forked from TrueCloudLab/certificates
993 lines
33 KiB
Go
993 lines
33 KiB
Go
package authority
|
|
|
|
import (
|
|
"context"
|
|
"crypto"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"math/big"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/pkg/errors"
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
"go.step.sm/crypto/jose"
|
|
"go.step.sm/crypto/keyutil"
|
|
"go.step.sm/crypto/pemutil"
|
|
"go.step.sm/crypto/x509util"
|
|
|
|
"github.com/smallstep/certificates/authority/config"
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
|
casapi "github.com/smallstep/certificates/cas/apiv1"
|
|
"github.com/smallstep/certificates/db"
|
|
"github.com/smallstep/certificates/errs"
|
|
"github.com/smallstep/certificates/webhook"
|
|
"github.com/smallstep/nosql/database"
|
|
)
|
|
|
|
type tokenKey struct{}
|
|
|
|
// NewTokenContext adds the given token to the context.
|
|
func NewTokenContext(ctx context.Context, token string) context.Context {
|
|
return context.WithValue(ctx, tokenKey{}, token)
|
|
}
|
|
|
|
// TokenFromContext returns the token from the given context.
|
|
func TokenFromContext(ctx context.Context) (token string, ok bool) {
|
|
token, ok = ctx.Value(tokenKey{}).(string)
|
|
return
|
|
}
|
|
|
|
// GetTLSOptions returns the tls options configured.
|
|
func (a *Authority) GetTLSOptions() *config.TLSOptions {
|
|
return a.config.TLS
|
|
}
|
|
|
|
var (
|
|
oidAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
|
|
oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}
|
|
oidExtensionIssuingDistributionPoint = asn1.ObjectIdentifier{2, 5, 29, 28}
|
|
)
|
|
|
|
func withDefaultASN1DN(def *config.ASN1DN) provisioner.CertificateModifierFunc {
|
|
return func(crt *x509.Certificate, opts provisioner.SignOptions) error {
|
|
if def == nil {
|
|
return errors.New("default ASN1DN template cannot be nil")
|
|
}
|
|
if len(crt.Subject.Country) == 0 && def.Country != "" {
|
|
crt.Subject.Country = append(crt.Subject.Country, def.Country)
|
|
}
|
|
if len(crt.Subject.Organization) == 0 && def.Organization != "" {
|
|
crt.Subject.Organization = append(crt.Subject.Organization, def.Organization)
|
|
}
|
|
if len(crt.Subject.OrganizationalUnit) == 0 && def.OrganizationalUnit != "" {
|
|
crt.Subject.OrganizationalUnit = append(crt.Subject.OrganizationalUnit, def.OrganizationalUnit)
|
|
}
|
|
if len(crt.Subject.Locality) == 0 && def.Locality != "" {
|
|
crt.Subject.Locality = append(crt.Subject.Locality, def.Locality)
|
|
}
|
|
if len(crt.Subject.Province) == 0 && def.Province != "" {
|
|
crt.Subject.Province = append(crt.Subject.Province, def.Province)
|
|
}
|
|
if len(crt.Subject.StreetAddress) == 0 && def.StreetAddress != "" {
|
|
crt.Subject.StreetAddress = append(crt.Subject.StreetAddress, def.StreetAddress)
|
|
}
|
|
if crt.Subject.SerialNumber == "" && def.SerialNumber != "" {
|
|
crt.Subject.SerialNumber = def.SerialNumber
|
|
}
|
|
if crt.Subject.CommonName == "" && def.CommonName != "" {
|
|
crt.Subject.CommonName = def.CommonName
|
|
}
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// Sign creates a signed certificate from a certificate signing request.
|
|
func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
|
var (
|
|
certOptions []x509util.Option
|
|
certValidators []provisioner.CertificateValidator
|
|
certModifiers []provisioner.CertificateModifier
|
|
certEnforcers []provisioner.CertificateEnforcer
|
|
)
|
|
|
|
opts := []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
|
|
if err := csr.CheckSignature(); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.BadRequestErr(err, "invalid certificate request"),
|
|
opts...,
|
|
)
|
|
}
|
|
|
|
// Set backdate with the configured value
|
|
signOpts.Backdate = a.config.AuthorityConfig.Backdate.Duration
|
|
|
|
var prov provisioner.Interface
|
|
var pInfo *casapi.ProvisionerInfo
|
|
var attData *provisioner.AttestationData
|
|
var webhookCtl webhookController
|
|
for _, op := range extraOpts {
|
|
switch k := op.(type) {
|
|
// Capture current provisioner
|
|
case provisioner.Interface:
|
|
prov = k
|
|
pInfo = &casapi.ProvisionerInfo{
|
|
ID: prov.GetID(),
|
|
Type: prov.GetType().String(),
|
|
Name: prov.GetName(),
|
|
}
|
|
// Adds new options to NewCertificate
|
|
case provisioner.CertificateOptions:
|
|
certOptions = append(certOptions, k.Options(signOpts)...)
|
|
|
|
// Validate the given certificate request.
|
|
case provisioner.CertificateRequestValidator:
|
|
if err := k.Valid(csr); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.ForbiddenErr(err, "error validating certificate"),
|
|
opts...,
|
|
)
|
|
}
|
|
|
|
// Validates the unsigned certificate template.
