Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/go_modules/github.com/slackhq/nebula-1.9.0
wire-acme-extensions
mariano/init-provisioners
fix-1637
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7e82bd6ef3'
${ noResults }
smallstep-certificates/authority/authority.go

603 lines
18 KiB
Go
Raw Normal View History Unescape Escape

first commit
6 years ago
package authority
import (
Use x5cInsecure token for /ssh/check-host endpoint
5 years ago
"context"
Add support for using ssh-agent as a KMS This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys for issuing ssh certificates signed by a key managed by a ssh-agent. It uses the golang.org/x/crypto package to get a native Go implementation to talk to a ssh-agent. This was primarly written to be able to use gpg-agent to provide the keys stored in a YubiKeys openpgp interface, but can be used for other setups like proxying a ssh-agent over network. That way the signing key for ssh certificates can be kept in a "sign-only" hsm. This code was written for my employer Intinor AB, but for simplicity sake gifted to me to contribute upstream. Signed-off-by: Anton Lundin <glance@acc.umu.se>
4 years ago
"crypto"
first commit
6 years ago
"crypto/sha256"
Add initial support for federated root certificates.
5 years ago
"crypto/x509"
first commit
6 years ago
"encoding/hex"
Close the key manager before shutting down.
4 years ago
"log"
first commit
6 years ago
"sync"
"time"
Early attempt to develop a CAS interface.
4 years ago
"github.com/smallstep/certificates/cas"
wip
3 years ago
"github.com/smallstep/certificates/linkedca"
Refactor initialization of SCEP authority
3 years ago
"github.com/smallstep/certificates/scep"
Early attempt to develop a CAS interface.
4 years ago
Allow to use custom SSH user/host key files.
5 years ago
"github.com/pkg/errors"
wip
3 years ago
"github.com/smallstep/certificates/authority/admin"
first commit
3 years ago
"github.com/smallstep/certificates/authority/config"
"github.com/smallstep/certificates/authority/mgmt"
authMgmtNosql "github.com/smallstep/certificates/authority/mgmt/db/nosql"
Use provisioner.Collection to store and request the provisioners.
5 years ago
"github.com/smallstep/certificates/authority/provisioner"
Early attempt to develop a CAS interface.
4 years ago
casapi "github.com/smallstep/certificates/cas/apiv1"
Add /revoke API with interface db backend
5 years ago
"github.com/smallstep/certificates/db"
Add wip support for kms.
4 years ago
"github.com/smallstep/certificates/kms"
kmsapi "github.com/smallstep/certificates/kms/apiv1"
Add support for using ssh-agent as a KMS This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys for issuing ssh certificates signed by a key managed by a ssh-agent. It uses the golang.org/x/crypto package to get a native Go implementation to talk to a ssh-agent. This was primarly written to be able to use gpg-agent to provide the keys stored in a YubiKeys openpgp interface, but can be used for other setups like proxying a ssh-agent over network. That way the signing key for ssh certificates can be kept in a "sign-only" hsm. This code was written for my employer Intinor AB, but for simplicity sake gifted to me to contribute upstream. Signed-off-by: Anton Lundin <glance@acc.umu.se>
4 years ago
"github.com/smallstep/certificates/kms/sshagentkms"
Add version endpoint.
5 years ago
"github.com/smallstep/certificates/templates"
first commit
3 years ago
"github.com/smallstep/nosql"
Use always go.step.sm/crypto
4 years ago
"go.step.sm/crypto/pemutil"
Add initial implementation of ssh config.
5 years ago
"golang.org/x/crypto/ssh"
first commit
6 years ago
)
// Authority implements the Certificate Authority internal interface.
type Authority struct {
first commit
3 years ago
config *config.Config
wip
3 years ago
adminDB mgmt.DB
Add options to read the roots and federated roots from a bundle.
4 years ago
keyManager kms.KeyManager
provisioners *provisioner.Collection
wip
3 years ago
admins *admin.Collection
Add options to read the roots and federated roots from a bundle.
4 years ago
db db.AuthDB
Use templates from authority instead of config.
