Refactor SCEP authority initialization and clean some code

This commit is contained in:
Herman Slatman 2021-02-12 17:02:39 +01:00
parent ffdd58ea3c
commit 713b571d7a
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
9 changed files with 175 additions and 147 deletions

View file

@ -329,10 +329,11 @@ func (a *Authority) init() error {
audiences := a.config.getAudiences() audiences := a.config.getAudiences()
a.provisioners = provisioner.NewCollection(audiences) a.provisioners = provisioner.NewCollection(audiences)
config := provisioner.Config{ config := provisioner.Config{
// TODO: this probably shouldn't happen like this; via SignAuth instead? // TODO: I'm not sure if extending this configuration is a good way to integrate
IntermediateCert: a.config.IntermediateCert, // It's powerful, but leaks quite some seemingly internal stuff to the provisioner.
SigningKey: a.config.IntermediateKey, // IntermediateCert: a.config.IntermediateCert,
CACertificates: a.rootX509Certs, // SigningKey: a.config.IntermediateKey,
// CACertificates: a.rootX509Certs,
Claims: claimer.Claims(), Claims: claimer.Claims(),
Audiences: audiences, Audiences: audiences,
DB: a.db, DB: a.db,

View file

@ -140,6 +140,8 @@ func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
return c.Load("gcp/" + string(provisioner.Name)) return c.Load("gcp/" + string(provisioner.Name))
case TypeACME: case TypeACME:
return c.Load("acme/" + string(provisioner.Name)) return c.Load("acme/" + string(provisioner.Name))
case TypeSCEP:
return c.Load("scep/" + string(provisioner.Name))
case TypeX5C: case TypeX5C:
return c.Load("x5c/" + string(provisioner.Name)) return c.Load("x5c/" + string(provisioner.Name))
case TypeK8sSA: case TypeK8sSA:

View file

@ -182,10 +182,6 @@ type SSHKeys struct {
// Config defines the default parameters used in the initialization of // Config defines the default parameters used in the initialization of
// provisioners. // provisioners.
type Config struct { type Config struct {
// TODO: these probably shouldn't be here but passed via SignAuth
IntermediateCert string
SigningKey string
CACertificates []*x509.Certificate
// Claims are the default claims. // Claims are the default claims.
Claims Claims Claims Claims
// Audiences are the audiences used in the default provisioner, (JWK). // Audiences are the audiences used in the default provisioner, (JWK).