|
|
case provisioner.CertificateValidator:
|
|
certValidators = append(certValidators, k)
|
|
|
|
// Modifies a certificate before validating it.
|
|
case provisioner.CertificateModifier:
|
|
certModifiers = append(certModifiers, k)
|
|
|
|
// Modifies a certificate after validating it.
|
|
case provisioner.CertificateEnforcer:
|
|
certEnforcers = append(certEnforcers, k)
|
|
|
|
// Extra information from ACME attestations.
|
|
case provisioner.AttestationData:
|
|
attData = &k
|
|
|
|
// Capture the provisioner's webhook controller
|
|
case webhookController:
|
|
webhookCtl = k
|
|
|
|
default:
|
|
return nil, errs.InternalServer("authority.Sign; invalid extra option type %T", append([]interface{}{k}, opts...)...)
|
|
}
|
|
}
|
|
|
|
if err := callEnrichingWebhooksX509(webhookCtl, attData, csr); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.ForbiddenErr(err, err.Error()),
|
|
errs.WithKeyVal("csr", csr),
|
|
errs.WithKeyVal("signOptions", signOpts),
|
|
)
|
|
}
|
|
|
|
cert, err := x509util.NewCertificate(csr, certOptions...)
|
|
if err != nil {
|
|
var te *x509util.TemplateError
|
|
if errors.As(err, &te) {
|
|
return nil, errs.ApplyOptions(
|
|
errs.BadRequestErr(err, err.Error()),
|
|
errs.WithKeyVal("csr", csr),
|
|
errs.WithKeyVal("signOptions", signOpts),
|
|
)
|
|
}
|
|
// explicitly check for unmarshaling errors, which are most probably caused by JSON template (syntax) errors
|
|
if strings.HasPrefix(err.Error(), "error unmarshaling certificate") {
|
|
return nil, errs.InternalServerErr(templatingError(err),
|
|
errs.WithKeyVal("csr", csr),
|
|
errs.WithKeyVal("signOptions", signOpts),
|
|
errs.WithMessage("error applying certificate template"),
|
|
)
|
|
}
|
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign", opts...)
|
|
}
|
|
|
|
// Certificate modifiers before validation
|
|
leaf := cert.GetCertificate()
|
|
|
|
// Set default subject
|
|
if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.ForbiddenErr(err, "error creating certificate"),
|
|
opts...,
|
|
)
|
|
}
|
|
|
|
for _, m := range certModifiers {
|
|
if err := m.Modify(leaf, signOpts); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.ForbiddenErr(err, "error creating certificate"),
|
|
opts...,
|
|
)
|
|
}
|
|
}
|
|
|
|
// Certificate validation.
|
|
for _, v := range certValidators {
|
|
if err := v.Valid(leaf, signOpts); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.ForbiddenErr(err, "error validating certificate"),
|
|
opts...,
|
|
)
|
|
}
|
|
}
|
|
|
|
// Certificate modifiers after validation
|
|
for _, m := range certEnforcers {
|
|
if err := m.Enforce(leaf); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.ForbiddenErr(err, "error creating certificate"),
|
|
opts...,
|
|
)
|
|
}
|
|
}
|
|
|
|
// Process injected modifiers after validation
|
|
for _, m := range a.x509Enforcers {
|
|
if err := m.Enforce(leaf); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.ForbiddenErr(err, "error creating certificate"),
|
|
opts...,
|
|
)
|
|
}
|
|
}
|
|
|
|
// Check if authority is allowed to sign the certificate
|
|
if err := a.isAllowedToSignX509Certificate(leaf); err != nil {
|
|
var ee *errs.Error
|
|
if errors.As(err, &ee) {
|
|
return nil, errs.ApplyOptions(ee, opts...)
|
|
}
|
|
return nil, errs.InternalServerErr(err,
|
|
errs.WithKeyVal("csr", csr),
|
|
errs.WithKeyVal("signOptions", signOpts),
|
|
errs.WithMessage("error creating certificate"),
|
|
)
|
|
}
|
|
|
|
// Send certificate to webhooks for authorization
|
|
if err := callAuthorizingWebhooksX509(webhookCtl, cert, leaf, attData); err != nil {
|
|
return nil, errs.ApplyOptions(
|
|
errs.ForbiddenErr(err, "error creating certificate"),
|
|
opts...,
|
|
)
|
|
}
|
|
|
|
// Sign certificate
|
|
lifetime := leaf.NotAfter.Sub(leaf.NotBefore.Add(signOpts.Backdate))
|
|
resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{
|
|
Template: leaf,
|
|
CSR: csr,
|
|
Lifetime: lifetime,
|
|
Backdate: signOpts.Backdate,
|
|
Provisioner: pInfo,
|
|
})
|
|
if err != nil {
|
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign; error creating certificate", opts...)
|
|
}
|
|
|
|
fullchain := append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...)
|
|
|
|
// Wrap provisioner with extra information.
|
|
prov = wrapProvisioner(prov, attData)
|
|
|
|
// Store certificate in the db.
|
|
if err = a.storeCertificate(prov, fullchain); err != nil {
|
|
if !errors.Is(err, db.ErrNotImplemented) {
|
|
return nil, errs.Wrap(http.StatusInternalServerError, err,
|
|
"authority.Sign; error storing certificate in db", opts...)
