smallstep-certificates/scep/api/api.go

399 lines
9.3 KiB
Go
Raw Normal View History

package api
import (
"context"
"crypto"
"crypto/sha1"
"crypto/x509"
"encoding/base64"
"errors"
"fmt"
"io"
"io/ioutil"
"math/big"
"math/rand"
"net/http"
"strings"
"time"
"github.com/smallstep/certificates/acme"
"github.com/smallstep/certificates/api"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/scep"
microscep "github.com/micromdm/scep/scep"
)
const (
opnGetCACert = "GetCACert"
opnGetCACaps = "GetCACaps"
opnPKIOperation = "PKIOperation"
)
// SCEPRequest is a SCEP server request.
type SCEPRequest struct {
Operation string
Message []byte
}
// SCEPResponse is a SCEP server response.
type SCEPResponse struct {
Operation string
CACertNum int
Data []byte
Err error
}
// Handler is the SCEP request handler.
type Handler struct {
Auth scep.Interface
}
// New returns a new SCEP API router.
func New(scepAuth scep.Interface) api.RouterHandler {
return &Handler{scepAuth}
}
// Route traffic and implement the Router interface.
func (h *Handler) Route(r api.Router) {
//getLink := h.Auth.GetLinkExplicit
//fmt.Println(getLink)
//r.MethodFunc("GET", "/bla", h.baseURLFromRequest(h.lookupProvisioner(nil)))
//r.MethodFunc("GET", getLink(acme.NewNonceLink, "{provisionerID}", false, nil), h.baseURLFromRequest(h.lookupProvisioner(h.addNonce(h.GetNonce))))
r.MethodFunc(http.MethodGet, "/", h.lookupProvisioner(h.Get))
r.MethodFunc(http.MethodPost, "/", h.lookupProvisioner(h.Post))
}
func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
scepRequest, err := decodeSCEPRequest(r)
if err != nil {
fmt.Println(err)
fmt.Println("not a scep get request")
w.WriteHeader(500)
}
scepResponse := SCEPResponse{Operation: scepRequest.Operation}
switch scepRequest.Operation {
case opnGetCACert:
err := h.GetCACert(w, r, scepResponse)
if err != nil {
fmt.Println(err)
}
case opnGetCACaps:
err := h.GetCACaps(w, r, scepResponse)
if err != nil {
fmt.Println(err)
}
case opnPKIOperation:
default:
}
}
func (h *Handler) Post(w http.ResponseWriter, r *http.Request) {
scepRequest, err := decodeSCEPRequest(r)
if err != nil {
fmt.Println(err)
fmt.Println("not a scep post request")
w.WriteHeader(500)
}
scepResponse := SCEPResponse{Operation: scepRequest.Operation}
switch scepRequest.Operation {
case opnPKIOperation:
err := h.PKIOperation(w, r, scepRequest, scepResponse)
if err != nil {
fmt.Println(err)
}
default:
}
}
const maxPayloadSize = 2 << 20
func decodeSCEPRequest(r *http.Request) (SCEPRequest, error) {
defer r.Body.Close()
method := r.Method
query := r.URL.Query()
var operation string
if _, ok := query["operation"]; ok {
operation = query.Get("operation")
}
switch method {
case http.MethodGet:
switch operation {
case opnGetCACert, opnGetCACaps:
return SCEPRequest{
Operation: operation,
Message: []byte{},
}, nil
case opnPKIOperation:
var message string
if _, ok := query["message"]; ok {
message = query.Get("message")
}
decodedMessage, err := base64.URLEncoding.DecodeString(message)
if err != nil {
return SCEPRequest{}, err
}
return SCEPRequest{
Operation: operation,
Message: decodedMessage,
}, nil
default:
return SCEPRequest{}, fmt.Errorf("unsupported operation: %s", operation)
}
case http.MethodPost:
body, err := ioutil.ReadAll(io.LimitReader(r.Body, maxPayloadSize))
if err != nil {
return SCEPRequest{}, err
}
return SCEPRequest{
Operation: operation,
Message: body,
}, nil
default:
return SCEPRequest{}, fmt.Errorf("unsupported method: %s", method)
}
}
type nextHTTP = func(http.ResponseWriter, *http.Request)
// lookupProvisioner loads the provisioner associated with the request.
// Responds 404 if the provisioner does not exist.
func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
return func(w http.ResponseWriter, r *http.Request) {
// name := chi.URLParam(r, "provisionerID")
// provisionerID, err := url.PathUnescape(name)
// if err != nil {
// api.WriteError(w, fmt.Errorf("error url unescaping provisioner id '%s'", name))
// return
// }
// TODO: make this configurable; and we might want to look at being able to provide multiple,
// like the ACME one? The below assumes a SCEP provider (scep/) called "scep1" exists.
