2018-10-05 21:48:36 +00:00
package authority
import (
2019-07-29 19:34:27 +00:00
"context"
2020-09-18 23:25:08 +00:00
"crypto/sha256"
2018-11-01 22:43:24 +00:00
"crypto/x509"
2020-09-18 23:25:08 +00:00
"encoding/hex"
2022-05-20 21:41:44 +00:00
"fmt"
2018-10-05 21:48:36 +00:00
"net/http"
2022-03-11 04:21:01 +00:00
"net/url"
2021-07-21 22:22:57 +00:00
"strconv"
2019-03-18 17:59:36 +00:00
"strings"
2021-05-03 19:48:20 +00:00
"time"
2018-10-05 21:48:36 +00:00
2022-08-23 19:43:48 +00:00
"github.com/pkg/errors"
2021-05-03 19:48:20 +00:00
"github.com/smallstep/certificates/authority/admin"
2019-03-06 23:04:28 +00:00
"github.com/smallstep/certificates/authority/provisioner"
2019-12-20 21:30:05 +00:00
"github.com/smallstep/certificates/errs"
2020-08-24 21:44:11 +00:00
"go.step.sm/crypto/jose"
2021-05-03 19:48:20 +00:00
"go.step.sm/linkedca"
2019-12-20 21:30:05 +00:00
"golang.org/x/crypto/ssh"
2018-10-05 21:48:36 +00:00
)
2019-03-06 23:04:28 +00:00
// Claims extends jose.Claims with step attributes.
2019-01-30 23:36:42 +00:00
type Claims struct {
2019-03-06 23:04:28 +00:00
jose . Claims
2019-03-07 01:00:45 +00:00
SANs [ ] string ` json:"sans,omitempty" `
Email string ` json:"email,omitempty" `
Nonce string ` json:"nonce,omitempty" `
2019-01-30 23:36:42 +00:00
}
2019-11-20 19:51:25 +00:00
type skipTokenReuseKey struct { }
// NewContextWithSkipTokenReuse creates a new context from ctx and attaches a
// value to skip the token reuse.
func NewContextWithSkipTokenReuse ( ctx context . Context ) context . Context {
return context . WithValue ( ctx , skipTokenReuseKey { } , true )
}
// SkipTokenReuseFromContext returns if the token reuse needs to be ignored.
func SkipTokenReuseFromContext ( ctx context . Context ) bool {
m , _ := ctx . Value ( skipTokenReuseKey { } ) . ( bool )
return m
}
2022-05-20 21:41:44 +00:00
// getProvisionerFromToken extracts a provisioner from the given token without
// doing any token validation.
func ( a * Authority ) getProvisionerFromToken ( token string ) ( provisioner . Interface , * Claims , error ) {
2019-12-20 21:30:05 +00:00
tok , err := jose . ParseSigned ( token )
2018-10-05 21:48:36 +00:00
if err != nil {
2022-05-20 21:41:44 +00:00
return nil , nil , fmt . Errorf ( "error parsing token: %w" , err )
2018-10-05 21:48:36 +00:00
}
2018-10-30 01:00:30 +00:00
// Get claims w/out verification. We need to look up the provisioner
// key in order to verify the claims and we need the issuer from the claims
// before we can look up the provisioner.
2019-03-07 01:00:45 +00:00
var claims Claims
2021-10-08 18:59:57 +00:00
if err := tok . UnsafeClaimsWithoutVerification ( & claims ) ; err != nil {
2022-05-20 21:41:44 +00:00
return nil , nil , fmt . Errorf ( "error unmarshaling token: %w" , err )
}
// This method will also validate the audiences for JWK provisioners.
p , ok := a . provisioners . LoadByToken ( tok , & claims . Claims )
if ! ok {
return nil , nil , fmt . Errorf ( "provisioner not found or invalid audience (%s)" , strings . Join ( claims . Audience , ", " ) )
}
return p , & claims , nil
}
// authorizeToken parses the token and returns the provisioner used to generate
// the token. This method enforces the One-Time use policy (tokens can only be
// used once).
func ( a * Authority ) authorizeToken ( ctx context . Context , token string ) ( provisioner . Interface , error ) {
p , claims , err := a . getProvisionerFromToken ( token )
if err != nil {
return nil , errs . UnauthorizedErr ( err )
2018-10-30 01:00:30 +00:00
}
2018-10-05 21:48:36 +00:00
2019-03-05 08:07:13 +00:00
// TODO: use new persistence layer abstraction.
