This commit is contained in:
Herman Slatman 2022-01-18 15:54:18 +01:00
parent 9c6580ccd2
commit 3612eefc31
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
5 changed files with 18 additions and 75 deletions

View file

@ -595,7 +595,7 @@ func (a *Authority) IsRevoked(sn string) (bool, error) {
return a.db.IsRevoked(sn) return a.db.IsRevoked(sn)
} }
// GetIntermediateCertificate returns the x509 CA intermediate // GetIntermediateCertificate returns the x509 intermediate CA
// certificate. // certificate.
func (a *Authority) GetIntermediateCertificate() (*x509.Certificate, error) { func (a *Authority) GetIntermediateCertificate() (*x509.Certificate, error) {
return pemutil.ReadCertificate(a.config.IntermediateCert) return pemutil.ReadCertificate(a.config.IntermediateCert)

View file

@ -6,7 +6,6 @@ import (
"crypto/sha256" "crypto/sha256"
"crypto/x509" "crypto/x509"
"encoding/hex" "encoding/hex"
"fmt"
"net" "net"
"os" "os"
"reflect" "reflect"
@ -328,7 +327,6 @@ func TestAuthority_CloseForReload(t *testing.T) {
} }
func testScepAuthority(t *testing.T, opts ...Option) *Authority { func testScepAuthority(t *testing.T, opts ...Option) *Authority {
p := provisioner.List{ p := provisioner.List{
&provisioner.SCEP{ &provisioner.SCEP{
Name: "scep1", Name: "scep1",
@ -353,39 +351,15 @@ func testScepAuthority(t *testing.T, opts ...Option) *Authority {
} }
func TestAuthority_GetSCEPService(t *testing.T) { func TestAuthority_GetSCEPService(t *testing.T) {
auth := testScepAuthority(t) _ = testScepAuthority(t)
fmt.Println(auth)
p := provisioner.List{ p := provisioner.List{
&provisioner.SCEP{ &provisioner.SCEP{
Name: "scep1", Name: "scep1",
Type: "SCEP", Type: "SCEP",
}, },
} }
type fields struct { type fields struct {
config *Config config *Config
// keyManager kms.KeyManager
// provisioners *provisioner.Collection
// db db.AuthDB
// templates *templates.Templates
// x509CAService cas.CertificateAuthorityService
// rootX509Certs []*x509.Certificate
// federatedX509Certs []*x509.Certificate
// certificates *sync.Map
// scepService *scep.Service
// sshCAUserCertSignKey ssh.Signer
// sshCAHostCertSignKey ssh.Signer
// sshCAUserCerts []ssh.PublicKey
// sshCAHostCerts []ssh.PublicKey
// sshCAUserFederatedCerts []ssh.PublicKey
// sshCAHostFederatedCerts []ssh.PublicKey
// initOnce bool
// startTime time.Time
// sshBastionFunc func(ctx context.Context, user, hostname string) (*Bastion, error)
// sshCheckHostFunc func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)
// sshGetHostsFunc func(ctx context.Context, cert *x509.Certificate) ([]Host, error)
// getIdentityFunc provisioner.GetIdentityFunc
} }
tests := []struct { tests := []struct {
name string name string
@ -434,30 +408,6 @@ func TestAuthority_GetSCEPService(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
// a := &Authority{
// config: tt.fields.config,
// keyManager: tt.fields.keyManager,
// provisioners: tt.fields.provisioners,
// db: tt.fields.db,
// templates: tt.fields.templates,
// x509CAService: tt.fields.x509CAService,
// rootX509Certs: tt.fields.rootX509Certs,
// federatedX509Certs: tt.fields.federatedX509Certs,
// certificates: tt.fields.certificates,
// scepService: tt.fields.scepService,
// sshCAUserCertSignKey: tt.fields.sshCAUserCertSignKey,
// sshCAHostCertSignKey: tt.fields.sshCAHostCertSignKey,
// sshCAUserCerts: tt.fields.sshCAUserCerts,
// sshCAHostCerts: tt.fields.sshCAHostCerts,
// sshCAUserFederatedCerts: tt.fields.sshCAUserFederatedCerts,
// sshCAHostFederatedCerts: tt.fields.sshCAHostFederatedCerts,
// initOnce: tt.fields.initOnce,
// startTime: tt.fields.startTime,
// sshBastionFunc: tt.fields.sshBastionFunc,
// sshCheckHostFunc: tt.fields.sshCheckHostFunc,
// sshGetHostsFunc: tt.fields.sshGetHostsFunc,
// getIdentityFunc: tt.fields.getIdentityFunc,
// }
a, err := New(tt.fields.config) a, err := New(tt.fields.config)
if (err != nil) != tt.wantErr { if (err != nil) != tt.wantErr {
t.Errorf("Authority.New(), error = %v, wantErr %v", err, tt.wantErr) t.Errorf("Authority.New(), error = %v, wantErr %v", err, tt.wantErr)

