2019-09-13 19:11:46 +00:00
|
|
|
|
package pki
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2020-10-20 01:42:03 +00:00
|
|
|
|
"context"
|
2019-09-13 19:11:46 +00:00
|
|
|
|
"crypto"
|
|
|
|
|
|
"crypto/sha256"
|
|
|
|
|
|
"crypto/x509"
|
2020-10-23 22:04:09 +00:00
|
|
|
|
"crypto/x509/pkix"
|
2019-09-13 19:11:46 +00:00
|
|
|
|
"encoding/hex"
|
|
|
|
|
|
"encoding/json"
|
|
|
|
|
|
"encoding/pem"
|
|
|
|
|
|
"fmt"
|
|
|
|
|
|
"html"
|
|
|
|
|
|
"net"
|
|
|
|
|
|
"os"
|
|
|
|
|
|
"path/filepath"
|
|
|
|
|
|
"strconv"
|
|
|
|
|
|
"strings"
|
2020-08-11 02:05:27 +00:00
|
|
|
|
"time"
|
2019-09-13 19:11:46 +00:00
|
|
|
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
|
|
"github.com/smallstep/certificates/authority"
|
|
|
|
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
|
|
|
|
|
"github.com/smallstep/certificates/ca"
|
2020-10-20 01:42:03 +00:00
|
|
|
|
"github.com/smallstep/certificates/cas"
|
|
|
|
|
|
"github.com/smallstep/certificates/cas/apiv1"
|
2019-09-13 19:11:46 +00:00
|
|
|
|
"github.com/smallstep/certificates/db"
|
2020-10-29 20:10:03 +00:00
|
|
|
|
"go.step.sm/cli-utils/config"
|
|
|
|
|
|
"go.step.sm/cli-utils/errs"
|
|
|
|
|
|
"go.step.sm/cli-utils/fileutil"
|
|
|
|
|
|
"go.step.sm/cli-utils/ui"
|
2020-08-24 21:44:11 +00:00
|
|
|
|
"go.step.sm/crypto/jose"
|
2020-08-14 22:33:50 +00:00
|
|
|
|
"go.step.sm/crypto/keyutil"
|
|
|
|
|
|
"go.step.sm/crypto/pemutil"
|
2019-10-11 18:25:48 +00:00
|
|
|
|
"golang.org/x/crypto/ssh"
|
2019-09-13 19:11:46 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
|
// ConfigPath is the directory name under the step path where the configuration
|
|
|
|
|
|
// files will be stored.
|
|
|
|
|
|
configPath = "config"
|
|
|
|
|
|
// PublicPath is the directory name under the step path where the public keys
|
|
|
|
|
|
// will be stored.
|
|
|
|
|
|
publicPath = "certs"
|
|
|
|
|
|
// PublicPath is the directory name under the step path where the private keys
|
|
|
|
|
|
// will be stored.
|
|
|
|
|
|
privatePath = "secrets"
|
|
|
|
|
|
// DBPath is the directory name under the step path where the private keys
|
|
|
|
|
|
// will be stored.
|
|
|
|
|
|
dbPath = "db"
|
2019-10-11 18:25:48 +00:00
|
|
|
|
// templatesPath is the directory to store templates
|
|
|
|
|
|
templatesPath = "templates"
|
2019-09-13 19:11:46 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// GetDBPath returns the path where the file-system persistence is stored
|
|
|
|
|
|
// based on the STEPPATH environment variable.
|
|
|
|
|
|
func GetDBPath() string {
|
|
|
|
|
|
return filepath.Join(config.StepPath(), dbPath)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetConfigPath returns the directory where the configuration files are stored
|
|
|
|
|
|
// based on the STEPPATH environment variable.
|
|
|
|
|
|
func GetConfigPath() string {
|
|
|
|
|
|
return filepath.Join(config.StepPath(), configPath)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetPublicPath returns the directory where the public keys are stored based on
|
|
|
|
|
|
// the STEPPATH environment variable.
|
|
|
|
|
|
func GetPublicPath() string {
|
|
|
|
|
|
return filepath.Join(config.StepPath(), publicPath)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetSecretsPath returns the directory where the private keys are stored based
|
|
|
|
|
|
// on the STEPPATH environment variable.