provisionerID := "scep1"
p, err := h.Auth.LoadProvisionerByID("scep/" + provisionerID)
if err != nil {
api.WriteError(w, err)
return
}
scepProvisioner, ok := p.(*provisioner.SCEP)
if !ok {
api.WriteError(w, errors.New("provisioner must be of type SCEP"))
return
}
ctx := r.Context()
ctx = context.WithValue(ctx, acme.ProvisionerContextKey, scep.Provisioner(scepProvisioner))
next(w, r.WithContext(ctx))
}
}
func (h *Handler) GetCACert(w http.ResponseWriter, r *http.Request, scepResponse SCEPResponse) error {
certs, err := h.Auth.GetCACertificates()
if err != nil {
return err
}
if len(certs) == 0 {
scepResponse.CACertNum = 0
scepResponse.Err = errors.New("missing CA Cert")
} else if len(certs) == 1 {
scepResponse.Data = certs[0].Raw
scepResponse.CACertNum = 1
} else {
data, err := microscep.DegenerateCertificates(certs)
scepResponse.CACertNum = len(certs)
scepResponse.Data = data
scepResponse.Err = err
}
return writeSCEPResponse(w, scepResponse)
}
func (h *Handler) GetCACaps(w http.ResponseWriter, r *http.Request, scepResponse SCEPResponse) error {
ctx := r.Context()
_, err := ProvisionerFromContext(ctx)
if err != nil {
return err
}
// TODO: get the actual capabilities from provisioner config
scepResponse.Data = formatCapabilities(defaultCapabilities)
return writeSCEPResponse(w, scepResponse)
}
func (h *Handler) PKIOperation(w http.ResponseWriter, r *http.Request, scepRequest SCEPRequest, scepResponse SCEPResponse) error {
msg, err := microscep.ParsePKIMessage(scepRequest.Message)
if err != nil {
return err
}
certs, err := h.Auth.GetCACertificates()
if err != nil {
return err
}
// TODO: instead of getting the key to decrypt, add a decrypt function to the auth; less leaky
key, err := h.Auth.GetSigningKey()
if err != nil {
return err
}
ca := certs[0]
if err := msg.DecryptPKIEnvelope(ca, key); err != nil {
return err
}
if msg.MessageType == microscep.PKCSReq {
// TODO: CSR validation, like challenge password
}
csr := msg.CSRReqMessage.CSR
id, err := createKeyIdentifier(csr.PublicKey)
if err != nil {
return err
}
serial := big.NewInt(int64(rand.Int63())) // TODO: serial logic?
days := 40
template := &x509.Certificate{
SerialNumber: serial,
Subject: csr.Subject,
NotBefore: time.Now().Add(-600).UTC(),
NotAfter: time.Now().AddDate(0, 0, days).UTC(),
SubjectKeyId: id,
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
},
SignatureAlgorithm: csr.SignatureAlgorithm,
EmailAddresses: csr.EmailAddresses,
}
certRep, err := msg.SignCSR(ca, key, template)
if err != nil {
return err
}
//cert := certRep.CertRepMessage.Certificate
//name := certName(cert)
// TODO: check if CN already exists, if renewal is allowed and if existing should be revoked; fail if not
// TODO: store the new cert for CN locally; should go into the DB
scepResponse.Data = certRep.Raw
api.LogCertificate(w, certRep.Certificate)
return writeSCEPResponse(w, scepResponse)
}
func certName(cert *x509.Certificate) string {
if cert.Subject.CommonName != "" {
return cert.Subject.CommonName
}
return string(cert.Signature)
}
// createKeyIdentifier create an identifier for public keys
// according to the first method in RFC5280 section 4.2.1.2.
func createKeyIdentifier(pub crypto.PublicKey) ([]byte, error) {
keyBytes, err := x509.MarshalPKIXPublicKey(pub)
if err != nil {
return nil, err
}
id := sha1.Sum(keyBytes)
return id[:], nil
}
func formatCapabilities(caps []string) []byte {
return []byte(strings.Join(caps, "\r\n"))
}
// writeSCEPResponse writes a SCEP response back to the SCEP client.
func writeSCEPResponse(w http.ResponseWriter, response SCEPResponse) error {
if response.Err != nil {
http.Error(w, response.Err.Error(), http.StatusInternalServerError)
return nil
}
w.Header().Set("Content-Type", contentHeader(response.Operation, response.CACertNum))
w.Write(response.Data)
return nil
}
var (
// TODO: check the default capabilities; https://tools.ietf.org/html/rfc8894#section-3.5.2
defaultCapabilities = []string{
"Renewal",
"SHA-1",
"SHA-256",
"AES",
"DES3",
"SCEPStandard",
"POSTPKIOperation",
}
)
const (
certChainHeader = "application/x-x509-ca-ra-cert"
leafHeader = "application/x-x509-ca-cert"
pkiOpHeader = "application/x-pki-message"
)
func contentHeader(operation string, certNum int) string {
switch operation {
case opnGetCACert:
if certNum > 1 {
return certChainHeader
}
return leafHeader
case opnPKIOperation:
return pkiOpHeader
default:
return "text/plain"
}
}
// ProvisionerFromContext searches the context for a provisioner. Returns the
// provisioner or an error.
func ProvisionerFromContext(ctx context.Context) (scep.Provisioner, error) {
val := ctx.Value(acme.ProvisionerContextKey)
if val == nil {
return nil, errors.New("provisioner expected in request context")
}
pval, ok := val.(scep.Provisioner)
if !ok || pval == nil {
return nil, errors.New("provisioner in context is not a SCEP provisioner")
}
return pval, nil
}