2018-10-25 01:59:48 +00:00
// Do not accept tokens issued before the start of the ca.
// This check is meant as a stopgap solution to the current lack of a persistence layer.
if a . config . AuthorityConfig != nil && ! a . config . AuthorityConfig . DisableIssuedAtCheck {
2019-04-05 19:54:23 +00:00
if claims . IssuedAt != nil && claims . IssuedAt . Time ( ) . Before ( a . startTime ) {
2022-05-20 21:41:44 +00:00
return nil , errs . Unauthorized ( "token issued before the bootstrap of certificate authority" )
2018-10-25 01:59:48 +00:00
}
}
2019-11-20 19:51:25 +00:00
// Store the token to protect against reuse unless it's skipped.
2020-09-18 23:25:08 +00:00
// If we cannot get a token id from the provisioner, just hash the token.
2019-11-20 19:51:25 +00:00
if ! SkipTokenReuseFromContext ( ctx ) {
2021-10-08 18:59:57 +00:00
if err := a . UseToken ( token , p ) ; err != nil {
2021-05-03 19:48:20 +00:00
return nil , err
2019-03-07 01:00:45 +00:00
}
}
2019-03-06 23:04:28 +00:00
2019-03-05 08:07:13 +00:00
return p , nil
}
2021-05-03 19:48:20 +00:00
// AuthorizeAdminToken authorize an Admin token.
func ( a * Authority ) AuthorizeAdminToken ( r * http . Request , token string ) ( * linkedca . Admin , error ) {
jwt , err := jose . ParseSigned ( token )
if err != nil {
return nil , admin . WrapError ( admin . ErrorUnauthorizedType , err , "adminHandler.authorizeToken; error parsing x5c token" )
}
verifiedChains , err := jwt . Headers [ 0 ] . Certificates ( x509 . VerifyOptions {
Roots : a . rootX509CertPool ,
KeyUsages : [ ] x509 . ExtKeyUsage { x509 . ExtKeyUsageClientAuth } ,
} )
if err != nil {
return nil , admin . WrapError ( admin . ErrorUnauthorizedType , err ,
"adminHandler.authorizeToken; error verifying x5c certificate chain in token" )
}
leaf := verifiedChains [ 0 ] [ 0 ]
if leaf . KeyUsage & x509 . KeyUsageDigitalSignature == 0 {
return nil , admin . NewError ( admin . ErrorUnauthorizedType , "adminHandler.authorizeToken; certificate used to sign x5c token cannot be used for digital signature" )
}
// Using the leaf certificates key to validate the claims accomplishes two
// things:
// 1. Asserts that the private key used to sign the token corresponds
// to the public certificate in the `x5c` header of the token.
// 2. Asserts that the claims are valid - have not been tampered with.
var claims jose . Claims
2021-10-08 18:59:57 +00:00
if err := jwt . Claims ( leaf . PublicKey , & claims ) ; err != nil {
2021-05-03 19:48:20 +00:00
return nil , admin . WrapError ( admin . ErrorUnauthorizedType , err , "adminHandler.authorizeToken; error parsing x5c claims" )
}
prov , err := a . LoadProvisionerByCertificate ( leaf )
if err != nil {
return nil , err
}
// Check that the token has not been used.
2021-10-08 18:59:57 +00:00
if err := a . UseToken ( token , prov ) ; err != nil {
2021-05-03 19:48:20 +00:00
return nil , admin . WrapError ( admin . ErrorUnauthorizedType , err , "adminHandler.authorizeToken; error with reuse token" )
}
// According to "rfc7519 JSON Web Token" acceptable skew should be no
// more than a few minutes.
