package mgmt
import (
"context"
"github.com/smallstep/certificates/authority/config"
"github.com/smallstep/certificates/linkedca"
"go.step.sm/crypto/jose"
)
/*
type unmarshalProvisioner struct {
	ID               string          `json:"-"`
	AuthorityID      string          `json:"-"`
	Type             string          `json:"type"`
	Name             string          `json:"name"`
	Claims           *Claims         `json:"claims"`
	Details          json.RawMessage `json:"details"`
	X509Template     string          `json:"x509Template"`
	X509TemplateData []byte          `json:"x509TemplateData"`
	SSHTemplate      string          `json:"sshTemplate"`
	SSHTemplateData  []byte          `json:"sshTemplateData"`
	Status           status.Type     `json:"status"`
}

type typ struct {
	Type linkedca.Provisioner_Type `json:"type"`
}

// UnmarshalJSON implements the Unmarshal interface.
func (p *Provisioner) UnmarshalJSON(b []byte) error {
	var (
		err error
		up  = new(unmarshalProvisioner)
	)
	if err = json.Unmarshal(b, up); err != nil {
		return WrapErrorISE(err, "error unmarshaling provisioner to intermediate type")
	}
	p.Details, err = UnmarshalProvisionerDetails(up.Details)
	if err = json.Unmarshal(b, up); err != nil {
		return WrapErrorISE(err, "error unmarshaling provisioner details")
	}

	p.ID = up.ID
	p.AuthorityID = up.AuthorityID
	p.Type = up.Type
	p.Name = up.Name
	p.Claims = up.Claims
	p.X509Template = up.X509Template
	p.X509TemplateData = up.X509TemplateData
	p.SSHTemplate = up.SSHTemplate
	p.SSHTemplateData = up.SSHTemplateData
	p.Status = up.Status

	return nil
}
*/
// NewDefaultClaims returns a linkedca.Claims whose X.509 and SSH duration
// limits (min, max and default) are copied from the authority's
// config.GlobalProvisionerClaims, rendered as duration strings, and whose
// DisableRenewal flag is config.DefaultDisableRenewal.
func NewDefaultClaims() *linkedca.Claims {
	// All three duration groups have the same shape; build them through one
	// local constructor so the field mapping is stated once.
	durations := func(minDur, maxDur, defaultDur string) *linkedca.Durations {
		return &linkedca.Durations{
			Min:     minDur,
			Max:     maxDur,
			Default: defaultDur,
		}
	}

	gc := config.GlobalProvisionerClaims

	x509 := &linkedca.X509Claims{
		Durations: durations(
			gc.MinTLSDur.String(),
			gc.MaxTLSDur.String(),
			gc.DefaultTLSDur.String(),
		),
	}
	ssh := &linkedca.SSHClaims{
		UserDurations: durations(
			gc.MinUserSSHDur.String(),
			gc.MaxUserSSHDur.String(),
			gc.DefaultUserSSHDur.String(),
		),
		HostDurations: durations(
			gc.MinHostSSHDur.String(),
			gc.MaxHostSSHDur.String(),
			gc.DefaultHostSSHDur.String(),
		),
	}

	return &linkedca.Claims{
		X509:           x509,
		Ssh:            ssh,
		DisableRenewal: config.DefaultDisableRenewal,
	}
}
// CreateFirstProvisioner generates a new JWK key pair, using password as the
// passphrase that protects the private key, wraps it in a JWK provisioner
// named "Admin JWK" with NewDefaultClaims, and stores it through db.
//
// The provisioner carries the marshaled JWK as PublicKey and the compact JWE
// serialization as EncryptedPrivateKey; nothing else derived from the key
// pair is retained. Every failure is returned wrapped by WrapErrorISE.
func CreateFirstProvisioner(ctx context.Context, db DB, password string) (*linkedca.Provisioner, error) {
	pubKey, encPrivKey, err := jose.GenerateDefaultKeyPair([]byte(password))
	if err != nil {
		return nil, WrapErrorISE(err, "error generating JWK key pair")
	}

	pubKeyJSON, err := pubKey.MarshalJSON()
	if err != nil {
		return nil, WrapErrorISE(err, "error marshaling JWK")
	}
	encPrivKeyCompact, err := encPrivKey.CompactSerialize()
	if err != nil {
		return nil, WrapErrorISE(err, "error serializing JWE")
	}

	jwkDetails := &linkedca.ProvisionerDetails_JWK{
		JWK: &linkedca.JWKProvisioner{
			PublicKey:           pubKeyJSON,
			EncryptedPrivateKey: []byte(encPrivKeyCompact),
		},
	}
	prov := &linkedca.Provisioner{
		Name:    "Admin JWK",
		Type:    linkedca.Provisioner_JWK,
		Claims:  NewDefaultClaims(),
		Details: &linkedca.ProvisionerDetails{Data: jwkDetails},
	}

	if err := db.CreateProvisioner(ctx, prov); err != nil {
		return nil, WrapErrorISE(err, "error creating provisioner")
	}
	return prov, nil
}