From a0f6119d60d682f65c7a786d70116ad943b7d9b2 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 4 Nov 2023 16:32:22 -0500
Subject: [PATCH] server: host: Remove alias request parameter

I realized that allowing hosts to request certificates for arbitrary aliases sort of defeats the purpose of the authentication process. If a host successfully authenticates, there would be nothing stopping it from requesting a certificate for another host. I will have to come up with a different way of specifying aliases. Probably something like a JSON map containing pre-assigned aliases for hosts that will need them.
---
 src/server/host.rs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/server/host.rs b/src/server/host.rs
index 2144404..ebfa526 100644
--- a/src/server/host.rs
+++ b/src/server/host.rs
@@ -84,7 +84,6 @@ impl IntoResponse for SignKeyError {
 struct SignKeyRequest {
 hostname: String,
 pubkey: Vec,
- aliases: Vec,
 }
 pub(super) async fn sign_host_cert(
@@ -100,7 +99,6 @@ pub(super) async fn sign_host_cert(
 Some("pubkey") => {
 body.pubkey = field.bytes().await?.into();
 }
- Some("alias") => body.aliases.push(field.text().await?),
 Some("hostname") => body.hostname = field.text().await?,
 Some(n) => {
 warn!("Client request included unsupported field {:?}", n);
@@ -111,7 +109,6 @@ pub(super) async fn sign_host_cert(
 if body.pubkey.is_empty() {
 return Err(SignKeyError::NoKey);
 }
- let aliases: Vec<_> = body.aliases.iter().map(String::as_ref).collect();
 let config = &ctx.config;
 let duration = Duration::from_secs(config.ca.host.cert_duration);
@@ -140,7 +137,7 @@ pub(super) async fn sign_host_cert(
 hostname
 );
 let cert =
- ca::sign_cert(&hostname, &pubkey, duration, &privkey, &aliases)?;
+ ca::sign_cert(&hostname, &pubkey, duration, &privkey, &[])?;
 info!(
 "Signed {} key for {}",
 pubkey.algorithm().as_str(),
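Review bot: The empty slice passed to `ca::sign_cert` in the last hunk is the whole security fix, yet nothing on that line records why, so a later change could wire request data back into that argument; a comment such as `// Extra principals must never come from the request: a host may only be certified for its own name.` would pin the intent. The `hostname` signed alongside it still originates from the multipart `hostname` field kept in the second hunk, and the code that presumably binds it to the authenticated identity sits between the third and fourth hunks, outside the diff, so it is worth confirming that check covers the exact string handed to `sign_cert`. After this change an `alias` field falls into the `Some(n)` arm and is only logged with `warn!`, so a regression test asserting that such a request yields a certificate with no extra principals would guard the behaviour. The body of `sign_host_cert` starts and ends outside the hunk.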