2019-03-05 01:58:20 +00:00
package provisioner
import (
2019-08-27 00:52:49 +00:00
"crypto/ecdsa"
2020-08-05 23:02:46 +00:00
"crypto/ed25519"
2019-08-27 00:52:49 +00:00
"crypto/rsa"
2019-03-05 01:58:20 +00:00
"crypto/x509"
2019-03-06 22:58:46 +00:00
"crypto/x509/pkix"
"encoding/asn1"
2020-07-08 02:00:06 +00:00
"encoding/json"
2021-05-06 20:56:28 +00:00
"fmt"
2019-03-06 22:58:46 +00:00
"net"
2020-06-23 18:10:45 +00:00
"net/url"
2019-03-06 22:58:46 +00:00
"reflect"
"time"
2019-03-05 01:58:20 +00:00
"github.com/pkg/errors"
2020-08-05 23:02:46 +00:00
"go.step.sm/crypto/x509util"
2019-03-05 01:58:20 +00:00
)
2020-07-21 02:01:43 +00:00
// DefaultCertValidity is the default validity for a certificate if none is specified.
const DefaultCertValidity = 24 * time . Hour
2020-07-23 01:24:45 +00:00
// SignOptions contains the options that can be passed to the Sign method. Backdate
2020-01-03 01:48:28 +00:00
// is automatically filled and can only be configured in the CA.
2020-07-23 01:24:45 +00:00
type SignOptions struct {
2020-07-13 18:39:28 +00:00
NotAfter TimeDuration ` json:"notAfter" `
NotBefore TimeDuration ` json:"notBefore" `
TemplateData json . RawMessage ` json:"templateData" `
Backdate time . Duration ` json:"-" `
2019-03-07 23:14:18 +00:00
}
2019-03-05 01:58:20 +00:00
// SignOption is the interface used to collect all extra options used in the
// Sign method.
type SignOption interface { }
2020-07-08 02:00:06 +00:00
// CertificateValidator is an interface used to validate a given X.509 certificate.
2019-03-05 01:58:20 +00:00
type CertificateValidator interface {
2020-07-23 01:24:45 +00:00
Valid ( cert * x509 . Certificate , opts SignOptions ) error
2019-03-05 01:58:20 +00:00
}
2020-07-08 02:00:06 +00:00
// CertificateRequestValidator is an interface used to validate a given X.509 certificate request.
2019-03-05 01:58:20 +00:00
type CertificateRequestValidator interface {
2020-07-08 02:00:06 +00:00
Valid ( cr * x509 . CertificateRequest ) error
2019-03-05 01:58:20 +00:00
}
2020-07-08 02:00:06 +00:00
// CertificateModifier is an interface used to modify a given X.509 certificate.
// Types implementing this interface will be validated with a
// CertificateValidator.
type CertificateModifier interface {
2020-07-23 01:24:45 +00:00
Modify ( cert * x509 . Certificate , opts SignOptions ) error
2019-03-05 01:58:20 +00:00
}
2020-07-08 02:00:06 +00:00
// CertificateEnforcer is an interface used to modify a given X.509 certificate.
// Types implemented this interface will NOT be validated with a
// CertificateValidator.
2020-03-31 18:41:36 +00:00
type CertificateEnforcer interface {
Enforce ( cert * x509 . Certificate ) error
2020-03-31 00:33:04 +00:00
}
2020-07-13 18:39:28 +00:00
// CertificateModifierFunc allows to create simple certificate modifiers just
// with a function.
2020-07-23 01:24:45 +00:00
type CertificateModifierFunc func ( cert * x509 . Certificate , opts SignOptions ) error
2020-07-13 18:39:28 +00:00
// Modify implements CertificateModifier and just calls the defined function.