View file

@ -1,11 +1,7 @@
package provisioner package provisioner
import ( import (
"crypto/rsa" "time"
"crypto/x509"
"encoding/pem"
"fmt"
"io/ioutil"
"github.com/pkg/errors" "github.com/pkg/errors"
) )
@ -16,14 +12,11 @@ type SCEP struct {
*base *base
Type string `json:"type"` Type string `json:"type"`
Name string `json:"name"` Name string `json:"name"`
// ForceCN bool `json:"forceCN,omitempty"`
// Claims *Claims `json:"claims,omitempty"`
// Options *Options `json:"options,omitempty"`
// claimer *Claimer
IntermediateCert string // ForceCN bool `json:"forceCN,omitempty"`
SigningKey string Options *Options `json:"options,omitempty"`
CACertificates []*x509.Certificate Claims *Claims `json:"claims,omitempty"`
claimer *Claimer
} }
// GetID returns the provisioner unique identifier. // GetID returns the provisioner unique identifier.
@ -51,40 +44,15 @@ func (s *SCEP) GetTokenID(ott string) (string, error) {
return "", errors.New("scep provisioner does not implement GetTokenID") return "", errors.New("scep provisioner does not implement GetTokenID")
} }
// GetCACertificates returns the CA certificate chain // GetOptions returns the configured provisioner options.
// TODO: this should come from the authority instead? func (s *SCEP) GetOptions() *Options {
func (s *SCEP) GetCACertificates() []*x509.Certificate { return s.Options
pemtxt, _ := ioutil.ReadFile(s.IntermediateCert) // TODO: move reading key to init? That's probably safer.
block, _ := pem.Decode([]byte(pemtxt))
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
fmt.Println(err)
}
// TODO: return chain? I'm not sure if the client understands it correctly
return []*x509.Certificate{cert}
} }
func (s *SCEP) GetSigningKey() *rsa.PrivateKey { // DefaultTLSCertDuration returns the default TLS cert duration enforced by
// the provisioner.
keyBytes, err := ioutil.ReadFile(s.SigningKey) func (s *SCEP) DefaultTLSCertDuration() time.Duration {
if err != nil { return s.claimer.DefaultTLSCertDuration()
return nil
}
block, _ := pem.Decode([]byte(keyBytes))
if block == nil {
return nil
}
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
if err != nil {
fmt.Println(err)
return nil
}
return key
} }
// Init initializes and validates the fields of a JWK type. // Init initializes and validates the fields of a JWK type.
@ -97,14 +65,10 @@ func (s *SCEP) Init(config Config) (err error) {
return errors.New("provisioner name cannot be empty") return errors.New("provisioner name cannot be empty")
} }
// // Update claims with global ones // Update claims with global ones
// if p.claimer, err = NewClaimer(p.Claims, config.Claims); err != nil { if s.claimer, err = NewClaimer(s.Claims, config.Claims); err != nil {
// return err return err
// } }
s.IntermediateCert = config.IntermediateCert
s.SigningKey = config.SigningKey
s.CACertificates = config.CACertificates
return err return err
} }

View file

@ -19,6 +19,7 @@ import (
"github.com/smallstep/certificates/logging" "github.com/smallstep/certificates/logging"
"github.com/smallstep/certificates/monitoring" "github.com/smallstep/certificates/monitoring"
"github.com/smallstep/certificates/scep" "github.com/smallstep/certificates/scep"
scepAPI "github.com/smallstep/certificates/scep/api"
"github.com/smallstep/certificates/server" "github.com/smallstep/certificates/server"
"github.com/smallstep/nosql" "github.com/smallstep/nosql"
) )
@ -150,9 +151,9 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
scepPrefix := "scep" scepPrefix := "scep"
scepAuthority, err := scep.New(auth, scep.AuthorityOptions{ scepAuthority, err := scep.New(auth, scep.AuthorityOptions{
//Certificates: certificates, IntermediateCertificatePath: config.IntermediateCert,
//AuthConfig: *config.AuthorityConfig, IntermediateKeyPath: config.IntermediateKey,
//Backdate: *config.AuthorityConfig.Backdate, Backdate: *config.AuthorityConfig.Backdate,
DB: auth.GetDatabase().(nosql.DB), DB: auth.GetDatabase().(nosql.DB),
DNS: dns, DNS: dns,
Prefix: scepPrefix, Prefix: scepPrefix,
@ -160,7 +161,7 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
if err != nil { if err != nil {
return nil, errors.Wrap(err, "error creating SCEP authority") return nil, errors.Wrap(err, "error creating SCEP authority")
} }
scepRouterHandler := scep.NewAPI(scepAuthority) scepRouterHandler := scepAPI.New(scepAuthority)
mux.Route("/"+scepPrefix, func(r chi.Router) { mux.Route("/"+scepPrefix, func(r chi.Router) {
scepRouterHandler.Route(r) scepRouterHandler.Route(r)
}) })