2021-10-08 18:59:57 +00:00
if err := claims . ValidateWithLeeway ( jose . Expected {
2022-04-13 23:00:15 +00:00
Time : time . Now ( ) . UTC ( ) ,
2021-05-03 19:48:20 +00:00
} , time . Minute ) ; err != nil {
return nil , admin . WrapError ( admin . ErrorUnauthorizedType , err , "x5c.authorizeToken; invalid x5c claims" )
}
// validate audience: path matches the current path
2022-04-08 01:14:43 +00:00
if ! matchesAudience ( claims . Audience , a . config . Audience ( r . URL . Path ) ) {
return nil , admin . NewError ( admin . ErrorUnauthorizedType , "x5c.authorizeToken; x5c token has invalid audience claim (aud)" )
2021-05-03 19:48:20 +00:00
}
2022-04-13 23:00:15 +00:00
// validate issuer: old versions used the provisioner name, new version uses
// 'step-admin-client/1.0'
if claims . Issuer != "step-admin-client/1.0" && claims . Issuer != prov . GetName ( ) {
return nil , admin . NewError ( admin . ErrorUnauthorizedType , "x5c.authorizeToken; x5c token has invalid issuer claim (iss)" )
}
2021-05-03 19:48:20 +00:00
if claims . Subject == "" {
2022-04-08 01:14:43 +00:00
return nil , admin . NewError ( admin . ErrorUnauthorizedType , "x5c.authorizeToken; x5c token subject cannot be empty" )
2021-05-03 19:48:20 +00:00
}
var (
ok bool
adm * linkedca . Admin
)
adminFound := false
adminSANs := append ( [ ] string { leaf . Subject . CommonName } , leaf . DNSNames ... )
adminSANs = append ( adminSANs , leaf . EmailAddresses ... )
for _ , san := range adminSANs {
2022-04-08 01:14:43 +00:00
if adm , ok = a . LoadAdminBySubProv ( san , prov . GetName ( ) ) ; ok {
2021-05-03 19:48:20 +00:00
adminFound = true
break
}
}
if ! adminFound {
return nil , admin . NewError ( admin . ErrorUnauthorizedType ,
"adminHandler.authorizeToken; unable to load admin with subject(s) %s and provisioner '%s'" ,
adminSANs , claims . Issuer )
}
if strings . HasPrefix ( r . URL . Path , "/admin/admins" ) && ( r . Method != "GET" ) && adm . Type != linkedca . Admin_SUPER_ADMIN {
return nil , admin . NewError ( admin . ErrorUnauthorizedType , "must have super admin access to make this request" )
}
return adm , nil
}
// UseToken stores the token to protect against reuse.
2021-08-11 18:50:54 +00:00
//
// This method currently ignores any error coming from the GetTokenID, but it
// should specifically ignore the error provisioner.ErrAllowTokenReuse.
2021-05-03 19:48:20 +00:00
func ( a * Authority ) UseToken ( token string , prov provisioner . Interface ) error {
if reuseKey , err := prov . GetTokenID ( token ) ; err == nil {
if reuseKey == "" {
sum := sha256 . Sum256 ( [ ] byte ( token ) )
reuseKey = strings . ToLower ( hex . EncodeToString ( sum [ : ] ) )
}
ok , err := a . db . UseToken ( reuseKey , token )
if err != nil {
2022-05-20 21:41:44 +00:00
return errs . Wrap ( http . StatusInternalServerError , err , "failed when attempting to store token" )
2021-05-03 19:48:20 +00:00
}
if ! ok {
2022-05-20 21:41:44 +00:00
return errs . Unauthorized ( "token already used" )
2021-05-03 19:48:20 +00:00
}
}
return nil
}
2019-12-20 21:30:05 +00:00
// Authorize grabs the method from the context and authorizes the request by
// validating the one-time-token.
