Merge pull request #220 from smallstep/identity-cert-duration

Enforce a duration for identity certificates
This commit is contained in:
Mariano Cano 2020-03-31 13:02:23 -07:00 committed by GitHub
commit 1d9edcd48f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 81 additions and 14 deletions

View file

@ -308,14 +308,6 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
// Sign identity certificate if available. // Sign identity certificate if available.
var identityCertificate []Certificate var identityCertificate []Certificate
if cr := body.IdentityCSR.CertificateRequest; cr != nil { if cr := body.IdentityCSR.CertificateRequest; cr != nil {
var opts provisioner.Options
// Use same duration as ssh certificate for user certificates
if cert.CertType == ssh.UserCert {
opts = provisioner.Options{
NotBefore: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidAfter), 0)),
NotAfter: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidBefore), 0)),
}
}
ctx := authority.NewContextWithSkipTokenReuse(r.Context()) ctx := authority.NewContextWithSkipTokenReuse(r.Context())
ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod) ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
signOpts, err := h.Authority.Authorize(ctx, body.OTT) signOpts, err := h.Authority.Authorize(ctx, body.OTT)
@ -323,7 +315,14 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
WriteError(w, errs.UnauthorizedErr(err)) WriteError(w, errs.UnauthorizedErr(err))
return return
} }
certChain, err := h.Authority.Sign(cr, opts, signOpts...)
// Enforce the same duration as ssh certificate.
signOpts = append(signOpts, &identityModifier{
NotBefore: time.Unix(int64(cert.ValidAfter), 0),
NotAfter: time.Unix(int64(cert.ValidBefore), 0),
})
certChain, err := h.Authority.Sign(cr, provisioner.Options{}, signOpts...)
if err != nil { if err != nil {
WriteError(w, errs.ForbiddenErr(err)) WriteError(w, errs.ForbiddenErr(err))
return return
@ -483,3 +482,15 @@ func (h *caHandler) SSHBastion(w http.ResponseWriter, r *http.Request) {
Bastion: bastion, Bastion: bastion,
}) })
} }
// identityModifier is a custom modifier used to force a fixed duration.
type identityModifier struct {
NotBefore time.Time
NotAfter time.Time
}
func (m *identityModifier) Enforce(cert *x509.Certificate) error {
cert.NotBefore = m.NotBefore
cert.NotAfter = m.NotAfter
return nil
}

View file

@ -47,6 +47,13 @@ type ProfileModifier interface {
Option(o Options) x509util.WithOption Option(o Options) x509util.WithOption
} }
// CertificateEnforcer is the interface used to modify a certificate after
// validation.
type CertificateEnforcer interface {
SignOption
Enforce(cert *x509.Certificate) error
}
// profileWithOption is a wrapper against x509util.WithOption to conform the // profileWithOption is a wrapper against x509util.WithOption to conform the
// interface. // interface.
type profileWithOption x509util.WithOption type profileWithOption x509util.WithOption

View file

@ -61,9 +61,10 @@ func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
// Sign creates a signed certificate from a certificate signing request. // Sign creates a signed certificate from a certificate signing request.
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) { func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
var ( var (
opts = []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)} opts = []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)} mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
certValidators = []provisioner.CertificateValidator{} certValidators = []provisioner.CertificateValidator{}
forcedModifiers = []provisioner.CertificateEnforcer{}
) )
// Set backdate with the configured value // Set backdate with the configured value
@ -79,6 +80,8 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
} }
case provisioner.ProfileModifier: case provisioner.ProfileModifier:
mods = append(mods, k.Option(signOpts)) mods = append(mods, k.Option(signOpts))
case provisioner.CertificateEnforcer:
forcedModifiers = append(forcedModifiers, k)
default: default:
return nil, errs.InternalServer("authority.Sign; invalid extra option type %T", append([]interface{}{k}, opts...)...) return nil, errs.InternalServer("authority.Sign; invalid extra option type %T", append([]interface{}{k}, opts...)...)
} }
@ -93,12 +96,20 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign", opts...) return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign", opts...)
} }
// Certificate validation
for _, v := range certValidators { for _, v := range certValidators {
if err := v.Valid(leaf.Subject(), signOpts); err != nil { if err := v.Valid(leaf.Subject(), signOpts); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...) return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
} }
} }
// Certificate modifier after validation
for _, m := range forcedModifiers {
if err := m.Enforce(leaf.Subject()); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
}
}
crtBytes, err := leaf.CreateCertificate() crtBytes, err := leaf.CreateCertificate()
if err != nil { if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, return nil, errs.Wrap(http.StatusInternalServerError, err,