View file

@ -1,4 +1,4 @@
package scep package api
import ( import (
"context" "context"
@ -19,17 +19,38 @@ import (
"github.com/smallstep/certificates/acme" "github.com/smallstep/certificates/acme"
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/scep"
microscep "github.com/micromdm/scep/scep" microscep "github.com/micromdm/scep/scep"
) )
// Handler is the ACME request handler. const (
type Handler struct { opnGetCACert = "GetCACert"
Auth Interface opnGetCACaps = "GetCACaps"
opnPKIOperation = "PKIOperation"
)
// SCEPRequest is a SCEP server request.
type SCEPRequest struct {
Operation string
Message []byte
} }
// New returns a new ACME API router. // SCEPResponse is a SCEP server response.
func NewAPI(scepAuth Interface) api.RouterHandler { type SCEPResponse struct {
Operation string
CACertNum int
Data []byte
Err error
}
// Handler is the SCEP request handler.
type Handler struct {
Auth scep.Interface
}
// New returns a new SCEP API router.
func New(scepAuth scep.Interface) api.RouterHandler {
return &Handler{scepAuth} return &Handler{scepAuth}
} }
@ -156,7 +177,6 @@ type nextHTTP = func(http.ResponseWriter, *http.Request)
// Responds 404 if the provisioner does not exist. // Responds 404 if the provisioner does not exist.
func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP { func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
// TODO: make this configurable; and we might want to look at being able to provide multiple, // TODO: make this configurable; and we might want to look at being able to provide multiple,
// like the actual ACME one? The below assumes a SCEP provider (scep/) called "scep1" exists. // like the actual ACME one? The below assumes a SCEP provider (scep/) called "scep1" exists.
@ -168,27 +188,23 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
scepProvisioner, ok := p.(*provisioner.SCEP) scepProvisioner, ok := p.(*provisioner.SCEP)
if !ok { if !ok {
api.WriteError(w, acme.AccountDoesNotExistErr(errors.New("provisioner must be of type SCEP"))) api.WriteError(w, errors.New("provisioner must be of type SCEP"))
return return
} }
ctx = context.WithValue(ctx, acme.ProvisionerContextKey, Provisioner(scepProvisioner)) ctx := r.Context()
ctx = context.WithValue(ctx, acme.ProvisionerContextKey, scep.Provisioner(scepProvisioner))
next(w, r.WithContext(ctx)) next(w, r.WithContext(ctx))
} }
} }
func (h *Handler) GetCACert(w http.ResponseWriter, r *http.Request, scepResponse SCEPResponse) error { func (h *Handler) GetCACert(w http.ResponseWriter, r *http.Request, scepResponse SCEPResponse) error {
ctx := r.Context() certs, err := h.Auth.GetCACertificates()
p, err := ProvisionerFromContext(ctx)
if err != nil { if err != nil {
return err return err
} }
// TODO: get the CA Certificates from the (signing) authority instead? I think that should be doable
certs := p.GetCACertificates()
if len(certs) == 0 { if len(certs) == 0 {
scepResponse.CACertNum = 0 scepResponse.CACertNum = 0
scepResponse.Err = errors.New("missing CA Cert") scepResponse.Err = errors.New("missing CA Cert")
@ -226,13 +242,16 @@ func (h *Handler) PKIOperation(w http.ResponseWriter, r *http.Request, scepReque
return err return err
} }
ctx := r.Context() certs, err := h.Auth.GetCACertificates()
p, err := ProvisionerFromContext(ctx) if err != nil {
return err
}
// TODO: instead of getting the key to decrypt, add a decrypt function to the auth; less leaky
key, err := h.Auth.GetSigningKey()
if err != nil { if err != nil {
return err return err
} }
certs := p.GetCACertificates()
key := p.GetSigningKey()
ca := certs[0] ca := certs[0]
if err := msg.DecryptPKIEnvelope(ca, key); err != nil { if err := msg.DecryptPKIEnvelope(ca, key); err != nil {
@ -276,10 +295,12 @@ func (h *Handler) PKIOperation(w http.ResponseWriter, r *http.Request, scepReque
//name := certName(cert) //name := certName(cert)
// TODO: check if CN already exists, if renewal is allowed and if existing should be revoked; fail if not // TODO: check if CN already exists, if renewal is allowed and if existing should be revoked; fail if not
// TODO: store the new cert for CN locally // TODO: store the new cert for CN locally; should go into the DB
scepResponse.Data = certRep.Raw scepResponse.Data = certRep.Raw
api.LogCertificate(w, certRep.Certificate)
return writeSCEPResponse(w, scepResponse) return writeSCEPResponse(w, scepResponse)
} }
@ -354,14 +375,14 @@ func contentHeader(operation string, certNum int) string {
// ProvisionerFromContext searches the context for a provisioner. Returns the // ProvisionerFromContext searches the context for a provisioner. Returns the
// provisioner or an error. // provisioner or an error.
func ProvisionerFromContext(ctx context.Context) (Provisioner, error) { func ProvisionerFromContext(ctx context.Context) (scep.Provisioner, error) {
val := ctx.Value(acme.ProvisionerContextKey) val := ctx.Value(acme.ProvisionerContextKey)
if val == nil { if val == nil {
return nil, acme.ServerInternalErr(errors.New("provisioner expected in request context")) return nil, errors.New("provisioner expected in request context")
} }
pval, ok := val.(Provisioner) pval, ok := val.(scep.Provisioner)
if !ok || pval == nil { if !ok || pval == nil {
return nil, acme.ServerInternalErr(errors.New("provisioner in context is not a SCEP provisioner")) return nil, errors.New("provisioner in context is not a SCEP provisioner")
} }
return pval, nil return pval, nil
} }