4 years ago
templates *templates.Templates
Add options to read the roots and federated roots from a bundle.
4 years ago
// X509 CA
Early attempt to develop a CAS interface.
4 years ago
x509CAService cas.CertificateAuthorityService
Add options to read the roots and federated roots from a bundle.
4 years ago
rootX509Certs []*x509.Certificate
federatedX509Certs []*x509.Certificate
certificates *sync.Map
Refactor initialization of SCEP authority
3 years ago
// SCEP CA
scepService *scep.Service
Add options to read the roots and federated roots from a bundle.
4 years ago
// SSH CA
Add support for multiple ssh roots. Fixes #125
5 years ago
sshCAUserCertSignKey ssh.Signer
sshCAHostCertSignKey ssh.Signer
sshCAUserCerts []ssh.PublicKey
sshCAHostCerts []ssh.PublicKey
sshCAUserFederatedCerts []ssh.PublicKey
sshCAHostFederatedCerts []ssh.PublicKey
Add options to read the roots and federated roots from a bundle.
4 years ago
first commit
6 years ago
// Do not re-initialize
Add options to read the roots and federated roots from a bundle.
4 years ago
initOnce bool
startTime time.Time
Add support for /ssh/bastion method.
5 years ago
// Custom functions
first commit
3 years ago
sshBastionFunc func(ctx context.Context, user, hostname string) (*config.Bastion, error)
Use x5cInsecure token for /ssh/check-host endpoint
5 years ago
sshCheckHostFunc func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)
first commit
3 years ago
sshGetHostsFunc func(ctx context.Context, cert *x509.Certificate) ([]config.Host, error)
Use x5cInsecure token for /ssh/check-host endpoint
5 years ago
getIdentityFunc provisioner.GetIdentityFunc
first commit
6 years ago
}
// New creates and initiates a new Authority type.
first commit
3 years ago
func New(config *config.Config, opts ...Option) (*Authority, error) {
Add backend support for provisioners with cursors. Fixes #83
6 years ago
err := config.Validate()
if err != nil {
first commit
6 years ago
return nil, err
}
Add backend support for provisioners with cursors. Fixes #83
6 years ago
first commit
6 years ago
var a = &Authority{
Use provisioner.Collection to store and request the provisioners.
5 years ago
config: config,
certificates: new(sync.Map),
first commit
6 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
// Apply options.
for _, fn := range opts {
if err := fn(a); err != nil {
return nil, err
}
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170
5 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
// Initialize authority from options or configuration.
first commit
6 years ago
if err := a.init(); err != nil {
return nil, err
}
Add options to read the roots and federated roots from a bundle.
4 years ago
first commit
6 years ago
return a, nil
}
Rename method to NewEmbedded
4 years ago
// NewEmbedded initializes an authority that can be embedded in a different
// project without the limitations of the config.
func NewEmbedded(opts ...Option) (*Authority, error) {
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
a := &Authority{
first commit
3 years ago
config: &config.Config{},
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
certificates: new(sync.Map),
}
// Apply options.
for _, fn := range opts {
if err := fn(a); err != nil {
return nil, err
}
}
// Validate required options
switch {
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
case a.config == nil:
return nil, errors.New("cannot create an authority without a configuration")
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
case len(a.rootX509Certs) == 0 && a.config.Root.HasEmpties():
return nil, errors.New("cannot create an authority without a root certificate")
Remove unnecessary properties.
4 years ago
case a.x509CAService == nil && a.config.IntermediateCert == "":
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
return nil, errors.New("cannot create an authority without an issuer certificate")
Remove unnecessary properties.
