Several improvements

* Add EC support * Make token form toggleable * Make client certificates compatible with iOS native IKEv2 * Fix OU for self-enroll * Improved sample scripts in web UI
2025-10-30 08:59:13 +00:00 · 2018-04-09 13:08:12 +00:00
parent 9c6872a949
commit 577962e09b
11 changed files with 253 additions and 184 deletions
--- a/certidude/api/init.py
+++ b/certidude/api/init.py
@@ -10,7 +10,7 @@ from xattr import listxattr, getxattr
 from certidude.auth import login_required
 from certidude.user import User
 from certidude.decorators import serialize, csrf_protection
-from certidude import const, config
+from certidude import const, config, authority
 from .utils import AuthorityHandler

 logger = logging.getLogger(__name__)
@@ -140,8 +140,11 @@ class SessionResource(AuthorityHandler):
                    offline = 600, # Seconds from last seen activity to consider lease offline, OpenVPN reneg-sec option
                    dead = 604800 # Seconds from last activity to consider lease dead, X509 chain broken or machine discarded
                ),
-                common_name = const.FQDN,
-                title = self.authority.certificate.subject.native["common_name"],
+                certificate = dict(
+                    algorithm = authority.public_key.algorithm,
+                    common_name = self.authority.certificate.subject.native["common_name"],
+                    blob = self.authority.certificate_buf.decode("ascii"),
+                ),
                mailer = dict(
                    name = config.MAILER_NAME,
                    address = config.MAILER_ADDRESS
@@ -164,6 +167,7 @@ class SessionResource(AuthorityHandler):
                )
            ) if req.context.get("user").is_admin() else None,
            features=dict(
+                token=bool(config.TOKEN_URL),
                tagging=True,
                leases=True,
                logging=config.LOGGING_BACKEND))
--- a/certidude/api/token.py
+++ b/certidude/api/token.py
@@ -41,7 +41,8 @@ class TokenResource(AuthorityHandler):
        common_name = csr["certification_request_info"]["subject"].native["common_name"]
        assert common_name == username or common_name.startswith(username + "@"), "Invalid common name %s" % common_name
        try:
-            _, resp.body = self.authority._sign(csr, body, profile="default")
+            _, resp.body = self.authority._sign(csr, body, profile="default",
+                overwrite=config.TOKEN_OVERWRITE_PERMITTED)
            resp.set_header("Content-Type", "application/x-pem-file")
            logger.info("Autosigned %s as proven by token ownership", common_name)
        except FileExistsError: