certificates/authority/authority.go

package authority

import (
	"crypto"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"sync"
	"time"

	"github.com/smallstep/certificates/templates"

	"github.com/pkg/errors"
	"github.com/smallstep/certificates/authority/provisioner"
	"github.com/smallstep/certificates/db"
	"github.com/smallstep/cli/crypto/pemutil"
	"github.com/smallstep/cli/crypto/x509util"
	"golang.org/x/crypto/ssh"
)

const (
	legacyAuthority = "step-certificate-authority"
)

// Authority implements the Certificate Authority internal interface.
type Authority struct {
	config                  *Config
	rootX509Certs           []*x509.Certificate
	intermediateIdentity    *x509util.Identity
	sshCAUserCertSignKey    ssh.Signer
	sshCAHostCertSignKey    ssh.Signer
	sshCAUserCerts          []ssh.PublicKey
	sshCAHostCerts          []ssh.PublicKey
	sshCAUserFederatedCerts []ssh.PublicKey
	sshCAHostFederatedCerts []ssh.PublicKey
	certificates            *sync.Map
	startTime               time.Time
	provisioners            *provisioner.Collection
	db                      db.AuthDB
	// Do not re-initialize
	initOnce bool
}

// Option sets options to the Authority.
type Option func(*Authority)

// WithDatabase sets an already initialized authority database to a new
// authority. This option is intended to be use on graceful reloads.
func WithDatabase(db db.AuthDB) Option {
	return func(a *Authority) {
		a.db = db
	}
}

// New creates and initiates a new Authority type.
func New(config *Config, opts ...Option) (*Authority, error) {
	err := config.Validate()
	if err != nil {
		return nil, err
	}

	var a = &Authority{
		config:       config,
		certificates: new(sync.Map),
		provisioners: provisioner.NewCollection(config.getAudiences()),
	}
	for _, opt := range opts {
		opt(a)
	}
	if err := a.init(); err != nil {
		return nil, err
	}
	return a, nil
}

// init performs validation and initializes the fields of an Authority struct.
func (a *Authority) init() error {
	// Check if handler has already been validated/initialized.
	if a.initOnce {
		return nil
	}

	var err error
	// Initialize step-ca Database if it's not already initialized with WithDB.
	// If a.config.DB is nil then a simple, barebones in memory DB will be used.
	if a.db == nil {
		if a.db, err = db.New(a.config.DB); err != nil {
			return err
		}
	}

	// Load the root certificates and add them to the certificate store
	a.rootX509Certs = make([]*x509.Certificate, len(a.config.Root))
	for i, path := range a.config.Root {
		crt, err := pemutil.ReadCertificate(path)
		if err != nil {
			return err
		}
		// Add root certificate to the certificate map
		sum := sha256.Sum256(crt.Raw)
		a.certificates.Store(hex.EncodeToString(sum[:]), crt)
		a.rootX509Certs[i] = crt
	}

	// Add federated roots
	for _, path := range a.config.FederatedRoots {
		crt, err := pemutil.ReadCertificate(path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(crt.Raw)
		a.certificates.Store(hex.EncodeToString(sum[:]), crt)
	}

	// Decrypt and load intermediate public / private key pair.
	if len(a.config.Password) > 0 {
		a.intermediateIdentity, err = x509util.LoadIdentityFromDisk(
			a.config.IntermediateCert,
			a.config.IntermediateKey,
			pemutil.WithPassword([]byte(a.config.Password)),
		)
		if err != nil {
			return err
		}
	} else {
		a.intermediateIdentity, err = x509util.LoadIdentityFromDisk(a.config.IntermediateCert, a.config.IntermediateKey)
		if err != nil {
			return err
		}
	}

