|
|
@ -62,7 +62,10 @@ type Authority struct {
|
|
|
|
x509Enforcers []provisioner.CertificateEnforcer
|
|
|
|
x509Enforcers []provisioner.CertificateEnforcer
|
|
|
|
|
|
|
|
|
|
|
|
// SCEP CA
|
|
|
|
// SCEP CA
|
|
|
|
scepAuthority *scep.Authority
|
|
|
|
scepAuthority *scep.Authority
|
|
|
|
|
|
|
|
scepCertificate *x509.Certificate
|
|
|
|
|
|
|
|
scepSigner crypto.Signer
|
|
|
|
|
|
|
|
scepDecrypter crypto.Decrypter
|
|
|
|
|
|
|
|
|
|
|
|
// SSH CA
|
|
|
|
// SSH CA
|
|
|
|
sshHostPassword []byte
|
|
|
|
sshHostPassword []byte
|
|
|
@ -673,37 +676,39 @@ func (a *Authority) init() error {
|
|
|
|
case a.requiresSCEP() && a.GetSCEP() == nil:
|
|
|
|
case a.requiresSCEP() && a.GetSCEP() == nil:
|
|
|
|
var options scep.Options
|
|
|
|
var options scep.Options
|
|
|
|
options.Roots = a.rootX509Certs
|
|
|
|
options.Roots = a.rootX509Certs
|
|
|
|
options.Intermediates, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
|
|
|
|
options.Intermediates = a.intermediateX509Certs
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
options.SignerCert = options.Intermediates[0]
|
|
|
|
options.SignerCert = options.Intermediates[0]
|
|
|
|
if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
|
|
|
if a.config.IntermediateKey != "" {
|
|
|
|
SigningKey: a.config.IntermediateKey,
|
|
|
|
if options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
|
|
|
Password: a.password,
|
|
|
|
SigningKey: a.config.IntermediateKey,
|
|
|
|
}); err != nil {
|
|
|
|
Password: a.password,
|
|
|
|
return err
|
|
|
|
}); err != nil {
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
// TODO(hs): instead of creating the decrypter here, pass the
|
|
|
|
// TODO(hs): instead of creating the decrypter here, pass the
|
|
|
|
// intermediate key + chain down to the SCEP authority,
|
|
|
|
// intermediate key + chain down to the SCEP authority,
|
|
|
|
// and only instantiate it when required there. Is that possible?
|
|
|
|
// and only instantiate it when required there. Is that possible?
|
|
|
|
// Also with entering passwords?
|
|
|
|
// Also with entering passwords?
|
|
|
|
// TODO(hs): if moving the logic, try improving the logic for the
|
|
|
|
// TODO(hs): if moving the logic, try improving the logic for the
|
|
|
|
// decrypter password too? Right now it needs to be entered multiple
|
|
|
|
// decrypter password too? Right now it needs to be entered multiple
|
|
|
|
// times; I've observed it to be three times maximum, every time
|
|
|
|
// times; I've observed it to be three times maximum, every time
|
|
|
|
// the intermediate key is read.
|
|
|
|
// the intermediate key is read.
|
|
|
|
_, isRSA := options.Signer.Public().(*rsa.PublicKey)
|
|
|
|
_, isRSA := options.Signer.Public().(*rsa.PublicKey)
|
|
|
|
if km, ok := a.keyManager.(kmsapi.Decrypter); ok && isRSA {
|
|
|
|
if km, ok := a.keyManager.(kmsapi.Decrypter); ok && isRSA {
|
|
|
|
if decrypter, err := km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
|
|
|
|
if decrypter, err := km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
|
|
|
|
DecryptionKey: a.config.IntermediateKey,
|
|
|
|
DecryptionKey: a.config.IntermediateKey,
|
|
|
|
Password: a.password,
|
|
|
|
Password: a.password,
|
|
|
|
}); err == nil {
|
|
|
|
}); err == nil {
|
|
|
|
// only pass the decrypter down when it was successfully created,
|
|
|
|
// only pass the decrypter down when it was successfully created,
|
|
|
|
// meaning it's an RSA key, and `CreateDecrypter` did not fail.
|
|
|
|
// meaning it's an RSA key, and `CreateDecrypter` did not fail.
|
|
|
|
options.Decrypter = decrypter
|
|
|
|
options.Decrypter = decrypter
|
|
|
|
options.DecrypterCert = options.Intermediates[0]
|
|
|
|
options.DecrypterCert = options.Intermediates[0]
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
options.Signer = a.scepSigner
|
|
|
|
|
|
|
|
options.Decrypter = a.scepDecrypter
|
|
|
|
|
|
|
|
options.DecrypterCert = a.scepCertificate
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// provide the current SCEP provisioner names, so that the provisioners
|
|
|
|
// provide the current SCEP provisioner names, so that the provisioners
|
|
|
|
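Review bot: In the new `else` branch of the SCEP case, `options.SignerCert` is still `options.Intermediates[0]` (assigned unconditionally before the `if a.config.IntermediateKey != ""`), while `options.Signer` becomes `a.scepSigner` and `options.DecrypterCert` becomes `a.scepCertificate`; unless `a.scepSigner` is the intermediate's own key, the signer certificate and signing key handed to the SCEP authority no longer belong together, so responses would be signed by a key the advertised certificate does not cover. I would move the existing `options.SignerCert = options.Intermediates[0]` inside the `IntermediateKey != ""` branch and add `options.SignerCert = a.scepCertificate` next to `options.Signer = a.scepSigner` in the `else`. The `else` branch also passes `a.scepSigner`, `a.scepDecrypter` and `a.scepCertificate` through without a nil check, and `options.Intermediates[0]` is indexed without checking that `a.intermediateX509Certs` is non-empty; whether `scep.New` validates these is not visible here, so a guard returning an error in `init()` seems the safer place. The three fields added in the struct hunk (`scepCertificate`, `scepSigner`, `scepDecrypter`) carry no comment; a one-line note stating they are the externally supplied SCEP key material used when no intermediate key is configured would document the new code path. The enclosing `init()` starts and ends outside the hunk.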