View file

@ -1,9 +1,15 @@
package scep package scep
import ( import (
"crypto/rsa"
"crypto/x509" "crypto/x509"
"encoding/pem"
"errors"
"io/ioutil"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
database "github.com/smallstep/certificates/db"
"go.step.sm/crypto/pemutil"
"github.com/smallstep/nosql" "github.com/smallstep/nosql"
) )
@ -34,23 +40,33 @@ type Interface interface {
// GetLink(ctx context.Context, linkType Link, absoluteLink bool, inputs ...string) string // GetLink(ctx context.Context, linkType Link, absoluteLink bool, inputs ...string) string
// GetLinkExplicit(linkType Link, provName string, absoluteLink bool, baseURL *url.URL, inputs ...string) string // GetLinkExplicit(linkType Link, provName string, absoluteLink bool, baseURL *url.URL, inputs ...string) string
GetCACerts() ([]*x509.Certificate, error) GetCACertificates() ([]*x509.Certificate, error)
GetSigningKey() (*rsa.PrivateKey, error)
} }
// Authority is the layer that handles all SCEP interactions. // Authority is the layer that handles all SCEP interactions.
type Authority struct { type Authority struct {
//certificates []*x509.Certificate
//authConfig authority.AuthConfig
backdate provisioner.Duration backdate provisioner.Duration
db nosql.DB db nosql.DB
prefix string
dns string
// dir *directory // dir *directory
intermediateCertificate *x509.Certificate
intermediateKey *rsa.PrivateKey
//signer crypto.Signer
signAuth SignAuthority signAuth SignAuthority
} }
// AuthorityOptions required to create a new SCEP Authority. // AuthorityOptions required to create a new SCEP Authority.
type AuthorityOptions struct { type AuthorityOptions struct {
Certificates []*x509.Certificate IntermediateCertificatePath string
//AuthConfig authority.AuthConfig IntermediateKeyPath string
// Backdate
Backdate provisioner.Duration Backdate provisioner.Duration
// DB is the database used by nosql. // DB is the database used by nosql.
DB nosql.DB DB nosql.DB
@ -69,17 +85,83 @@ type SignAuthority interface {
LoadProvisionerByID(string) (provisioner.Interface, error) LoadProvisionerByID(string) (provisioner.Interface, error)
} }
// New returns a new Authority that implements the SCEP interface.
func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error) {
if _, ok := ops.DB.(*database.SimpleDB); !ok {
// TODO: see ACME implementation
}
// TODO: the below is a bit similar as what happens in the core Authority class, which
// creates the full x509 service. However, those aren't accessible directly, which is
// why I reimplemented this (for now). There might be an alternative that I haven't
// found yet.
certificateChain, err := pemutil.ReadCertificateBundle(ops.IntermediateCertificatePath)
if err != nil {
return nil, err
}
intermediateKey, err := readPrivateKey(ops.IntermediateKeyPath)
if err != nil {
return nil, err
}
return &Authority{
backdate: ops.Backdate,
db: ops.DB,
prefix: ops.Prefix,
dns: ops.DNS,
intermediateCertificate: certificateChain[0],
intermediateKey: intermediateKey,
signAuth: signAuth,
}, nil
}
func readPrivateKey(path string) (*rsa.PrivateKey, error) {
keyBytes, err := ioutil.ReadFile(path)
if err != nil {
return nil, err
}
block, _ := pem.Decode([]byte(keyBytes))
if block == nil {
return nil, nil
}
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
if err != nil {
return nil, err
}
return key, nil
}
// LoadProvisionerByID calls out to the SignAuthority interface to load a // LoadProvisionerByID calls out to the SignAuthority interface to load a
// provisioner by ID. // provisioner by ID.
func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error) { func (a *Authority) LoadProvisionerByID(id string) (provisioner.Interface, error) {
return a.signAuth.LoadProvisionerByID(id) return a.signAuth.LoadProvisionerByID(id)
} }
func (a *Authority) GetCACerts() ([]*x509.Certificate, error) { // GetCACertificates returns the certificate (chain) for the CA
func (a *Authority) GetCACertificates() ([]*x509.Certificate, error) {
// TODO: implement the SCEP authority if a.intermediateCertificate == nil {
return nil, errors.New("no intermediate certificate available in SCEP authority")
}
return []*x509.Certificate{}, nil return []*x509.Certificate{a.intermediateCertificate}, nil
}
// GetSigningKey returns the RSA private key for the CA
// TODO: we likely should provide utility functions for decrypting and
// signing instead of providing the signing key directly
func (a *Authority) GetSigningKey() (*rsa.PrivateKey, error) {
if a.intermediateKey == nil {
return nil, errors.New("no intermediate key available in SCEP authority")
}
return a.intermediateKey, nil
} }
// Interface guards // Interface guards