|
|
|
|
|
|
func GetSecretsPath() string {
|
|
|
|
|
|
return filepath.Join(config.StepPath(), privatePath)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetRootCAPath returns the path where the root CA is stored based on the
|
|
|
|
|
|
// STEPPATH environment variable.
|
|
|
|
|
|
func GetRootCAPath() string {
|
|
|
|
|
|
return filepath.Join(config.StepPath(), publicPath, "root_ca.crt")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetOTTKeyPath returns the path where the one-time token key is stored based
|
|
|
|
|
|
// on the STEPPATH environment variable.
|
|
|
|
|
|
func GetOTTKeyPath() string {
|
|
|
|
|
|
return filepath.Join(config.StepPath(), privatePath, "ott_key")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-10-11 18:25:48 +00:00
|
|
|
|
// GetTemplatesPath returns the path where the templates are stored.
|
|
|
|
|
|
func GetTemplatesPath() string {
|
|
|
|
|
|
return filepath.Join(config.StepPath(), templatesPath)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-09-13 19:11:46 +00:00
|
|
|
|
// GetProvisioners returns the map of provisioners on the given CA.
|
|
|
|
|
|
func GetProvisioners(caURL, rootFile string) (provisioner.List, error) {
|
|
|
|
|
|
if len(rootFile) == 0 {
|
|
|
|
|
|
rootFile = GetRootCAPath()
|
|
|
|
|
|
}
|
|
|
|
|
|
client, err := ca.NewClient(caURL, ca.WithRootFile(rootFile))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
cursor := ""
|
|
|
|
|
|
provisioners := provisioner.List{}
|
|
|
|
|
|
for {
|
|
|
|
|
|
resp, err := client.Provisioners(ca.WithProvisionerCursor(cursor), ca.WithProvisionerLimit(100))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
provisioners = append(provisioners, resp.Provisioners...)
|
|
|
|
|
|
if resp.NextCursor == "" {
|
|
|
|
|
|
return provisioners, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
cursor = resp.NextCursor
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetProvisionerKey returns the encrypted provisioner key with the for the
|
|
|
|
|
|
// given kid.
|
|
|
|
|
|
func GetProvisionerKey(caURL, rootFile, kid string) (string, error) {
|
|
|
|
|
|
if len(rootFile) == 0 {
|
|
|
|
|
|
rootFile = GetRootCAPath()
|
|
|
|
|
|
}
|
|
|
|
|
|
client, err := ca.NewClient(caURL, ca.WithRootFile(rootFile))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
resp, err := client.ProvisionerKey(kid)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
return resp.Key, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// PKI represents the Public Key Infrastructure used by a certificate authority.
|
|
|
|
|
|
type PKI struct {
|
2020-10-23 22:04:09 +00:00
|
|
|
|
casOptions apiv1.Options
|
|
|
|
|
|
caCreator apiv1.CertificateAuthorityCreator
|
2019-09-13 19:11:46 +00:00
|
|
|
|
root, rootKey, rootFingerprint string
|
|
|
|
|
|
intermediate, intermediateKey string
|
|
|
|
|
|
sshHostPubKey, sshHostKey string
|
|
|
|
|
|
sshUserPubKey, sshUserKey string
|
|
|
|
|
|
config, defaults string
|
|
|
|
|
|
ottPublicKey *jose.JSONWebKey
|
|
|
|
|
|
ottPrivateKey *jose.JSONWebEncryption
|
|
|
|
|
|
provisioner string
|
|
|
|
|
|
address string
|
|
|
|
|
|
dnsNames []string
|
|
|
|
|
|
caURL string
|
|
|
|
|
|
enableSSH bool
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// New creates a new PKI configuration.
