certificates/authority/provisioner/sign_ssh_options.go

489 lines
16 KiB
Go
Raw Normal View History

package provisioner
import (
"crypto/rsa"
"encoding/binary"
2020-07-27 22:41:53 +00:00
"encoding/json"
"fmt"
"math/big"
"strings"
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/policy"
"github.com/smallstep/certificates/errs"
2020-08-14 22:33:50 +00:00
"go.step.sm/crypto/keyutil"
"golang.org/x/crypto/ssh"
)
const (
// SSHUserCert is the string used to represent ssh.UserCert.
SSHUserCert = "user"
// SSHHostCert is the string used to represent ssh.HostCert.
SSHHostCert = "host"
)
2020-01-24 06:04:34 +00:00
// SSHCertModifier is the interface used to change properties in an SSH
// certificate.
2020-01-24 06:04:34 +00:00
type SSHCertModifier interface {
SignOption
Modify(cert *ssh.Certificate, opts SignSSHOptions) error
}
2020-01-24 06:04:34 +00:00
// SSHCertValidator is the interface used to validate an SSH certificate.
type SSHCertValidator interface {
SignOption
Valid(cert *ssh.Certificate, opts SignSSHOptions) error
}
2020-01-24 06:04:34 +00:00
// SSHCertOptionsValidator is the interface used to validate the custom
// options used to modify the SSH certificate.
2020-01-24 06:04:34 +00:00
type SSHCertOptionsValidator interface {
SignOption
Valid(got SignSSHOptions) error
}
// SignSSHOptions contains the options that can be passed to the SignSSH method.
type SignSSHOptions struct {
2020-07-27 22:41:53 +00:00
CertType string `json:"certType"`
KeyID string `json:"keyID"`
Principals []string `json:"principals"`
ValidAfter TimeDuration `json:"validAfter,omitempty"`
ValidBefore TimeDuration `json:"validBefore,omitempty"`
2020-08-04 01:10:29 +00:00
TemplateData json.RawMessage `json:"templateData,omitempty"`
2020-07-27 22:41:53 +00:00
Backdate time.Duration `json:"-"`
}
2020-08-04 01:36:05 +00:00
// Validate validates the given SignSSHOptions.
func (o SignSSHOptions) Validate() error {
if o.CertType != "" && o.CertType != SSHUserCert && o.CertType != SSHHostCert {
2021-11-24 02:06:18 +00:00
return errs.BadRequest("certType '%s' is not valid", o.CertType)
2020-08-04 01:36:05 +00:00
}
for _, p := range o.Principals {
if p == "" {
return errs.BadRequest("principals cannot contain empty values")
}
}
2020-08-04 01:36:05 +00:00
return nil
}
// Type returns the uint32 representation of the CertType.
func (o SignSSHOptions) Type() uint32 {
return sshCertTypeUInt32(o.CertType)
}
2020-01-24 06:04:34 +00:00
// Modify implements SSHCertModifier and sets the SSHOption in the ssh.Certificate.
func (o SignSSHOptions) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
switch o.CertType {
case "": // ignore
case SSHUserCert:
cert.CertType = ssh.UserCert
case SSHHostCert:
cert.CertType = ssh.HostCert
default:
return errs.BadRequest("ssh certificate has an unknown type '%s'", o.CertType)
}
cert.KeyId = o.KeyID
cert.ValidPrincipals = o.Principals
2019-11-14 23:26:37 +00:00
return o.ModifyValidity(cert)
}
// ModifyValidity modifies only the ValidAfter and ValidBefore on the given
// ssh.Certificate.
func (o SignSSHOptions) ModifyValidity(cert *ssh.Certificate) error {
2019-11-14 23:26:37 +00:00
t := now()
if !o.ValidAfter.IsZero() {
2019-11-14 23:26:37 +00:00
cert.ValidAfter = uint64(o.ValidAfter.RelativeTime(t).Unix())
}
if !o.ValidBefore.IsZero() {
2019-11-14 23:26:37 +00:00
cert.ValidBefore = uint64(o.ValidBefore.RelativeTime(t).Unix())
}
if cert.ValidAfter > 0 && cert.ValidBefore > 0 && cert.ValidAfter > cert.ValidBefore {
return errs.BadRequest("ssh certificate validAfter cannot be greater than validBefore")
}
return nil
}
// match compares two SSHOptions and return an error if they don't match. It
// ignores zero values.