View file

@ -41,6 +41,17 @@ type stepProvisionerASN1 struct {
CredentialID []byte CredentialID []byte
} }
type certificateDurationEnforcer struct {
NotBefore time.Time
NotAfter time.Time
}
func (m *certificateDurationEnforcer) Enforce(cert *x509.Certificate) error {
cert.NotBefore = m.NotBefore
cert.NotAfter = m.NotAfter
return nil
}
func withProvisionerOID(name, kid string) x509util.WithOption { func withProvisionerOID(name, kid string) x509util.WithOption {
return func(p x509util.Profile) error { return func(p x509util.Profile) error {
crt := p.Subject() crt := p.Subject()
@ -114,6 +125,8 @@ func TestAuthority_Sign(t *testing.T) {
csr *x509.CertificateRequest csr *x509.CertificateRequest
signOpts provisioner.Options signOpts provisioner.Options
extraOpts []provisioner.SignOption extraOpts []provisioner.SignOption
notBefore time.Time
notAfter time.Time
err error err error
code int code int
} }
@ -253,6 +266,31 @@ ZYtQ9Ot36qc=
csr: csr, csr: csr,
extraOpts: extraOpts, extraOpts: extraOpts,
signOpts: signOpts, signOpts: signOpts,
notBefore: signOpts.NotBefore.Time().Truncate(time.Second),
notAfter: signOpts.NotAfter.Time().Truncate(time.Second),
}
},
"ok with enforced modifier": func(t *testing.T) *signTest {
csr := getCSR(t, priv)
now := time.Now().UTC()
enforcedExtraOptions := append(extraOpts, &certificateDurationEnforcer{
NotBefore: now,
NotAfter: now.Add(365 * 24 * time.Hour),
})
_a := testAuthority(t)
_a.db = &db.MockAuthDB{
MStoreCertificate: func(crt *x509.Certificate) error {
assert.Equals(t, crt.Subject.CommonName, "smallstep test")
return nil
},
}
return &signTest{
auth: a,
csr: csr,
extraOpts: enforcedExtraOptions,
signOpts: signOpts,
notBefore: now.Truncate(time.Second),
notAfter: now.Add(365 * 24 * time.Hour).Truncate(time.Second),
} }
}, },
} }
@ -279,8 +317,8 @@ ZYtQ9Ot36qc=
leaf := certChain[0] leaf := certChain[0]
intermediate := certChain[1] intermediate := certChain[1]
if assert.Nil(t, tc.err) { if assert.Nil(t, tc.err) {
assert.Equals(t, leaf.NotBefore, signOpts.NotBefore.Time().Truncate(time.Second)) assert.Equals(t, leaf.NotBefore, tc.notBefore)
assert.Equals(t, leaf.NotAfter, signOpts.NotAfter.Time().Truncate(time.Second)) assert.Equals(t, leaf.NotAfter, tc.notAfter)
tmplt := a.config.AuthorityConfig.Template tmplt := a.config.AuthorityConfig.Template
assert.Equals(t, fmt.Sprintf("%v", leaf.Subject), assert.Equals(t, fmt.Sprintf("%v", leaf.Subject),
fmt.Sprintf("%v", &pkix.Name{ fmt.Sprintf("%v", &pkix.Name{