|
2020-10-23 22:04:09 +00:00
|
|
|
|
func New(opts apiv1.Options) (*PKI, error) {
|
|
|
|
|
|
caCreator, err := cas.NewCreator(context.Background(), opts)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-10-11 18:25:48 +00:00
|
|
|
|
public := GetPublicPath()
|
|
|
|
|
|
private := GetSecretsPath()
|
|
|
|
|
|
config := GetConfigPath()
|
|
|
|
|
|
|
|
|
|
|
|
// Create directories
|
|
|
|
|
|
dirs := []string{public, private, config, GetTemplatesPath()}
|
|
|
|
|
|
for _, name := range dirs {
|
|
|
|
|
|
if _, err := os.Stat(name); os.IsNotExist(err) {
|
|
|
|
|
|
if err = os.MkdirAll(name, 0700); err != nil {
|
|
|
|
|
|
return nil, errs.FileError(err, name)
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// get absolute path for dir/name
|
|
|
|
|
|
getPath := func(dir string, name string) (string, error) {
|
|
|
|
|
|
s, err := filepath.Abs(filepath.Join(dir, name))
|
|
|
|
|
|
return s, errors.Wrapf(err, "error getting absolute path for %s", name)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
p := &PKI{
|
2020-10-23 22:04:09 +00:00
|
|
|
|
casOptions: opts,
|
|
|
|
|
|
caCreator: caCreator,
|
2019-09-13 19:11:46 +00:00
|
|
|
|
provisioner: "step-cli",
|
|
|
|
|
|
address: "127.0.0.1:9000",
|
|
|
|
|
|
dnsNames: []string{"127.0.0.1"},
|
|
|
|
|
|
}
|
|
|
|
|
|
if p.root, err = getPath(public, "root_ca.crt"); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
if p.rootKey, err = getPath(private, "root_ca_key"); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
if p.intermediate, err = getPath(public, "intermediate_ca.crt"); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
if p.intermediateKey, err = getPath(private, "intermediate_ca_key"); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2019-11-06 00:20:29 +00:00
|
|
|
|
if p.sshHostPubKey, err = getPath(public, "ssh_host_ca_key.pub"); err != nil {
|
2019-09-13 19:11:46 +00:00
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2019-11-06 00:20:29 +00:00
|
|
|
|
if p.sshUserPubKey, err = getPath(public, "ssh_user_ca_key.pub"); err != nil {
|
2019-09-13 19:11:46 +00:00
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2019-11-06 00:20:29 +00:00
|
|
|
|
if p.sshHostKey, err = getPath(private, "ssh_host_ca_key"); err != nil {
|
2019-09-13 19:11:46 +00:00
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2019-11-06 00:20:29 +00:00
|
|
|
|
if p.sshUserKey, err = getPath(private, "ssh_user_ca_key"); err != nil {
|
2019-09-13 19:11:46 +00:00
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
if len(config) > 0 {
|
|
|
|
|
|
if p.config, err = getPath(config, "ca.json"); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
if p.defaults, err = getPath(config, "defaults.json"); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return p, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetCAConfigPath returns the path of the CA configuration file.
|
|
|
|
|
|
func (p *PKI) GetCAConfigPath() string {
|
|
|
|
|
|
return p.config
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetRootFingerprint returns the root fingerprint.
|
|
|
|
|
|
func (p *PKI) GetRootFingerprint() string {
|
|
|
|
|
|
return p.rootFingerprint
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// SetProvisioner sets the provisioner name of the OTT keys.
|
|
|
|
|
|
func (p *PKI) SetProvisioner(s string) {
|
|
|
|
|
|
p.provisioner = s
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// SetAddress sets the listening address of the CA.
|
|
|
|
|
|
func (p *PKI) SetAddress(s string) {
|
|
|
|
|
|
p.address = s
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// SetDNSNames sets the dns names of the CA.
|
|
|
|
|
|
func (p *PKI) SetDNSNames(s []string) {
|
|
|
|
|
|
p.dnsNames = s
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// SetCAURL sets the ca-url to use in the defaults.json.
|
|
|
|
|
|
func (p *PKI) SetCAURL(s string) {
|
|
|
|
|
|
p.caURL = s
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GenerateKeyPairs generates the key pairs used by the certificate authority.
|
|
|
|
|
|
func (p *PKI) GenerateKeyPairs(pass []byte) error {
|
|
|
|
|
|
var err error
|
|
|
|
|
|
// Create OTT key pair, the user doesn't need to know about this.
|
|
|
|
|
|
p.ottPublicKey, p.ottPrivateKey, err = jose.GenerateDefaultKeyPair(pass)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-23 22:04:09 +00:00
|
|
|
|
// GenerateRootCertificate generates a root certificate with the given name
|
|
|
|
|
|
// and using the default key type.