2020-07-23 01:24:45 +00:00
func ( fn CertificateModifierFunc ) Modify ( cert * x509 . Certificate , opts SignOptions ) error {
2020-07-13 18:39:28 +00:00
return fn ( cert , opts )
}
// CertificateEnforcerFunc allows to create simple certificate enforcer just
// with a function.
type CertificateEnforcerFunc func ( cert * x509 . Certificate ) error
2020-08-21 01:48:17 +00:00
// Enforce implements CertificateEnforcer and just calls the defined function.
2020-07-13 18:39:28 +00:00
func ( fn CertificateEnforcerFunc ) Enforce ( cert * x509 . Certificate ) error {
return fn ( cert )
}
2019-03-05 01:58:20 +00:00
// emailOnlyIdentity is a CertificateRequestValidator that checks that the only
// SAN provided is the given email address.
type emailOnlyIdentity string
func ( e emailOnlyIdentity ) Valid ( req * x509 . CertificateRequest ) error {
switch {
case len ( req . DNSNames ) > 0 :
return errors . New ( "certificate request cannot contain DNS names" )
case len ( req . IPAddresses ) > 0 :
return errors . New ( "certificate request cannot contain IP addresses" )
case len ( req . URIs ) > 0 :
return errors . New ( "certificate request cannot contain URIs" )
case len ( req . EmailAddresses ) == 0 :
return errors . New ( "certificate request does not contain any email address" )
case len ( req . EmailAddresses ) > 1 :
2019-08-27 00:52:49 +00:00
return errors . New ( "certificate request contains too many email addresses" )
2019-03-11 20:25:19 +00:00
case req . EmailAddresses [ 0 ] == "" :
return errors . New ( "certificate request cannot contain an empty email address" )
2019-03-05 01:58:20 +00:00
case req . EmailAddresses [ 0 ] != string ( e ) :
2019-03-06 22:58:46 +00:00
return errors . Errorf ( "certificate request does not contain the valid email address, got %s, want %s" , req . EmailAddresses [ 0 ] , e )
2019-03-05 01:58:20 +00:00
default :
return nil
}
}
2019-03-06 22:58:46 +00:00
2019-08-27 00:52:49 +00:00
// defaultPublicKeyValidator validates the public key of a certificate request.
type defaultPublicKeyValidator struct { }
// Valid checks that certificate request common name matches the one configured.
func ( v defaultPublicKeyValidator ) Valid ( req * x509 . CertificateRequest ) error {
switch k := req . PublicKey . ( type ) {
case * rsa . PublicKey :
if k . Size ( ) < 256 {
return errors . New ( "rsa key in CSR must be at least 2048 bits (256 bytes)" )
}
case * ecdsa . PublicKey , ed25519 . PublicKey :
default :
return errors . Errorf ( "unrecognized public key of type '%T' in CSR" , k )
}
return nil
}
2021-05-06 20:56:28 +00:00
// publicKeyMinimumLengthValidator validates the length (in bits) of the public key
// of a certificate request is at least a certain length
type publicKeyMinimumLengthValidator struct {
length int
}
// newPublicKeyMinimumLengthValidator creates a new publicKeyMinimumLengthValidator
// with the given length as its minimum value
// TODO: change the defaultPublicKeyValidator to have a configurable length instead?
func newPublicKeyMinimumLengthValidator ( length int ) publicKeyMinimumLengthValidator {
return publicKeyMinimumLengthValidator {
length : length ,
}
}
// Valid checks that certificate request common name matches the one configured.
func ( v publicKeyMinimumLengthValidator ) Valid ( req * x509 . CertificateRequest ) error {
switch k := req . PublicKey . ( type ) {
case * rsa . PublicKey :
minimumLengthInBytes := v . length / 8
if k . Size ( ) < minimumLengthInBytes {
return fmt . Errorf ( "rsa key in CSR must be at least %d bits (%d bytes)" , v . length , minimumLengthInBytes )
}
case * ecdsa . PublicKey , ed25519 . PublicKey :
default :
return errors . Errorf ( "unrecognized public key of type '%T' in CSR" , k )
}
return nil
}
2019-03-06 22:58:46 +00:00
// commonNameValidator validates the common name of a certificate request.
type commonNameValidator string
// Valid checks that certificate request common name matches the one configured.
