@LukeChannings
Created January 12, 2025 18:29
A step-ca x509 template for an x5c provisioner that enforces the provisioner's PermittedDNSDomains constraints.
{{/*
This template creates an x509 certificate given an x5c certificate issued by the Hosts CA.
Smallstep's step-ca reserves per-provisioner policies for their enterprise tier, so I'm implementing
the Permitted DNS Domain extension enforcement in the template.

Matching follows the RFC 5280 dNSName constraint semantics that Go's crypto/x509 applies:
"example.com" permits example.com and any subdomain of it, ".example.com" permits only
subdomains, an x5c certificate with no constraints permits every name, and names are
compared case-insensitively. Each alternative is anchored on its own, so a name such as
"evilexample.com" does not satisfy the constraint "example.com".
*/}}
{{- $permitted_domains := .AuthorizationCrt.PermittedDNSDomains }}
{{/* Combine the Subject Common Name and the Subject Alt Names into one list so we can check everything in one pass. */}}
{{- $requested_domains := concat (list (dict "Value" .Subject.CommonName "Type" "dns")) .SANs }}
{{/* Build a Permitted Domains regex with one anchored alternative per constraint. */}}
{{- $have_constraint := false }}
{{- $permitted_domains_re := "(?i)^(" }}
{{- range $permitted_domains }}
{{- if not (empty .) }}
{{- $have_constraint = true }}
{{- if hasPrefix "." . }}
{{/* Leading dot: at least one label must precede the constraint. */}}
{{- $permitted_domains_re = printf "%s.*%s|" $permitted_domains_re (regexQuoteMeta .) }}
{{- else }}
{{/* No leading dot: the name itself or any subdomain of it. */}}
{{- $permitted_domains_re = printf "%s(.*\\.)?%s|" $permitted_domains_re (regexQuoteMeta .) }}
{{- end }}
{{- end }}
{{- end }}
{{- $permitted_domains_re = printf "%s)$" (trimSuffix "|" $permitted_domains_re) }}
{{/* Check that every requested DNS name matches our Permitted Domains; skip the check when the x5c certificate carries no constraint. */}}
{{- if $have_constraint }}
{{- range $requested_domains }}
{{- if and (eq .Type "dns") (not (empty .Value)) (not (mustRegexMatch $permitted_domains_re .Value)) }}
{{- $error_msg := printf "%q is not a permitted domain.\n\n" .Value }}
{{- $error_msg = printf "%sPermitted domains for this certificate are:\n\n" $error_msg }}
{{- range $permitted_domains }}
{{- if not (empty .) }}
{{- $error_msg = printf "%s- %s\n" $error_msg . }}
{{- end }}
{{- end }}
{{ fail $error_msg }}
{{- end }}
{{- end }}
{{- end }}
{
  "subject": {{ toJson .Subject }},
  "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
  "keyUsage": ["digitalSignature"],
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}
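As an added illustration (not part of the gist and not step-ca code), the Go program below rebuilds the constraint regex the same way the template does, so the accept/reject behaviour can be checked against sample names offline. It puts the loose `^.*(…)$` shape beside the anchored per-constraint form; `buildPermittedRegexp`, `buildNaiveRegexp` and the sample constraints are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// buildPermittedRegexp mirrors the regex assembled in the template from
// .AuthorizationCrt.PermittedDNSDomains (hypothetical helper, not step-ca code).
// Each constraint follows RFC 5280 / crypto/x509 dNSName semantics: "example.com"
// permits example.com and any subdomain, ".example.com" permits only subdomains.
// Assumes at least one non-empty constraint; the template skips the check otherwise.
func buildPermittedRegexp(permitted []string) *regexp.Regexp {
	var alts []string
	for _, d := range permitted {
		if d == "" {
			continue
		}
		if strings.HasPrefix(d, ".") {
			alts = append(alts, ".*"+regexp.QuoteMeta(d))
		} else {
			alts = append(alts, `(.*\.)?`+regexp.QuoteMeta(d))
		}
	}
	return regexp.MustCompile("(?i)^(" + strings.Join(alts, "|") + ")$")
}

// buildNaiveRegexp builds the "^.*(a|b)$" shape; it is here only to show
// why an unanchored prefix is too loose for a name constraint.
func buildNaiveRegexp(permitted []string) *regexp.Regexp {
	var alts []string
	for _, d := range permitted {
		if d != "" {
			alts = append(alts, regexp.QuoteMeta(d))
		}
	}
	return regexp.MustCompile("^.*(" + strings.Join(alts, "|") + ")$")
}

func main() {
	permitted := []string{"example.com", ".lab.internal"} // constructed sample constraints
	strict, naive := buildPermittedRegexp(permitted), buildNaiveRegexp(permitted)
	for _, n := range []string{"www.example.com", "evilexample.com", "lab.internal", "host.lab.internal"} {
		fmt.Printf("%-18s strict=%-5v naive=%v\n", n, strict.MatchString(n), naive.MatchString(n))
	}
}
```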