|
|
|
|
|
|
func (p *PKI) GenerateRootCertificate(name, org, resource string, pass []byte) (*apiv1.CreateCertificateAuthorityResponse, error) {
|
|
|
|
|
|
resp, err := p.caCreator.CreateCertificateAuthority(&apiv1.CreateCertificateAuthorityRequest{
|
|
|
|
|
|
Name: resource + "-Root-CA",
|
|
|
|
|
|
Type: apiv1.RootCA,
|
|
|
|
|
|
Lifetime: 10 * 365 * 24 * time.Hour,
|
|
|
|
|
|
CreateKey: nil, // use default
|
|
|
|
|
|
Template: &x509.Certificate{
|
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
|
CommonName: name + " Root CA",
|
|
|
|
|
|
Organization: []string{org},
|
|
|
|
|
|
},
|
|
|
|
|
|
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
|
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
|
IsCA: true,
|
|
|
|
|
|
MaxPathLen: 1,
|
|
|
|
|
|
MaxPathLenZero: false,
|
|
|
|
|
|
},
|
|
|
|
|
|
})
|
2019-09-13 19:11:46 +00:00
|
|
|
|
if err != nil {
|
2020-10-23 22:04:09 +00:00
|
|
|
|
return nil, err
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-23 22:04:09 +00:00
|
|
|
|
// PrivateKey will only be set if we have access to it (SoftCAS).
|
|
|
|
|
|
if err := p.WriteRootCertificate(resp.Certificate, resp.PrivateKey, pass); err != nil {
|
|
|
|
|
|
return nil, err
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-23 22:04:09 +00:00
|
|
|
|
return resp, nil
|
|
|
|
|
|
}
|
2019-09-13 19:11:46 +00:00
|
|
|
|
|
2020-10-23 22:04:09 +00:00
|
|
|
|
// GenerateIntermediateCertificate generates an intermediate certificate with
|
|
|
|
|
|
// the given name and using the default key type.
|
|
|
|
|
|
func (p *PKI) GenerateIntermediateCertificate(name, org, resource string, parent *apiv1.CreateCertificateAuthorityResponse, pass []byte) error {
|
|
|
|
|
|
resp, err := p.caCreator.CreateCertificateAuthority(&apiv1.CreateCertificateAuthorityRequest{
|
|
|
|
|
|
Name: resource + "-Intermediate-CA",
|
|
|
|
|
|
Type: apiv1.IntermediateCA,
|
|
|
|
|
|
Lifetime: 10 * 365 * 24 * time.Hour,
|
|
|
|
|
|
CreateKey: nil, // use default
|
|
|
|
|
|
Template: &x509.Certificate{
|
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
|
CommonName: name + " Intermediate CA",
|
|
|
|
|
|
Organization: []string{org},
|
|
|
|
|
|
},
|
|
|
|
|
|
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
|
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
|
IsCA: true,
|
|
|
|
|
|
MaxPathLen: 0,
|
|
|
|
|
|
MaxPathLenZero: true,
|
|
|
|
|
|
},
|
|
|
|
|
|
Parent: parent,
|
|
|
|
|
|
})
|
2020-08-11 02:05:27 +00:00
|
|
|
|
if err != nil {
|
2020-10-23 22:04:09 +00:00
|
|
|
|
return err
|
2020-08-11 02:05:27 +00:00
|
|
|
|
}
|
2019-09-13 19:11:46 +00:00
|
|
|
|
|
2020-10-23 22:04:09 +00:00
|
|
|
|
p.casOptions.CertificateAuthority = resp.Name
|
|
|
|
|
|
return p.WriteIntermediateCertificate(resp.Certificate, resp.PrivateKey, pass)
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// WriteRootCertificate writes to disk the given certificate and key.
|
|
|
|
|
|
func (p *PKI) WriteRootCertificate(rootCrt *x509.Certificate, rootKey interface{}, pass []byte) error {
|
2020-10-29 20:10:03 +00:00
|
|
|
|
if err := fileutil.WriteFile(p.root, pem.EncodeToMemory(&pem.Block{
|
2019-09-13 19:11:46 +00:00
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
|
|
Bytes: rootCrt.Raw,
|
|
|
|
|
|
}), 0600); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-20 01:42:03 +00:00
|
|
|
|
if rootKey != nil {
|
|
|
|
|
|
_, err := pemutil.Serialize(rootKey, pemutil.WithPassword(pass), pemutil.ToFile(p.rootKey, 0600))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
2020-04-23 20:43:51 +00:00
|
|
|
|
|
|
|
|
|
|
sum := sha256.Sum256(rootCrt.Raw)
|
|
|
|
|
|
p.rootFingerprint = strings.ToLower(hex.EncodeToString(sum[:]))
|
|
|
|
|
|
|
2019-09-13 19:11:46 +00:00
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-23 22:04:09 +00:00
|
|
|
|
// WriteIntermediateCertificate writes to disk the given certificate and key.
