certificates/authority/provisioner/acme.go

174 lines
5.1 KiB
Go
Raw Normal View History

2019-05-27 00:41:10 +00:00
package provisioner
import (
"context"
"crypto/x509"
"net"
"time"
2019-05-27 00:41:10 +00:00
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/policy"
"github.com/smallstep/certificates/errs"
2019-05-27 00:41:10 +00:00
)
// ACME is the acme provisioner type, an entity that can authorize the ACME
// provisioning flow.
type ACME struct {
*base
ID string `json:"-"`
Type string `json:"type"`
Name string `json:"name"`
ForceCN bool `json:"forceCN,omitempty"`
// RequireEAB makes the provisioner require ACME EAB to be provided
// by clients when creating a new Account. If set to true, the provided
// EAB will be verified. If set to false and an EAB is provided, it is
// not verified. Defaults to false.
RequireEAB bool `json:"requireEAB,omitempty"`
Claims *Claims `json:"claims,omitempty"`
Options *Options `json:"options,omitempty"`
claimer *Claimer
x509Policy policy.X509Policy
2019-05-27 00:41:10 +00:00
}
// GetID returns the provisioner unique identifier.
func (p ACME) GetID() string {
2021-05-20 01:23:20 +00:00
if p.ID != "" {
return p.ID
}
return p.GetIDForToken()
}
// GetIDForToken returns an identifier that will be used to load the provisioner
// from a token.
func (p *ACME) GetIDForToken() string {
2019-05-27 00:41:10 +00:00
return "acme/" + p.Name
}
// GetTokenID returns the identifier of the token.
func (p *ACME) GetTokenID(ott string) (string, error) {
return "", errors.New("acme provisioner does not implement GetTokenID")
}
// GetName returns the name of the provisioner.
func (p *ACME) GetName() string {
return p.Name
}
// GetType returns the type of provisioner.
func (p *ACME) GetType() Type {
return TypeACME
}
// GetEncryptedKey returns the base provisioner encrypted key if it's defined.
func (p *ACME) GetEncryptedKey() (string, string, bool) {
return "", "", false
}
// GetOptions returns the configured provisioner options.
func (p *ACME) GetOptions() *Options {
return p.Options
}
// DefaultTLSCertDuration returns the default TLS cert duration enforced by
// the provisioner.
func (p *ACME) DefaultTLSCertDuration() time.Duration {
return p.claimer.DefaultTLSCertDuration()
}
// Init initializes and validates the fields of an ACME type.
2019-05-27 00:41:10 +00:00
func (p *ACME) Init(config Config) (err error) {
switch {
case p.Type == "":
return errors.New("provisioner type cannot be empty")
case p.Name == "":
return errors.New("provisioner name cannot be empty")
}
// Update claims with global ones
if p.claimer, err = NewClaimer(p.Claims, config.Claims); err != nil {
return err
}
// Initialize the x509 allow/deny policy engine
if p.x509Policy, err = policy.NewX509PolicyEngine(p.Options.GetX509Options()); err != nil {
return err
}
return nil
}
// ACMEIdentifierType encodes ACME Identifier types
type ACMEIdentifierType string
const (
// IP is the ACME ip identifier type
IP ACMEIdentifierType = "ip"
// DNS is the ACME dns identifier type
DNS ACMEIdentifierType = "dns"
)
// ACMEIdentifier encodes ACME Order Identifiers
type ACMEIdentifier struct {
Type ACMEIdentifierType
Value string
}
// AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a
// certificate for an ACME Order Identifier.
func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIdentifier) error {
// identifier is allowed if no policy is configured
if p.x509Policy == nil {
return nil
}
2022-01-03 14:32:58 +00:00
// assuming only valid identifiers (IP or DNS) are provided
var err error
switch identifier.Type {
case IP:
_, err = p.x509Policy.IsIPAllowed(net.ParseIP(identifier.Value))
case DNS:
_, err = p.x509Policy.IsDNSAllowed(identifier.Value)
}
2019-05-27 00:41:10 +00:00
return err
}
// AuthorizeSign does not do any validation, because all validation is handled
// in the ACME protocol. This method returns a list of modifiers / constraints
// on the resulting certificate.
func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
opts := []SignOption{
2019-09-05 01:31:09 +00:00
// modifiers / withOptions
2019-05-27 00:41:10 +00:00
newProvisionerExtensionOption(TypeACME, p.Name, ""),
newForceCNOption(p.ForceCN),
2019-09-05 01:31:09 +00:00
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
// validators
2019-05-27 00:41:10 +00:00
defaultPublicKeyValidator{},
2019-09-05 01:31:09 +00:00
newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
newX509NamePolicyValidator(p.x509Policy),
}
return opts, nil
2019-05-27 00:41:10 +00:00
}
2021-07-09 22:28:31 +00:00
// AuthorizeRevoke is called just before the certificate is to be revoked by
// the CA. It can be used to authorize revocation of a certificate. It
// currently is a no-op.
2021-11-28 20:20:57 +00:00
// TODO(hs): add configuration option that toggles revocation? Or change function signature to make it more useful?
2021-07-09 22:28:31 +00:00
// Or move certain logic out of the Revoke API to here? Would likely involve some more stuff in the ctx.
func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error {
return nil
}
// AuthorizeRenew returns an error if the renewal is disabled.
// NOTE: This method does not actually validate the certificate or check it's
// revocation status. Just confirms that the provisioner that created the
// certificate was configured to allow renewals.
func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
2019-05-27 00:41:10 +00:00
if p.claimer.IsDisableRenewal() {
return errs.Unauthorized("acme.AuthorizeRenew; renew is disabled for acme provisioner '%s'", p.GetName())
2019-05-27 00:41:10 +00:00
}
return nil
}