	// Decrypt and load SSH keys
	if a.config.SSH != nil {
		if a.config.SSH.HostKey != "" {
			signer, err := parseCryptoSigner(a.config.SSH.HostKey, a.config.Password)
			if err != nil {
				return err
			}
			a.sshCAHostCertSignKey, err = ssh.NewSignerFromSigner(signer)
			if err != nil {
				return errors.Wrap(err, "error creating ssh signer")
			}
			// Append public key to list of host certs
			a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey())
			a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey())
		}
		if a.config.SSH.UserKey != "" {
			signer, err := parseCryptoSigner(a.config.SSH.UserKey, a.config.Password)
			if err != nil {
				return err
			}
			a.sshCAUserCertSignKey, err = ssh.NewSignerFromSigner(signer)
			if err != nil {
				return errors.Wrap(err, "error creating ssh signer")
			}
			// Append public key to list of user certs
			a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAHostCertSignKey.PublicKey())
			a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey())
		}

		// Append other public keys
		for _, key := range a.config.SSH.Keys {
			switch key.Type {
			case provisioner.SSHHostCert:
				if key.Federated {
					a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, key.PublicKey())
				} else {
					a.sshCAHostCerts = append(a.sshCAHostCerts, key.PublicKey())
				}
			case provisioner.SSHUserCert:
				if key.Federated {
					a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, key.PublicKey())
				} else {
					a.sshCAUserCerts = append(a.sshCAUserCerts, key.PublicKey())
				}
			default:
				return errors.Errorf("unsupported type %s", key.Type)
			}
		}
	}

	// Store all the provisioners
	for _, p := range a.config.AuthorityConfig.Provisioners {
		if err := a.provisioners.Store(p); err != nil {
			return err
		}
	}

	// Configure protected template variables:
	if t := a.config.Templates; t != nil {
		if t.Data == nil {
			t.Data = make(map[string]interface{})
		}
		var vars templates.Step
		if a.config.SSH != nil {
			if a.sshCAHostCertSignKey != nil {
				vars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
				vars.SSH.HostFederatedKeys = append(vars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts[1:]...)
			}
			if a.sshCAUserCertSignKey != nil {
				vars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
				vars.SSH.UserFederatedKeys = append(vars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts[1:]...)
			}
		}
		t.Data["Step"] = vars
	}

	// JWT numeric dates are seconds.
	a.startTime = time.Now().Truncate(time.Second)
	// Set flag indicating that initialization has been completed, and should
	// not be repeated.
	a.initOnce = true

	return nil
}

// GetDatabase returns the authority database. If the configuration does not
// define a database, GetDatabase will return a db.SimpleDB instance.
func (a *Authority) GetDatabase() db.AuthDB {
	return a.db
}

// Shutdown safely shuts down any clients, databases, etc. held by the Authority.
func (a *Authority) Shutdown() error {
	return a.db.Shutdown()
}

func parseCryptoSigner(filename, password string) (crypto.Signer, error) {
	var opts []pemutil.Options
	if password != "" {
		opts = append(opts, pemutil.WithPassword([]byte(password)))
	}
	key, err := pemutil.Read(filename, opts...)
	if err != nil {
		return nil, err
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, errors.Errorf("key %s of type %T cannot be used for signing operations", filename, key)
	}
	return signer, nil
}
first commit 2018-10-05 21:48:36 +00:00			`package authority`

			`import (`
Add initial implementation of an SSH CA using the JWK provisioner. Fixes smallstep/ca-component#187 2019-07-24 01:46:43 +00:00			`"crypto"`
first commit 2018-10-05 21:48:36 +00:00			`"crypto/sha256"`
Add initial support for federated root certificates. 2019-01-05 01:51:32 +00:00			`"crypto/x509"`
first commit 2018-10-05 21:48:36 +00:00			`"encoding/hex"`
			`"sync"`
			`"time"`

Add initial support for ssh config. Related to smallstep/cli#170 2019-10-04 02:03:38 +00:00			`"github.com/smallstep/certificates/templates"`

Allow to use custom SSH user/host key files. 2019-08-01 22:04:56 +00:00			`"github.com/pkg/errors"`
Use provisioner.Collection to store and request the provisioners. 2019-03-06 23:00:23 +00:00			`"github.com/smallstep/certificates/authority/provisioner"`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`"github.com/smallstep/certificates/db"`
first commit 2018-10-05 21:48:36 +00:00			`"github.com/smallstep/cli/crypto/pemutil"`
			`"github.com/smallstep/cli/crypto/x509util"`
Add initial implementation of ssh config. 2019-09-25 02:12:13 +00:00			`"golang.org/x/crypto/ssh"`
first commit 2018-10-05 21:48:36 +00:00			`)`