|
|
|
|
|
|
func (p *PKI) WriteIntermediateCertificate(crt *x509.Certificate, key interface{}, pass []byte) error {
|
|
|
|
|
|
if err := fileutil.WriteFile(p.intermediate, pem.EncodeToMemory(&pem.Block{
|
|
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
|
|
Bytes: crt.Raw,
|
|
|
|
|
|
}), 0600); err != nil {
|
2020-10-20 01:42:03 +00:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
2020-10-23 22:04:09 +00:00
|
|
|
|
if key != nil {
|
|
|
|
|
|
_, err := pemutil.Serialize(key, pemutil.WithPassword(pass), pemutil.ToFile(p.intermediateKey, 0600))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
2020-10-20 01:42:03 +00:00
|
|
|
|
|
2020-10-26 23:43:44 +00:00
|
|
|
|
// CreateCertificateAuthorityResponse returns a
|
|
|
|
|
|
// CreateCertificateAuthorityResponse that can be used as a parent of a
|
|
|
|
|
|
// CreateCertificateAuthority request.
|
|
|
|
|
|
func (p *PKI) CreateCertificateAuthorityResponse(cert *x509.Certificate, key crypto.PrivateKey) *apiv1.CreateCertificateAuthorityResponse {
|
|
|
|
|
|
signer, _ := key.(crypto.Signer)
|
|
|
|
|
|
return &apiv1.CreateCertificateAuthorityResponse{
|
|
|
|
|
|
Certificate: cert,
|
|
|
|
|
|
PrivateKey: key,
|
|
|
|
|
|
Signer: signer,
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-23 22:04:09 +00:00
|
|
|
|
// GetCertificateAuthority attempts to load the certificate authority from the
|
|
|
|
|
|
// RA.
|
|
|
|
|
|
func (p *PKI) GetCertificateAuthority() error {
|
|
|
|
|
|
srv, ok := p.caCreator.(apiv1.CertificateAuthorityGetter)
|
2020-10-20 01:42:03 +00:00
|
|
|
|
if !ok {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
resp, err := srv.GetCertificateAuthority(&apiv1.GetCertificateAuthorityRequest{
|
2020-10-23 22:04:09 +00:00
|
|
|
|
Name: p.casOptions.CertificateAuthority,
|
2020-10-20 01:42:03 +00:00
|
|
|
|
})
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if err := p.WriteRootCertificate(resp.RootCertificate, nil, nil); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Issuer is in the RA
|
|
|
|
|
|
p.intermediate = ""
|
|
|
|
|
|
p.intermediateKey = ""
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-09-13 19:11:46 +00:00
|
|
|
|
// GenerateSSHSigningKeys generates and encrypts a private key used for signing
|
|
|
|
|
|
// SSH user certificates and a private key used for signing host certificates.
|
|
|
|
|
|
func (p *PKI) GenerateSSHSigningKeys(password []byte) error {
|
|
|
|
|
|
var pubNames = []string{p.sshHostPubKey, p.sshUserPubKey}
|
|
|
|
|
|
var privNames = []string{p.sshHostKey, p.sshUserKey}
|
|
|
|
|
|
for i := 0; i < 2; i++ {
|
2020-08-14 22:33:50 +00:00
|
|
|
|
pub, priv, err := keyutil.GenerateDefaultKeyPair()
|
2019-09-13 19:11:46 +00:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
if _, ok := priv.(crypto.Signer); !ok {
|
|
|
|
|
|
return errors.Errorf("key of type %T is not a crypto.Signer", priv)
|
|
|
|
|
|
}
|
|
|
|
|
|
sshKey, err := ssh.NewPublicKey(pub)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return errors.Wrapf(err, "error converting public key")
|
|
|
|
|
|
}
|
|
|
|
|
|
_, err = pemutil.Serialize(priv, pemutil.WithFilename(privNames[i]), pemutil.WithPassword(password))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2020-10-29 20:10:03 +00:00
|
|
|
|
if err = fileutil.WriteFile(pubNames[i], ssh.MarshalAuthorizedKey(sshKey), 0600); err != nil {
|
2019-09-13 19:11:46 +00:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
p.enableSSH = true
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (p *PKI) askFeedback() {
|
|
|
|
|
|
ui.Println()
|
|
|
|
|
|
ui.Printf("\033[1mFEEDBACK\033[0m %s %s\n",
|
|
|
|
|
|
html.UnescapeString("&#"+strconv.Itoa(128525)+";"),
|
|
|
|
|
|
html.UnescapeString("&#"+strconv.Itoa(127867)+";"))
|
|
|
|
|
|
ui.Println(" The \033[1mstep\033[0m utility is not instrumented for usage statistics. It does not")
|
|
|
|
|
|
ui.Println(" phone home. But your feedback is extremely valuable. Any information you")
|
|
|
|
|
|
ui.Println(" can provide regarding how you’re using `step` helps. Please send us a")
|
|
|
|
|
|
ui.Println(" sentence or two, good or bad: \033[1mfeedback@smallstep.com\033[0m or join")
|
2020-09-23 23:36:37 +00:00
|
|
|
|
ui.Println(" \033[1mhttps://github.com/smallstep/certificates/discussions\033[0m.")