View file

@ -1,17 +1,16 @@
package scep package scep
import ( import (
"crypto/rsa" "time"
"crypto/x509"
"github.com/smallstep/certificates/authority/provisioner"
) )
// Provisioner is an interface that implements a subset of the provisioner.Interface -- // Provisioner is an interface that implements a subset of the provisioner.Interface --
// only those methods required by the SCEP api/authority. // only those methods required by the SCEP api/authority.
type Provisioner interface { type Provisioner interface {
// AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) // AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
// GetName() string GetName() string
// DefaultTLSCertDuration() time.Duration DefaultTLSCertDuration() time.Duration
// GetOptions() *provisioner.Options GetOptions() *provisioner.Options
GetCACertificates() []*x509.Certificate
GetSigningKey() *rsa.PrivateKey
} }

View file

@ -1,38 +0,0 @@
package scep
import (
database "github.com/smallstep/certificates/db"
)
const (
opnGetCACert = "GetCACert"
opnGetCACaps = "GetCACaps"
opnPKIOperation = "PKIOperation"
)
// New returns a new Authority that implements the SCEP interface.
func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error) {
if _, ok := ops.DB.(*database.SimpleDB); !ok {
// TODO: see ACME implementation
}
return &Authority{
//certificates: ops.Certificates,
backdate: ops.Backdate,
db: ops.DB,
signAuth: signAuth,
}, nil
}
// SCEPRequest is a SCEP server request.
type SCEPRequest struct {
Operation string
Message []byte
}
// SCEPResponse is a SCEP server response.
type SCEPResponse struct {
Operation string
CACertNum int
Data []byte
Err error
}