4 years ago
case a.x509CAService == nil && a.config.IntermediateKey == "":
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
return nil, errors.New("cannot create an authority without an issuer signer")
}
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
// Initialize config required fields.
first commit
3 years ago
a.config.Init()
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
// Initialize authority from options or configuration.
if err := a.init(); err != nil {
return nil, err
}
return a, nil
}
wip
3 years ago
// ReloadAuthConfig reloads dynamic fields of the AuthConfig.
wip
3 years ago
func (a *Authority) ReloadAuthConfig(ctx context.Context) error {
provs, err := a.adminDB.GetProvisioners(ctx)
wip
3 years ago
if err != nil {
wip
3 years ago
return mgmt.WrapErrorISE(err, "error getting provisioners to initialize authority")
wip
3 years ago
}
wip
3 years ago
a.config.AuthorityConfig.Provisioners, err = provisionerListToCertificates(provs)
if err != nil {
return mgmt.WrapErrorISE(err, "error converting provisioner list to certificates")
}
a.config.AuthorityConfig.Admins, err = a.adminDB.GetAdmins(ctx)
wip
3 years ago
if err != nil {
wip
3 years ago
return mgmt.WrapErrorISE(err, "error getting provisioners to initialize authority")
wip
3 years ago
}
// Merge global and configuration claims
claimer, err := provisioner.NewClaimer(a.config.AuthorityConfig.Claims, config.GlobalProvisionerClaims)
if err != nil {
return err
}
// TODO: should we also be combining the ssh federated roots here?
// If we rotate ssh roots keys, sshpop provisioner will lose ability to
// validate old SSH certificates, unless they are added as federated certs.
wip
3 years ago
sshKeys, err := a.GetSSHRoots(ctx)
wip
3 years ago
if err != nil {
return err
}
// Initialize provisioners
audiences := a.config.GetAudiences()
a.provisioners = provisioner.NewCollection(audiences)
config := provisioner.Config{
Claims: claimer.Claims(),
Audiences: audiences,
DB: a.db,
SSHKeys: &provisioner.SSHKeys{
UserKeys: sshKeys.UserKeys,
HostKeys: sshKeys.HostKeys,
},
GetIdentityFunc: a.getIdentityFunc,
}
// Store all the provisioners
for _, p := range a.config.AuthorityConfig.Provisioners {
if err := p.Init(config); err != nil {
return err
}
if err := a.provisioners.Store(p); err != nil {
return err
}
}
// Store all the admins
wip
3 years ago
a.admins = admin.NewCollection(a.provisioners)
wip
3 years ago
for _, adm := range a.config.AuthorityConfig.Admins {
if err := a.admins.Store(adm); err != nil {
return err
}
}
return nil
}
first commit
6 years ago
// init performs validation and initializes the fields of an Authority struct.
func (a *Authority) init() error {
// Check if handler has already been validated/initialized.
if a.initOnce {
return nil
}
var err error
Add wip support for kms.
4 years ago
Add interface to get root certificate from CAS. This change makes easier the configuration of cloudCAS as it does not require to configure the root or intermediate certificate in the ca.json. CloudCAS will get the root certificate using the configured certificateAuthority.
4 years ago
// Initialize step-ca Database if it's not already initialized with WithDB.
// If a.config.DB is nil then a simple, barebones in memory DB will be used.
if a.db == nil {
if a.db, err = db.New(a.config.DB); err != nil {
return err
}
}
wip
3 years ago
if len(a.config.AuthorityConfig.Provisioners) == 0 {
// Initialize step-ca Admin Database if it's not already initialized using
// WithAdminDB.
if a.adminDB == nil {
// Check if AuthConfig already exists
a.adminDB, err = authMgmtNosql.New(a.db.(nosql.DB), mgmt.DefaultAuthorityID)
if err != nil {
return err
lots of codes
3 years ago
}
first commit
3 years ago
}
wip admin CRUD
3 years ago
wip
3 years ago
provs, err := a.adminDB.GetProvisioners(context.Background())
first steps
3 years ago
if err != nil {
wip
3 years ago
return mgmt.WrapErrorISE(err, "error getting provisioners to initialize authority")
first steps
3 years ago
}
wip
3 years ago
if len(provs) == 0 {
// Create First Provisioner
prov, err := mgmt.CreateFirstProvisioner(context.Background(), a.adminDB, a.config.Password)
if err != nil {
wip
3 years ago
return mgmt.WrapErrorISE(err, "error creating first provisioner")
}
certProv, err := provisionerToCertificates(prov)
if err != nil {
return mgmt.WrapErrorISE(err, "error converting provisioner to certificates type")
wip
3 years ago
}
wip
3 years ago
a.config.AuthorityConfig.Provisioners = []provisioner.Interface{certProv}
wip
3 years ago
// Create First Admin
adm := &linkedca.Admin{
ProvisionerId: prov.Id,
Subject: "step",
Type: linkedca.Admin_SUPER_ADMIN,
}
if err := a.adminDB.CreateAdmin(context.Background(), adm); err != nil {
// TODO should we try to clean up?
