smallstep-certificates/cas/apiv1/services.go

package apiv1

import (
	"crypto/x509"
	"net/http"
	"strings"
)

// CertificateAuthorityService is the interface implemented to support external
// certificate authorities.
type CertificateAuthorityService interface {
	CreateCertificate(req *CreateCertificateRequest) (*CreateCertificateResponse, error)
	RenewCertificate(req *RenewCertificateRequest) (*RenewCertificateResponse, error)
	RevokeCertificate(req *RevokeCertificateRequest) (*RevokeCertificateResponse, error)
}

// CertificateAuthorityCRLGenerator is an optional interface implemented by CertificateAuthorityService
// that has a method to create a CRL
type CertificateAuthorityCRLGenerator interface {
	CreateCRL(req *CreateCRLRequest) (*CreateCRLResponse, error)
}

// CertificateAuthorityGetter is an interface implemented by a
// CertificateAuthorityService that has a method to get the root certificate.
type CertificateAuthorityGetter interface {
	GetCertificateAuthority(req *GetCertificateAuthorityRequest) (*GetCertificateAuthorityResponse, error)
}

// CertificateAuthorityCreator is an interface implamented by a
// CertificateAuthorityService that has a method to create a new certificate
// authority.
type CertificateAuthorityCreator interface {
	CreateCertificateAuthority(req *CreateCertificateAuthorityRequest) (*CreateCertificateAuthorityResponse, error)
}

// SignatureAlgorithmGetter is an optional implementation in a crypto.Signer
// that returns the SignatureAlgorithm to use.
type SignatureAlgorithmGetter interface {
	SignatureAlgorithm() x509.SignatureAlgorithm
}

// Type represents the CAS type used.
type Type string

const (
	// DefaultCAS is a CertificateAuthorityService using software.
	DefaultCAS = ""
	// SoftCAS is a CertificateAuthorityService using software.
	SoftCAS = "softcas"
	// CloudCAS is a CertificateAuthorityService using Google Cloud CAS.
	CloudCAS = "cloudcas"
	// StepCAS is a CertificateAuthorityService using another step-ca instance.
	StepCAS = "stepcas"
	// VaultCAS is a CertificateAuthorityService using Hasicorp Vault PKI.
	VaultCAS = "vaultcas"
)

// String returns a string from the type. It will always return the lower case
// version of the Type, as we need a standard type to compare and use as the
// registry key.
func (t Type) String() string {
	if t == "" {
		return SoftCAS
	}
	return strings.ToLower(string(t))
}

// NotImplementedError is the type of error returned if an operation is not implemented.
type NotImplementedError struct {
	Message string
}

// Error implements the error interface.
func (e NotImplementedError) Error() string {
	if e.Message != "" {
		return e.Message
	}
	return "not implemented"
}

// StatusCode implements the StatusCoder interface and returns the HTTP 501
// error.
func (e NotImplementedError) StatusCode() int {
	return http.StatusNotImplemented
}

// ValidationError is the type of error returned if request is not properly
// validated.
type ValidationError struct {
	Message string
}

// NotImplementedError implements the error interface.
func (e ValidationError) Error() string {
	if e.Message != "" {
		return e.Message
	}
	return "bad request"
}

// StatusCode implements the StatusCoder interface and returns the HTTP 400
// error.
func (e ValidationError) StatusCode() int {
	return http.StatusBadRequest
}
Early attempt to develop a CAS interface. 2020-09-09 02:26:32 +00:00			`package apiv1`

Complete cloudcas using CAS v1beta1. 2020-09-10 23:19:18 +00:00			`import (`
Allow to kms signers to define the SignatureAlgorithm CloudKMS keys signs data using an specific signature algorithm, in RSA keys, this can be PKCS#1 RSA or RSA-PSS, if the later is used, x509.CreateCertificate will fail unless the template SignatureCertificate is properly set. On contrast, AWSKMS RSA keys, are just RSA keys, and can sign with PKCS#1 or RSA-PSS schemes, so right now the way to enforce one or the other is to used templates. 2021-09-08 22:33:34 +00:00			`"crypto/x509"`
Return a non-implemented error in stepcas.RenewCertificate. 2021-03-22 19:56:12 +00:00			`"net/http"`
Complete cloudcas using CAS v1beta1. 2020-09-10 23:19:18 +00:00			`"strings"`
			`)`

