2021-03-18 02:33:35 +00:00
|
|
|
package stepcas
|
|
|
|
|
|
|
|
import (
|
2021-03-23 23:14:49 +00:00
|
|
|
"net/url"
|
2021-03-18 02:33:35 +00:00
|
|
|
"strings"
|
2021-03-23 23:14:49 +00:00
|
|
|
"time"
|
2021-03-18 02:33:35 +00:00
|
|
|
|
2022-08-11 21:47:11 +00:00
|
|
|
"github.com/google/uuid"
|
2021-03-18 02:33:35 +00:00
|
|
|
"github.com/pkg/errors"
|
2021-03-25 02:05:56 +00:00
|
|
|
"github.com/smallstep/certificates/ca"
|
2021-03-18 02:33:35 +00:00
|
|
|
"github.com/smallstep/certificates/cas/apiv1"
|
|
|
|
)
|
|
|
|
|
2022-08-11 21:47:11 +00:00
|
|
|
// raAuthorityNS is a custom namespace used to generate endpoint ids based on
|
|
|
|
// the authority id.
|
|
|
|
var raAuthorityNS = uuid.MustParse("d6f14c1f-2f92-47bf-a04f-7b2c11382edd")
|
|
|
|
|
|
|
|
// newServerEndpointID returns a uuid v5 using raAuthorityNS as the namespace.
|
|
|
|
// The return uuid will be used as the server endpoint id, it will be unique per
|
|
|
|
// authority.
|
|
|
|
func newServerEndpointID(data string) uuid.UUID {
|
|
|
|
return uuid.NewSHA1(raAuthorityNS, []byte(data))
|
|
|
|
}
|
|
|
|
|
2022-08-03 02:28:49 +00:00
|
|
|
type raInfo struct {
|
|
|
|
AuthorityID string `json:"authorityId,omitempty"`
|
2022-08-11 21:47:11 +00:00
|
|
|
EndpointID string `json:"endpointId,omitempty"`
|
|
|
|
ProvisionerID string `json:"provisionerId,omitempty"`
|
|
|
|
ProvisionerType string `json:"provisionerType,omitempty"`
|
|
|
|
ProvisionerName string `json:"provisionerName,omitempty"`
|
2022-08-03 02:28:49 +00:00
|
|
|
}
|
|
|
|
|
2021-03-23 23:14:49 +00:00
|
|
|
type stepIssuer interface {
|
2022-08-03 02:28:49 +00:00
|
|
|
SignToken(subject string, sans []string, info *raInfo) (string, error)
|
2021-03-23 23:14:49 +00:00
|
|
|
RevokeToken(subject string) (string, error)
|
|
|
|
Lifetime(d time.Duration) time.Duration
|
|
|
|
}
|
|
|
|
|
|
|
|
// newStepIssuer returns the configured step issuer.
|
2021-03-25 02:05:56 +00:00
|
|
|
func newStepIssuer(caURL *url.URL, client *ca.Client, iss *apiv1.CertificateIssuer) (stepIssuer, error) {
|
2021-03-23 23:14:49 +00:00
|
|
|
if err := validateCertificateIssuer(iss); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
switch strings.ToLower(iss.Type) {
|
|
|
|
case "x5c":
|
|
|
|
return newX5CIssuer(caURL, iss)
|
|
|
|
case "jwk":
|
2021-03-25 02:05:56 +00:00
|
|
|
return newJWKIssuer(caURL, client, iss)
|
2021-03-23 23:14:49 +00:00
|
|
|
default:
|
|
|
|
return nil, errors.Errorf("stepCAS `certificateIssuer.type` %s is not supported", iss.Type)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-18 02:33:35 +00:00
|
|
|
// validateCertificateIssuer validates the configuration of the certificate
|
|
|
|
// issuer.
|
|
|
|
func validateCertificateIssuer(iss *apiv1.CertificateIssuer) error {
|
|
|
|
switch {
|
|
|
|
case iss == nil:
|
|
|
|
return errors.New("stepCAS 'certificateIssuer' cannot be nil")
|
|
|
|
case iss.Type == "":
|
|
|
|
return errors.New("stepCAS `certificateIssuer.type` cannot be empty")
|
|
|
|
}
|
|
|
|
|
|
|
|
switch strings.ToLower(iss.Type) {
|
|
|
|
case "x5c":
|
|
|
|
return validateX5CIssuer(iss)
|
2021-03-23 23:14:49 +00:00
|
|
|
case "jwk":
|
|
|
|
return validateJWKIssuer(iss)
|
2021-03-18 02:33:35 +00:00
|
|
|
default:
|
|
|
|
return errors.Errorf("stepCAS `certificateIssuer.type` %s is not supported", iss.Type)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// validateX5CIssuer validates the configuration of x5c issuer.
|
|
|
|
func validateX5CIssuer(iss *apiv1.CertificateIssuer) error {
|
|
|
|
switch {
|
|
|
|
case iss.Certificate == "":
|
|
|
|
return errors.New("stepCAS `certificateIssuer.crt` cannot be empty")
|
|
|
|
case iss.Key == "":
|
|
|
|
return errors.New("stepCAS `certificateIssuer.key` cannot be empty")
|
|
|
|
case iss.Provisioner == "":
|
|
|
|
return errors.New("stepCAS `certificateIssuer.provisioner` cannot be empty")
|
|
|
|
default:
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
2021-03-23 23:14:49 +00:00
|
|
|
|
2021-03-25 02:05:56 +00:00
|
|
|
// validateJWKIssuer validates the configuration of jwk issuer. If the key is
|
2021-03-25 18:07:58 +00:00
|
|
|
// not given, then it will download it from the CA. If the password is not set
|
|
|
|
// it will be prompted.
|
2021-03-23 23:14:49 +00:00
|
|
|
func validateJWKIssuer(iss *apiv1.CertificateIssuer) error {
|
|
|
|
switch {
|
|
|
|
case iss.Provisioner == "":
|
|
|
|
return errors.New("stepCAS `certificateIssuer.provisioner` cannot be empty")
|
|
|
|
default:
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|