|
|
}
|
|
}
|
|
|
|
return fullchain, nil
|
|
}
|
|
|
|
// isAllowedToSignX509Certificate checks if the Authority is allowed
|
|
// to sign the X.509 certificate.
|
|
func (a *Authority) isAllowedToSignX509Certificate(cert *x509.Certificate) error {
|
|
if err := a.constraintsEngine.ValidateCertificate(cert); err != nil {
|
|
return err
|
|
}
|
|
return a.policyEngine.IsX509CertificateAllowed(cert)
|
|
}
|
|
|
|
// AreSANsAllowed evaluates the provided sans against the
|
|
// authority X.509 policy.
|
|
func (a *Authority) AreSANsAllowed(_ context.Context, sans []string) error {
|
|
return a.policyEngine.AreSANsAllowed(sans)
|
|
}
|
|
|
|
// Renew creates a new Certificate identical to the old certificate, except with
|
|
// a validity window that begins 'now'.
|
|
func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error) {
|
|
return a.RenewContext(context.Background(), oldCert, nil)
|
|
}
|
|
|
|
// Rekey is used for rekeying and renewing based on the public key. If the
|
|
// public key is 'nil' then it's assumed that the cert should be renewed using
|
|
// the existing public key. If the public key is not 'nil' then it's assumed
|
|
// that the cert should be rekeyed.
|
|
//
|
|
// For both Rekey and Renew all other attributes of the new certificate should
|
|
// match the old certificate. The exceptions are 'AuthorityKeyId' (which may
|
|
// have changed), 'SubjectKeyId' (different in case of rekey), and
|
|
// 'NotBefore/NotAfter' (the validity duration of the new certificate should be
|
|
// equal to the old one, but starting 'now').
|
|
func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error) {
|
|
return a.RenewContext(context.Background(), oldCert, pk)
|
|
}
|
|
|
|
// RenewContext creates a new certificate identical to the old one, but it can
|
|
// optionally replace the public key with the given one. When running on RA
|
|
// mode, it can only renew a certificate using a renew token instead.
|
|
//
|
|
// For both rekey and renew operations, all other attributes of the new
|
|
// certificate should match the old certificate. The exceptions are
|
|
// 'AuthorityKeyId' (which may have changed), 'SubjectKeyId' (different in case
|
|
// of rekey), and 'NotBefore/NotAfter' (the validity duration of the new
|
|
// certificate should be equal to the old one, but starting 'now').
|
|
func (a *Authority) RenewContext(ctx context.Context, oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error) {
|
|
isRekey := (pk != nil)
|
|
opts := []errs.Option{
|
|
errs.WithKeyVal("serialNumber", oldCert.SerialNumber.String()),
|
|
}
|
|
|
|
// Check step provisioner extensions
|
|
if err := a.authorizeRenew(ctx, oldCert); err != nil {
|
|
return nil, errs.StatusCodeError(http.StatusInternalServerError, err, opts...)
|
|
}
|
|
|
|
// Durations
|
|
backdate := a.config.AuthorityConfig.Backdate.Duration
|
|
duration := oldCert.NotAfter.Sub(oldCert.NotBefore)
|
|
lifetime := duration - backdate
|
|
|
|
// Create new certificate from previous values.
|
|
// Issuer, NotBefore, NotAfter and SubjectKeyId will be set by the CAS.
|
|
newCert := &x509.Certificate{
|
|
RawSubject: oldCert.RawSubject,
|
|
KeyUsage: oldCert.KeyUsage,
|
|
UnhandledCriticalExtensions: oldCert.UnhandledCriticalExtensions,
|
|
ExtKeyUsage: oldCert.ExtKeyUsage,
|
|
UnknownExtKeyUsage: oldCert.UnknownExtKeyUsage,
|
|
BasicConstraintsValid: oldCert.BasicConstraintsValid,
|
|
IsCA: oldCert.IsCA,
|
|
MaxPathLen: oldCert.MaxPathLen,
|
|
MaxPathLenZero: oldCert.MaxPathLenZero,
|
|
OCSPServer: oldCert.OCSPServer,
|
|
IssuingCertificateURL: oldCert.IssuingCertificateURL,
|
|
PermittedDNSDomainsCritical: oldCert.PermittedDNSDomainsCritical,
|
|
PermittedEmailAddresses: oldCert.PermittedEmailAddresses,
|
|
DNSNames: oldCert.DNSNames,
|
|
EmailAddresses: oldCert.EmailAddresses,
|
|
IPAddresses: oldCert.IPAddresses,
|
|
URIs: oldCert.URIs,
|
|
PermittedDNSDomains: oldCert.PermittedDNSDomains,
|
|
ExcludedDNSDomains: oldCert.ExcludedDNSDomains,
|
|
PermittedIPRanges: oldCert.PermittedIPRanges,
|
|
ExcludedIPRanges: oldCert.ExcludedIPRanges,
|
|
ExcludedEmailAddresses: oldCert.ExcludedEmailAddresses,
|
|
PermittedURIDomains: oldCert.PermittedURIDomains,
|
|
ExcludedURIDomains: oldCert.ExcludedURIDomains,
|
|
CRLDistributionPoints: oldCert.CRLDistributionPoints,
|
|
PolicyIdentifiers: oldCert.PolicyIdentifiers,
|
|
}
|
|
|
|
if isRekey {
|
|
newCert.PublicKey = pk
|
|
} else {
|
|
newCert.PublicKey = oldCert.PublicKey
|
|
}
|
|
|
|
// Copy all extensions except:
|
|
//
|
|
// 1. Authority Key Identifier - This one might be different if we rotate
|
|
// the intermediate certificate and it will cause a TLS bad certificate
|
|
// error.
