diff --git a/pki/helm.go b/pki/helm.go
index 7651d8ef..3fbadb40 100644
--- a/pki/helm.go
+++ b/pki/helm.go
@@ -62,6 +62,9 @@ func (p *PKI) WriteHelmTemplate(w io.Writer) error {
 }
 }
 
+ // TODO(hs): add default SSHPOP provisioner if SSH is configured, similar
+ // as the ACME one above.
+
 if err := tmpl.Execute(w, helmVariables{
 Configuration: &p.Configuration,
 Defaults: &p.Defaults,
diff --git a/pki/helm_test.go b/pki/helm_test.go
index aeffb5ca..1eb621a8 100644
--- a/pki/helm_test.go
+++ b/pki/helm_test.go
@@ -2,9 +2,13 @@ package pki
 
 import (
 "bytes"
+ "crypto/sha256"
 "crypto/x509"
+ "encoding/hex"
 "encoding/json"
+ "encoding/pem"
 "os"
+ "strings"
 "testing"
 
 "github.com/google/go-cmp/cmp"
@@ -106,12 +110,12 @@ func TestPKI_WriteHelmTemplate(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 o := tt.fields.casOptions
 opts := tt.fields.pkiOptions
+
 // TODO(hs): invoking `New` doesn't perform all operations that are executed
- // when `ca init --helm` is executed. The list of provisioners on the authority
- // is not populated, for example, resulting in this test not being entirely
- // realistic. Ideally this logic should be handled in one place and probably
- // inside of the PKI initialization, but if that becomes messy, some more
- // logic needs to be performed here to get the PKI instance in good shape.
+ // when `ca init --helm` is executed. Ideally this logic should be handled
+ // in one place and probably inside of the PKI initialization. For testing
+ // purposes the missing operations to fill a Helm template fully are faked
+ // by `setKeyPair`, `setCertificates` and `setSSHSigningKeys`
 p, err := New(o, opts...)
 assert.NoError(t, err)
 
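Review bot: The TODO added to WriteHelmTemplate records a gap with an operator-visible effect — a template written with SSH enabled presumably lacks the SSHPOP provisioner that the regular init path configures — but the comment never states that effect, so a reader of the rendered values file has no hint why its provisioner list differs from a `ca init` deployment. Suggest extending the comment with the consequence: `// Until then, a template written with SSH enabled has no SSHPOP provisioner and must be completed by hand.` The hunk ends inside the `tmpl.Execute` call, so the remainder of WriteHelmTemplate is outside it.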
@@ -124,10 +128,10 @@ func TestPKI_WriteHelmTemplate(t *testing.T) {
 // The password for the predefined encrypted key is \x01\x03\x03\x07.
 setKeyPair(t, p)
 
- // setFiles sets some static intermediate and root CA certificate bytes. It
+ // setCertificates sets some static intermediate and root CA certificate bytes. It
 // replaces the logic executed in `p.GenerateRootCertificate`, `p.WriteRootCertificate`,
 // and `p.GenerateIntermediateCertificate`.
- setFiles(t, p)
+ setCertificates(t, p)
 
 // setSSHSigningKeys sets predefined SSH user and host certificate and key bytes.
 // This replaces the logic in `p.GenerateSSHSigningKeys`
@@ -175,7 +179,6 @@ func setKeyPair(t *testing.T, p *PKI) {
 }
 }
 
- // Add JWK provisioner to the configuration.
 publicKey, err := json.Marshal(p.ottPublicKey)
 if err != nil {
 t.Fatal(err)
@@ -199,12 +202,21 @@ func setKeyPair(t *testing.T, p *PKI) {
 })
 }
 
-// setFiles sets some static, gibberish intermediate and root CA certificate bytes.
-func setFiles(t *testing.T, p *PKI) {
- p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake root CA cert bytes")})
- p.Files[p.RootKey[0]] = []byte("these are just some fake root CA key bytes")
+// setCertificates sets some static, gibberish intermediate and root CA certificate and key bytes.
+func setCertificates(t *testing.T, p *PKI) {
+ raw := []byte("these are just some fake root CA cert bytes")
+ p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: raw})
+ p.Files[p.RootKey[0]] = pem.EncodeToMemory(&pem.Block{
+ Type: "EC PRIVATE KEY",
+ Bytes: []byte("these are just some fake root CA key bytes"),
+ })
 p.Files[p.Intermediate] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake intermediate CA cert bytes")})
- p.Files[p.IntermediateKey] = []byte("these are just some fake intermediate CA key bytes")
+ p.Files[p.IntermediateKey] = pem.EncodeToMemory(&pem.Block{
+ Type: "EC PRIVATE KEY",
+ Bytes: []byte("these are just some fake intermediate CA key bytes"),
+ })
+ sum := sha256.Sum256(raw)
+ p.Defaults.Fingerprint = strings.ToLower(hex.EncodeToString(sum[:]))
 }
 
 // setSSHSigningKeys sets some static, gibberish ssh user and host CA certificate and key bytes.
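Review bot: `strings.ToLower` on the last added line of setCertificates is a no-op, because `hex.EncodeToString` already emits lowercase hex; `p.Defaults.Fingerprint = hex.EncodeToString(sum[:])` yields the same `e543…` value the golden files expect and lets the `strings` import added only for this call go. Since the helper now fixes the fingerprint itself rather than obtaining it through the code it stands in for, a comment should record what it mirrors so the two do not drift: `// Fingerprint is presumably what GenerateRootCertificate derives: hex SHA-256 over the root's DER bytes — keep in step with it.` The `EC PRIVATE KEY` blocks carry no PEM headers while the template text describes these values as encrypted keys; if the production path writes encrypted PEM (`Proc-Type`/`DEK-Info` headers), the golden files never exercise that layout, so either populate `Headers` on the `pem.Block` to match or say in the doc comment that plain blocks are deliberate.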
@@ -214,8 +226,14 @@ func setSSHSigningKeys(t *testing.T, p *PKI) {
 return
 }
 
- p.Files[p.Ssh.HostKey] = []byte("fake ssh host key bytes")
- p.Files[p.Ssh.HostPublicKey] = []byte("fake ssh host cert bytes")
- p.Files[p.Ssh.UserKey] = []byte("fake ssh user key bytes")
- p.Files[p.Ssh.UserPublicKey] = []byte("fake ssh user cert bytes")
+ p.Files[p.Ssh.HostKey] = pem.EncodeToMemory(&pem.Block{
+ Type: "EC PRIVATE KEY",
+ Bytes: []byte("fake ssh host key bytes"),
+ })
+ p.Files[p.Ssh.HostPublicKey] = []byte("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=")
+ p.Files[p.Ssh.UserKey] = pem.EncodeToMemory(&pem.Block{
+ Type: "EC PRIVATE KEY",
+ Bytes: []byte("fake ssh user key bytes"),
+ })
+ p.Files[p.Ssh.UserPublicKey] = []byte("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=")
 }
diff --git a/pki/pki.go b/pki/pki.go
index 5bbd42a1..a4a64344 100644
--- a/pki/pki.go
+++ b/pki/pki.go
@@ -648,7 +648,7 @@ func (p *PKI) GetCertificateAuthority() error {
 // SSH user certificates and a private key used for signing host certificates.
 func (p *PKI) GenerateSSHSigningKeys(password []byte) error {
 // Enable SSH
- p.options.enableSSH = true
+ p.options.enableSSH = true // TODO(hs): change this function to not mutate configuration state
 
 // Create SSH key used to sign host certificates. Using
 // kmsapi.UnspecifiedSignAlgorithm will default to the default algorithm.
diff --git a/pki/testdata/helm/simple.yml b/pki/testdata/helm/simple.yml
index 9cc82806..8a7e369f 100644
--- a/pki/testdata/helm/simple.yml
+++ b/pki/testdata/helm/simple.yml
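Review bot: The two `ecdsa-sha2-nistp256` strings assigned to `p.Ssh.HostPublicKey` and `p.Ssh.UserPublicKey` look like genuine P-256 public keys, unlike every other value in these helpers, and nothing records where they came from or whether a matching private key exists anywhere — the first question an auditor of the same strings in `pki/testdata/helm/with-ssh.yml` will ask. Suggest a comment above the first assignment: `// NOTE: throwaway P-256 public keys used only for this fixture — confirm they were generated for the test and have no key in use behind them; the "fake ... key bytes" PEM blocks are unrelated to them.` The doc comment on setSSHSigningKeys still calls the bytes "gibberish", which is no longer true for the public keys and should be updated in the same change.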
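Review bot: The TODO appended to `p.options.enableSSH = true` in GenerateSSHSigningKeys is an end-of-line comment on a statement that already has a `// Enable SSH` comment above it; merging the two into one block keeps the line short and the intent in one place: `// Enable SSH.` / `// TODO(hs): change this function to not mutate configuration state.` followed by the unchanged assignment. The side effect the TODO describes presumably also decides whether a later WriteHelmTemplate renders the SSH sections, so the comment could say that the Helm output depends on this method having run first. GenerateSSHSigningKeys continues past the hunk.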
@@ -32,7 +32,7 @@ inject:
 defaults.json:
 ca-url: https://127.0.0.1
 ca-config: /home/step/config/ca.json
- fingerprint:
+ fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
 root: /home/step/certs/root_ca.crt
 
 # Certificates contains the root and intermediate certificate and
@@ -64,11 +64,18 @@ inject:
 x509:
 # intermediate_ca_key contains the contents of your encrypted intermediate CA key
 intermediate_ca_key: |
- these are just some fake intermediate CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+ ZXM=
+ -----END EC PRIVATE KEY-----
+
 # root_ca_key contains the contents of your encrypted root CA key
 # Note that this value can be omitted without impacting the functionality of step-certificates
 # If supplied, this should be encrypted using a unique password that is not used for encrypting
 # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
 root_ca_key: |
- these are just some fake root CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+ -----END EC PRIVATE KEY-----
+
 
diff --git a/pki/testdata/helm/with-acme.yml b/pki/testdata/helm/with-acme.yml
index 4f9d5761..488bc32f 100644
--- a/pki/testdata/helm/with-acme.yml
+++ b/pki/testdata/helm/with-acme.yml
@@ -33,7 +33,7 @@ inject:
 defaults.json:
 ca-url: https://127.0.0.1
 ca-config: /home/step/config/ca.json
- fingerprint:
+ fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
 root: /home/step/certs/root_ca.crt
 
 # Certificates contains the root and intermediate certificate and
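Review bot: The x509 hunks in `pki/testdata/helm/simple.yml`, `with-acme.yml`, `with-admin.yml` and `with-provisioner.yml` (and the x509 and ssh hunks in `with-ssh.yml`) commit `-----BEGIN EC PRIVATE KEY-----` armor to the repository, and secret scanners key on that header rather than on the payload; the bodies decode to the literal "these are just some fake … key bytes" text, so nothing is exposed, but the alarm will repeat on every scan. A comment cannot go into these files without changing the rendered output they are compared against, so the exception belongs in the repository's secret-scanning configuration for `pki/testdata/helm/`, with the reason recorded there. The `fingerprint:` value added near the top of each file is the SHA-256 of the placeholder root DER bytes in the test helper, so it changes silently whenever that placeholder string does.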
@@ -65,11 +65,18 @@ inject:
 x509:
 # intermediate_ca_key contains the contents of your encrypted intermediate CA key
 intermediate_ca_key: |
- these are just some fake intermediate CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+ ZXM=
+ -----END EC PRIVATE KEY-----
+
 # root_ca_key contains the contents of your encrypted root CA key
 # Note that this value can be omitted without impacting the functionality of step-certificates
 # If supplied, this should be encrypted using a unique password that is not used for encrypting
 # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
 root_ca_key: |
- these are just some fake root CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+ -----END EC PRIVATE KEY-----
+
 
diff --git a/pki/testdata/helm/with-admin.yml b/pki/testdata/helm/with-admin.yml
index b90647ea..790fbdd4 100644
--- a/pki/testdata/helm/with-admin.yml
+++ b/pki/testdata/helm/with-admin.yml
@@ -32,7 +32,7 @@ inject:
 defaults.json:
 ca-url: https://127.0.0.1
 ca-config: /home/step/config/ca.json
- fingerprint:
+ fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
 root: /home/step/certs/root_ca.crt
 
 # Certificates contains the root and intermediate certificate and
@@ -64,11 +64,18 @@ inject:
 x509:
 # intermediate_ca_key contains the contents of your encrypted intermediate CA key
 intermediate_ca_key: |
- these are just some fake intermediate CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+ ZXM=
+ -----END EC PRIVATE KEY-----
+
 # root_ca_key contains the contents of your encrypted root CA key
 # Note that this value can be omitted without impacting the functionality of step-certificates
 # If supplied, this should be encrypted using a unique password that is not used for encrypting
 # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
 root_ca_key: |
- these are just some fake root CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+ -----END EC PRIVATE KEY-----
+
 
diff --git a/pki/testdata/helm/with-provisioner.yml b/pki/testdata/helm/with-provisioner.yml
index 75788acc..de17ef0a 100644
--- a/pki/testdata/helm/with-provisioner.yml
+++ b/pki/testdata/helm/with-provisioner.yml
@@ -32,7 +32,7 @@ inject:
 defaults.json:
 ca-url: https://127.0.0.1
 ca-config: /home/step/config/ca.json
- fingerprint:
+ fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
 root: /home/step/certs/root_ca.crt
 
 # Certificates contains the root and intermediate certificate and
@@ -64,11 +64,18 @@ inject:
 x509:
 # intermediate_ca_key contains the contents of your encrypted intermediate CA key
 intermediate_ca_key: |
- these are just some fake intermediate CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+ ZXM=
+ -----END EC PRIVATE KEY-----
+
 # root_ca_key contains the contents of your encrypted root CA key
 # Note that this value can be omitted without impacting the functionality of step-certificates
 # If supplied, this should be encrypted using a unique password that is not used for encrypting
 # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
 root_ca_key: |
- these are just some fake root CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+ -----END EC PRIVATE KEY-----
+
 
diff --git a/pki/testdata/helm/with-ssh.yml b/pki/testdata/helm/with-ssh.yml
index 1f922994..e1ce4143 100644
--- a/pki/testdata/helm/with-ssh.yml
+++ b/pki/testdata/helm/with-ssh.yml
@@ -35,7 +35,7 @@ inject:
 defaults.json:
 ca-url: https://127.0.0.1
 ca-config: /home/step/config/ca.json
- fingerprint:
+ fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
 root: /home/step/certs/root_ca.crt
 
 # Certificates contains the root and intermediate certificate and
@@ -56,10 +56,10 @@ inject:
 -----END CERTIFICATE-----
 
 # ssh_host_ca contains the text of the public ssh key for the SSH root CA
- ssh_host_ca: fake ssh host cert bytes
+ ssh_host_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=
 
 # ssh_user_ca contains the text of the public ssh key for the SSH root CA
- ssh_user_ca: fake ssh user cert bytes
+ ssh_user_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=
 
 # Secrets contains the root and intermediate keys and optionally the SSH
 # private keys
@@ -72,19 +72,32 @@ inject:
 x509:
 # intermediate_ca_key contains the contents of your encrypted intermediate CA key
 intermediate_ca_key: |
- these are just some fake intermediate CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+ ZXM=
+ -----END EC PRIVATE KEY-----
+
 # root_ca_key contains the contents of your encrypted root CA key
 # Note that this value can be omitted without impacting the functionality of step-certificates
 # If supplied, this should be encrypted using a unique password that is not used for encrypting
 # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
 root_ca_key: |
- these are just some fake root CA key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+ -----END EC PRIVATE KEY-----
+
 
 ssh:
 # ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
 host_ca_key: |
- fake ssh host key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ ZmFrZSBzc2ggaG9zdCBrZXkgYnl0ZXM=
+ -----END EC PRIVATE KEY-----
+
 # ssh_user_ca_key contains the contents of your encrypted SSH User CA key
 user_ca_key: |
- fake ssh user key bytes
+ -----BEGIN EC PRIVATE KEY-----
+ ZmFrZSBzc2ggdXNlciBrZXkgYnl0ZXM=
+ -----END EC PRIVATE KEY-----
+
 