXl+DqW6sJp8ZhnrmYP
y7Pj902GdgJRpzg0DrSttqT8AJvMBXDccK8=
MIIBZjCB8aADAgECAgECMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw
MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCa
ZoonwCLeHkAKr/grV8slwveHlh/28VX+8U0wPfvdMPJf5s61PLFwxntfDlPyAFn3
l+ZDIoSlb2m8Luf2eBqxhHruZgkqwYQD25L+j74dG/8HeEPU98AZwn6kaPZlFz0C
AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU3W6LsOJgzhtkBfOM
94OVZ2YMFC8wDQYJKoZIhvcNAQELBQADYQCN/cuXqKFTcRvLmLj3rlR3xvVkYHls
0NAEw0OM1fTEOxzrx931ILA2QsBfS61eULk4TUXNlFDAdLJmrEAsWuV4aAVcoKOj
LBtrrS/OPHOuAp48sr71ciMgAsKj7PCqB5Y=
-----END CERTIFICATE-----
32 changes: 16 additions & 16 deletions test/fixture/nodeattestor/x509pop/leaf-crt-bundle.pem
@@ -1,21 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIBfTCCAQegAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw
MIIBfTCCAQegAwIBAgIBAzANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw
MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBUxEzARBgNVBAMTCkNPTU1PTk5BTUUwfDAN
BgkqhkiG9w0BAQEFAANrADBoAmEArRwxAq+ajkNS7mJ+ia8GSV/+5HzmHHmLQuoD
P6iNw4AMtYZFV01Dw4aphMfstRasoRnfxKCTkfqQAZkUkDZ1jQdS+QDGvscKQ+mR
PKckkDTopeCp1WGTc3WEUB5Q7DJvAgMBAAGjMzAxMA4GA1UdDwEB/wQEAwIHgDAf
BgNVHSMEGDAWgBRhtnEfTHxatxj2v76kTJXAvjxbYzANBgkqhkiG9w0BAQsFAANh
ALDVUEceVCdPUsWjbXOIB64tO4sVQk4eIH974nXG5HPuMW8f2CwnE2Fg0dirEose
y7l11jo5zbpsk7YXBE34B93ds5Ofcte2reUatEhh44yWC+FN2atelYK1hh/FpMBC
GQ==
BgkqhkiG9w0BAQEFAANrADBoAmEAuoQesWD+20va6saTFE8w4WO3CzrUHF0JXJ/+
HVtqeX//uDneQm0tSvpid6+6ujXYEw3hxoX5/el0tsATzEufF7RtDmbMSmx+t+82
FKprsTktDaLxL3fjjiOmevmfZ2EnAgMBAAGjMzAxMA4GA1UdDwEB/wQEAwIHgDAf
BgNVHSMEGDAWgBTdbouw4mDOG2QF84z3g5VnZgwULzANBgkqhkiG9w0BAQsFAANh
AC3kLZfecT7fr4eCo/5cjQ4xJ1X3/Upwgna8jT+Ir75BurDGf8CjNX302ymB4Qb4
cltVYfn5vbBr0yrJyMq+ovksbwRVvCFgh7wkGQw/U79DZ/jJtuzt4+pJfHeI+SRB
bg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw
MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDW
UpS68MTlVPbSNdjicX80KYFmK5CMA8nQs1EXEXAdwWuKzMy7obvTu7bIqbqLJQvi
PfNwXu986tg/s51PeoJ9UoUSf5bJqPW05tYEDSiqOQsf21Snjp3cxZIC/+pLA28C
AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUYbZxH0x8WrcY9r++
pEyVwL48W2MwDQYJKoZIhvcNAQELBQADYQCoXQg2nK51+w5bEyg+qa0N+sWkyYYq
S/GR/YnJuPAVsBZ4pug/ggkdHtrb3g4fPlCNseTFyJYbYcXl+DqW6sJp8ZhnrmYP
y7Pj902GdgJRpzg0DrSttqT8AJvMBXDccK8=
MIIBZjCB8aADAgECAgECMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw
MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQCa
ZoonwCLeHkAKr/grV8slwveHlh/28VX+8U0wPfvdMPJf5s61PLFwxntfDlPyAFn3
l+ZDIoSlb2m8Luf2eBqxhHruZgkqwYQD25L+j74dG/8HeEPU98AZwn6kaPZlFz0C
AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU3W6LsOJgzhtkBfOM
94OVZ2YMFC8wDQYJKoZIhvcNAQELBQADYQCN/cuXqKFTcRvLmLj3rlR3xvVkYHls
0NAEw0OM1fTEOxzrx931ILA2QsBfS61eULk4TUXNlFDAdLJmrEAsWuV4aAVcoKOj