func ( a * Authority ) Authorize ( ctx context . Context , token string ) ( [ ] provisioner . SignOption , error ) {
2020-01-24 06:04:34 +00:00
var opts = [ ] interface { } { errs . WithKeyVal ( "token" , token ) }
2019-12-20 21:30:05 +00:00
2019-07-29 19:34:27 +00:00
switch m := provisioner . MethodFromContext ( ctx ) ; m {
2019-08-01 22:04:56 +00:00
case provisioner . SignMethod :
2019-12-20 21:30:05 +00:00
signOpts , err := a . authorizeSign ( ctx , token )
return signOpts , errs . Wrap ( http . StatusInternalServerError , err , "authority.Authorize" , opts ... )
2019-10-28 18:50:43 +00:00
case provisioner . RevokeMethod :
2019-12-20 21:30:05 +00:00
return nil , errs . Wrap ( http . StatusInternalServerError , a . authorizeRevoke ( ctx , token ) , "authority.Authorize" , opts ... )
case provisioner . SSHSignMethod :
2019-08-01 22:04:56 +00:00
if a . sshCAHostCertSignKey == nil && a . sshCAUserCertSignKey == nil {
2020-01-24 06:04:34 +00:00
return nil , errs . NotImplemented ( "authority.Authorize; ssh certificate flows are not enabled" , opts ... )
2019-07-29 19:34:27 +00:00
}
2020-01-29 19:58:47 +00:00
signOpts , err := a . authorizeSSHSign ( ctx , token )
return signOpts , errs . Wrap ( http . StatusInternalServerError , err , "authority.Authorize" , opts ... )
2019-12-20 21:30:05 +00:00
case provisioner . SSHRenewMethod :
2019-10-28 18:50:43 +00:00
if a . sshCAHostCertSignKey == nil && a . sshCAUserCertSignKey == nil {
2020-01-24 06:04:34 +00:00
return nil , errs . NotImplemented ( "authority.Authorize; ssh certificate flows are not enabled" , opts ... )
2019-10-28 18:50:43 +00:00
}
2019-12-20 21:30:05 +00:00
_ , err := a . authorizeSSHRenew ( ctx , token )
return nil , errs . Wrap ( http . StatusInternalServerError , err , "authority.Authorize" , opts ... )
case provisioner . SSHRevokeMethod :
return nil , errs . Wrap ( http . StatusInternalServerError , a . authorizeSSHRevoke ( ctx , token ) , "authority.Authorize" , opts ... )
case provisioner . SSHRekeyMethod :
2019-10-28 18:50:43 +00:00
if a . sshCAHostCertSignKey == nil && a . sshCAUserCertSignKey == nil {
2020-01-24 06:04:34 +00:00
return nil , errs . NotImplemented ( "authority.Authorize; ssh certificate flows are not enabled" , opts ... )
2019-10-28 18:50:43 +00:00
}
2019-12-20 21:30:05 +00:00
_ , signOpts , err := a . authorizeSSHRekey ( ctx , token )
return signOpts , errs . Wrap ( http . StatusInternalServerError , err , "authority.Authorize" , opts ... )
2019-07-29 19:34:27 +00:00
default :
2020-01-24 06:04:34 +00:00
return nil , errs . InternalServer ( "authority.Authorize; method %d is not supported" , append ( [ ] interface { } { m } , opts ... ) ... )
2019-03-09 02:05:11 +00:00
}
2019-07-29 19:34:27 +00:00
}
2019-03-09 02:05:11 +00:00
2019-12-20 21:30:05 +00:00
// authorizeSign loads the provisioner from the token and calls the provisioner
// AuthorizeSign method. Returns a list of methods to apply to the signing flow.
func ( a * Authority ) authorizeSign ( ctx context . Context , token string ) ( [ ] provisioner . SignOption , error ) {
p , err := a . authorizeToken ( ctx , token )
2019-08-01 22:04:56 +00:00
if err != nil {
2019-12-20 21:30:05 +00:00
return nil , errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSign" )
2019-08-01 22:04:56 +00:00
}
2019-12-20 21:30:05 +00:00
signOpts , err := p . AuthorizeSign ( ctx , token )
2019-08-01 22:04:56 +00:00
if err != nil {
2019-12-20 21:30:05 +00:00
return nil , errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSign" )
2019-08-01 22:04:56 +00:00
}
2019-12-20 21:30:05 +00:00
return signOpts , nil
2019-08-01 22:04:56 +00:00
}
2019-07-29 19:34:27 +00:00
// AuthorizeSign authorizes a signature request by validating and authenticating
2019-12-20 21:30:05 +00:00
// a token that must be sent w/ the request.