return mgmt.WrapErrorISE(err, "error creating first admin")
}
a.config.AuthorityConfig.Admins = []*linkedca.Admin{adm}
} else {
a.config.AuthorityConfig.Provisioners, err = provisionerListToCertificates(provs)
if err != nil {
wip
3 years ago
return mgmt.WrapErrorISE(err, "error converting provisioner list to certificates type")
wip
3 years ago
}
a.config.AuthorityConfig.Admins, err = a.adminDB.GetAdmins(context.Background())
if err != nil {
return mgmt.WrapErrorISE(err, "error getting provisioners to initialize authority")
}
}
first commit
3 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
// Initialize key manager if it has not been set in the options.
Add wip support for kms.
4 years ago
if a.keyManager == nil {
Fix types.
4 years ago
var options kmsapi.Options
if a.config.KMS != nil {
options = *a.config.KMS
}
a.keyManager, err = kms.New(context.Background(), options)
Add wip support for kms.
4 years ago
if err != nil {
return err
}
}
Add interface to get root certificate from CAS. This change makes easier the configuration of cloudCAS as it does not require to configure the root or intermediate certificate in the ca.json. CloudCAS will get the root certificate using the configured certificateAuthority.
4 years ago
// Initialize the X.509 CA Service if it has not been set in the options.
if a.x509CAService == nil {
var options casapi.Options
Move cas options under authority.
4 years ago
if a.config.AuthorityConfig.Options != nil {
options = *a.config.AuthorityConfig.Options
Add interface to get root certificate from CAS. This change makes easier the configuration of cloudCAS as it does not require to configure the root or intermediate certificate in the ca.json. CloudCAS will get the root certificate using the configured certificateAuthority.
4 years ago
}
// Read intermediate and create X509 signer for default CAS.
if options.Is(casapi.SoftCAS) {
leverage intermediate_ca.crt for appending certs.
3 years ago
options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
Add interface to get root certificate from CAS. This change makes easier the configuration of cloudCAS as it does not require to configure the root or intermediate certificate in the ca.json. CloudCAS will get the root certificate using the configured certificateAuthority.
4 years ago
if err != nil {
return err
}
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.IntermediateKey,
Password: []byte(a.config.Password),
})
if err != nil {
return err
}
}
a.x509CAService, err = cas.New(context.Background(), options)
if err != nil {
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170
5 years ago
return err
}
Add interface to get root certificate from CAS. This change makes easier the configuration of cloudCAS as it does not require to configure the root or intermediate certificate in the ca.json. CloudCAS will get the root certificate using the configured certificateAuthority.
4 years ago
// Get root certificate from CAS.
if srv, ok := a.x509CAService.(casapi.CertificateAuthorityGetter); ok {
resp, err := srv.GetCertificateAuthority(&casapi.GetCertificateAuthorityRequest{
Move cas options under authority.
4 years ago
Name: options.CertificateAuthority,
Add interface to get root certificate from CAS. This change makes easier the configuration of cloudCAS as it does not require to configure the root or intermediate certificate in the ca.json. CloudCAS will get the root certificate using the configured certificateAuthority.
4 years ago
})
if err != nil {
return err
}
a.rootX509Certs = append(a.rootX509Certs, resp.RootCertificate)
Print root fingerprint for CloudCAS.
4 years ago
sum := sha256.Sum256(resp.RootCertificate.Raw)
log.Printf("Using root fingerprint '%s'", hex.EncodeToString(sum[:]))
Add interface to get root certificate from CAS. This change makes easier the configuration of cloudCAS as it does not require to configure the root or intermediate certificate in the ca.json. CloudCAS will get the root certificate using the configured certificateAuthority.