View file

@ -24,8 +24,8 @@ type SCEP struct {
MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"` MinimumPublicKeyLength int `json:"minimumPublicKeyLength,omitempty"`
// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7 // Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63 // at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
// Defaults to 2, being AES-256-CBC // Defaults to 0, being DES-CBC
EncryptionAlgorithmIdentifier *int `json:"encryptionAlgorithmIdentifier,omitempty"` EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier,omitempty"`
Options *Options `json:"options,omitempty"` Options *Options `json:"options,omitempty"`
Claims *Claims `json:"claims,omitempty"` Claims *Claims `json:"claims,omitempty"`
claimer *Claimer claimer *Claimer
@ -104,16 +104,12 @@ func (s *SCEP) Init(config Config) (err error) {
} }
if s.MinimumPublicKeyLength%8 != 0 { if s.MinimumPublicKeyLength%8 != 0 {
return errors.Errorf("only minimum public keys exactly divisible by 8 are supported; %d is not exactly divisible by 8", s.MinimumPublicKeyLength) return errors.Errorf("%d bits is not exactly divisible by 8", s.MinimumPublicKeyLength)
} }
s.encryptionAlgorithm = 2 // default to AES-256-CBC s.encryptionAlgorithm = s.EncryptionAlgorithmIdentifier
if s.EncryptionAlgorithmIdentifier != nil { if s.encryptionAlgorithm < 0 || s.encryptionAlgorithm > 4 {
value := *s.EncryptionAlgorithmIdentifier return errors.New("only encryption algorithm identifiers from 0 to 4 are valid")
if value < 0 || value > 4 {
return errors.Errorf("only encryption algorithm identifiers from 0 to 4 are valid")
}
s.encryptionAlgorithm = value
} }
// TODO: add other, SCEP specific, options? // TODO: add other, SCEP specific, options?

View file

@ -432,17 +432,13 @@ func (ca *CA) getTLSConfig(auth *authority.Authority) (*tls.Config, error) {
certPool.AddCert(crt) certPool.AddCert(crt)
} }
// adding the intermediate CA to the pool will allow clients that // adding the intermediate CA to the pool will allow clients that do not
// fail to send the intermediate for chain building to connect to the CA // send the intermediate for chain building to connect to the CA successfully.
// successfully.
shouldAddIntermediateToClientCAPool := true // TODO(hs): make this into a configuration
if shouldAddIntermediateToClientCAPool {
cert, err := auth.GetIntermediateCertificate() cert, err := auth.GetIntermediateCertificate()
if err != nil { if err != nil {
return nil, err return nil, err
} }
certPool.AddCert(cert) certPool.AddCert(cert)
}
// Add support for mutual tls to renew certificates // Add support for mutual tls to renew certificates
tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven

View file

@ -166,8 +166,9 @@ func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate,
certs := []*x509.Certificate{} certs := []*x509.Certificate{}
certs = append(certs, a.caCerts[0]) certs = append(certs, a.caCerts[0])
// TODO(hs): we're adding the roots here, but they may be something different than what the RFC means. Clients are responsible to select the right cert(s) to use, though. // NOTE: we're adding the CA roots here, but they are (highly likely) different than what the RFC means.
if p.ShouldIncludeRootsInChain() && len(a.caCerts) >= 2 { // Clients are responsible to select the right cert(s) to use, though.
if p.ShouldIncludeRootsInChain() && len(a.caCerts) > 1 {
certs = append(certs, a.caCerts[1:]...) certs = append(certs, a.caCerts[1:]...)
} }
@ -304,7 +305,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m
// apparently the pkcs7 library uses a global default setting for the content encryption // apparently the pkcs7 library uses a global default setting for the content encryption
// algorithm to use when en- or decrypting data. We need to restore the current setting after // algorithm to use when en- or decrypting data. We need to restore the current setting after
// the cryptographic operation, so that other usages of the library are not influenced by // the cryptographic operation, so that other usages of the library are not influenced by
// this call to Encrypt(). // this call to Encrypt(). We are not required to use the same algorithm the SCEP client uses.
encryptionAlgorithmToRestore := pkcs7.ContentEncryptionAlgorithm encryptionAlgorithmToRestore := pkcs7.ContentEncryptionAlgorithm
pkcs7.ContentEncryptionAlgorithm = p.GetContentEncryptionAlgorithm() pkcs7.ContentEncryptionAlgorithm = p.GetContentEncryptionAlgorithm()
e7, err := pkcs7.Encrypt(deg, msg.P7.Certificates) e7, err := pkcs7.Encrypt(deg, msg.P7.Certificates)