2019-09-09 04:05:36 +00:00
//
2022-05-05 00:35:34 +00:00
// Deprecated: Use Authorize(context.Context, string) ([]provisioner.SignOption, error).
2019-12-20 21:30:05 +00:00
func ( a * Authority ) AuthorizeSign ( token string ) ( [ ] provisioner . SignOption , error ) {
2022-05-23 22:31:43 +00:00
ctx := NewContext ( context . Background ( ) , a )
ctx = provisioner . NewContextWithMethod ( ctx , provisioner . SignMethod )
2019-12-20 21:30:05 +00:00
return a . Authorize ( ctx , token )
2018-10-05 21:48:36 +00:00
}
2018-11-01 22:43:24 +00:00
2019-12-20 21:30:05 +00:00
// authorizeRevoke locates the provisioner used to generate the authenticating
// token and then performs the token validation flow.
2019-10-28 18:50:43 +00:00
func ( a * Authority ) authorizeRevoke ( ctx context . Context , token string ) error {
2019-11-20 19:51:25 +00:00
p , err := a . authorizeToken ( ctx , token )
2019-10-28 18:50:43 +00:00
if err != nil {
2019-12-20 21:30:05 +00:00
return errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeRevoke" )
2019-03-05 08:07:13 +00:00
}
2021-10-08 18:59:57 +00:00
if err := p . AuthorizeRevoke ( ctx , token ) ; err != nil {
2019-12-20 21:30:05 +00:00
return errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeRevoke" )
2019-10-28 18:50:43 +00:00
}
return nil
2019-03-05 08:07:13 +00:00
}
2019-12-20 21:30:05 +00:00
// authorizeRenew locates the provisioner (using the provisioner extension in the cert), and checks
2018-11-01 22:43:24 +00:00
// if for the configured provisioner, the renewal is enabled or not. If the
// extra extension cannot be found, authorize the renewal by default.
//
// TODO(mariano): should we authorize by default?
2022-11-04 23:42:07 +00:00
func ( a * Authority ) authorizeRenew ( ctx context . Context , cert * x509 . Certificate ) error {
2021-07-23 23:10:13 +00:00
serial := cert . SerialNumber . String ( )
2021-11-26 16:27:42 +00:00
var opts = [ ] interface { } { errs . WithKeyVal ( "serialNumber" , serial ) }
2022-03-10 02:43:45 +00:00
2021-11-26 16:27:42 +00:00
isRevoked , err := a . IsRevoked ( serial )
2019-03-05 08:07:13 +00:00
if err != nil {
2019-12-20 21:30:05 +00:00
return errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeRenew" , opts ... )
2019-03-05 08:07:13 +00:00
}
if isRevoked {
2020-01-24 06:04:34 +00:00
return errs . Unauthorized ( "authority.authorizeRenew: certificate has been revoked" , opts ... )
2019-03-05 08:07:13 +00:00
}
2022-04-08 21:18:24 +00:00
p , err := a . LoadProvisionerByCertificate ( cert )
if err != nil {
2022-04-11 19:19:42 +00:00
var ok bool
// For backward compatibility this method will also succeed if the
2022-04-13 00:56:39 +00:00
// certificate does not have a provisioner extension. LoadByCertificate
// returns the noop provisioner if this happens, and it allows
// certificate renewals.
2022-04-11 19:19:42 +00:00
if p , ok = a . provisioners . LoadByCertificate ( cert ) ; ! ok {
return errs . Unauthorized ( "authority.authorizeRenew: provisioner not found" , opts ... )
}
2019-03-06 23:04:28 +00:00
}
2022-11-04 23:42:07 +00:00
if err := p . AuthorizeRenew ( ctx , cert ) ; err != nil {
2019-12-20 21:30:05 +00:00
return errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeRenew" , opts ... )
}
return nil
}
2021-07-21 22:22:57 +00:00
// authorizeSSHCertificate returns an error if the given certificate is revoked.