4 years ago
}
Add /revoke API with interface db backend
5 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
// Read root certificates and store them in the certificates map.
if len(a.rootX509Certs) == 0 {
a.rootX509Certs = make([]*x509.Certificate, len(a.config.Root))
for i, path := range a.config.Root {
crt, err := pemutil.ReadCertificate(path)
if err != nil {
return err
}
a.rootX509Certs[i] = crt
Add support for multiple roots.
5 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
}
for _, crt := range a.rootX509Certs {
Add support for multiple roots.
5 years ago
sum := sha256.Sum256(crt.Raw)
a.certificates.Store(hex.EncodeToString(sum[:]), crt)
}
first commit
6 years ago
Add options to read the roots and federated roots from a bundle.
4 years ago
// Read federated certificates and store them in the certificates map.
if len(a.federatedX509Certs) == 0 {
a.federatedX509Certs = make([]*x509.Certificate, len(a.config.FederatedRoots))
for i, path := range a.config.FederatedRoots {
crt, err := pemutil.ReadCertificate(path)
if err != nil {
return err
}
a.federatedX509Certs[i] = crt
Add initial support for federated root certificates.
5 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
}
for _, crt := range a.federatedX509Certs {
Add initial support for federated root certificates.
5 years ago
sum := sha256.Sum256(crt.Raw)
a.certificates.Store(hex.EncodeToString(sum[:]), crt)
}
Allow to use custom SSH user/host key files.
5 years ago
// Decrypt and load SSH keys
Load default templates if no templates are configured.
4 years ago
var tmplVars templates.Step
Allow to use custom SSH user/host key files.
5 years ago
if a.config.SSH != nil {
if a.config.SSH.HostKey != "" {
Add wip support for kms.
4 years ago
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.SSH.HostKey,
Fix types.
4 years ago
Password: []byte(a.config.Password),
Add wip support for kms.
4 years ago
})
Allow to use custom SSH user/host key files.
5 years ago
if err != nil {
return err
}
Add support for using ssh-agent as a KMS This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys for issuing ssh certificates signed by a key managed by a ssh-agent. It uses the golang.org/x/crypto package to get a native Go implementation to talk to a ssh-agent. This was primarly written to be able to use gpg-agent to provide the keys stored in a YubiKeys openpgp interface, but can be used for other setups like proxying a ssh-agent over network. That way the signing key for ssh certificates can be kept in a "sign-only" hsm. This code was written for my employer Intinor AB, but for simplicity sake gifted to me to contribute upstream. Signed-off-by: Anton Lundin <glance@acc.umu.se>
4 years ago
// If our signer is from sshagentkms, just unwrap it instead of
// wrapping it in another layer, and this prevents crypto from
// erroring out with: ssh: unsupported key type *agent.Key
switch s := signer.(type) {
case *sshagentkms.WrappedSSHSigner:
a.sshCAHostCertSignKey = s.Sshsigner
case crypto.Signer:
a.sshCAHostCertSignKey, err = ssh.NewSignerFromSigner(s)
default:
return errors.Errorf("unsupported signer type %T", signer)
}
Add initial implementation of ssh config.
5 years ago
if err != nil {
return errors.Wrap(err, "error creating ssh signer")
}
Add support for multiple ssh roots. Fixes #125
5 years ago
// Append public key to list of host certs
a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey())
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey())
Allow to use custom SSH user/host key files.
5 years ago
}
if a.config.SSH.UserKey != "" {
Add wip support for kms.
4 years ago
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.SSH.UserKey,
Fix types.
4 years ago
Password: []byte(a.config.Password),
Add wip support for kms.
4 years ago
})
Allow to use custom SSH user/host key files.
