package main import ( "encoding/json" "fmt" "path/filepath" "time" "github.com/pkg/errors" provisioners "github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/ca" "github.com/smallstep/cli/config" "github.com/smallstep/cli/crypto/randutil" "github.com/smallstep/cli/jose" "github.com/smallstep/cli/token" "github.com/smallstep/cli/token/provision" ) const ( tokenLifetime = 5 * time.Minute ) // Provisioner is an authorized entity that can sign tokens necessary for // signature requests. type Provisioner interface { Name() string Kid() string Token(subject string) (string, error) } type provisioner struct { name string kid string caURL string caRoot string jwk *jose.JSONWebKey tokenLifetime time.Duration } // Name returns the provisioner's name. func (p *provisioner) Name() string { return p.name } // Kid returns the provisioners key ID. func (p *provisioner) Kid() string { return p.kid } // Token generates a bootstrap token for a subject. func (p *provisioner) Token(subject string) (string, error) { // A random jwt id will be used to identify duplicated tokens jwtID, err := randutil.Hex(64) // 256 bits if err != nil { return "", err } notBefore := time.Now() notAfter := notBefore.Add(tokenLifetime) signURL := fmt.Sprintf("%v/1.0/sign", p.caURL) tokOptions := []token.Options{ token.WithJWTID(jwtID), token.WithKid(p.kid), token.WithIssuer(p.name), token.WithAudience(signURL), token.WithValidity(notBefore, notAfter), token.WithRootCA(p.caRoot), } tok, err := provision.New(subject, tokOptions...) if err != nil { return "", err } return tok.SignedString(p.jwk.Algorithm, p.jwk.Key) } func decryptProvisionerJWK(encryptedKey, passFile string) (*jose.JSONWebKey, error) { decrypted, err := jose.Decrypt("", []byte(encryptedKey), jose.WithPasswordFile(passFile)) if err != nil { return nil, err } jwk := new(jose.JSONWebKey) if err := json.Unmarshal(decrypted, jwk); err != nil { return nil, errors.Wrap(err, "error unmarshalling provisioning key") } return jwk, nil } // loadProvisionerJWKByKid retrieves a provisioner key from the CA by key ID and // decrypts it using the specified password file. func loadProvisionerJWKByKid(kid, caURL, caRoot, passFile string) (*jose.JSONWebKey, error) { encrypted, err := getProvisionerKey(caURL, caRoot, kid) if err != nil { return nil, err } return decryptProvisionerJWK(encrypted, passFile) } // loadProvisionerJWKByName retrieves the list of provisioners and encrypted key then // returns the key of the first provisioner with a matching name that can be successfully // decrypted with the specified password file. func loadProvisionerJWKByName(name, caURL, caRoot, passFile string) (key *jose.JSONWebKey, err error) { provisioners, err := getProvisioners(caURL, caRoot) if err != nil { err = errors.Wrap(err, "error getting the provisioners") return } for _, provisioner := range provisioners { if provisioner.GetName() == name { if _, encryptedKey, ok := provisioner.GetEncryptedKey(); ok { key, err = decryptProvisionerJWK(encryptedKey, passFile) if err == nil { return } } } } return nil, errors.Errorf("provisioner '%s' not found (or your password is wrong)", name) } // NewProvisioner loads and decrypts key material from the CA for the named // provisioner. The key identified by `kid` will be used if specified. If `kid` // is the empty string we'll use the first key for the named provisioner that // decrypts using `passFile`. func NewProvisioner(name, kid, caURL, caRoot, passFile string) (Provisioner, error) { var jwk *jose.JSONWebKey var err error if kid != "" { jwk, err = loadProvisionerJWKByKid(kid, caURL, caRoot, passFile) } else { jwk, err = loadProvisionerJWKByName(name, caURL, caRoot, passFile) } if err != nil { return nil, err } return &provisioner{ name: name, kid: jwk.KeyID, caURL: caURL, caRoot: caRoot, jwk: jwk, tokenLifetime: tokenLifetime, }, nil } // getRootCAPath returns the path where the root CA is stored based on the // STEPPATH environment variable. func getRootCAPath() string { return filepath.Join(config.StepPath(), "certs", "root_ca.crt") } // getProvisioners returns the map of provisioners on the given CA. func getProvisioners(caURL, rootFile string) (provisioners.List, error) { if len(rootFile) == 0 { rootFile = getRootCAPath() } client, err := ca.NewClient(caURL, ca.WithRootFile(rootFile)) if err != nil { return nil, err } cursor := "" var provisioners provisioners.List for { resp, err := client.Provisioners(ca.WithProvisionerCursor(cursor), ca.WithProvisionerLimit(100)) if err != nil { return nil, err } provisioners = append(provisioners, resp.Provisioners...) if resp.NextCursor == "" { return provisioners, nil } cursor = resp.NextCursor } } // getProvisionerKey returns the encrypted provisioner key with the for the // given kid. func getProvisionerKey(caURL, rootFile, kid string) (string, error) { if len(rootFile) == 0 { rootFile = getRootCAPath() } client, err := ca.NewClient(caURL, ca.WithRootFile(rootFile)) if err != nil { return "", err } resp, err := client.ProvisionerKey(kid) if err != nil { return "", err } return resp.Key, nil }