2020-04-20 17:43:33 +00:00
// An empty common name is considered valid.
2019-03-06 22:58:46 +00:00
func ( v commonNameValidator ) Valid ( req * x509 . CertificateRequest ) error {
if req . Subject . CommonName == "" {
2020-04-20 17:43:33 +00:00
return nil
2019-03-06 22:58:46 +00:00
}
if req . Subject . CommonName != string ( v ) {
2019-12-20 21:30:05 +00:00
return errors . Errorf ( "certificate request does not contain the valid common name; requested common name = %s, token subject = %s" , req . Subject . CommonName , v )
2019-03-06 22:58:46 +00:00
}
return nil
}
2020-04-20 17:43:33 +00:00
// commonNameSliceValidator validates thats the common name of a certificate
// request is present in the slice. An empty common name is considered valid.
2019-07-15 22:52:36 +00:00
type commonNameSliceValidator [ ] string
func ( v commonNameSliceValidator ) Valid ( req * x509 . CertificateRequest ) error {
if req . Subject . CommonName == "" {
2020-04-20 17:43:33 +00:00
return nil
2019-07-15 22:52:36 +00:00
}
for _ , cn := range v {
if req . Subject . CommonName == cn {
return nil
}
}
return errors . Errorf ( "certificate request does not contain the valid common name, got %s, want %s" , req . Subject . CommonName , v )
}
2019-03-06 22:58:46 +00:00
// dnsNamesValidator validates the DNS names SAN of a certificate request.
type dnsNamesValidator [ ] string
2019-03-09 02:09:35 +00:00
// Valid checks that certificate request DNS Names match those configured in
// the bootstrap (token) flow.
2019-03-06 22:58:46 +00:00
func ( v dnsNamesValidator ) Valid ( req * x509 . CertificateRequest ) error {
2021-01-14 21:26:46 +00:00
if len ( req . DNSNames ) == 0 {
return nil
}
2019-03-06 22:58:46 +00:00
want := make ( map [ string ] bool )
for _ , s := range v {
want [ s ] = true
}
got := make ( map [ string ] bool )
for _ , s := range req . DNSNames {
got [ s ] = true
}
if ! reflect . DeepEqual ( want , got ) {
return errors . Errorf ( "certificate request does not contain the valid DNS names - got %v, want %v" , req . DNSNames , v )
}
return nil
}
// ipAddressesValidator validates the IP addresses SAN of a certificate request.
type ipAddressesValidator [ ] net . IP
2019-03-09 02:09:35 +00:00
// Valid checks that certificate request IP Addresses match those configured in
// the bootstrap (token) flow.
2019-03-06 22:58:46 +00:00
func ( v ipAddressesValidator ) Valid ( req * x509 . CertificateRequest ) error {
2021-01-14 21:26:46 +00:00
if len ( req . IPAddresses ) == 0 {
return nil
}
2019-03-06 22:58:46 +00:00
want := make ( map [ string ] bool )
for _ , ip := range v {
want [ ip . String ( ) ] = true
}
got := make ( map [ string ] bool )
for _ , ip := range req . IPAddresses {
got [ ip . String ( ) ] = true
}
if ! reflect . DeepEqual ( want , got ) {
return errors . Errorf ( "IP Addresses claim failed - got %v, want %v" , req . IPAddresses , v )
}
return nil
}
2019-08-23 19:09:16 +00:00
// emailAddressesValidator validates the email address SANs of a certificate request.
type emailAddressesValidator [ ] string
// Valid checks that certificate request IP Addresses match those configured in
// the bootstrap (token) flow.