func (o SignSSHOptions) match(got SignSSHOptions) error {
if o.CertType != "" && got.CertType != "" && o.CertType != got.CertType {
return errs.Forbidden("ssh certificate type does not match - got %v, want %v", got.CertType, o.CertType)
}
if len(o.Principals) > 0 && len(got.Principals) > 0 && !containsAllMembers(o.Principals, got.Principals) {
return errs.Forbidden("ssh certificate principals does not match - got %v, want %v", got.Principals, o.Principals)
}
if !o.ValidAfter.IsZero() && !got.ValidAfter.IsZero() && !o.ValidAfter.Equal(&got.ValidAfter) {
return errs.Forbidden("ssh certificate validAfter does not match - got %v, want %v", got.ValidAfter, o.ValidAfter)
}
if !o.ValidBefore.IsZero() && !got.ValidBefore.IsZero() && !o.ValidBefore.Equal(&got.ValidBefore) {
return errs.Forbidden("ssh certificate validBefore does not match - got %v, want %v", got.ValidBefore, o.ValidBefore)
}
return nil
}
2020-01-24 06:04:34 +00:00
// sshCertValidAfterModifier is an SSHCertModifier that sets the
// ValidAfter in the SSH certificate.
type sshCertValidAfterModifier uint64
func (m sshCertValidAfterModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
cert.ValidAfter = uint64(m)
return nil
}
2020-01-24 06:04:34 +00:00
// sshCertValidBeforeModifier is an SSHCertModifier that sets the
// ValidBefore in the SSH certificate.
type sshCertValidBeforeModifier uint64
func (m sshCertValidBeforeModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
cert.ValidBefore = uint64(m)
return nil
}
2020-01-24 06:04:34 +00:00
// sshDefaultDuration is an SSHCertModifier that sets the certificate
// ValidAfter and ValidBefore if they have not been set. It will fail if a
// CertType has not been set or is not valid.
type sshDefaultDuration struct {
*Claimer
}
// Modify implements SSHCertModifier and sets the validity if it has not been
// set, but it always applies the backdate.
func (m *sshDefaultDuration) Modify(cert *ssh.Certificate, o SignSSHOptions) error {
d, err := m.DefaultSSHCertDuration(cert.CertType)
if err != nil {
return err
}
2019-09-05 01:31:09 +00:00
var backdate uint64
if cert.ValidAfter == 0 {
backdate = uint64(o.Backdate / time.Second)
cert.ValidAfter = uint64(now().Truncate(time.Second).Unix())
}
if cert.ValidBefore == 0 {
cert.ValidBefore = cert.ValidAfter + uint64(d/time.Second)
}
// Apply backdate safely
if cert.ValidAfter > backdate {
cert.ValidAfter -= backdate
}
return nil
}
// sshLimitDuration adjusts the duration to min(default, remaining provisioning
// credential duration). E.g. if the default is 12hrs but the remaining validity
// of the provisioning credential is only 4hrs, this option will set the value
// to 4hrs (the min of the two values). It will fail if a CertType has not been
// set or is not valid.
type sshLimitDuration struct {
*Claimer
NotAfter time.Time
}
2019-09-05 01:31:09 +00:00
// Modify implements SSHCertModifier and modifies the validity of the
// certificate to expire before the configured limit.
func (m *sshLimitDuration) Modify(cert *ssh.Certificate, o SignSSHOptions) error {
if m.NotAfter.IsZero() {
defaultDuration := &sshDefaultDuration{m.Claimer}
return defaultDuration.Modify(cert, o)
}
// Make sure the duration is within the limits.
d, err := m.DefaultSSHCertDuration(cert.CertType)
if err != nil {
return err
}
var backdate uint64
if cert.ValidAfter == 0 {
backdate = uint64(o.Backdate / time.Second)
cert.ValidAfter = uint64(now().Truncate(time.Second).Unix())
}
2019-09-05 01:31:09 +00:00
certValidAfter := time.Unix(int64(cert.ValidAfter), 0)
if certValidAfter.After(m.NotAfter) {
return errs.Forbidden("provisioning credential expiration (%s) is before requested certificate validAfter (%s)",
m.NotAfter, certValidAfter)
}
2019-09-05 01:31:09 +00:00
if cert.ValidBefore == 0 {
certValidBefore := certValidAfter.Add(d)
if m.NotAfter.Before(certValidBefore) {
certValidBefore = m.NotAfter
}
cert.ValidBefore = uint64(certValidBefore.Unix())
} else {
certValidBefore := time.Unix(int64(cert.ValidBefore), 0)
if m.NotAfter.Before(certValidBefore) {
return errs.Forbidden("provisioning credential expiration (%s) is before requested certificate validBefore (%s)",
m.NotAfter, certValidBefore)
}
}
2019-09-05 01:31:09 +00:00
// Apply backdate safely
if cert.ValidAfter > backdate {
cert.ValidAfter -= backdate
}
return nil
}
2020-01-24 06:04:34 +00:00
// sshCertOptionsValidator validates the user SSHOptions with the ones
// usually present in the token.