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// TellPKI outputs the locations of public and private keys generated
|
|
|
|
|
|
// generated for a new PKI. Generally this will consist of a root certificate
|
|
|
|
|
|
// and key and an intermediate certificate and key.
|
|
|
|
|
|
func (p *PKI) TellPKI() {
|
|
|
|
|
|
p.tellPKI()
|
|
|
|
|
|
p.askFeedback()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (p *PKI) tellPKI() {
|
|
|
|
|
|
ui.Println()
|
2020-10-23 22:04:09 +00:00
|
|
|
|
if p.casOptions.Is(apiv1.SoftCAS) {
|
2020-10-20 01:42:03 +00:00
|
|
|
|
ui.PrintSelected("Root certificate", p.root)
|
|
|
|
|
|
ui.PrintSelected("Root private key", p.rootKey)
|
|
|
|
|
|
ui.PrintSelected("Root fingerprint", p.rootFingerprint)
|
|
|
|
|
|
ui.PrintSelected("Intermediate certificate", p.intermediate)
|
|
|
|
|
|
ui.PrintSelected("Intermediate private key", p.intermediateKey)
|
|
|
|
|
|
} else if p.rootFingerprint != "" {
|
|
|
|
|
|
ui.PrintSelected("Root certificate", p.root)
|
|
|
|
|
|
ui.PrintSelected("Root fingerprint", p.rootFingerprint)
|
|
|
|
|
|
} else {
|
|
|
|
|
|
ui.Printf(`{{ "%s" | red }} {{ "Root certificate:" | bold }} failed to retrieve it from RA`+"\n", ui.IconBad)
|
|
|
|
|
|
}
|
2019-09-13 19:11:46 +00:00
|
|
|
|
if p.enableSSH {
|
|
|
|
|
|
ui.PrintSelected("SSH user root certificate", p.sshUserPubKey)
|
|
|
|
|
|
ui.PrintSelected("SSH user root private key", p.sshUserKey)
|
|
|
|
|
|
ui.PrintSelected("SSH host root certificate", p.sshHostPubKey)
|
|
|
|
|
|
ui.PrintSelected("SSH host root private key", p.sshHostKey)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
type caDefaults struct {
|
|
|
|
|
|
CAUrl string `json:"ca-url"`
|
|
|
|
|
|
CAConfig string `json:"ca-config"`
|
|
|
|
|
|
Fingerprint string `json:"fingerprint"`
|
|
|
|
|
|
Root string `json:"root"`
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Option is the type for modifiers over the auth config object.
|
|
|
|
|
|
type Option func(c *authority.Config) error
|
|
|
|
|
|
|
|
|
|
|
|
// WithDefaultDB is a configuration modifier that adds a default DB stanza to
|
|
|
|
|
|
// the authority config.
|
|
|
|
|
|
func WithDefaultDB() Option {
|
|
|
|
|
|
return func(c *authority.Config) error {
|
|
|
|
|
|
c.DB = &db.Config{
|
|
|
|
|
|
Type: "badger",
|
|
|
|
|
|
DataSource: GetDBPath(),
|
|
|
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// WithoutDB is a configuration modifier that adds a default DB stanza to
|
|
|
|
|
|
// the authority config.