|
|
//
|
|
// 2. Subject Key Identifier, if rekey - For rekey, SubjectKeyIdentifier
|
|
// extension will be calculated for the new public key by
|
|
// x509util.CreateCertificate()
|
|
for _, ext := range oldCert.Extensions {
|
|
if ext.Id.Equal(oidAuthorityKeyIdentifier) {
|
|
continue
|
|
}
|
|
if ext.Id.Equal(oidSubjectKeyIdentifier) && isRekey {
|
|
newCert.SubjectKeyId = nil
|
|
continue
|
|
}
|
|
newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext)
|
|
}
|
|
|
|
// Check if the certificate is allowed to be renewed, name constraints might
|
|
// change over time.
|
|
//
|
|
// TODO(hslatman,maraino): consider adding policies too and consider if
|
|
// RenewSSH should check policies.
|
|
if err := a.constraintsEngine.ValidateCertificate(newCert); err != nil {
|
|
var ee *errs.Error
|
|
if errors.As(err, &ee) {
|
|
return nil, errs.StatusCodeError(ee.StatusCode(), err, opts...)
|
|
}
|
|
return nil, errs.InternalServerErr(err,
|
|
errs.WithKeyVal("serialNumber", oldCert.SerialNumber.String()),
|
|
errs.WithMessage("error renewing certificate"),
|
|
)
|
|
}
|
|
|
|
// The token can optionally be in the context. If the CA is running in RA
|
|
// mode, this can be used to renew a certificate.
|
|
token, _ := TokenFromContext(ctx)
|
|
|
|
resp, err := a.x509CAService.RenewCertificate(&casapi.RenewCertificateRequest{
|
|
Template: newCert,
|
|
Lifetime: lifetime,
|
|
Backdate: backdate,
|
|
Token: token,
|
|
})
|
|
if err != nil {
|
|
return nil, errs.StatusCodeError(http.StatusInternalServerError, err, opts...)
|
|
}
|
|
|
|
fullchain := append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...)
|
|
if err = a.storeRenewedCertificate(oldCert, fullchain); err != nil {
|
|
if !errors.Is(err, db.ErrNotImplemented) {
|
|
return nil, errs.StatusCodeError(http.StatusInternalServerError, err, opts...)
|
|
}
|
|
}
|
|
|
|
return fullchain, nil
|
|
}
|
|
|
|
// storeCertificate allows to use an extension of the db.AuthDB interface that
|
|
// can log the full chain of certificates.
|
|
//
|
|
// TODO: at some point we should replace the db.AuthDB interface to implement
|
|
// `StoreCertificate(...*x509.Certificate) error` instead of just
|
|
// `StoreCertificate(*x509.Certificate) error`.
|
|
func (a *Authority) storeCertificate(prov provisioner.Interface, fullchain []*x509.Certificate) error {
|
|
type certificateChainStorer interface {
|
|
StoreCertificateChain(provisioner.Interface, ...*x509.Certificate) error
|
|
}
|
|
type certificateChainSimpleStorer interface {
|
|
StoreCertificateChain(...*x509.Certificate) error
|
|
}
|
|
|
|
// Store certificate in linkedca
|
|
switch s := a.adminDB.(type) {
|
|
case certificateChainStorer:
|
|
return s.StoreCertificateChain(prov, fullchain...)
|
|
case certificateChainSimpleStorer:
|
|
return s.StoreCertificateChain(fullchain...)
|
|
}
|
|
|
|
// Store certificate in local db
|
|
switch s := a.db.(type) {
|
|
case certificateChainStorer:
|
|
return s.StoreCertificateChain(prov, fullchain...)
|
|
case certificateChainSimpleStorer:
|
|
return s.StoreCertificateChain(fullchain...)
|
|
case db.CertificateStorer:
|
|
return s.StoreCertificate(fullchain[0])
|
|
default:
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// storeRenewedCertificate allows to use an extension of the db.AuthDB interface
|
|
// that can log if a certificate has been renewed or rekeyed.
|
|
//
|
|
// TODO: at some point we should implement this in the standard implementation.
|
|
func (a *Authority) storeRenewedCertificate(oldCert *x509.Certificate, fullchain []*x509.Certificate) error {
|
|
type renewedCertificateChainStorer interface {
|
|
StoreRenewedCertificate(*x509.Certificate, ...*x509.Certificate) error
|
|
}
|
|
|
|
// Store certificate in linkedca
|
|
if s, ok := a.adminDB.(renewedCertificateChainStorer); ok {
|
|
return s.StoreRenewedCertificate(oldCert, fullchain...)
|
|
}
|
|
|
|
// Store certificate in local db
|
|
switch s := a.db.(type) {
|
|
case renewedCertificateChainStorer:
|
|
return s.StoreRenewedCertificate(oldCert, fullchain...)
|
|
case db.CertificateStorer:
|
|
return s.StoreCertificate(fullchain[0])
|
|
default:
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// RevokeOptions are the options for the Revoke API.
