Merge pull request #370 from smallstep/yubi-management-key

Make the YubiKey management key configurable.
4 years ago · 4f3b24af8f
parent 87bbcee239 f100b2d0e3
commit 4f3b24af8f
3 changed files with 61 additions and 18 deletions
--- a/cmd/step-yubikey-init/main.go
+++ b/cmd/step-yubikey-init/main.go
@ -9,6 +9,7 @@ import (
 	"crypto/sha1"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/hex"
 	"encoding/pem"
 	"flag"
 	"fmt"
@ -27,6 +28,7 @@ import (
 	_ "github.com/smallstep/certificates/kms/yubikey"
 )
 // Config is a mapping of the cli flags.
 type Config struct {
 	RootOnly      bool
 	RootSlot      string
@ -34,11 +36,15 @@ type Config struct {
 	RootFile      string
 	KeyFile       string
 	Pin           string
 	ManagementKey string
 	Force         bool
 }
 // Validate checks the flags in the config.
 func (c *Config) Validate() error {
 	switch {
 	case c.ManagementKey != "" && len(c.ManagementKey) != 48:
 		return errors.New("flag `--management-key` must be 48 hexadecimal characters (24 bytes)")
 	case c.RootFile != "" && c.KeyFile == "":
 		return errors.New("flag `--root` requires flag `--key`")
 	case c.KeyFile != "" && c.RootFile == "":
@ -56,12 +62,18 @@ func (c *Config) Validate() error {
 		if c.RootOnly {
 			c.CrtSlot = ""
 		}
 		if c.ManagementKey != "" {
 			if _, err := hex.DecodeString(c.ManagementKey); err != nil {
 				return errors.Wrap(err, "flag `--management-key` is not valid")
 			}
 		}
 		return nil
 	}
 }
 func main() {
 	var c Config
 	flag.StringVar(&c.ManagementKey, "management-key", "", `Management key to use in hexadecimal format. (default "010203040506070801020304050607080102030405060708")`)
 	flag.BoolVar(&c.RootOnly, "root-only", false, "Slot only the root certificate and sign and intermediate.")
 	flag.StringVar(&c.RootSlot, "root-slot", "9a", "Slot to store the root certificate.")
 	flag.StringVar(&c.CrtSlot, "crt-slot", "9c", "Slot to store the intermediate certificate.")
@ -84,6 +96,7 @@ func main() {
 	k, err := kms.New(context.Background(), apiv1.Options{
 		Type:          string(apiv1.YubiKey),
 		Pin:           c.Pin,
 		ManagementKey: c.ManagementKey,
 	})
 	if err != nil {
 		fatal(err)
@ -109,7 +122,11 @@ func main() {
 }
 func fatal(err error) {
 	if os.Getenv("STEPDEBUG") == "1" {
 		fmt.Fprintf(os.Stderr, "%+v\n", err)
 	} else {
 		fmt.Fprintln(os.Stderr, err)
 	}
 	os.Exit(1)
 }
--- a/kms/apiv1/options.go
+++ b/kms/apiv1/options.go
@ -19,11 +19,12 @@ type KeyManager interface {
 // CertificateManager is the interface implemented by the KMS that can load and
 // store x509.Certificates.
 type CertificateManager interface {
-	LoadCerticate(req *LoadCertificateRequest) (*x509.Certificate, error)
+	LoadCertificate(req *LoadCertificateRequest) (*x509.Certificate, error)
 	StoreCertificate(req *StoreCertificateRequest) error
 }
-// ErrNotImplemented
+// ErrNotImplemented is the type of error returned if an operation is not
 // implemented.
 type ErrNotImplemented struct {
 	msg string
 }
@ -53,6 +54,7 @@ const (
 	YubiKey Type = "yubikey"
 )
 // Options are the KMS options. They represent the kms object in the ca.json.
 type Options struct {
 	// The type of the KMS to use.
 	Type string `json:"type"`
@ -66,6 +68,15 @@ type Options struct {
 	// Pin used to access the PKCS11 module.
 	Pin string `json:"pin"`
 	// ManagementKey used in YubiKeys. Default management key is the hexadecimal
 	// string 010203040506070801020304050607080102030405060708:
 	//   []byte{
 	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
 	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
 	//       0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
 	//   }
 	ManagementKey string `json:"managementKey"`
 	// Region to use in AmazonKMS.
 	Region string `json:"region"`
--- a/kms/yubikey/yubikey.go
+++ b/kms/yubikey/yubikey.go
@ -6,6 +6,7 @@ import (
 	"context"
 	"crypto"
 	"crypto/x509"
 	"encoding/hex"
 	"net/url"
 	"strings"
@ -18,11 +19,24 @@ import (
 type YubiKey struct {
 	yk            *piv.YubiKey
 	pin           string
 	managementKey [24]byte
 }
 // New initializes a new YubiKey.
 // TODO(mariano): only one card is currently supported.
 func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) {
 	managementKey := piv.DefaultManagementKey
 	if opts.ManagementKey != "" {
 		b, err := hex.DecodeString(opts.ManagementKey)
 		if err != nil {
 			return nil, errors.Wrap(err, "error decoding managementKey")
 		}
 		if len(b) != 24 {
 			return nil, errors.New("invalid managementKey: length is not 24 bytes")
 		}
 		copy(managementKey[:], b[:24])
 	}
 	cards, err := piv.Cards()
 	if err != nil {
 		return nil, err
@ -39,6 +53,7 @@ func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) {
 	return &YubiKey{
 		yk:            yk,
 		pin:           opts.Pin,
 		managementKey: managementKey,
 	}, nil
 }
@ -76,7 +91,7 @@ func (k *YubiKey) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
 		return err
 	}
-	err = k.yk.SetCertificate(piv.DefaultManagementKey, slot, req.Certificate)
+	err = k.yk.SetCertificate(k.managementKey, slot, req.Certificate)
 	if err != nil {
 		return errors.Wrap(err, "error storing certificate")
 	}
@ -110,7 +125,7 @@ func (k *YubiKey) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespon
 		return nil, err
 	}
-	pub, err := k.yk.GenerateKey(piv.DefaultManagementKey, slot, piv.Key{
+	pub, err := k.yk.GenerateKey(k.managementKey, slot, piv.Key{
 		Algorithm:   alg,
 		PINPolicy:   piv.PINPolicyAlways,
 		TouchPolicy: piv.TouchPolicyNever,