5 years ago
if err != nil {
return err
}
Add support for using ssh-agent as a KMS This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys for issuing ssh certificates signed by a key managed by a ssh-agent. It uses the golang.org/x/crypto package to get a native Go implementation to talk to a ssh-agent. This was primarly written to be able to use gpg-agent to provide the keys stored in a YubiKeys openpgp interface, but can be used for other setups like proxying a ssh-agent over network. That way the signing key for ssh certificates can be kept in a "sign-only" hsm. This code was written for my employer Intinor AB, but for simplicity sake gifted to me to contribute upstream. Signed-off-by: Anton Lundin <glance@acc.umu.se>
4 years ago
// If our signer is from sshagentkms, just unwrap it instead of
// wrapping it in another layer, and this prevents crypto from
// erroring out with: ssh: unsupported key type *agent.Key
switch s := signer.(type) {
case *sshagentkms.WrappedSSHSigner:
a.sshCAUserCertSignKey = s.Sshsigner
case crypto.Signer:
a.sshCAUserCertSignKey, err = ssh.NewSignerFromSigner(s)
default:
return errors.Errorf("unsupported signer type %T", signer)
}
Add initial implementation of ssh config.
5 years ago
if err != nil {
return errors.Wrap(err, "error creating ssh signer")
}
Add support for multiple ssh roots. Fixes #125
5 years ago
// Append public key to list of user certs
Fix list of user ssh public keys.
5 years ago
a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAUserCertSignKey.PublicKey())
Add support for multiple ssh roots. Fixes #125
5 years ago
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey())
}
// Append other public keys
for _, key := range a.config.SSH.Keys {
switch key.Type {
case provisioner.SSHHostCert:
if key.Federated {
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, key.PublicKey())
} else {
a.sshCAHostCerts = append(a.sshCAHostCerts, key.PublicKey())
}
case provisioner.SSHUserCert:
if key.Federated {
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, key.PublicKey())
} else {
a.sshCAUserCerts = append(a.sshCAUserCerts, key.PublicKey())
}
default:
return errors.Errorf("unsupported type %s", key.Type)
}
Allow to use custom SSH user/host key files.
5 years ago
}
Fix ssh federated template variables.
4 years ago
// Configure template variables.
tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
// On the templates we skip the first one because there's a distinction
// between the main key and federated keys.
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts[1:]...)
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts[1:]...)
Allow to use custom SSH user/host key files.
5 years ago
}
Add initial implementation of an SSH CA using the JWK provisioner. Fixes smallstep/ca-component#187
5 years ago
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
// Merge global and configuration claims
first commit
3 years ago
claimer, err := provisioner.NewClaimer(a.config.AuthorityConfig.Claims, config.GlobalProvisionerClaims)
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
if err != nil {
return err
}
// TODO: should we also be combining the ssh federated roots here?
// If we rotate ssh roots keys, sshpop provisioner will lose ability to
// validate old SSH certificates, unless they are added as federated certs.
Add context parameter to all SSH methods.
4 years ago
sshKeys, err := a.GetSSHRoots(context.Background())
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
if err != nil {
return err
}
// Initialize provisioners
first commit
3 years ago
audiences := a.config.GetAudiences()
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
a.provisioners = provisioner.NewCollection(audiences)
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
config := provisioner.Config{
Refactor SCEP authority initialization and clean some code
3 years ago
Claims: claimer.Claims(),
Audiences: audiences,
DB: a.db,
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
SSHKeys: &provisioner.SSHKeys{
UserKeys: sshKeys.UserKeys,
HostKeys: sshKeys.HostKeys,
},
Instrument getIdentity func for OIDC ssh provisioner
5 years ago
GetIdentityFunc: a.getIdentityFunc,
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
}
Add non-TLS server and improve crypto.Decrypter interface A server without TLS was added to serve the SCEP endpoints. According to the RFC, SCEP has to be served via HTTP. The `sscep` client, for example, will stop any URL that does not start with `http://` from being used, so serving SCEP seems to be the right way to do it. This commit adds a second server for which no TLS configuration is configured. A distinct field in the configuration, `insecureAddress` was added to specify the address for the insecure server. The SCEP endpoints will also still be served via HTTPS. Some clients may be able to work with that. This commit also improves how the crypto.Decrypter interface is handled for the different types of KMSes supported by step. The apiv1.Decrypter interface was added. Currently only SoftKMS implements this interface, providing a crypto.Decrypter required for SCEP operations.