|
|
type RevokeOptions struct {
|
|
Serial string
|
|
Reason string
|
|
ReasonCode int
|
|
PassiveOnly bool
|
|
MTLS bool
|
|
ACME bool
|
|
Crt *x509.Certificate
|
|
OTT string
|
|
}
|
|
|
|
// Revoke revokes a certificate.
|
|
//
|
|
// NOTE: Only supports passive revocation - prevent existing certificates from
|
|
// being renewed.
|
|
//
|
|
// TODO: Add OCSP and CRL support.
|
|
func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error {
|
|
opts := []interface{}{
|
|
errs.WithKeyVal("serialNumber", revokeOpts.Serial),
|
|
errs.WithKeyVal("reasonCode", revokeOpts.ReasonCode),
|
|
errs.WithKeyVal("reason", revokeOpts.Reason),
|
|
errs.WithKeyVal("passiveOnly", revokeOpts.PassiveOnly),
|
|
errs.WithKeyVal("MTLS", revokeOpts.MTLS),
|
|
errs.WithKeyVal("ACME", revokeOpts.ACME),
|
|
errs.WithKeyVal("context", provisioner.MethodFromContext(ctx).String()),
|
|
}
|
|
if revokeOpts.MTLS || revokeOpts.ACME {
|
|
opts = append(opts, errs.WithKeyVal("certificate", base64.StdEncoding.EncodeToString(revokeOpts.Crt.Raw)))
|
|
} else {
|
|
opts = append(opts, errs.WithKeyVal("token", revokeOpts.OTT))
|
|
}
|
|
|
|
rci := &db.RevokedCertificateInfo{
|
|
Serial: revokeOpts.Serial,
|
|
ReasonCode: revokeOpts.ReasonCode,
|
|
Reason: revokeOpts.Reason,
|
|
MTLS: revokeOpts.MTLS,
|
|
ACME: revokeOpts.ACME,
|
|
RevokedAt: time.Now().UTC(),
|
|
}
|
|
|
|
// For X509 CRLs attempt to get the expiration date of the certificate.
|
|
if provisioner.MethodFromContext(ctx) == provisioner.RevokeMethod {
|
|
if revokeOpts.Crt == nil {
|
|
cert, err := a.db.GetCertificate(revokeOpts.Serial)
|
|
if err == nil {
|
|
rci.ExpiresAt = cert.NotAfter
|
|
}
|
|
} else {
|
|
rci.ExpiresAt = revokeOpts.Crt.NotAfter
|
|
}
|
|
}
|
|
|
|
// If not mTLS nor ACME, then get the TokenID of the token.
|
|
if !(revokeOpts.MTLS || revokeOpts.ACME) {
|
|
token, err := jose.ParseSigned(revokeOpts.OTT)
|
|
if err != nil {
|
|
return errs.Wrap(http.StatusUnauthorized, err, "authority.Revoke; error parsing token", opts...)
|
|
}
|
|
|
|
// Get claims w/out verification.
|
|
var claims Claims
|
|
if err = token.UnsafeClaimsWithoutVerification(&claims); err != nil {
|
|
return errs.Wrap(http.StatusUnauthorized, err, "authority.Revoke", opts...)
|
|
}
|
|
|
|
// This method will also validate the audiences for JWK provisioners.
|
|
p, err := a.LoadProvisionerByToken(token, &claims.Claims)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
rci.ProvisionerID = p.GetID()
|
|
rci.TokenID, err = p.GetTokenID(revokeOpts.OTT)
|
|
if err != nil && !errors.Is(err, provisioner.ErrAllowTokenReuse) {
|
|
return errs.Wrap(http.StatusInternalServerError, err, "authority.Revoke; could not get ID for token")
|
|
}
|
|
opts = append(opts,
|
|
errs.WithKeyVal("provisionerID", rci.ProvisionerID),
|
|
errs.WithKeyVal("tokenID", rci.TokenID),
|
|
)
|
|
} else if p, err := a.LoadProvisionerByCertificate(revokeOpts.Crt); err == nil {
|
|
// Load the Certificate provisioner if one exists.
|
|
rci.ProvisionerID = p.GetID()
|
|
opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID))
|
|
}
|
|
|
|
failRevoke := func(err error) error {
|
|
switch {
|
|
case errors.Is(err, db.ErrNotImplemented):
|
|
return errs.NotImplemented("authority.Revoke; no persistence layer configured", opts...)
|
|
case errors.Is(err, db.ErrAlreadyExists):
|
|
return errs.ApplyOptions(
|
|
errs.BadRequest("certificate with serial number '%s' is already revoked", rci.Serial),
|
|
opts...,
|
|
)
|
|
default:
|
|
return errs.Wrap(http.StatusInternalServerError, err, "authority.Revoke", opts...)
|
|
}
|
|
}
|
|
|
|
if provisioner.MethodFromContext(ctx) == provisioner.SSHRevokeMethod {
|
|
if err := a.revokeSSH(nil, rci); err != nil {
|
|
return failRevoke(err)
|
|
}
|
|
} else {
|
|
// Revoke an X.509 certificate using CAS. If the certificate is not
|
|
// provided we will try to read it from the db. If the read fails we
|
|
// won't throw an error as it will be responsibility of the CAS
|
|
// implementation to require a certificate.
