From 0a59efd853c259d232f657ac1a3fcb3f388c86c6 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Mon, 10 Aug 2020 16:09:22 -0700 Subject: [PATCH] Use new x509util to generate the CA certificate. --- authority/tls.go | 63 +++++++++++++++++++++++++++++------------------- 1 file changed, 38 insertions(+), 25 deletions(-) diff --git a/authority/tls.go b/authority/tls.go index bff60649..4dd7fecf 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -9,15 +9,14 @@ import ( "encoding/base64" "encoding/pem" "net/http" - "strings" "time" "github.com/pkg/errors" "github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/db" "github.com/smallstep/certificates/errs" + "github.com/smallstep/cli/crypto/keys" "github.com/smallstep/cli/crypto/pemutil" - x509legacy "github.com/smallstep/cli/crypto/x509util" "github.com/smallstep/cli/jose" "go.step.sm/crypto/x509util" ) @@ -359,48 +358,62 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error // GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server. func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) { - profile, err := x509legacy.NewLeafProfile("Step Online CA", a.x509Issuer, a.x509Signer, - x509legacy.WithHosts(strings.Join(a.config.DNSNames, ","))) - if err != nil { + fatal := func(err error) (*tls.Certificate, error) { return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.GetTLSCertificate") } - crtBytes, err := profile.CreateCertificate() + // Generate default key. + priv, err := keys.GenerateDefaultKey() if err != nil { - return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.GetTLSCertificate") + return fatal(err) + } + signer, ok := priv.(crypto.Signer) + if !ok { + return fatal(errors.New("private key is not a crypto.Signer")) } - keyPEM, err := pemutil.Serialize(profile.SubjectPrivateKey()) + // Create initial certificate request. + cr, err := x509util.CreateCertificateRequest("Step Online CA", a.config.DNSNames, signer) if err != nil { - return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.GetTLSCertificate") + return fatal(err) } + // Generate certificate directly from the certificate request. + certificate, err := x509util.NewCertificate(cr) + if err != nil { + return fatal(err) + } + + // Get certificate template, set validity and sign it. + now := time.Now() + template := certificate.GetCertificate() + template.NotBefore = now.Add(-1 * time.Minute) + template.NotAfter = now.Add(24 * time.Hour) + + cert, err := x509util.CreateCertificate(template, a.x509Issuer, cr.PublicKey, a.x509Signer) + if err != nil { + return fatal(err) + } + + // Generate PEM blocks to create tls.Certificate crtPEM := pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE", - Bytes: crtBytes, + Bytes: cert.Raw, }) - - // Load the x509 key pair (combining server and intermediate blocks) - // to a tls.Certificate. intermediatePEM, err := pemutil.Serialize(a.x509Issuer) if err != nil { - return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.GetTLSCertificate") + return fatal(err) } - tlsCrt, err := tls.X509KeyPair(append(crtPEM, - pem.EncodeToMemory(intermediatePEM)...), - pem.EncodeToMemory(keyPEM)) + keyPEM, err := pemutil.Serialize(priv) if err != nil { - return nil, errs.Wrap(http.StatusInternalServerError, err, - "authority.GetTLSCertificate; error creating tls certificate") + return fatal(err) } - // Get the 'leaf' certificate and set the attribute accordingly. - leaf, err := x509.ParseCertificate(tlsCrt.Certificate[0]) + tlsCrt, err := tls.X509KeyPair(append(crtPEM, pem.EncodeToMemory(intermediatePEM)...), pem.EncodeToMemory(keyPEM)) if err != nil { - return nil, errs.Wrap(http.StatusInternalServerError, err, - "authority.GetTLSCertificate; error parsing tls certificate") + return fatal(err) } - tlsCrt.Leaf = leaf - + // Set leaf certificate + tlsCrt.Leaf = cert return &tlsCrt, nil }