3 years ago
// Check if a KMS with decryption capability is required and available
if a.requiresDecrypter() {
Make tests not fail hard on ECDSA keys All tests for the Authority failed because the test data contains ECDSA keys. ECDSA keys are no crypto.Decrypter, resulting in a failure when instantiating the Authority.
3 years ago
if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
Add non-TLS server and improve crypto.Decrypter interface A server without TLS was added to serve the SCEP endpoints. According to the RFC, SCEP has to be served via HTTP. The `sscep` client, for example, will stop any URL that does not start with `http://` from being used, so serving SCEP seems to be the right way to do it. This commit adds a second server for which no TLS configuration is configured. A distinct field in the configuration, `insecureAddress` was added to specify the address for the insecure server. The SCEP endpoints will also still be served via HTTPS. Some clients may be able to work with that. This commit also improves how the crypto.Decrypter interface is handled for the different types of KMSes supported by step. The apiv1.Decrypter interface was added. Currently only SoftKMS implements this interface, providing a crypto.Decrypter required for SCEP operations.
3 years ago
return errors.New("keymanager doesn't provide crypto.Decrypter")
}
}
Make tests green
3 years ago
// TODO: decide if this is a good approach for providing the SCEP functionality
// It currently mirrors the logic for the x509CAService
if a.requiresSCEPService() && a.scepService == nil {
Address (most) PR comments
3 years ago
var options scep.Options
Make tests green
3 years ago
// Read intermediate and create X509 signer and decrypter for default CAS.
Address (most) PR comments
3 years ago
options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
if err != nil {
return err
}
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.IntermediateKey,
Password: []byte(a.config.Password),
})
if err != nil {
return err
}
if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
DecryptionKey: a.config.IntermediateKey,
Password: []byte(a.config.Password),
Make tests green
3 years ago
})
if err != nil {
return err
}
}
a.scepService, err = scep.NewService(context.Background(), options)
if err != nil {
return err
}
// TODO: mimick the x509CAService GetCertificateAuthority here too?
}
Use provisioner.Collection to store and request the provisioners.
5 years ago
// Store all the provisioners
first commit
6 years ago
for _, p := range a.config.AuthorityConfig.Provisioners {
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
if err := p.Init(config); err != nil {
return err
}
Use provisioner.Collection to store and request the provisioners.
5 years ago
if err := a.provisioners.Store(p); err != nil {
return err
first commit
6 years ago
}
}
wip
3 years ago
// Store all the admins
wip
3 years ago
a.admins = admin.NewCollection(a.provisioners)
wip
3 years ago
for _, adm := range a.config.AuthorityConfig.Admins {
if err := a.admins.Store(adm); err != nil {
return err
}
}
first commit
6 years ago
Load default templates if no templates are configured.
4 years ago
// Configure templates, currently only ssh templates are supported.
if a.sshCAHostCertSignKey != nil || a.sshCAUserCertSignKey != nil {
Use templates from authority instead of config.
4 years ago
a.templates = a.config.Templates
if a.templates == nil {
a.templates = templates.DefaultTemplates()
Add initial support for ssh config. Related to smallstep/cli#170
5 years ago
}
Use templates from authority instead of config.
4 years ago
if a.templates.Data == nil {
a.templates.Data = make(map[string]interface{})
Add initial support for ssh config. Related to smallstep/cli#170
5 years ago
}
Use templates from authority instead of config.
4 years ago
a.templates.Data["Step"] = tmplVars
Add initial support for ssh config. Related to smallstep/cli#170
5 years ago
}
Truncate to seconds the startTime to simplify tests.
5 years ago
// JWT numeric dates are seconds.
a.startTime = time.Now().Truncate(time.Second)
first commit
6 years ago
// Set flag indicating that initialization has been completed, and should
// not be repeated.
a.initOnce = true
return nil
}
Add /revoke API with interface db backend
5 years ago
Fix comments.
5 years ago
// GetDatabase returns the authority database. If the configuration does not
// define a database, GetDatabase will return a db.SimpleDB instance.