2023-05-10 06:47:28 +00:00
func ( a * Authority ) authorizeSSHCertificate ( _ context . Context , cert * ssh . Certificate ) error {
2021-07-23 23:10:13 +00:00
var err error
var isRevoked bool
2021-07-21 22:22:57 +00:00
serial := strconv . FormatUint ( cert . Serial , 10 )
2021-07-23 23:10:13 +00:00
if lca , ok := a . adminDB . ( interface {
IsSSHRevoked ( string ) ( bool , error )
} ) ; ok {
isRevoked , err = lca . IsSSHRevoked ( serial )
} else {
isRevoked , err = a . db . IsSSHRevoked ( serial )
}
2021-07-21 22:22:57 +00:00
if err != nil {
return errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSSHCertificate" , errs . WithKeyVal ( "serialNumber" , serial ) )
}
if isRevoked {
return errs . Unauthorized ( "authority.authorizeSSHCertificate: certificate has been revoked" , errs . WithKeyVal ( "serialNumber" , serial ) )
}
return nil
}
2019-12-20 21:30:05 +00:00
// authorizeSSHSign loads the provisioner from the token, checks that it has not
// been used again and calls the provisioner AuthorizeSSHSign method. Returns a
// list of methods to apply to the signing flow.
func ( a * Authority ) authorizeSSHSign ( ctx context . Context , token string ) ( [ ] provisioner . SignOption , error ) {
p , err := a . authorizeToken ( ctx , token )
if err != nil {
return nil , errs . Wrap ( http . StatusUnauthorized , err , "authority.authorizeSSHSign" )
}
signOpts , err := p . AuthorizeSSHSign ( ctx , token )
if err != nil {
return nil , errs . Wrap ( http . StatusUnauthorized , err , "authority.authorizeSSHSign" )
}
return signOpts , nil
}
// authorizeSSHRenew authorizes an SSH certificate renewal request, by
// validating the contents of an SSHPOP token.
func ( a * Authority ) authorizeSSHRenew ( ctx context . Context , token string ) ( * ssh . Certificate , error ) {
p , err := a . authorizeToken ( ctx , token )
if err != nil {
return nil , errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSSHRenew" )
}
cert , err := p . AuthorizeSSHRenew ( ctx , token )
if err != nil {
return nil , errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSSHRenew" )
}
return cert , nil
}
// authorizeSSHRekey authorizes an SSH certificate rekey request, by
// validating the contents of an SSHPOP token.
func ( a * Authority ) authorizeSSHRekey ( ctx context . Context , token string ) ( * ssh . Certificate , [ ] provisioner . SignOption , error ) {
p , err := a . authorizeToken ( ctx , token )
if err != nil {
return nil , nil , errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSSHRekey" )
}
cert , signOpts , err := p . AuthorizeSSHRekey ( ctx , token )
if err != nil {
return nil , nil , errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSSHRekey" )
}
return cert , signOpts , nil
}
// authorizeSSHRevoke authorizes an SSH certificate revoke request, by
// validating the contents of an SSHPOP token.
func ( a * Authority ) authorizeSSHRevoke ( ctx context . Context , token string ) error {
p , err := a . authorizeToken ( ctx , token )
if err != nil {
return errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSSHRevoke" )
}
if err = p . AuthorizeSSHRevoke ( ctx , token ) ; err != nil {
return errs . Wrap ( http . StatusInternalServerError , err , "authority.authorizeSSHRevoke" )
2018-11-01 22:43:24 +00:00
}
return nil
}
2022-03-11 04:21:01 +00:00
// AuthorizeRenewToken validates the renew token and returns the leaf
// certificate in the x5cInsecure header.
