package apiv1
import (
"crypto"
"crypto/x509"
"encoding/json"
"github.com/pkg/errors"
"github.com/smallstep/certificates/kms"
)
// Options represents the configuration options used to select and configure the
// CertificateAuthorityService (CAS) to use.
//
// Only the fields carrying a real json tag are read from the configuration
// file; every field tagged `json:"-"` is populated programmatically by the
// caller (CLI, initializer) and cannot be set, or leaked, through JSON.
// Validate only checks that Type names a registered CAS; it does not inspect
// any of the other fields, so per-backend requirements (a CA URL for StepCAS,
// credentials for CloudCAS, ...) are not enforced here.
type Options struct {
	// The type of the CAS to use. Must name a CAS for which a constructor is
	// registered (see LoadCertificateAuthorityServiceNewFunc in Validate). A
	// nil *Options is treated as SoftCAS.
	Type string `json:"type"`

	// CertificateAuthority reference:
	// In StepCAS the value is the CA url, e.g. "https://ca.smallstep.com:9000".
	// In CloudCAS the format is "projects/*/locations/*/certificateAuthorities/*".
	// In VaultCAS the value is the url, e.g. "https://vault.smallstep.com".
	CertificateAuthority string `json:"certificateAuthority,omitempty"`

	// CertificateAuthorityFingerprint is the root fingerprint used to
	// authenticate the connection to the CA when using StepCAS. This is the
	// trust anchor for the upstream CA: it pins the root the TLS connection
	// must chain to. It is optional at the JSON level (omitempty); what the
	// StepCAS implementation does when it is empty (reject, or fall back to
	// the system trust store) is decided there, not in this package — TODO
	// confirm before relying on an empty value.
	CertificateAuthorityFingerprint string `json:"certificateAuthorityFingerprint,omitempty"`

	// CertificateIssuer contains the configuration used in StepCAS. Note that
	// CertificateIssuer carries a Password field that is serialized like any
	// other field; see the CertificateIssuer type.
	CertificateIssuer *CertificateIssuer `json:"certificateIssuer,omitempty"`

	// Path to the credentials file used in CloudCAS. If not defined the default
	// authentication mechanism provided by Google SDK will be used. See
	// https://cloud.google.com/docs/authentication.
	CredentialsFile string `json:"credentialsFile,omitempty"`

	// Certificate and signer are the issuer certificate, along with any other
	// bundled certificates to be returned in the chain for consumers, and
	// signer used in SoftCAS. They are configured in ca.json crt and key
	// properties. Both are excluded from JSON (`json:"-"`): the chain is
	// loaded by the caller and the private key never passes through this
	// struct's serialized form.
	CertificateChain []*x509.Certificate `json:"-"`
	Signer crypto.Signer `json:"-"`

	// IsCreator is set to true when we're creating a certificate authority. It
	// is used to skip some validations when initializing a
	// CertificateAuthority. This option is used on SoftCAS and CloudCAS.
	// Because it relaxes validation it is deliberately not settable from
	// JSON; only code paths that construct Options directly can enable it.
	IsCreator bool `json:"-"`

	// IsCAGetter is set to true when we're just using the
	// CertificateAuthorityGetter interface to retrieve the root certificate. It
	// is used to skip some validations when initializing a
	// CertificateAuthority. This option is used on StepCAS. Like IsCreator it
	// is not settable from JSON.
	IsCAGetter bool `json:"-"`

	// KeyManager is the KMS used to generate keys in SoftCAS. Supplied by the
	// caller; not part of the JSON configuration.
	KeyManager kms.KeyManager `json:"-"`

	// Project, Location, CaPool and GCSBucket are parameters used in CloudCAS
	// to create a new certificate authority. If a CaPool does not exist it will
	// be created. GCSBucket is optional, if not provided GCloud will create a
	// managed bucket. CaPoolTier is not described by the original authors;
	// presumably it selects the tier of the pool being created — confirm
	// against the CloudCAS implementation. None of these are read from JSON.
	Project string `json:"-"`
	Location string `json:"-"`
	CaPool string `json:"-"`
	CaPoolTier string `json:"-"`
	GCSBucket string `json:"-"`

	// Generic structure to configure any CAS. Kept as json.RawMessage so
	// decoding is deferred to the selected backend; nothing in this package
	// validates its content, and it may carry backend secrets, so treat the
	// serialized Options as sensitive when this is set.
	Config json.RawMessage `json:"config,omitempty"`
}
// CertificateIssuer contains the properties used to use the StepCAS certificate
// authority service.
//
// All fields are plain JSON configuration. Password is serialized under the
// "password" key like any other field, so marshalling or logging an Options
// value that holds a CertificateIssuer will include the password in clear;
// redact before emitting configuration to logs or diagnostics.
type CertificateIssuer struct {
	// Type selects the issuer mechanism used against the StepCAS CA. The
	// accepted values are defined by the StepCAS implementation, not here.
	Type string `json:"type"`

	// Provisioner is the name of the provisioner on the upstream CA to use.
	Provisioner string `json:"provisioner,omitempty"`

	// Certificate is the issuer certificate, under the JSON key "crt".
	// Whether this is a file path or inline PEM is decided by the consumer —
	// TODO confirm against the StepCAS loader.
	Certificate string `json:"crt,omitempty"`

	// Key is the issuer private key, under the JSON key "key". Same
	// path-vs-inline caveat as Certificate.
	Key string `json:"key,omitempty"`

	// Password is the secret used to decrypt Key (presumably; verify against
	// the StepCAS loader). It is stored in clear in the configuration file.
	Password string `json:"password,omitempty"`
}
// Validate checks the fields in Options.
//
// A nil receiver is treated as the default SoftCAS configuration. The only
// check performed is that a constructor is registered for the selected type
// (via LoadCertificateAuthorityServiceNewFunc); no other field is inspected
// here. Returns an error naming the type when it is not supported.
func (o *Options) Validate() error {
	// Default to SoftCAS when no options were supplied at all.
	typ := Type(SoftCAS)
	if o != nil {
		typ = Type(o.Type)
	}

	// A registered constructor is what makes a type "supported".
	if _, ok := LoadCertificateAuthorityServiceNewFunc(typ); ok {
		return nil
	}
	return errors.Errorf("unsupported cas type %s", typ)
}
// Is returns if the options have the given type.
//
// A nil receiver is treated as SoftCAS. Both sides of the comparison go
// through Type.String(), so the stored Type string is compared in its
// normalized form rather than verbatim.
func (o *Options) Is(t Type) bool {
	want := t.String()
	if o == nil {
		return want == SoftCAS
	}
	have := Type(o.Type).String()
	return want == have
}