|
|
|
|
|
|
func WithoutDB() Option {
|
|
|
|
|
|
return func(c *authority.Config) error {
|
|
|
|
|
|
c.DB = nil
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GenerateConfig returns the step certificates configuration.
|
|
|
|
|
|
func (p *PKI) GenerateConfig(opt ...Option) (*authority.Config, error) {
|
|
|
|
|
|
key, err := p.ottPrivateKey.CompactSerialize()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, errors.Wrap(err, "error serializing private key")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-09-26 22:23:32 +00:00
|
|
|
|
prov := &provisioner.JWK{
|
|
|
|
|
|
Name: p.provisioner,
|
|
|
|
|
|
Type: "JWK",
|
|
|
|
|
|
Key: p.ottPublicKey,
|
|
|
|
|
|
EncryptedKey: key,
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-23 22:04:09 +00:00
|
|
|
|
var authorityOptions *apiv1.Options
|
|
|
|
|
|
if !p.casOptions.Is(apiv1.SoftCAS) {
|
|
|
|
|
|
authorityOptions = &p.casOptions
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-09-13 19:11:46 +00:00
|
|
|
|
config := &authority.Config{
|
|
|
|
|
|
Root: []string{p.root},
|
|
|
|
|
|
FederatedRoots: []string{},
|
|
|
|
|
|
IntermediateCert: p.intermediate,
|
|
|
|
|
|
IntermediateKey: p.intermediateKey,
|
|
|
|
|
|
Address: p.address,
|
|
|
|
|
|
DNSNames: p.dnsNames,
|
|
|
|
|
|
Logger: []byte(`{"format": "text"}`),
|
|
|
|
|
|
DB: &db.Config{
|
|
|
|
|
|
Type: "badger",
|
|
|
|
|
|
DataSource: GetDBPath(),
|
|
|
|
|
|
},
|
|
|
|
|
|
AuthorityConfig: &authority.AuthConfig{
|
2020-10-23 22:04:09 +00:00
|
|
|
|
Options: authorityOptions,
|
2019-09-13 19:11:46 +00:00
|
|
|
|
DisableIssuedAtCheck: false,
|
2019-09-26 22:23:32 +00:00
|
|
|
|
Provisioners: provisioner.List{prov},
|
2019-09-13 19:11:46 +00:00
|
|
|
|
},
|
2020-08-10 22:29:18 +00:00
|
|
|
|
TLS: &authority.TLSOptions{
|
|
|
|
|
|
MinVersion: authority.DefaultTLSMinVersion,
|
|
|
|
|
|
MaxVersion: authority.DefaultTLSMaxVersion,
|
|
|
|
|
|
Renegotiation: authority.DefaultTLSRenegotiation,
|
|
|
|
|
|
CipherSuites: authority.DefaultTLSCipherSuites,
|
2019-09-13 19:11:46 +00:00
|
|
|
|
},
|
2019-10-11 19:49:09 +00:00
|
|
|
|
Templates: p.getTemplates(),
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
|
|
|
|
|
if p.enableSSH {
|
2019-09-26 22:23:32 +00:00
|
|
|
|
enableSSHCA := true
|
2019-09-13 19:11:46 +00:00
|
|
|
|
config.SSH = &authority.SSHConfig{
|
|
|
|
|
|
HostKey: p.sshHostKey,
|
|
|
|
|
|
UserKey: p.sshUserKey,
|
|
|
|
|
|
}
|
2020-07-31 17:32:08 +00:00
|
|
|
|
// Enable SSH authorization for default JWK provisioner
|
2019-09-26 22:23:32 +00:00
|
|
|
|
prov.Claims = &provisioner.Claims{
|
|
|
|
|
|
EnableSSHCA: &enableSSHCA,
|
|
|
|
|
|
}
|
2020-07-31 17:32:08 +00:00
|
|
|
|
// Add default SSHPOP provisioner
|
|
|
|
|
|
sshpop := &provisioner.SSHPOP{
|
|
|
|
|
|
Type: "SSHPOP",
|
|
|
|
|
|
Name: "sshpop",
|
|
|
|
|
|
Claims: &provisioner.Claims{
|
|
|
|
|
|
EnableSSHCA: &enableSSHCA,
|
|
|
|
|
|
},
|
|
|
|
|
|
}
|
|
|
|
|
|
config.AuthorityConfig.Provisioners = append(config.AuthorityConfig.Provisioners, sshpop)
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Apply configuration modifiers
|
|
|
|
|
|
for _, o := range opt {
|
|
|
|
|
|
if err = o(config); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return config, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Save stores the pki on a json file that will be used as the certificate
|
|
|
|
|
|
// authority configuration.
