Adjust digest flag not to use globals

Support any case input for digest algo
micromdm · Jan 30, 2024 · 116a800 · 116a800
1 parent e41b5eb
commit 116a800
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 16 deletions.
diff --git a/cmd/scepserver/scepserver.go b/cmd/scepserver/scepserver.go
@@ -9,12 +9,13 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"go.mozilla.org/pkcs7"
+	"github.com/smallstep/pkcs7"
 	"net/http"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"
 
 	"github.com/micromdm/scep/v2/csrverifier"
@@ -45,8 +46,6 @@ var digestStringOIMap = map[string]asn1.ObjectIdentifier{
 	"ECDSASHA512": pkcs7.OIDDigestAlgorithmECDSASHA512,
 }
 
-var digest = pkcs7.OIDDigestAlgorithmSHA256
-
 func main() {
 	var caCMD = flag.NewFlagSet("ca", flag.ExitOnError)
 	{
@@ -61,20 +60,18 @@ func main() {
 	var (
 		flVersion           = flag.Bool("version", false, "prints version information")
 		flHTTPAddr          = flag.String("http-addr", envString("SCEP_HTTP_ADDR", ""), "http listen address. defaults to \":8080\"")
-		flPort              = flag.String("port", envString("SCEP_HTTP_LISTEN_PORT", "8081"), "http port to listen on (if you want to specify an address, use -http-addr instead)")
+		flPort              = flag.String("port", envString("SCEP_HTTP_LISTEN_PORT", "8080"), "http port to listen on (if you want to specify an address, use -http-addr instead)")
 		flDepotPath         = flag.String("depot", envString("SCEP_FILE_DEPOT", "depot"), "path to ca folder")
 		flCAPass            = flag.String("capass", envString("SCEP_CA_PASS", ""), "passwd for the ca.key")
 		flClDuration        = flag.String("crtvalid", envString("SCEP_CERT_VALID", "365"), "validity for new client certificates in days")
 		flClAllowRenewal    = flag.String("allowrenew", envString("SCEP_CERT_RENEW", "14"), "do not allow renewal until n days before expiry, set to 0 to always allow")
 		flChallengePassword = flag.String("challenge", envString("SCEP_CHALLENGE_PASSWORD", ""), "enforce a challenge password")
 		flCSRVerifierExec   = flag.String("csrverifierexec", envString("SCEP_CSR_VERIFIER_EXEC", ""), "will be passed the CSRs for verification")
+		flDigestAlgo        = flag.String("digest-algo", envString("SCEP_DIGEST_ALGO", "SHA256"), "digest algorithm for pkcs7")
 		flDebug             = flag.Bool("debug", envBool("SCEP_LOG_DEBUG"), "enable debug logging")
 		flLogJSON           = flag.Bool("log-json", envBool("SCEP_LOG_JSON"), "output JSON logs")
 		flSignServerAttrs   = flag.Bool("sign-server-attrs", envBool("SCEP_SIGN_SERVER_ATTRS"), "sign cert attrs for server usage")
 	)
-	//main flags
-	flag.Func("digest-algo", "digest algorithm for pkcs7", parseUserDefinedDigestAlgo)
-
 	flag.Usage = func() {
 		flag.PrintDefaults()
 
@@ -103,6 +100,17 @@ func main() {
 		httpAddr = ":" + *flPort
 	}
 
+	var digestAlgo asn1.ObjectIdentifier
+	digestSet := setByUser("digest-algo", "SCEP_DIGEST_ALGO")
+	if digestSet {
+		d, err := parseUserDefinedDigestAlgo(*flDigestAlgo)
+		if err != nil {
+			fmt.Fprintln(os.Stderr, err.Error())
+			os.Exit(1)
+		}
+		digestAlgo = d
+	}
+
 	var logger log.Logger
 	{
 
@@ -174,7 +182,7 @@ func main() {
 		if csrVerifier != nil {
 			signer = csrverifier.Middleware(csrVerifier, signer)
 		}
-		svc, err = scepserver.NewService(crts[0], key, signer, scepserver.WithLogger(logger), scepserver.WithDigestAlgo(digest))
+		svc, err = scepserver.NewService(crts[0], key, signer, scepserver.WithLogger(logger), scepserver.WithDigestAlgo(digestAlgo))
 		if err != nil {
 			lginfo.Log("err", err)
 			os.Exit(1)
@@ -338,14 +346,13 @@ func setByUser(flagName, envName string) bool {
 	return flagSet || envSet
 }
 
-func parseUserDefinedDigestAlgo(s string) error {
+func parseUserDefinedDigestAlgo(s string) (asn1.ObjectIdentifier, error) {
 	if s == "" {
-		return nil
+		//no value is fine, it will default to SHA256
+		return nil, nil
 	}
-	if v, ok := digestStringOIMap[s]; !ok {
-		return errors.New("invalid value for digest algo")
-	} else {
-		digest = v
+	if v, ok := digestStringOIMap[strings.ToUpper(s)]; ok {
+		return v, nil
 	}
-	return nil
+	return nil, errors.New("invalid value for digest algo")
 }
diff --git a/go.mod b/go.mod
@@ -9,7 +9,6 @@ require (
 	github.com/groob/finalizer v0.0.0-20210806035223-91592c9e1e0b
 	github.com/pkg/errors v0.8.0
 	github.com/smallstep/pkcs7 v0.0.0-20231107075624-be1870d87d13
-	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 )
 
 require (