Add ACME CA capabilities 2019-05-27 00:41:10 +00:00			`const (`
			`legacyAuthority = "step-certificate-authority"`
			`)`
Set audience using the sign url. 2018-10-20 01:25:59 +00:00
first commit 2018-10-05 21:48:36 +00:00			`// Authority implements the Certificate Authority internal interface.`
			`type Authority struct {`
Add support for multiple ssh roots. Fixes #125 2019-10-09 01:09:41 +00:00			`config *Config`
			`rootX509Certs []*x509.Certificate`
			`intermediateIdentity *x509util.Identity`
			`sshCAUserCertSignKey ssh.Signer`
			`sshCAHostCertSignKey ssh.Signer`
			`sshCAUserCerts []ssh.PublicKey`
			`sshCAHostCerts []ssh.PublicKey`
			`sshCAUserFederatedCerts []ssh.PublicKey`
			`sshCAHostFederatedCerts []ssh.PublicKey`
			`certificates *sync.Map`
			`startTime time.Time`
			`provisioners *provisioner.Collection`
			`db db.AuthDB`
first commit 2018-10-05 21:48:36 +00:00			`// Do not re-initialize`
			`initOnce bool`
			`}`

Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170 2019-05-10 22:58:37 +00:00			`// Option sets options to the Authority.`
			`type Option func(*Authority)`

Fix comments. 2019-05-11 00:54:18 +00:00			`// WithDatabase sets an already initialized authority database to a new`
			`// authority. This option is intended to be use on graceful reloads.`
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170 2019-05-10 22:58:37 +00:00			`func WithDatabase(db db.AuthDB) Option {`
			`return func(a *Authority) {`
			`a.db = db`
			`}`
			`}`

first commit 2018-10-05 21:48:36 +00:00			`// New creates and initiates a new Authority type.`
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170 2019-05-10 22:58:37 +00:00			`func New(config Config, opts ...Option) (Authority, error) {`
Add backend support for provisioners with cursors. Fixes #83 2018-10-25 22:40:12 +00:00			`err := config.Validate()`
			`if err != nil {`
first commit 2018-10-05 21:48:36 +00:00			`return nil, err`
			`}`
Add backend support for provisioners with cursors. Fixes #83 2018-10-25 22:40:12 +00:00
first commit 2018-10-05 21:48:36 +00:00			`var a = &Authority{`
Use provisioner.Collection to store and request the provisioners. 2019-03-06 23:00:23 +00:00			`config: config,`
			`certificates: new(sync.Map),`
Validate audiences in the default provisioner. 2019-03-07 02:32:56 +00:00			`provisioners: provisioner.NewCollection(config.getAudiences()),`
first commit 2018-10-05 21:48:36 +00:00			`}`
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170 2019-05-10 22:58:37 +00:00			`for _, opt := range opts {`
			`opt(a)`
			`}`
first commit 2018-10-05 21:48:36 +00:00			`if err := a.init(); err != nil {`
			`return nil, err`
			`}`
			`return a, nil`
			`}`

			`// init performs validation and initializes the fields of an Authority struct.`
			`func (a *Authority) init() error {`
			`// Check if handler has already been validated/initialized.`
			`if a.initOnce {`
			`return nil`
			`}`

			`var err error`
Fix typo. 2019-05-10 23:04:30 +00:00			`// Initialize step-ca Database if it's not already initialized with WithDB.`
NoopDB -> SimpleDB 2019-05-07 18:38:27 +00:00			`// If a.config.DB is nil then a simple, barebones in memory DB will be used.`
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170 2019-05-10 22:58:37 +00:00			`if a.db == nil {`
			`if a.db, err = db.New(a.config.DB); err != nil {`
			`return err`
			`}`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`}`

