492256f2d7
Before this commit, EAB keys could be used CA-wide, meaning that an EAB credential could be used at any ACME provisioner. This commit changes that behavior, so that EAB credentials are now intended to be used with a specific ACME provisioner. I think that makes sense, because from the perspective of an ACME client the provisioner is like a distinct CA. Besides that this commit also includes the first tests for EAB. The logic for creating the EAB JWS as a client has been taken from github.com/mholt/acmez. This logic may be moved or otherwise sourced (i.e. from a vendor) as soon as the step client also (needs to) support(s) EAB with ACME.
package nosql
import (
"context"
"crypto/rand"
"encoding/json"
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/acme"
nosqlDB "github.com/smallstep/nosql"
"go.step.sm/crypto/jose"
)
// dbAccount is the record type under which an ACME account is persisted.
// getDBAccount decodes it from JSON, so the struct tags below define the
// stored field names.
type dbAccount struct {
	// ID is the account identifier; the record is looked up in accountTable
	// under this value.
	ID string `json:"id"`
	// Key is the account's JSON Web Key. CreateAccount derives the
	// key-ID -> account-ID index entry from it.
	Key *jose.JSONWebKey `json:"key"`
	// Contact holds the contact entries supplied for the account; it is
	// omitted from the JSON when empty.
	Contact []string `json:"contact,omitempty"`
	// Status is the ACME status of the account.
	Status acme.Status `json:"status"`
	// CreatedAt is set once, by CreateAccount.
	CreatedAt time.Time `json:"createdAt"`
	// DeactivatedAt is set by UpdateAccount when the status first changes to
	// deactivated. There is no omitempty, so the zero time is serialized
	// until then.
	DeactivatedAt time.Time `json:"deactivatedAt"`
}
// clone returns a pointer to a shallow copy of dba. Only the struct value is
// copied: the Key pointer and the Contact slice still refer to the same
// underlying data as the original.
func (dba *dbAccount) clone() *dbAccount {
	cp := new(dbAccount)
	*cp = *dba
	return cp
}
// dbExternalAccountKey is the record type under which an External Account
// Binding (EAB) key is persisted. getDBExternalAccountKey decodes it from
// JSON, so the struct tags below define the stored field names.
type dbExternalAccountKey struct {
	// ID is the key identifier; the record is looked up in
	// externalAccountKeyTable under this value.
	ID string `json:"id"`
	// ProvisionerName names the ACME provisioner the key was created for.
	// GetExternalAccountKey and UpdateExternalAccountKey reject requests made
	// under any other provisioner name.
	ProvisionerName string `json:"provisioner_name"`
	// Name is the caller-supplied name given to the key at creation.
	Name string `json:"name"`
	// AccountID is empty when the record is created; presumably it is filled
	// in once the key has been bound to an ACME account (confirm at the
	// binding call site).
	AccountID string `json:"accountID,omitempty"`
	// KeyBytes is the secret key material (32 bytes from crypto/rand, see
	// CreateExternalAccountKey). encoding/json writes a []byte as base64,
	// which is an encoding and not encryption: the secret sits in the record
	// in recoverable form, so access to the backing store must be restricted
	// accordingly.
	KeyBytes []byte `json:"key"`
	// CreatedAt is set once, by CreateExternalAccountKey.
	CreatedAt time.Time `json:"createdAt"`
	// BoundAt is the zero time when the record is created. There is no
	// omitempty, so the zero time is serialized until a caller sets it.
	BoundAt time.Time `json:"boundAt"`
}
// getAccountIDByKeyID resolves a key ID to the account ID stored for it in
// accountByKeyIDTable.
//
// It returns acme.ErrNotFound when the index has no entry for kid. Any other
// database error is wrapped; note that kid is written into that error message
// verbatim.
func (db *DB) getAccountIDByKeyID(ctx context.Context, kid string) (string, error) {
	raw, err := db.db.Get(accountByKeyIDTable, []byte(kid))
	switch {
	case err == nil:
		return string(raw), nil
	case nosqlDB.IsErrNotFound(err):
		return "", acme.ErrNotFound
	default:
		return "", errors.Wrapf(err, "error loading key-account index for key %s", kid)
	}
}
// getDBAccount loads the record stored under id in accountTable and decodes
// it from JSON into a dbAccount.
//
// It returns acme.ErrNotFound when no record exists for id, and a wrapped
// error when the read or the decoding fails.
func (db *DB) getDBAccount(ctx context.Context, id string) (*dbAccount, error) {
	raw, err := db.db.Get(accountTable, []byte(id))
	switch {
	case err == nil:
		// Record found; decode it below.
	case nosqlDB.IsErrNotFound(err):
		return nil, acme.ErrNotFound
	default:
		return nil, errors.Wrapf(err, "error loading account %s", id)
	}

	var rec dbAccount
	if err := json.Unmarshal(raw, &rec); err != nil {
		return nil, errors.Wrapf(err, "error unmarshaling account %s into dbAccount", id)
	}
	return &rec, nil
}
// getDBExternalAccountKey loads the record stored under id in
// externalAccountKeyTable and decodes it from JSON into a
// dbExternalAccountKey.
//
// It performs no provisioner check; that is left to the exported callers.
// It returns acme.ErrNotFound when no record exists for id, and a wrapped
// error when the read or the decoding fails.
func (db *DB) getDBExternalAccountKey(ctx context.Context, id string) (*dbExternalAccountKey, error) {
	raw, err := db.db.Get(externalAccountKeyTable, []byte(id))
	switch {
	case err == nil:
		// Record found; decode it below.
	case nosqlDB.IsErrNotFound(err):
		return nil, acme.ErrNotFound
	default:
		return nil, errors.Wrapf(err, "error loading external account key %s", id)
	}

	var rec dbExternalAccountKey
	if err := json.Unmarshal(raw, &rec); err != nil {
		return nil, errors.Wrapf(err, "error unmarshaling external account key %s into dbExternalAccountKey", id)
	}
	return &rec, nil
}
// GetAccount retrieves an ACME account by ID.
//
// Only ID, Key, Contact and Status are copied from the stored record; the
// stored CreatedAt and DeactivatedAt timestamps are not returned. Errors from
// getDBAccount (including acme.ErrNotFound) are passed through unchanged.
func (db *DB) GetAccount(ctx context.Context, id string) (*acme.Account, error) {
	rec, err := db.getDBAccount(ctx, id)
	if err != nil {
		return nil, err
	}

	acc := new(acme.Account)
	acc.ID = rec.ID
	acc.Key = rec.Key
	acc.Contact = rec.Contact
	acc.Status = rec.Status
	return acc, nil
}
// GetAccountByKeyID retrieves an ACME account by KeyID (thumbprint of the
// Account Key -- JWK).
//
// The key ID is first resolved to an account ID through the key-ID index and
// the account is then loaded with GetAccount. Errors from either step are
// passed through unchanged.
func (db *DB) GetAccountByKeyID(ctx context.Context, kid string) (*acme.Account, error) {
	accID, err := db.getAccountIDByKeyID(ctx, kid)
	if err == nil {
		return db.GetAccount(ctx, accID)
	}
	return nil, err
}
// CreateAccount implements the AcmeDB.CreateAccount interface.
//
// It assigns a fresh random ID to acc (acc.ID is overwritten, also when a
// later step fails), claims the key-ID -> account-ID index entry and then
// stores the account record. If the index entry for the account key already
// exists the call fails, so a given key cannot be indexed to two accounts.
func (db *DB) CreateAccount(ctx context.Context, acc *acme.Account) error {
	var err error
	if acc.ID, err = randID(); err != nil {
		return err
	}

	rec := &dbAccount{
		ID:        acc.ID,
		Key:       acc.Key,
		Contact:   acc.Contact,
		Status:    acc.Status,
		CreatedAt: clock.Now(),
	}

	kid, err := acme.KeyToID(rec.Key)
	if err != nil {
		return err
	}
	indexKey := []byte(kid)

	// Claim the jwkID -> acme account ID index entry. The expected old value
	// is nil, so the swap only succeeds when no entry exists yet.
	_, swapped, err := db.db.CmpAndSwap(accountByKeyIDTable, indexKey, nil, []byte(acc.ID))
	if err != nil {
		return errors.Wrap(err, "error storing keyID to accountID index")
	}
	if !swapped {
		return errors.Errorf("key-id to account-id index already exists")
	}

	if err = db.save(ctx, acc.ID, rec, nil, "account", accountTable); err != nil {
		// Best-effort rollback of the index entry claimed above. The result
		// of Del is not checked: if it fails, the index keeps pointing at an
		// account record that was never written, and a later CreateAccount
		// with the same key is rejected by the CmpAndSwap above.
		db.db.Del(accountByKeyIDTable, indexKey)
		return err
	}
	return nil
}
// UpdateAccount implements the AcmeDB.UpdateAccount interface.
//
// Only Contact and Status are taken from acc. ID, Key and CreatedAt are
// carried over from the stored record, so this method cannot be used to
// replace an account's key.
func (db *DB) UpdateAccount(ctx context.Context, acc *acme.Account) error {
	prev, err := db.getDBAccount(ctx, acc.ID)
	if err != nil {
		return err
	}

	next := prev.clone()
	next.Contact, next.Status = acc.Contact, acc.Status

	// Stamp the deactivation time only on the transition into 'deactivated',
	// so that repeated updates of an already deactivated account keep the
	// original timestamp.
	becameDeactivated := acc.Status == acme.StatusDeactivated && prev.Status != acme.StatusDeactivated
	if becameDeactivated {
		next.DeactivatedAt = clock.Now()
	}

	// prev is handed to save as the old value; presumably save uses it for a
	// compare-and-swap against the stored record (confirm in save).
	return db.save(ctx, prev.ID, next, prev, "account", accountTable)
}
// CreateExternalAccountKey creates a new External Account Binding key with a
// name, tied to the provisioner named provisionerName.
//
// The key ID comes from randID and the key material is 32 bytes read from
// crypto/rand. The returned value carries that secret in KeyBytes (the same
// slice that was stored), so callers should keep it out of logs and error
// messages. AccountID and BoundAt are left at their zero values.
func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerName string, name string) (*acme.ExternalAccountKey, error) {
	keyID, err := randID()
	if err != nil {
		return nil, err
	}

	secret := make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, err
	}

	rec := &dbExternalAccountKey{
		ID:              keyID,
		ProvisionerName: provisionerName,
		Name:            name,
		KeyBytes:        secret,
		CreatedAt:       clock.Now(),
	}

	// The old value passed to save is nil because the record is new.
	if err = db.save(ctx, keyID, rec, nil, "external_account_key", externalAccountKeyTable); err != nil {
		return nil, err
	}

	eak := &acme.ExternalAccountKey{
		ID:              rec.ID,
		ProvisionerName: rec.ProvisionerName,
		Name:            rec.Name,
		AccountID:       rec.AccountID,
		KeyBytes:        rec.KeyBytes,
		CreatedAt:       rec.CreatedAt,
		BoundAt:         rec.BoundAt,
	}
	return eak, nil
}
// GetExternalAccountKey retrieves an External Account Binding key by KeyID
// and returns it only when it was created for the provisioner named
// provisionerName.
//
// The provisioner check runs after the lookup: an unknown key ID yields the
// lookup error (acme.ErrNotFound), while a key stored for a different
// provisioner yields an ACME error of type acme.ErrorUnauthorizedType.
// Callers that relay these errors to clients therefore reveal whether a key
// ID exists under another provisioner. The returned value includes the
// secret KeyBytes.
func (db *DB) GetExternalAccountKey(ctx context.Context, provisionerName string, keyID string) (*acme.ExternalAccountKey, error) {
	rec, err := db.getDBExternalAccountKey(ctx, keyID)
	switch {
	case err != nil:
		return nil, err
	case rec.ProvisionerName != provisionerName:
		return nil, acme.NewError(acme.ErrorUnauthorizedType, "name of provisioner does not match provisioner for which the EAB key was created")
	}

	eak := &acme.ExternalAccountKey{
		ID:              rec.ID,
		ProvisionerName: rec.ProvisionerName,
		Name:            rec.Name,
		AccountID:       rec.AccountID,
		KeyBytes:        rec.KeyBytes,
		CreatedAt:       rec.CreatedAt,
		BoundAt:         rec.BoundAt,
	}
	return eak, nil
}
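// UpdateExternalAccountKey overwrites the stored External Account Binding key
// identified by eak.ID with the values in eak.
//
// The update is refused with an ACME error of type
// acme.ErrorUnauthorizedType when the stored key belongs to a provisioner
// other than provisionerName, or when eak.ProvisionerName differs from the
// stored provisioner. The second check matters because every field of the
// new record, ProvisionerName included, is taken from eak: without it a
// caller that passes the first check could rewrite the record so that the
// key becomes valid for a different provisioner, which defeats the
// per-provisioner scoping of EAB keys.
//
// Errors from loading the stored record (including acme.ErrNotFound) and
// from save are returned unchanged.
func (db *DB) UpdateExternalAccountKey(ctx context.Context, provisionerName string, eak *acme.ExternalAccountKey) error {
	old, err := db.getDBExternalAccountKey(ctx, eak.ID)
	if err != nil {
		return err
	}

	// The caller must be acting for the provisioner that owns the key.
	if old.ProvisionerName != provisionerName {
		return acme.NewError(acme.ErrorUnauthorizedType, "name of provisioner does not match provisioner for which the EAB key was created")
	}

	// The update itself must not move the key to another provisioner.
	if old.ProvisionerName != eak.ProvisionerName {
		return acme.NewError(acme.ErrorUnauthorizedType, "name of provisioner does not match provisioner for which the EAB key was created")
	}

	// NOTE(review): Name, KeyBytes and CreatedAt are also taken from eak as
	// given; callers are expected to pass back the values they loaded.
	nu := dbExternalAccountKey{
		ID:              eak.ID,
		ProvisionerName: eak.ProvisionerName,
		Name:            eak.Name,
		AccountID:       eak.AccountID,
		KeyBytes:        eak.KeyBytes,
		CreatedAt:       eak.CreatedAt,
		BoundAt:         eak.BoundAt,
	}

	// old is handed to save as the old value; presumably save uses it for a
	// compare-and-swap against the stored record (confirm in save).
	return db.save(ctx, nu.ID, nu, old, "external_account_key", externalAccountKeyTable)
}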