LBtrrS/OPHOuAp48sr71ciMgAsKj7PCqB5Y=
-----END CERTIFICATE-----
22 changes: 11 additions & 11 deletions test/fixture/nodeattestor/x509pop/leaf-key.pem
@@ -1,13 +1,13 @@
-----BEGIN PRIVATE KEY-----
MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEArRwxAq+ajkNS7mJ+
ia8GSV/+5HzmHHmLQuoDP6iNw4AMtYZFV01Dw4aphMfstRasoRnfxKCTkfqQAZkU
kDZ1jQdS+QDGvscKQ+mRPKckkDTopeCp1WGTc3WEUB5Q7DJvAgMBAAECYERzwGGa
hNg6gQGoyvaw0iCTqBw701ZxLYNRO+WhRiWHbf8d0C+cau5XQpMx50UYaJX3389u
RQbWO5Z9zNcgSRAuLZuXvDzOeOtV3OPGjfRhhXVpJwYp461XaUbKDs/PEQIxAOMg
O8sicHBmrC9g94pjniApVP2gA4McjwE2NIngSk9W6urSGfmN3kbfZJWfDNokyQIx
AMMeBmkKFKh+t1niz0ezpLv9u9F/9d/g1d4ZxQ7PVLeXblNvkGOWXTbUWiC+4xXR
dwIwV9NZC72veOda4Z8/WVYYCRuyb7h2Yzah3bgWLNJ8KZ3UjSTdQnCnaQRtIqY0
FA5xAjA7JrMSzPeOTTwQh+4G8rMSOs3hqUVE5chwWKeg4cHxFntf2AaR6le/84iP
PM9jIekCMQDJu/Jmcth5PotCT4eE5bPsOYuWMhYyWkYIprP6uTKhURFJf3pxVgGt
8ApA517OF6w=
MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEAuoQesWD+20va6saT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-----END PRIVATE KEY-----
16 changes: 8 additions & 8 deletions test/fixture/nodeattestor/x509pop/leaf.pem
@@ -1,11 +1,11 @@
-----BEGIN CERTIFICATE-----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BgkqhkiG9w0BAQEFAANrADBoAmEAuoQesWD+20va6saTFE8w4WO3CzrUHF0JXJ/+
HVtqeX//uDneQm0tSvpid6+6ujXYEw3hxoX5/el0tsATzEufF7RtDmbMSmx+t+82
FKprsTktDaLxL3fjjiOmevmfZ2EnAgMBAAGjMzAxMA4GA1UdDwEB/wQEAwIHgDAf
BgNVHSMEGDAWgBTdbouw4mDOG2QF84z3g5VnZgwULzANBgkqhkiG9w0BAQsFAANh
AC3kLZfecT7fr4eCo/5cjQ4xJ1X3/Upwgna8jT+Ir75BurDGf8CjNX302ymB4Qb4
cltVYfn5vbBr0yrJyMq+ovksbwRVvCFgh7wkGQw/U79DZ/jJtuzt4+pJfHeI+SRB
bg==
-----END CERTIFICATE-----
14 changes: 7 additions & 7 deletions test/fixture/nodeattestor/x509pop/root-crt.pem
@@ -1,10 +1,10 @@
-----BEGIN CERTIFICATE-----
MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw
MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDb
gVZ0/8TYYk7DUArD+jJBNZRYCpnWlIcsHZXS+EkANck4PKK0noS+dytNB+EeIvb2
5oudnHoa7kItA2WHpC6H5o3KSacTk5W/YWrU8pDvtSrFmK+tBXjoFTkJVDbmIaMC
AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUlC1s6l4WVTeJyDd9
zU9e+sCYIwQwDQYJKoZIhvcNAQELBQADYQDZu2CQxpqpu2veGuT9UmCyFzhk1km6
oU+QE4ZBegzTk3wAXaky3TxY1NSi8pzx7ynDG5tRIVbVZFnA6VX6qaXJpFr8jFFr
tatahAJuWMCNHfwVZ7Hx4mPztoPHQaEEIpw=
MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDA
dmNXvu6D7YjyCh3cw7kKqLbbufIi+B9I6KYgbmBD7+AYxieFsyCwzzkfjsU9iNjS
qlj066/zzOjpL6QzVB3/KRzYYY8gFCHXPXwIGromgTuz5E0IPJvK7euwaBUxVeUC
AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUBRMe2lncgY4UoTWZ
vM33XXHrwdAwDQYJKoZIhvcNAQELBQADYQAeKwgLLV+9WT2wHEBcEHcglEelZ3lJ
letZ3thha5MPviOIcyiBGlZskG7FSBdPPTpyw5B5uDrVJoQyNyKrmI7hWGk4e1t4
eCyOfCuyO9asPvzQIx0JJHlFVqgIENV+Nis=
-----END CERTIFICATE-----