|
|
|
|
|
|
func (p *PKI) Save(opt ...Option) error {
|
|
|
|
|
|
p.tellPKI()
|
|
|
|
|
|
|
2019-10-11 19:49:09 +00:00
|
|
|
|
// Generate and write ca.json
|
2019-09-13 19:11:46 +00:00
|
|
|
|
config, err := p.GenerateConfig(opt...)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2020-10-14 01:53:45 +00:00
|
|
|
|
b, err := json.MarshalIndent(config, "", "\t")
|
2019-09-13 19:11:46 +00:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return errors.Wrapf(err, "error marshaling %s", p.config)
|
|
|
|
|
|
}
|
2020-10-29 20:10:03 +00:00
|
|
|
|
if err = fileutil.WriteFile(p.config, b, 0644); err != nil {
|
2019-09-13 19:11:46 +00:00
|
|
|
|
return errs.FileError(err, p.config)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Generate the CA URL.
|
|
|
|
|
|
if p.caURL == "" {
|
|
|
|
|
|
p.caURL = p.dnsNames[0]
|
|
|
|
|
|
var port string
|
|
|
|
|
|
_, port, err = net.SplitHostPort(p.address)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return errors.Wrapf(err, "error parsing %s", p.address)
|
|
|
|
|
|
}
|
|
|
|
|
|
if port == "443" {
|
|
|
|
|
|
p.caURL = fmt.Sprintf("https://%s", p.caURL)
|
|
|
|
|
|
} else {
|
|
|
|
|
|
p.caURL = fmt.Sprintf("https://%s:%s", p.caURL, port)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-10-11 19:49:09 +00:00
|
|
|
|
// Generate and write defaults.json
|
2019-09-13 19:11:46 +00:00
|
|
|
|
defaults := &caDefaults{
|
|
|
|
|
|
Root: p.root,
|
|
|
|
|
|
CAConfig: p.config,
|
|
|
|
|
|
CAUrl: p.caURL,
|
|
|
|
|
|
Fingerprint: p.rootFingerprint,
|
|
|
|
|
|
}
|
2020-10-14 01:53:45 +00:00
|
|
|
|
b, err = json.MarshalIndent(defaults, "", "\t")
|
2019-09-13 19:11:46 +00:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return errors.Wrapf(err, "error marshaling %s", p.defaults)
|
|
|
|
|
|
}
|
2020-10-29 20:10:03 +00:00
|
|
|
|
if err = fileutil.WriteFile(p.defaults, b, 0644); err != nil {
|
2019-09-13 19:11:46 +00:00
|
|
|
|
return errs.FileError(err, p.defaults)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-10-11 19:49:09 +00:00
|
|
|
|
// Generate and write templates
|
|
|
|
|
|
if err := generateTemplates(config.Templates); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-09-13 19:11:46 +00:00
|
|
|
|
if config.DB != nil {
|
2019-10-11 19:49:09 +00:00
|
|
|
|
ui.PrintSelected("Database folder", config.DB.DataSource)
|
2019-09-13 19:11:46 +00:00
|
|
|
|
}
|
2019-10-11 19:49:09 +00:00
|
|
|
|
if config.Templates != nil {
|
|
|
|
|
|
ui.PrintSelected("Templates folder", GetTemplatesPath())
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ui.PrintSelected("Default configuration", p.defaults)
|
|
|
|
|
|
ui.PrintSelected("Certificate Authority configuration", p.config)
|
2019-09-13 19:11:46 +00:00
|
|
|
|
ui.Println()
|
2020-10-23 22:04:09 +00:00
|
|
|
|
if p.casOptions.Is(apiv1.SoftCAS) {
|
2020-10-20 01:42:03 +00:00
|
|
|
|
ui.Println("Your PKI is ready to go. To generate certificates for individual services see 'step help ca'.")
|
|
|
|
|
|
} else {
|
|
|
|
|
|
ui.Println("Your registration authority is ready to go. To generate certificates for individual services see 'step help ca'.")
|
|
|
|
|
|
}
|
2019-09-13 19:11:46 +00:00
|
|
|
|
|
|
|
|
|
|
p.askFeedback()
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