type sshCertOptionsValidator SignSSHOptions
2020-01-24 06:04:34 +00:00
// Valid implements SSHCertOptionsValidator and returns nil if both
// SSHOptions match.
func (v sshCertOptionsValidator) Valid(got SignSSHOptions) error {
want := SignSSHOptions(v)
return want.match(got)
}
// sshCertOptionsRequireValidator defines which elements in the SignSSHOptions are required.
type sshCertOptionsRequireValidator struct {
CertType bool
KeyID bool
Principals bool
}
func (v *sshCertOptionsRequireValidator) Valid(got SignSSHOptions) error {
switch {
case v.CertType && got.CertType == "":
return errs.BadRequest("ssh certificate certType cannot be empty")
case v.KeyID && got.KeyID == "":
return errs.BadRequest("ssh certificate keyID cannot be empty")
case v.Principals && len(got.Principals) == 0:
return errs.BadRequest("ssh certificate principals cannot be empty")
default:
return nil
}
}
2020-01-24 06:04:34 +00:00
type sshCertValidityValidator struct {
2019-09-05 01:31:09 +00:00
*Claimer
}
func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOptions) error {
2019-09-05 01:31:09 +00:00
switch {
case cert.ValidAfter == 0:
return errs.BadRequest("ssh certificate validAfter cannot be 0")
2019-09-05 01:31:09 +00:00
case cert.ValidBefore < uint64(now().Unix()):
return errs.BadRequest("ssh certificate validBefore cannot be in the past")
2019-09-05 01:31:09 +00:00
case cert.ValidBefore < cert.ValidAfter:
return errs.BadRequest("ssh certificate validBefore cannot be before validAfter")
2019-09-05 01:31:09 +00:00
}
var min, max time.Duration
switch cert.CertType {
case ssh.UserCert:
min = v.MinUserSSHCertDuration()
max = v.MaxUserSSHCertDuration()
case ssh.HostCert:
min = v.MinHostSSHCertDuration()
max = v.MaxHostSSHCertDuration()
case 0:
return errs.BadRequest("ssh certificate type has not been set")
2019-09-05 01:31:09 +00:00
default:
2021-11-24 02:06:18 +00:00
return errs.BadRequest("ssh certificate has an unknown type '%d'", cert.CertType)
2019-09-05 01:31:09 +00:00
}
// To not take into account the backdate, time.Now() will be used to
// calculate the duration if ValidAfter is in the past.
dur := time.Duration(cert.ValidBefore-cert.ValidAfter) * time.Second
2019-09-05 01:31:09 +00:00
switch {
case dur < min:
return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
case dur > max+opts.Backdate:
return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
2019-09-05 01:31:09 +00:00
default:
return nil
}
}
2020-01-24 06:04:34 +00:00
// sshCertDefaultValidator implements a simple validator for all the
// fields in the SSH certificate.
2020-01-24 06:04:34 +00:00
type sshCertDefaultValidator struct{}
// Valid returns an error if the given certificate does not contain the
// necessary fields. We skip ValidPrincipals and Extensions as with custom
// templates you can set them empty.
2023-05-10 06:47:28 +00:00
func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error {
switch {
case len(cert.Nonce) == 0:
return errs.Forbidden("ssh certificate nonce cannot be empty")
case cert.Key == nil:
return errs.Forbidden("ssh certificate key cannot be nil")
case cert.Serial == 0:
return errs.Forbidden("ssh certificate serial cannot be 0")
case cert.CertType != ssh.UserCert && cert.CertType != ssh.HostCert:
return errs.Forbidden("ssh certificate has an unknown type '%d'", cert.CertType)
case cert.KeyId == "":
return errs.Forbidden("ssh certificate key id cannot be empty")
case cert.ValidAfter == 0:
return errs.Forbidden("ssh certificate validAfter cannot be 0")
case cert.ValidBefore < uint64(now().Unix()):
return errs.Forbidden("ssh certificate validBefore cannot be in the past")
case cert.ValidBefore < cert.ValidAfter:
return errs.Forbidden("ssh certificate validBefore cannot be before validAfter")
case cert.SignatureKey == nil:
return errs.Forbidden("ssh certificate signature key cannot be nil")
case cert.Signature == nil:
return errs.Forbidden("ssh certificate signature cannot be nil")
default:
return nil
}
}
// sshDefaultPublicKeyValidator implements a validator for the certificate key.
type sshDefaultPublicKeyValidator struct{}
// Valid checks that certificate request common name matches the one configured.
//
// TODO: this is the only validator that checks the key type. We should execute
// this before the signing. We should add a new validations interface or extend
// SSHCertOptionsValidator with the key.