Early attempt to develop a CAS interface. 2020-09-09 02:26:32 +00:00			`// CertificateAuthorityService is the interface implemented to support external`
			`// certificate authorities.`
			`type CertificateAuthorityService interface {`
			`CreateCertificate(req CreateCertificateRequest) (CreateCertificateResponse, error)`
			`RenewCertificate(req RenewCertificateRequest) (RenewCertificateResponse, error)`
			`RevokeCertificate(req RevokeCertificateRequest) (RevokeCertificateResponse, error)`
			`}`

initial support for CRL 2021-10-30 07:52:50 +00:00			`// CertificateAuthorityCRLGenerator is an optional interface implemented by CertificateAuthorityService`
			`// that has a method to create a CRL`
			`type CertificateAuthorityCRLGenerator interface {`
implement changes from review 2021-11-04 06:05:07 +00:00			`CreateCRL(req CreateCRLRequest) (CreateCRLResponse, error)`
initial support for CRL 2021-10-30 07:52:50 +00:00			`}`

Add interface to get root certificate from CAS. This change makes easier the configuration of cloudCAS as it does not require to configure the root or intermediate certificate in the ca.json. CloudCAS will get the root certificate using the configured certificateAuthority. 2020-09-21 22:27:20 +00:00			`// CertificateAuthorityGetter is an interface implemented by a`
			`// CertificateAuthorityService that has a method to get the root certificate.`
			`type CertificateAuthorityGetter interface {`
			`GetCertificateAuthority(req GetCertificateAuthorityRequest) (GetCertificateAuthorityResponse, error)`
			`}`

Add initial support for `step ca init` with cloud cas. Fixes smallstep/cli#363 2020-10-23 22:04:09 +00:00			`// CertificateAuthorityCreator is an interface implamented by a`
			`// CertificateAuthorityService that has a method to create a new certificate`
			`// authority.`
			`type CertificateAuthorityCreator interface {`
			`CreateCertificateAuthority(req CreateCertificateAuthorityRequest) (CreateCertificateAuthorityResponse, error)`
			`}`

Allow to kms signers to define the SignatureAlgorithm CloudKMS keys signs data using an specific signature algorithm, in RSA keys, this can be PKCS#1 RSA or RSA-PSS, if the later is used, x509.CreateCertificate will fail unless the template SignatureCertificate is properly set. On contrast, AWSKMS RSA keys, are just RSA keys, and can sign with PKCS#1 or RSA-PSS schemes, so right now the way to enforce one or the other is to used templates. 2021-09-08 22:33:34 +00:00			`// SignatureAlgorithmGetter is an optional implementation in a crypto.Signer`
			`// that returns the SignatureAlgorithm to use.`
			`type SignatureAlgorithmGetter interface {`
			`SignatureAlgorithm() x509.SignatureAlgorithm`
			`}`

Pass issuer and signer to softCAS options. Remove commented code and initialize CAS properly. Minor fixes in CloudCAS. 2020-09-11 02:09:46 +00:00			`// Type represents the CAS type used.`
Early attempt to develop a CAS interface. 2020-09-09 02:26:32 +00:00			`type Type string`