func ( v emailAddressesValidator ) Valid ( req * x509 . CertificateRequest ) error {
2021-01-14 21:26:46 +00:00
if len ( req . EmailAddresses ) == 0 {
return nil
}
2019-08-23 19:09:16 +00:00
want := make ( map [ string ] bool )
for _ , s := range v {
want [ s ] = true
}
got := make ( map [ string ] bool )
for _ , s := range req . EmailAddresses {
got [ s ] = true
}
if ! reflect . DeepEqual ( want , got ) {
return errors . Errorf ( "certificate request does not contain the valid Email Addresses - got %v, want %v" , req . EmailAddresses , v )
}
return nil
}
2020-06-23 18:10:45 +00:00
// urisValidator validates the URI SANs of a certificate request.
type urisValidator [ ] * url . URL
// Valid checks that certificate request IP Addresses match those configured in
// the bootstrap (token) flow.
func ( v urisValidator ) Valid ( req * x509 . CertificateRequest ) error {
2021-01-14 21:26:46 +00:00
if len ( req . URIs ) == 0 {
return nil
}
2020-06-23 18:10:45 +00:00
want := make ( map [ string ] bool )
for _ , u := range v {
want [ u . String ( ) ] = true
}
got := make ( map [ string ] bool )
for _ , u := range req . URIs {
got [ u . String ( ) ] = true
}
if ! reflect . DeepEqual ( want , got ) {
return errors . Errorf ( "URIs claim failed - got %v, want %v" , req . URIs , v )
}
return nil
}
2020-06-24 16:58:40 +00:00
// defaultsSANsValidator stores a set of SANs to eventually validate 1:1 against
// the SANs in an x509 certificate request.
2020-06-24 00:13:39 +00:00
type defaultSANsValidator [ ] string
2020-06-24 16:58:40 +00:00
// Valid verifies that the SANs stored in the validator match 1:1 with those
// requested in the x509 certificate request.
2020-06-24 00:13:39 +00:00
func ( v defaultSANsValidator ) Valid ( req * x509 . CertificateRequest ) ( err error ) {
dnsNames , ips , emails , uris := x509util . SplitSANs ( v )
if err = dnsNamesValidator ( dnsNames ) . Valid ( req ) ; err != nil {
return
} else if err = emailAddressesValidator ( emails ) . Valid ( req ) ; err != nil {
return
} else if err = ipAddressesValidator ( ips ) . Valid ( req ) ; err != nil {
return
} else if err = urisValidator ( uris ) . Valid ( req ) ; err != nil {
return
}
return
2020-06-23 18:10:45 +00:00
}
2020-07-08 02:00:06 +00:00
// profileDefaultDuration is a modifier that sets the certificate
// duration.
2019-09-05 01:31:09 +00:00
type profileDefaultDuration time . Duration
2020-07-23 01:24:45 +00:00
func ( v profileDefaultDuration ) Modify ( cert * x509 . Certificate , so SignOptions ) error {
2020-01-03 01:48:28 +00:00
var backdate time . Duration
2019-09-05 01:31:09 +00:00
notBefore := so . NotBefore . Time ( )
if notBefore . IsZero ( ) {
2020-01-06 20:19:00 +00:00
notBefore = now ( )
2020-01-03 01:48:28 +00:00
backdate = - 1 * so . Backdate
2020-07-08 02:00:06 +00:00
2019-09-05 01:31:09 +00:00
}
notAfter := so . NotAfter . RelativeTime ( notBefore )
2020-07-08 02:00:06 +00:00
if notAfter . IsZero ( ) {
2020-07-21 02:01:43 +00:00
if v != 0 {
notAfter = notBefore . Add ( time . Duration ( v ) )
} else {
notAfter = notBefore . Add ( DefaultCertValidity )
}
2020-01-03 01:48:28 +00:00
}
2020-07-08 02:00:06 +00:00
cert . NotBefore = notBefore . Add ( backdate )
cert . NotAfter = notAfter
return nil
2019-09-05 01:31:09 +00:00
}
// profileLimitDuration is an x509 profile option that modifies an x509 validity
// period according to an imposed expiration time.
type profileLimitDuration struct {
2020-06-16 19:16:43 +00:00
def time . Duration
notBefore , notAfter time . Time
2019-09-05 01:31:09 +00:00
}
// Option returns an x509util option that limits the validity period of a
// certificate to one that is superficially imposed.