2023-05-10 06:47:28 +00:00
func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error {
if cert.Key == nil {
return errs.BadRequest("ssh certificate key cannot be nil")
}
switch cert.Key.Type() {
case ssh.KeyAlgoRSA:
_, in, ok := sshParseString(cert.Key.Marshal())
if !ok {
return errs.BadRequest("ssh certificate key is invalid")
}
key, err := sshParseRSAPublicKey(in)
if err != nil {
return errs.BadRequestErr(err, "error parsing public key")
}
2020-08-14 22:33:50 +00:00
if key.Size() < keyutil.MinRSAKeyBytes {
return errs.Forbidden("ssh certificate key must be at least %d bits (%d bytes)",
2020-08-14 22:33:50 +00:00
8*keyutil.MinRSAKeyBytes, keyutil.MinRSAKeyBytes)
}
return nil
case ssh.KeyAlgoDSA:
return errs.BadRequest("ssh certificate key algorithm (DSA) is not supported")
default:
return nil
}
}
// sshNamePolicyValidator validates that the certificate (to be signed)
// contains only allowed principals.
type sshNamePolicyValidator struct {
hostPolicyEngine policy.HostPolicy
userPolicyEngine policy.UserPolicy
}
// newSSHNamePolicyValidator return a new SSH allow/deny validator.
func newSSHNamePolicyValidator(host policy.HostPolicy, user policy.UserPolicy) *sshNamePolicyValidator {
return &sshNamePolicyValidator{
hostPolicyEngine: host,
userPolicyEngine: user,
}
}
// Valid validates that the certificate (to be signed) contains only allowed principals.
func (v *sshNamePolicyValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error {
if v.hostPolicyEngine == nil && v.userPolicyEngine == nil {
// no policy configured at all; allow anything
return nil
}
// Check the policy type to execute based on type of the certificate.
// We don't allow user certs if only a host policy engine is configured and
// the same for host certs: if only a user policy engine is configured, host
// certs are denied. When both policy engines are configured, the type of
// cert determines which policy engine is used.
switch cert.CertType {
case ssh.HostCert:
// when no host policy engine is configured, but a user policy engine is
// configured, the host certificate is denied.
if v.hostPolicyEngine == nil && v.userPolicyEngine != nil {
return errors.New("SSH host certificate not authorized")
}
2022-04-26 11:12:16 +00:00
return v.hostPolicyEngine.IsSSHCertificateAllowed(cert)
case ssh.UserCert:
// when no user policy engine is configured, but a host policy engine is
// configured, the user certificate is denied.
if v.userPolicyEngine == nil && v.hostPolicyEngine != nil {
return errors.New("SSH user certificate not authorized")
}
2022-04-26 11:12:16 +00:00
return v.userPolicyEngine.IsSSHCertificateAllowed(cert)
default:
return fmt.Errorf("unexpected SSH certificate type %d", cert.CertType) // satisfy return; shouldn't happen
}
}
// sshCertTypeUInt32
func sshCertTypeUInt32(ct string) uint32 {
switch ct {
case SSHUserCert:
return ssh.UserCert
case SSHHostCert:
return ssh.HostCert
default:
return 0
}
}
// containsAllMembers reports whether all members of subgroup are within group.
func containsAllMembers(group, subgroup []string) bool {
lg, lsg := len(group), len(subgroup)
2019-07-30 01:16:52 +00:00
if lsg > lg || (lg > 0 && lsg == 0) {
return false
}
visit := make(map[string]struct{}, lg)
for i := 0; i < lg; i++ {
visit[strings.ToLower(group[i])] = struct{}{}
}
for i := 0; i < lsg; i++ {
if _, ok := visit[strings.ToLower(subgroup[i])]; !ok {
return false
}
}
return true
}
func sshParseString(in []byte) (out, rest []byte, ok bool) {
if len(in) < 4 {
return
}
length := binary.BigEndian.Uint32(in)
in = in[4:]
if uint32(len(in)) < length {
return
}
out = in[:length]
rest = in[length:]
ok = true
return
}
func sshParseRSAPublicKey(in []byte) (*rsa.PublicKey, error) {
var w struct {
E *big.Int
N *big.Int
Rest []byte `ssh:"rest"`
}
if err := ssh.Unmarshal(in, &w); err != nil {
return nil, errors.Wrap(err, "error unmarshalling public key")
}
if w.E.BitLen() > 24 {
return nil, errors.New("invalid public key: exponent too large")
}
e := w.E.Int64()
if e < 3 || e&1 == 0 {
return nil, errors.New("invalid public key: incorrect exponent")
}
var key rsa.PublicKey
key.E = int(e)
key.N = w.N
return &key, nil
}