			`const (`
			`// DefaultCAS is a CertificateAuthorityService using software.`
			`DefaultCAS = ""`
			`// SoftCAS is a CertificateAuthorityService using software.`
Pass issuer and signer to softCAS options. Remove commented code and initialize CAS properly. Minor fixes in CloudCAS. 2020-09-11 02:09:46 +00:00			`SoftCAS = "softcas"`
Early attempt to develop a CAS interface. 2020-09-09 02:26:32 +00:00			`// CloudCAS is a CertificateAuthorityService using Google Cloud CAS.`
Pass issuer and signer to softCAS options. Remove commented code and initialize CAS properly. Minor fixes in CloudCAS. 2020-09-11 02:09:46 +00:00			`CloudCAS = "cloudcas"`
Add initial implementation of StepCAS. StepCAS allows to configure step-ca as an RA using another step-ca as the main CA. 2021-03-18 02:33:35 +00:00			`// StepCAS is a CertificateAuthorityService using another step-ca instance.`
			`StepCAS = "stepcas"`
feat(vault): adding hashicorp vault cas 2022-01-14 17:56:17 +00:00			`// VaultCAS is a CertificateAuthorityService using Hasicorp Vault PKI.`
			`VaultCAS = "vaultcas"`
Early attempt to develop a CAS interface. 2020-09-09 02:26:32 +00:00			`)`
Complete cloudcas using CAS v1beta1. 2020-09-10 23:19:18 +00:00
Pass issuer and signer to softCAS options. Remove commented code and initialize CAS properly. Minor fixes in CloudCAS. 2020-09-11 02:09:46 +00:00			`// String returns a string from the type. It will always return the lower case`
			`// version of the Type, as we need a standard type to compare and use as the`
			`// registry key.`
Complete cloudcas using CAS v1beta1. 2020-09-10 23:19:18 +00:00			`func (t Type) String() string {`
			`if t == "" {`
			`return SoftCAS`
			`}`
Pass issuer and signer to softCAS options. Remove commented code and initialize CAS properly. Minor fixes in CloudCAS. 2020-09-11 02:09:46 +00:00			`return strings.ToLower(string(t))`
Complete cloudcas using CAS v1beta1. 2020-09-10 23:19:18 +00:00			`}`
Return a non-implemented error in stepcas.RenewCertificate. 2021-03-22 19:56:12 +00:00
Fix linter warning about bad error name 2022-09-20 22:54:59 +00:00			`// NotImplementedError is the type of error returned if an operation is not implemented.`
Rebase over master and a few more linter fixes 2022-09-20 23:32:49 +00:00			`type NotImplementedError struct {`
Return a non-implemented error in stepcas.RenewCertificate. 2021-03-22 19:56:12 +00:00			`Message string`
			`}`

Correct bad comment on NotImplementedError.Error() 2022-11-07 23:37:17 +00:00			`// Error implements the error interface.`
Fix linter warning about bad error name 2022-09-20 22:54:59 +00:00			`func (e NotImplementedError) Error() string {`
Return a non-implemented error in stepcas.RenewCertificate. 2021-03-22 19:56:12 +00:00			`if e.Message != "" {`
			`return e.Message`
			`}`
			`return "not implemented"`
			`}`

			`// StatusCode implements the StatusCoder interface and returns the HTTP 501`
			`// error.`
Fix linter warning about bad error name 2022-09-20 22:54:59 +00:00			`func (e NotImplementedError) StatusCode() int {`
Return a non-implemented error in stepcas.RenewCertificate. 2021-03-22 19:56:12 +00:00			`return http.StatusNotImplemented`
			`}`
Add support for renew when using stepcas It supports renewing X.509 certificates when an RA is configured with stepcas. This will only work when the renewal uses a token, and it won't work with mTLS. The audience cannot be properly verified when an RA is used, to avoid this we will get from the database if an RA was used to issue the initial certificate and we will accept the renew token. Fixes #1021 for stepcas 2022-11-04 23:42:07 +00:00
			`// ValidationError is the type of error returned if request is not properly`
			`// validated.`
			`type ValidationError struct {`
			`Message string`
			`}`

			`// NotImplementedError implements the error interface.`
			`func (e ValidationError) Error() string {`
			`if e.Message != "" {`
			`return e.Message`
			`}`
			`return "bad request"`
			`}`

			`// StatusCode implements the StatusCoder interface and returns the HTTP 400`
			`// error.`
			`func (e ValidationError) StatusCode() int {`
			`return http.StatusBadRequest`
			`}`