2023-05-10 06:47:28 +00:00
func ( a * Authority ) AuthorizeRenewToken ( _ context . Context , ott string ) ( * x509 . Certificate , error ) {
2022-03-11 04:21:01 +00:00
var claims jose . Claims
jwt , chain , err := jose . ParseX5cInsecure ( ott , a . rootX509Certs )
if err != nil {
return nil , errs . UnauthorizedErr ( err , errs . WithMessage ( "error validating renew token" ) )
}
leaf := chain [ 0 ] [ 0 ]
if err := jwt . Claims ( leaf . PublicKey , & claims ) ; err != nil {
return nil , errs . InternalServerErr ( err , errs . WithMessage ( "error validating renew token" ) )
}
2022-04-08 21:18:24 +00:00
p , err := a . LoadProvisionerByCertificate ( leaf )
if err != nil {
2022-03-11 04:21:01 +00:00
return nil , errs . Unauthorized ( "error validating renew token: cannot get provisioner from certificate" )
}
if err := a . UseToken ( ott , p ) ; err != nil {
return nil , err
}
if err := claims . ValidateWithLeeway ( jose . Expected {
Subject : leaf . Subject . CommonName ,
Time : time . Now ( ) . UTC ( ) ,
} , time . Minute ) ; err != nil {
2022-08-23 19:43:48 +00:00
switch {
case errors . Is ( err , jose . ErrInvalidIssuer ) :
2022-03-11 04:21:01 +00:00
return nil , errs . UnauthorizedErr ( err , errs . WithMessage ( "error validating renew token: invalid issuer claim (iss)" ) )
2022-08-23 19:43:48 +00:00
case errors . Is ( err , jose . ErrInvalidSubject ) :
2022-03-11 04:21:01 +00:00
return nil , errs . UnauthorizedErr ( err , errs . WithMessage ( "error validating renew token: invalid subject claim (sub)" ) )
2022-08-23 19:43:48 +00:00
case errors . Is ( err , jose . ErrNotValidYet ) :
2022-03-11 04:21:01 +00:00
return nil , errs . UnauthorizedErr ( err , errs . WithMessage ( "error validating renew token: token not valid yet (nbf)" ) )
2022-08-23 19:43:48 +00:00
case errors . Is ( err , jose . ErrExpired ) :
2022-03-11 04:21:01 +00:00
return nil , errs . UnauthorizedErr ( err , errs . WithMessage ( "error validating renew token: token is expired (exp)" ) )
2022-08-23 19:43:48 +00:00
case errors . Is ( err , jose . ErrIssuedInTheFuture ) :
2022-03-11 04:21:01 +00:00
return nil , errs . UnauthorizedErr ( err , errs . WithMessage ( "error validating renew token: token issued in the future (iat)" ) )
default :
return nil , errs . UnauthorizedErr ( err , errs . WithMessage ( "error validating renew token" ) )
}
}
audiences := a . config . GetAudiences ( ) . Renew
2022-11-04 23:42:07 +00:00
if ! matchesAudience ( claims . Audience , audiences ) && ! isRAProvisioner ( p ) {
2022-09-15 20:05:39 +00:00
return nil , errs . InternalServerErr ( jose . ErrInvalidAudience , errs . WithMessage ( "error validating renew token: invalid audience claim (aud)" ) )
2022-03-11 04:21:01 +00:00
}
2022-04-18 19:38:09 +00:00
// validate issuer: old versions used the provisioner name, new version uses
// 'step-ca-client/1.0'
if claims . Issuer != "step-ca-client/1.0" && claims . Issuer != p . GetName ( ) {
return nil , admin . NewError ( admin . ErrorUnauthorizedType , "error validating renew token: invalid issuer claim (iss)" )
}
2022-03-11 04:21:01 +00:00
return leaf , nil
}
// matchesAudience returns true if A and B share at least one element.
func matchesAudience ( as , bs [ ] string ) bool {
if len ( bs ) == 0 || len ( as ) == 0 {
return false
}
for _ , b := range bs {
for _ , a := range as {
if b == a || stripPort ( a ) == stripPort ( b ) {
return true
}
}
}
return false
}
// stripPort attempts to strip the port from the given url. If parsing the url
// produces errors it will just return the passed argument.
func stripPort ( rawurl string ) string {
u , err := url . Parse ( rawurl )
if err != nil {
return rawurl
}
u . Host = u . Hostname ( )
return u . String ( )
}