From c2dc76550ce519b53ddba7d8b340d6732d52abdb Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Mon, 27 Jul 2020 16:03:16 -0700 Subject: [PATCH] Add ssh certificate template to X5C provisioner. --- authority/provisioner/x5c.go | 58 +++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go index ff01b151..ee05078e 100644 --- a/authority/provisioner/x5c.go +++ b/authority/provisioner/x5c.go @@ -9,6 +9,7 @@ import ( "github.com/pkg/errors" "github.com/smallstep/certificates/errs" + "github.com/smallstep/certificates/sshutil" "github.com/smallstep/certificates/x509util" "github.com/smallstep/cli/jose" ) @@ -25,14 +26,15 @@ type x5cPayload struct { // signature requests. type X5C struct { *base - Type string `json:"type"` - Name string `json:"name"` - Roots []byte `json:"roots"` - Claims *Claims `json:"claims,omitempty"` - Options *Options `json:"options,omitempty"` - claimer *Claimer - audiences Audiences - rootPool *x509.CertPool + Type string `json:"type"` + Name string `json:"name"` + Roots []byte `json:"roots"` + Claims *Claims `json:"claims,omitempty"` + Options *Options `json:"options,omitempty"` + SSHOptions *SSHOptions `json:"sshOptions,omitempty"` + claimer *Claimer + audiences Audiences + rootPool *x509.CertPool } // GetID returns the provisioner unique identifier. The name and credential id @@ -249,14 +251,37 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, sshCertOptionsValidator(*opts), } - // Add modifiers from custom claims - // FIXME: this is also set in the sign method using SSHOptions.Modify. + // Default template attributes. + certType := sshutil.UserCert + keyID := claims.Subject + principals := []string{claims.Subject} + + // Use options in the token. if opts.CertType != "" { - signOptions = append(signOptions, sshCertTypeModifier(opts.CertType)) + if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil { + return nil, errs.Wrap(http.StatusBadRequest, err, "jwk.AuthorizeSSHSign") + } + } + if opts.KeyID != "" { + keyID = opts.KeyID } if len(opts.Principals) > 0 { - signOptions = append(signOptions, sshCertPrincipalsModifier(opts.Principals)) + principals = opts.Principals } + + // Certificate templates. + data := sshutil.CreateTemplateData(certType, keyID, principals) + if v, err := unsafeParseSigned(token); err == nil { + data.SetToken(v) + } + + templateOptions, err := TemplateSSHOptions(p.SSHOptions, data) + if err != nil { + return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign") + } + signOptions = append(signOptions, templateOptions) + + // Add modifiers from custom claims t := now() if !opts.ValidAfter.IsZero() { signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix())) @@ -264,17 +289,8 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, if !opts.ValidBefore.IsZero() { signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix())) } - // Make sure to define the the KeyID - if opts.KeyID == "" { - signOptions = append(signOptions, sshCertKeyIDModifier(claims.Subject)) - } - - // Default to a user certificate with no principals if not set - signOptions = append(signOptions, sshCertDefaultsModifier{CertType: SSHUserCert}) return append(signOptions, - // Set the default extensions. - &sshDefaultExtensionModifier{}, // Checks the validity bounds, and set the validity if has not been set. &sshLimitDuration{p.claimer, claims.chains[0][0].NotAfter}, // set the key id to the token subject