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170
5 years ago
func (a *Authority) GetDatabase() db.AuthDB {
return a.db
}
wip
3 years ago
// GetAdminDatabase returns the mgmt database, if one exists.
func (a *Authority) GetAdminDatabase() mgmt.DB {
return a.adminDB
first steps
3 years ago
}
wip
3 years ago
// GetAdminCollection returns the admin collection.
func (a *Authority) GetAdminCollection() *admin.Collection {
return a.admins
}
// GetProvisionerCollection returns the admin collection.
func (a *Authority) GetProvisionerCollection() *provisioner.Collection {
return a.provisioners
}
Add /revoke API with interface db backend
5 years ago
// Shutdown safely shuts down any clients, databases, etc. held by the Authority.
func (a *Authority) Shutdown() error {
Close the key manager before shutting down.
4 years ago
if err := a.keyManager.Close(); err != nil {
log.Printf("error closing the key manager: %v", err)
}
Add /revoke API with interface db backend
5 years ago
return a.db.Shutdown()
}
Close key manager for safe reloads when a cgo module is used.
3 years ago
// CloseForReload closes internal services, to allow a safe reload.
func (a *Authority) CloseForReload() {
if err := a.keyManager.Close(); err != nil {
log.Printf("error closing the key manager: %v", err)
}
}
Refactor initialization of SCEP authority
3 years ago
Make tests green
3 years ago
// requiresDecrypter returns whether the Authority
// requires a KMS that provides a crypto.Decrypter
Make serving SCEP endpoints optional Only when a SCEP provisioner is enabled, the SCEP endpoints will now be available. The SCEP endpoints will be served on an "insecure" server, without TLS, only when an additional "insecureAddress" and a SCEP provisioner are configured for the CA.
3 years ago
// Currently this is only required when SCEP is
// enabled.
Add non-TLS server and improve crypto.Decrypter interface A server without TLS was added to serve the SCEP endpoints. According to the RFC, SCEP has to be served via HTTP. The `sscep` client, for example, will stop any URL that does not start with `http://` from being used, so serving SCEP seems to be the right way to do it. This commit adds a second server for which no TLS configuration is configured. A distinct field in the configuration, `insecureAddress` was added to specify the address for the insecure server. The SCEP endpoints will also still be served via HTTPS. Some clients may be able to work with that. This commit also improves how the crypto.Decrypter interface is handled for the different types of KMSes supported by step. The apiv1.Decrypter interface was added. Currently only SoftKMS implements this interface, providing a crypto.Decrypter required for SCEP operations.
3 years ago
func (a *Authority) requiresDecrypter() bool {
Make tests green
3 years ago
return a.requiresSCEPService()
}
// requiresSCEPService iterates over the configured provisioners
// and determines if one of them is a SCEP provisioner.
func (a *Authority) requiresSCEPService() bool {
Add non-TLS server and improve crypto.Decrypter interface A server without TLS was added to serve the SCEP endpoints. According to the RFC, SCEP has to be served via HTTP. The `sscep` client, for example, will stop any URL that does not start with `http://` from being used, so serving SCEP seems to be the right way to do it. This commit adds a second server for which no TLS configuration is configured. A distinct field in the configuration, `insecureAddress` was added to specify the address for the insecure server. The SCEP endpoints will also still be served via HTTPS. Some clients may be able to work with that. This commit also improves how the crypto.Decrypter interface is handled for the different types of KMSes supported by step. The apiv1.Decrypter interface was added. Currently only SoftKMS implements this interface, providing a crypto.Decrypter required for SCEP operations.
3 years ago
for _, p := range a.config.AuthorityConfig.Provisioners {
if p.GetType() == provisioner.TypeSCEP {
return true
}
}
return false
}
Refactor initialization of SCEP authority
3 years ago
// GetSCEPService returns the configured SCEP Service
// TODO: this function is intended to exist temporarily
// in order to make SCEP work more easily. It can be
// made more correct by using the right interfaces/abstractions
// after it works as expected.
Make tests green
3 years ago
func (a *Authority) GetSCEPService() *scep.Service {
return a.scepService
Refactor initialization of SCEP authority
3 years ago
}