|
|
var revokedCert *x509.Certificate
|
|
if revokeOpts.Crt != nil {
|
|
revokedCert = revokeOpts.Crt
|
|
} else if rci.Serial != "" {
|
|
revokedCert, _ = a.db.GetCertificate(rci.Serial)
|
|
}
|
|
|
|
// CAS operation, note that SoftCAS (default) is a noop.
|
|
// The revoke happens when this is stored in the db.
|
|
_, err := a.x509CAService.RevokeCertificate(&casapi.RevokeCertificateRequest{
|
|
Certificate: revokedCert,
|
|
SerialNumber: rci.Serial,
|
|
Reason: rci.Reason,
|
|
ReasonCode: rci.ReasonCode,
|
|
PassiveOnly: revokeOpts.PassiveOnly,
|
|
})
|
|
if err != nil {
|
|
return errs.Wrap(http.StatusInternalServerError, err, "authority.Revoke", opts...)
|
|
}
|
|
|
|
// Save as revoked in the Db.
|
|
if err := a.revoke(revokedCert, rci); err != nil {
|
|
return failRevoke(err)
|
|
}
|
|
|
|
// Generate a new CRL so CRL requesters will always get an up-to-date
|
|
// CRL whenever they request it.
|
|
if a.config.CRL.IsEnabled() && a.config.CRL.GenerateOnRevoke {
|
|
if err := a.GenerateCertificateRevocationList(); err != nil {
|
|
return errs.Wrap(http.StatusInternalServerError, err, "authority.Revoke", opts...)
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *Authority) revoke(crt *x509.Certificate, rci *db.RevokedCertificateInfo) error {
|
|
if lca, ok := a.adminDB.(interface {
|
|
Revoke(*x509.Certificate, *db.RevokedCertificateInfo) error
|
|
}); ok {
|
|
return lca.Revoke(crt, rci)
|
|
}
|
|
return a.db.Revoke(rci)
|
|
}
|
|
|
|
func (a *Authority) revokeSSH(crt *ssh.Certificate, rci *db.RevokedCertificateInfo) error {
|
|
if lca, ok := a.adminDB.(interface {
|
|
RevokeSSH(*ssh.Certificate, *db.RevokedCertificateInfo) error
|
|
}); ok {
|
|
return lca.RevokeSSH(crt, rci)
|
|
}
|
|
return a.db.RevokeSSH(rci)
|
|
}
|
|
|
|
// GetCertificateRevocationList will return the currently generated CRL from the DB, or a not implemented
|
|
// error if the underlying AuthDB does not support CRLs
|
|
func (a *Authority) GetCertificateRevocationList() ([]byte, error) {
|
|
if !a.config.CRL.IsEnabled() {
|
|
return nil, errs.Wrap(http.StatusNotFound, errors.Errorf("Certificate Revocation Lists are not enabled"), "authority.GetCertificateRevocationList")
|
|
}
|
|
|
|
crlDB, ok := a.db.(db.CertificateRevocationListDB)
|
|
if !ok {
|
|
return nil, errs.Wrap(http.StatusNotImplemented, errors.Errorf("Database does not support Certificate Revocation Lists"), "authority.GetCertificateRevocationList")
|
|
}
|
|
|
|
crlInfo, err := crlDB.GetCRL()
|
|
if err != nil {
|
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.GetCertificateRevocationList")
|
|
}
|
|
|
|
return crlInfo.DER, nil
|
|
}
|
|
|
|
// GenerateCertificateRevocationList generates a DER representation of a signed CRL and stores it in the
|
|
// database. Returns nil if CRL generation has been disabled in the config
|
|
func (a *Authority) GenerateCertificateRevocationList() error {
|
|
if !a.config.CRL.IsEnabled() {
|
|
return nil
|
|
}
|
|
|
|
crlDB, ok := a.db.(db.CertificateRevocationListDB)
|
|
if !ok {
|
|
return errors.Errorf("Database does not support CRL generation")
|
|
}
|
|
|
|
// some CAS may not implement the CRLGenerator interface, so check before we proceed
|
|
caCRLGenerator, ok := a.x509CAService.(casapi.CertificateAuthorityCRLGenerator)
|
|
if !ok {
|
|
return errors.Errorf("CA does not support CRL Generation")
|
|
}
|
|
|
|
// use a mutex to ensure only one CRL is generated at a time to avoid
|
|
// concurrency issues
|
|
a.crlMutex.Lock()
|
|
defer a.crlMutex.Unlock()
|
|
|
|
crlInfo, err := crlDB.GetCRL()
|
|
if err != nil && !database.IsErrNotFound(err) {
|
|
return errors.Wrap(err, "could not retrieve CRL from database")
|
|
}
|
|
|
|
now := time.Now().Truncate(time.Second).UTC()
|
|
revokedList, err := crlDB.GetRevokedCertificates()
|
|
if err != nil {
|
|
return errors.Wrap(err, "could not retrieve revoked certificates list from database")
|
|
}
|
|
|
|
// Number is a monotonically increasing integer (essentially the CRL version
|
|
// number) that we need to keep track of and increase every time we generate
|
|
// a new CRL
|
|
var bn big.Int
|
|
if crlInfo != nil {
|
|
bn.SetInt64(crlInfo.Number + 1)
|
|
}
|
|
|
|
// Convert our database db.RevokedCertificateInfo types into the pkix
|
|
// representation ready for the CAS to sign it
|
|
var revokedCertificates []pkix.RevokedCertificate
|
|
skipExpiredTime := now.Add(-config.DefaultCRLExpiredDuration)
|
|
for _, revokedCert := range *revokedList {
|
|
// skip expired certificates
|
|
if !revokedCert.ExpiresAt.IsZero() && revokedCert.ExpiresAt.Before(skipExpiredTime) {
|
|
continue
|
|
}
|
|
|
|
var sn big.Int
|
|
sn.SetString(revokedCert.Serial, 10)
|
|
revokedCertificates = append(revokedCertificates, pkix.RevokedCertificate{
|
|
SerialNumber: &sn,
|
|
RevocationTime: revokedCert.RevokedAt,
|
|
Extensions: nil,
|
|
})
|
|
}
|
|
|
|
var updateDuration time.Duration
|
|
if a.config.CRL.CacheDuration != nil {
|
|
updateDuration = a.config.CRL.CacheDuration.Duration
|
|
} else if crlInfo != nil {
|
|
updateDuration = crlInfo.Duration
|
|
}
|
|
|
|
// Create a RevocationList representation ready for the CAS to sign
|
|
// TODO: allow SignatureAlgorithm to be specified?