2020-07-23 01:24:45 +00:00
func ( v profileLimitDuration ) Modify ( cert * x509 . Certificate , so SignOptions ) error {
2020-07-08 02:00:06 +00:00
var backdate time . Duration
notBefore := so . NotBefore . Time ( )
if notBefore . IsZero ( ) {
notBefore = now ( )
backdate = - 1 * so . Backdate
}
if notBefore . Before ( v . notBefore ) {
return errors . Errorf ( "requested certificate notBefore (%s) is before " +
"the active validity window of the provisioning credential (%s)" ,
notBefore , v . notBefore )
}
2019-09-05 01:31:09 +00:00
2020-07-08 02:00:06 +00:00
notAfter := so . NotAfter . RelativeTime ( notBefore )
if notAfter . After ( v . notAfter ) {
return errors . Errorf ( "requested certificate notAfter (%s) is after " +
"the expiration of the provisioning credential (%s)" ,
notAfter , v . notAfter )
}
if notAfter . IsZero ( ) {
t := notBefore . Add ( v . def )
if t . After ( v . notAfter ) {
notAfter = v . notAfter
} else {
notAfter = t
2019-09-05 01:31:09 +00:00
}
}
2020-07-08 02:00:06 +00:00
cert . NotBefore = notBefore . Add ( backdate )
cert . NotAfter = notAfter
return nil
2019-09-05 01:31:09 +00:00
}
// validityValidator validates the certificate validity settings.
2019-03-06 22:58:46 +00:00
type validityValidator struct {
min time . Duration
max time . Duration
}
2019-03-07 01:30:14 +00:00
// newValidityValidator return a new validity validator.
func newValidityValidator ( min , max time . Duration ) * validityValidator {
return & validityValidator { min : min , max : max }
}
2019-09-05 01:31:09 +00:00
// Valid validates the certificate validity settings (notBefore/notAfter) and
// and total duration.
2020-07-23 01:24:45 +00:00
func ( v * validityValidator ) Valid ( cert * x509 . Certificate , o SignOptions ) error {
2019-03-06 22:58:46 +00:00
var (
2019-12-20 21:30:05 +00:00
na = cert . NotAfter . Truncate ( time . Second )
nb = cert . NotBefore . Truncate ( time . Second )
2020-01-04 02:22:02 +00:00
now = time . Now ( ) . Truncate ( time . Second )
2019-03-06 22:58:46 +00:00
)
2020-01-04 02:22:02 +00:00
2019-12-20 21:30:05 +00:00
d := na . Sub ( nb )
2019-03-06 22:58:46 +00:00
if na . Before ( now ) {
2019-12-20 21:30:05 +00:00
return errors . Errorf ( "notAfter cannot be in the past; na=%v" , na )
2019-03-06 22:58:46 +00:00
}
if na . Before ( nb ) {
2019-12-20 21:30:05 +00:00
return errors . Errorf ( "notAfter cannot be before notBefore; na=%v, nb=%v" , na , nb )
2019-03-06 22:58:46 +00:00
}
if d < v . min {
return errors . Errorf ( "requested duration of %v is less than the authorized minimum certificate duration of %v" ,
d , v . min )
}
2019-12-20 21:30:05 +00:00
// NOTE: this check is not "technically correct". We're allowing the max
// duration of a cert to be "max + backdate" and not all certificates will
// be backdated (e.g. if a user passes the NotBefore value then we do not
// apply a backdate). This is good enough.
