smallstep-certificates/api/renew.go

package api

import (
	"crypto/x509"
	"net/http"
	"strings"

	"github.com/smallstep/certificates/api/render"
	"github.com/smallstep/certificates/authority"
	"github.com/smallstep/certificates/errs"
)

const (
	authorizationHeader = "Authorization"
	bearerScheme        = "Bearer"
)

// Renew uses the information of certificate in the TLS connection to create a
// new one.
func Renew(w http.ResponseWriter, r *http.Request) {
	ctx := r.Context()

	// Get the leaf certificate from the peer or the token.
	cert, token, err := getPeerCertificate(r)
	if err != nil {
		render.Error(w, err)
		return
	}

	// The token can be used by RAs to renew a certificate.
	if token != "" {
		ctx = authority.NewTokenContext(ctx, token)
	}

	a := mustAuthority(ctx)
	certChain, err := a.RenewContext(ctx, cert, nil)
	if err != nil {
		render.Error(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))
		return
	}
	certChainPEM := certChainToPEM(certChain)
	var caPEM Certificate
	if len(certChainPEM) > 1 {
		caPEM = certChainPEM[1]
	}

	LogCertificate(w, certChain[0])
	render.JSONStatus(w, &SignResponse{
		ServerPEM:    certChainPEM[0],
		CaPEM:        caPEM,
		CertChainPEM: certChainPEM,
		TLSOptions:   a.GetTLSOptions(),
	}, http.StatusCreated)
}

func getPeerCertificate(r *http.Request) (*x509.Certificate, string, error) {
	if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
		return r.TLS.PeerCertificates[0], "", nil
	}
	if s := r.Header.Get(authorizationHeader); s != "" {
		if parts := strings.SplitN(s, bearerScheme+" ", 2); len(parts) == 2 {
			ctx := r.Context()
			peer, err := mustAuthority(ctx).AuthorizeRenewToken(ctx, parts[1])
			return peer, parts[1], err
		}
	}
	return nil, "", errs.BadRequest("missing client certificate")
}
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`package api`

			`import (`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00			`"crypto/x509"`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`"net/http"`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00			`"strings"`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`"github.com/smallstep/certificates/api/render"`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`"github.com/smallstep/certificates/authority"`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`"github.com/smallstep/certificates/errs"`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00			`)`

			`const (`
			`authorizationHeader = "Authorization"`
			`bearerScheme = "Bearer"`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`)`

			`// Renew uses the information of certificate in the TLS connection to create a`
			`// new one.`
Retrieve the authority from the context in api methods. 2022-04-26 19:58:40 +00:00			`func Renew(w http.ResponseWriter, r *http.Request) {`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`ctx := r.Context()`

			`// Get the leaf certificate from the peer or the token.`
			`cert, token, err := getPeerCertificate(r)`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00			`if err != nil {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, err)`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`return`
			`}`

Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`// The token can be used by RAs to renew a certificate.`
			`if token != "" {`
			`ctx = authority.NewTokenContext(ctx, token)`
			`}`

			`a := mustAuthority(ctx)`
			`certChain, err := a.RenewContext(ctx, cert, nil)`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`if err != nil {`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.Error(w, errs.Wrap(http.StatusInternalServerError, err, "cahandler.Renew"))`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`return`
			`}`
			`certChainPEM := certChainToPEM(certChain)`
			`var caPEM Certificate`
Simplify statuscoder error generators. 2020-01-24 06:04:34 +00:00			`if len(certChainPEM) > 1 {`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`caPEM = certChainPEM[1]`
			`}`

Add cert logging for acme/certificate api 2020-08-12 22:50:45 +00:00			`LogCertificate(w, certChain[0])`
api/render, api/log: initial implementation of the packages (#860) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package 2022-03-30 08:22:22 +00:00			`render.JSONStatus(w, &SignResponse{`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`ServerPEM: certChainPEM[0],`
			`CaPEM: caPEM,`
			`CertChainPEM: certChainPEM,`
Retrieve the authority from the context in api methods. 2022-04-26 19:58:40 +00:00			`TLSOptions: a.GetTLSOptions(),`
Introduce generalized statusCoder errors and loads of ssh unit tests. * StatusCoder api errors that have friendly user messages. * Unit tests for SSH sign/renew/rekey/revoke across all provisioners. 2019-12-20 21:30:05 +00:00			`}, http.StatusCreated)`
			`}`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`func getPeerCertificate(r http.Request) (x509.Certificate, string, error) {`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00			`if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`return r.TLS.PeerCertificates[0], "", nil`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00			`}`
			`if s := r.Header.Get(authorizationHeader); s != "" {`
			`if parts := strings.SplitN(s, bearerScheme+" ", 2); len(parts) == 2 {`
Retrieve the authority from the context in api methods. 2022-04-26 19:58:40 +00:00			`ctx := r.Context()`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`peer, err := mustAuthority(ctx).AuthorizeRenewToken(ctx, parts[1])`
			`return peer, parts[1], err`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00			`}`
			`}`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00			`return nil, "", errs.BadRequest("missing client certificate")`
Allow to renew certificates using an x5c-like token. 2022-03-10 04:37:41 +00:00			`}`