|
|
revocationList := x509.RevocationList{
|
|
SignatureAlgorithm: 0,
|
|
RevokedCertificates: revokedCertificates,
|
|
Number: &bn,
|
|
ThisUpdate: now,
|
|
NextUpdate: now.Add(updateDuration),
|
|
}
|
|
|
|
// Set CRL IDP to config item, otherwise, leave as default
|
|
var fullName string
|
|
if a.config.CRL.IDPurl != "" {
|
|
fullName = a.config.CRL.IDPurl
|
|
} else {
|
|
fullName = a.config.Audience("/1.0/crl")[0]
|
|
}
|
|
|
|
// Add distribution point.
|
|
//
|
|
// Note that this is currently using the port 443 by default.
|
|
if b, err := marshalDistributionPoint(fullName, false); err == nil {
|
|
revocationList.ExtraExtensions = []pkix.Extension{
|
|
{Id: oidExtensionIssuingDistributionPoint, Critical: true, Value: b},
|
|
}
|
|
}
|
|
|
|
certificateRevocationList, err := caCRLGenerator.CreateCRL(&casapi.CreateCRLRequest{RevocationList: &revocationList})
|
|
if err != nil {
|
|
return errors.Wrap(err, "could not create CRL")
|
|
}
|
|
|
|
// Create a new db.CertificateRevocationListInfo, which stores the new Number we just generated, the
|
|
// expiry time, duration, and the DER-encoded CRL
|
|
newCRLInfo := db.CertificateRevocationListInfo{
|
|
Number: bn.Int64(),
|
|
ExpiresAt: revocationList.NextUpdate,
|
|
DER: certificateRevocationList.CRL,
|
|
Duration: updateDuration,
|
|
}
|
|
|
|
// Store the CRL in the database ready for retrieval by api endpoints
|
|
err = crlDB.StoreCRL(&newCRLInfo)
|
|
if err != nil {
|
|
return errors.Wrap(err, "could not store CRL in database")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetTLSCertificate creates a new leaf certificate to be used by the CA HTTPS server.
|
|
func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
|
|
fatal := func(err error) (*tls.Certificate, error) {
|
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.GetTLSCertificate")
|
|
}
|
|
|
|
// Generate default key.
|
|
priv, err := keyutil.GenerateDefaultKey()
|
|
if err != nil {
|
|
return fatal(err)
|
|
}
|
|
signer, ok := priv.(crypto.Signer)
|
|
if !ok {
|
|
return fatal(errors.New("private key is not a crypto.Signer"))
|
|
}
|
|
|
|
// prepare the sans: IPv6 DNS hostname representations are converted to their IP representation
|
|
sans := make([]string, len(a.config.DNSNames))
|
|
for i, san := range a.config.DNSNames {
|
|
if strings.HasPrefix(san, "[") && strings.HasSuffix(san, "]") {
|
|
if ip := net.ParseIP(san[1 : len(san)-1]); ip != nil {
|
|
san = ip.String()
|
|
}
|
|
}
|
|
sans[i] = san
|
|
}
|
|
|
|
// Create initial certificate request.
|
|
cr, err := x509util.CreateCertificateRequest(a.config.CommonName, sans, signer)
|
|
if err != nil {
|
|
return fatal(err)
|
|
}
|
|
|
|
// Generate certificate template directly from the certificate request.
|
|
template, err := x509util.NewCertificate(cr)
|
|
if err != nil {
|
|
return fatal(err)
|
|
}
|
|
|
|
// Get x509 certificate template, set validity and sign it.
|
|
now := time.Now()
|
|
certTpl := template.GetCertificate()
|
|
certTpl.NotBefore = now.Add(-1 * time.Minute)
|
|
certTpl.NotAfter = now.Add(24 * time.Hour)
|
|
|
|
// Policy and constraints require this fields to be set. At this moment they
|
|
// are only present in the extra extension.
|
|
certTpl.DNSNames = cr.DNSNames
|
|
certTpl.IPAddresses = cr.IPAddresses
|
|
certTpl.EmailAddresses = cr.EmailAddresses
|
|
certTpl.URIs = cr.URIs
|
|
|
|
// Fail if name constraints do not allow the server names.