Add support for multiple roots. 2019-01-07 23:30:28 +00:00			`// Load the root certificates and add them to the certificate store`
			`a.rootX509Certs = make([]*x509.Certificate, len(a.config.Root))`
			`for i, path := range a.config.Root {`
			`crt, err := pemutil.ReadCertificate(path)`
			`if err != nil {`
			`return err`
			`}`
			`// Add root certificate to the certificate map`
			`sum := sha256.Sum256(crt.Raw)`
			`a.certificates.Store(hex.EncodeToString(sum[:]), crt)`
			`a.rootX509Certs[i] = crt`
			`}`
first commit 2018-10-05 21:48:36 +00:00
Add initial support for federated root certificates. 2019-01-05 01:51:32 +00:00			`// Add federated roots`
			`for _, path := range a.config.FederatedRoots {`
			`crt, err := pemutil.ReadCertificate(path)`
			`if err != nil {`
			`return err`
			`}`
			`sum := sha256.Sum256(crt.Raw)`
			`a.certificates.Store(hex.EncodeToString(sum[:]), crt)`
			`}`

first commit 2018-10-05 21:48:36 +00:00			`// Decrypt and load intermediate public / private key pair.`
			`if len(a.config.Password) > 0 {`
			`a.intermediateIdentity, err = x509util.LoadIdentityFromDisk(`
			`a.config.IntermediateCert,`
			`a.config.IntermediateKey,`
			`pemutil.WithPassword([]byte(a.config.Password)),`
			`)`
			`if err != nil {`
			`return err`
			`}`
			`} else {`
			`a.intermediateIdentity, err = x509util.LoadIdentityFromDisk(a.config.IntermediateCert, a.config.IntermediateKey)`
			`if err != nil {`
			`return err`
			`}`
			`}`

Allow to use custom SSH user/host key files. 2019-08-01 22:04:56 +00:00			`// Decrypt and load SSH keys`
			`if a.config.SSH != nil {`
			`if a.config.SSH.HostKey != "" {`
Add initial implementation of ssh config. 2019-09-25 02:12:13 +00:00			`signer, err := parseCryptoSigner(a.config.SSH.HostKey, a.config.Password)`
Allow to use custom SSH user/host key files. 2019-08-01 22:04:56 +00:00			`if err != nil {`
			`return err`
			`}`
Add initial implementation of ssh config. 2019-09-25 02:12:13 +00:00			`a.sshCAHostCertSignKey, err = ssh.NewSignerFromSigner(signer)`
			`if err != nil {`
			`return errors.Wrap(err, "error creating ssh signer")`
			`}`
Add support for multiple ssh roots. Fixes #125 2019-10-09 01:09:41 +00:00			`// Append public key to list of host certs`
			`a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey())`
			`a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey())`
Allow to use custom SSH user/host key files. 2019-08-01 22:04:56 +00:00			`}`
			`if a.config.SSH.UserKey != "" {`
Add initial implementation of ssh config. 2019-09-25 02:12:13 +00:00			`signer, err := parseCryptoSigner(a.config.SSH.UserKey, a.config.Password)`
Allow to use custom SSH user/host key files. 2019-08-01 22:04:56 +00:00			`if err != nil {`
			`return err`
			`}`
Add initial implementation of ssh config. 2019-09-25 02:12:13 +00:00			`a.sshCAUserCertSignKey, err = ssh.NewSignerFromSigner(signer)`
			`if err != nil {`
			`return errors.Wrap(err, "error creating ssh signer")`
			`}`
Add support for multiple ssh roots. Fixes #125 2019-10-09 01:09:41 +00:00			`// Append public key to list of user certs`
			`a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAHostCertSignKey.PublicKey())`
			`a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey())`
			`}`