if d > v . max + o . Backdate {
2019-03-06 22:58:46 +00:00
return errors . Errorf ( "requested duration of %v is more than the authorized maximum certificate duration of %v" ,
2020-01-24 21:42:00 +00:00
d , v . max + o . Backdate )
2019-03-06 22:58:46 +00:00
}
return nil
}
var (
stepOIDRoot = asn1 . ObjectIdentifier { 1 , 3 , 6 , 1 , 4 , 1 , 37476 , 9000 , 64 }
stepOIDProvisioner = append ( asn1 . ObjectIdentifier ( nil ) , append ( stepOIDRoot , 1 ) ... )
)
type stepProvisionerASN1 struct {
2019-07-15 22:52:36 +00:00
Type int
Name [ ] byte
CredentialID [ ] byte
KeyValuePairs [ ] string ` asn1:"optional,omitempty" `
2019-03-06 22:58:46 +00:00
}
2020-05-17 17:23:13 +00:00
type forceCNOption struct {
ForceCN bool
}
func newForceCNOption ( forceCN bool ) * forceCNOption {
return & forceCNOption { forceCN }
}
2020-07-23 01:24:45 +00:00
func ( o * forceCNOption ) Modify ( cert * x509 . Certificate , _ SignOptions ) error {
2020-07-08 02:00:06 +00:00
if ! o . ForceCN {
// Forcing CN is disabled, do nothing to certificate
2020-05-17 17:23:13 +00:00
return nil
}
2020-07-08 02:00:06 +00:00
if cert . Subject . CommonName == "" {
if len ( cert . DNSNames ) > 0 {
cert . Subject . CommonName = cert . DNSNames [ 0 ]
} else {
return errors . New ( "Cannot force CN, DNSNames is empty" )
}
}
return nil
2020-05-17 17:23:13 +00:00
}
2019-03-06 22:58:46 +00:00
type provisionerExtensionOption struct {
2019-07-15 22:52:36 +00:00
Type int
Name string
CredentialID string
KeyValuePairs [ ] string
2019-03-06 22:58:46 +00:00
}
2019-07-15 22:52:36 +00:00
func newProvisionerExtensionOption ( typ Type , name , credentialID string , keyValuePairs ... string ) * provisionerExtensionOption {
2019-03-06 22:58:46 +00:00
return & provisionerExtensionOption {
2019-07-15 22:52:36 +00:00
Type : int ( typ ) ,
Name : name ,
CredentialID : credentialID ,
KeyValuePairs : keyValuePairs ,
2019-03-06 22:58:46 +00:00
}
}
2020-07-23 01:24:45 +00:00
func ( o * provisionerExtensionOption ) Modify ( cert * x509 . Certificate , _ SignOptions ) error {
2020-07-08 02:00:06 +00:00
ext , err := createProvisionerExtension ( o . Type , o . Name , o . CredentialID , o . KeyValuePairs ... )
if err != nil {
return err
2019-03-06 22:58:46 +00:00
}
2020-07-08 02:00:06 +00:00
// Prepend the provisioner extension. In the auth.Sign code we will
// force the resulting certificate to only have one extension, the
// first stepOIDProvisioner that is found in the ExtraExtensions.
// A client could pass a csr containing a malicious stepOIDProvisioner
// ExtraExtension. If we were to append (rather than prepend) the correct
// stepOIDProvisioner extension, then the resulting certificate would
// contain the malicious extension, rather than the one applied by step-ca.
cert . ExtraExtensions = append ( [ ] pkix . Extension { ext } , cert . ExtraExtensions ... )
return nil
2019-03-06 22:58:46 +00:00
}
2019-03-08 20:19:44 +00:00
2019-07-15 22:52:36 +00:00
func createProvisionerExtension ( typ int , name , credentialID string , keyValuePairs ... string ) ( pkix . Extension , error ) {
2019-03-08 20:19:44 +00:00
b , err := asn1 . Marshal ( stepProvisionerASN1 {
2019-07-15 22:52:36 +00:00
Type : typ ,
Name : [ ] byte ( name ) ,
CredentialID : [ ] byte ( credentialID ) ,
KeyValuePairs : keyValuePairs ,
2019-03-08 20:19:44 +00:00
} )
if err != nil {
return pkix . Extension { } , errors . Wrapf ( err , "error marshaling provisioner extension" )
}
return pkix . Extension {
Id : stepOIDProvisioner ,
Critical : false ,
Value : b ,
} , nil
}