|
|
if err := a.constraintsEngine.ValidateCertificate(certTpl); err != nil {
|
|
return fatal(err)
|
|
}
|
|
|
|
resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{
|
|
Template: certTpl,
|
|
CSR: cr,
|
|
Lifetime: 24 * time.Hour,
|
|
Backdate: 1 * time.Minute,
|
|
IsCAServerCert: true,
|
|
})
|
|
if err != nil {
|
|
return fatal(err)
|
|
}
|
|
|
|
// Generate PEM blocks to create tls.Certificate
|
|
pemBlocks := pem.EncodeToMemory(&pem.Block{
|
|
Type: "CERTIFICATE",
|
|
Bytes: resp.Certificate.Raw,
|
|
})
|
|
for _, crt := range resp.CertificateChain {
|
|
pemBlocks = append(pemBlocks, pem.EncodeToMemory(&pem.Block{
|
|
Type: "CERTIFICATE",
|
|
Bytes: crt.Raw,
|
|
})...)
|
|
}
|
|
keyPEM, err := pemutil.Serialize(priv)
|
|
if err != nil {
|
|
return fatal(err)
|
|
}
|
|
|
|
tlsCrt, err := tls.X509KeyPair(pemBlocks, pem.EncodeToMemory(keyPEM))
|
|
if err != nil {
|
|
return fatal(err)
|
|
}
|
|
// Set leaf certificate
|
|
tlsCrt.Leaf = resp.Certificate
|
|
return &tlsCrt, nil
|
|
}
|
|
|
|
// RFC 5280, 5.2.5
|
|
type distributionPoint struct {
|
|
DistributionPoint distributionPointName `asn1:"optional,tag:0"`
|
|
OnlyContainsUserCerts bool `asn1:"optional,tag:1"`
|
|
OnlyContainsCACerts bool `asn1:"optional,tag:2"`
|
|
OnlySomeReasons asn1.BitString `asn1:"optional,tag:3"`
|
|
IndirectCRL bool `asn1:"optional,tag:4"`
|
|
OnlyContainsAttributeCerts bool `asn1:"optional,tag:5"`
|
|
}
|
|
|
|
type distributionPointName struct {
|
|
FullName []asn1.RawValue `asn1:"optional,tag:0"`
|
|
RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
|
|
}
|
|
|
|
func marshalDistributionPoint(fullName string, isCA bool) ([]byte, error) {
|
|
return asn1.Marshal(distributionPoint{
|
|
DistributionPoint: distributionPointName{
|
|
FullName: []asn1.RawValue{
|
|
{Class: 2, Tag: 6, Bytes: []byte(fullName)},
|
|
},
|
|
},
|
|
OnlyContainsUserCerts: !isCA,
|
|
OnlyContainsCACerts: isCA,
|
|
})
|
|
}
|
|
|
|
// templatingError tries to extract more information about the cause of
|
|
// an error related to (most probably) malformed template data and adds
|
|
// this to the error message.
|
|
func templatingError(err error) error {
|
|
cause := errors.Cause(err)
|
|
var (
|
|
syntaxError *json.SyntaxError
|
|
typeError *json.UnmarshalTypeError
|
|
)
|
|
if errors.As(err, &syntaxError) {
|
|
// offset is arguably not super clear to the user, but it's the best we can do here
|
|
cause = fmt.Errorf("%w at offset %d", cause, syntaxError.Offset)
|
|
} else if errors.As(err, &typeError) {
|
|
// slightly rewriting the default error message to include the offset
|
|
cause = fmt.Errorf("cannot unmarshal %s at offset %d into Go value of type %s", typeError.Value, typeError.Offset, typeError.Type)
|
|
}
|
|
return errors.Wrap(cause, "error applying certificate template")
|
|
}
|
|
|
|
func callEnrichingWebhooksX509(webhookCtl webhookController, attData *provisioner.AttestationData, csr *x509.CertificateRequest) error {
|
|
if webhookCtl == nil {
|
|
return nil
|
|
}
|
|
var attested *webhook.AttestationData
|
|
if attData != nil {
|
|
attested = &webhook.AttestationData{
|
|
PermanentIdentifier: attData.PermanentIdentifier,
|
|
}
|
|
}
|
|
whEnrichReq, err := webhook.NewRequestBody(
|
|
webhook.WithX509CertificateRequest(csr),
|
|
webhook.WithAttestationData(attested),
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return webhookCtl.Enrich(whEnrichReq)
|
|
}
|
|
|
|
func callAuthorizingWebhooksX509(webhookCtl webhookController, cert *x509util.Certificate, leaf *x509.Certificate, attData *provisioner.AttestationData) error {
|
|
if webhookCtl == nil {
|
|
return nil
|
|
}
|
|
var attested *webhook.AttestationData
|
|
if attData != nil {
|
|
attested = &webhook.AttestationData{
|
|
PermanentIdentifier: attData.PermanentIdentifier,
|
|
}
|
|
}
|
|
whAuthBody, err := webhook.NewRequestBody(
|
|
webhook.WithX509Certificate(cert, leaf),
|
|
webhook.WithAttestationData(attested),
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return webhookCtl.Authorize(whAuthBody)
|
|
}
|