			`// Append other public keys`
			`for _, key := range a.config.SSH.Keys {`
			`switch key.Type {`
			`case provisioner.SSHHostCert:`
			`if key.Federated {`
			`a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, key.PublicKey())`
			`} else {`
			`a.sshCAHostCerts = append(a.sshCAHostCerts, key.PublicKey())`
			`}`
			`case provisioner.SSHUserCert:`
			`if key.Federated {`
			`a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, key.PublicKey())`
			`} else {`
			`a.sshCAUserCerts = append(a.sshCAUserCerts, key.PublicKey())`
			`}`
			`default:`
			`return errors.Errorf("unsupported type %s", key.Type)`
			`}`
Allow to use custom SSH user/host key files. 2019-08-01 22:04:56 +00:00			`}`
			`}`
Add initial implementation of an SSH CA using the JWK provisioner. Fixes smallstep/ca-component#187 2019-07-24 01:46:43 +00:00
Use provisioner.Collection to store and request the provisioners. 2019-03-06 23:00:23 +00:00			`// Store all the provisioners`
first commit 2018-10-05 21:48:36 +00:00			`for _, p := range a.config.AuthorityConfig.Provisioners {`
Use provisioner.Collection to store and request the provisioners. 2019-03-06 23:00:23 +00:00			`if err := a.provisioners.Store(p); err != nil {`
			`return err`
first commit 2018-10-05 21:48:36 +00:00			`}`
			`}`

Add initial support for ssh config. Related to smallstep/cli#170 2019-10-04 02:03:38 +00:00			`// Configure protected template variables:`
			`if t := a.config.Templates; t != nil {`
Add support for user data in templates. 2019-10-05 00:08:42 +00:00			`if t.Data == nil {`
			`t.Data = make(map[string]interface{})`
Add initial support for ssh config. Related to smallstep/cli#170 2019-10-04 02:03:38 +00:00			`}`
			`var vars templates.Step`
			`if a.config.SSH != nil {`
			`if a.sshCAHostCertSignKey != nil {`
			`vars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()`
Fix lint error. 2019-10-24 21:37:51 +00:00			`vars.SSH.HostFederatedKeys = append(vars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts[1:]...)`
Add initial support for ssh config. Related to smallstep/cli#170 2019-10-04 02:03:38 +00:00			`}`
			`if a.sshCAUserCertSignKey != nil {`
			`vars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()`
Fix lint error. 2019-10-24 21:37:51 +00:00			`vars.SSH.UserFederatedKeys = append(vars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts[1:]...)`
Add initial support for ssh config. Related to smallstep/cli#170 2019-10-04 02:03:38 +00:00			`}`
			`}`
Add support for user data in templates. 2019-10-05 00:08:42 +00:00			`t.Data["Step"] = vars`
Add initial support for ssh config. Related to smallstep/cli#170 2019-10-04 02:03:38 +00:00			`}`

Truncate to seconds the startTime to simplify tests. 2019-03-12 01:14:20 +00:00			`// JWT numeric dates are seconds.`
			`a.startTime = time.Now().Truncate(time.Second)`
first commit 2018-10-05 21:48:36 +00:00			`// Set flag indicating that initialization has been completed, and should`
			`// not be repeated.`
			`a.initOnce = true`

			`return nil`
			`}`
Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00
Fix comments. 2019-05-11 00:54:18 +00:00			`// GetDatabase returns the authority database. If the configuration does not`
			`// define a database, GetDatabase will return a db.SimpleDB instance.`
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170 2019-05-10 22:58:37 +00:00			`func (a *Authority) GetDatabase() db.AuthDB {`
			`return a.db`
			`}`

Add /revoke API with interface db backend 2019-03-05 08:07:13 +00:00			`// Shutdown safely shuts down any clients, databases, etc. held by the Authority.`
			`func (a *Authority) Shutdown() error {`
			`return a.db.Shutdown()`
			`}`
Allow to use custom SSH user/host key files. 2019-08-01 22:04:56 +00:00
			`func parseCryptoSigner(filename, password string) (crypto.Signer, error) {`
			`var opts []pemutil.Options`
			`if password != "" {`
			`opts = append(opts, pemutil.WithPassword([]byte(password)))`
			`}`
			`key, err := pemutil.Read(filename, opts...)`
			`if err != nil {`
			`return nil, err`
			`}`
			`signer, ok := key.(crypto.Signer)`
			`if !ok {`
			`return nil, errors.Errorf("key %s of type %T cannot be used for signing operations", filename, key)`
			`}`
			`return signer, nil`
			`}`