diff --git a/authority/config.go b/authority/config.go index 9d79ce9a..86a5c80c 100644 --- a/authority/config.go +++ b/authority/config.go @@ -189,7 +189,6 @@ func (c *Config) Validate() error { // Options holds the RA/CAS configuration. ra := c.AuthorityConfig.Options - // The default RA/CAS requires root, crt and key. if ra.Is(cas.SoftCAS) { switch { diff --git a/authority/tls.go b/authority/tls.go index f22f4624..c848d188 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -148,6 +148,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign lifetime := leaf.NotAfter.Sub(leaf.NotBefore.Add(signOpts.Backdate)) resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{ Template: leaf, + CSR: csr, Lifetime: lifetime, Backdate: signOpts.Backdate, }) @@ -333,22 +334,21 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error if !ok { return errs.InternalServer("authority.Revoke; provisioner not found", opts...) } + rci.ProvisionerID = p.GetID() rci.TokenID, err = p.GetTokenID(revokeOpts.OTT) if err != nil { return errs.Wrap(http.StatusInternalServerError, err, "authority.Revoke; could not get ID for token") } + opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID)) opts = append(opts, errs.WithKeyVal("tokenID", rci.TokenID)) } else { // Load the Certificate provisioner if one exists. - p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt) - if err != nil { - return errs.Wrap(http.StatusUnauthorized, err, - "authority.Revoke: unable to load certificate provisioner", opts...) + if p, err = a.LoadProvisionerByCertificate(revokeOpts.Crt); err == nil { + rci.ProvisionerID = p.GetID() + opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID)) } } - rci.ProvisionerID = p.GetID() - opts = append(opts, errs.WithKeyVal("provisionerID", rci.ProvisionerID)) if provisioner.MethodFromContext(ctx) == provisioner.SSHRevokeMethod { err = a.db.RevokeSSH(rci) @@ -367,9 +367,11 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error // CAS operation, note that SoftCAS (default) is a noop. // The revoke happens when this is stored in the db. _, err = a.x509CAService.RevokeCertificate(&casapi.RevokeCertificateRequest{ - Certificate: revokedCert, - Reason: rci.Reason, - ReasonCode: rci.ReasonCode, + Certificate: revokedCert, + SerialNumber: rci.Serial, + Reason: rci.Reason, + ReasonCode: rci.ReasonCode, + PassiveOnly: revokeOpts.PassiveOnly, }) if err != nil { return errs.Wrap(http.StatusInternalServerError, err, "authority.Revoke", opts...) @@ -427,6 +429,7 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) { resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{ Template: certTpl, + CSR: cr, Lifetime: 24 * time.Hour, Backdate: 1 * time.Minute, }) diff --git a/authority/tls_test.go b/authority/tls_test.go index bf629a0d..4c936f0c 100644 --- a/authority/tls_test.go +++ b/authority/tls_test.go @@ -1231,6 +1231,30 @@ func TestAuthority_Revoke(t *testing.T) { crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt") assert.FatalError(t, err) + return test{ + auth: _a, + opts: &RevokeOptions{ + Crt: crt, + Serial: "102012593071130646873265215610956555026", + ReasonCode: reasonCode, + Reason: reason, + MTLS: true, + }, + } + }, + "ok/mTLS-no-provisioner": func() test { + _a := testAuthority(t, WithDatabase(&db.MockAuthDB{})) + + crt, err := pemutil.ReadCertificate("./testdata/certs/foo.crt") + assert.FatalError(t, err) + // Filter out provisioner extension. + for i, ext := range crt.Extensions { + if ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1}) { + crt.Extensions = append(crt.Extensions[:i], crt.Extensions[i+1:]...) + break + } + } + return test{ auth: _a, opts: &RevokeOptions{ diff --git a/cas/apiv1/options.go b/cas/apiv1/options.go index 46efae3b..4810d1f3 100644 --- a/cas/apiv1/options.go +++ b/cas/apiv1/options.go @@ -14,17 +14,29 @@ type Options struct { // The type of the CAS to use. Type string `json:"type"` - // Path to the credentials file used in CloudCAS - CredentialsFile string `json:"credentialsFile"` + // CertificateAuthority reference: + // In StepCAS the value is the CA url, e.g. "https://ca.smallstep.com:9000". + // In CloudCAS the format is "projects/*/locations/*/certificateAuthorities/*". + CertificateAuthority string `json:"certificateAuthority,omitempty"` - // CertificateAuthority reference. In CloudCAS the format is - // `projects/*/locations/*/certificateAuthorities/*`. - CertificateAuthority string `json:"certificateAuthority"` + // CertificateAuthorityFingerprint is the root fingerprint used to + // authenticate the connection to the CA when using StepCAS. + CertificateAuthorityFingerprint string `json:"certificateAuthorityFingerprint,omitempty"` - // Certificate and signer are the issuer certificate,along with any other bundled certificates to be returned in the chain for consumers, and signer used in SoftCAS. - // They are configured in ca.json crt and key properties. - CertificateChain []*x509.Certificate - Signer crypto.Signer `json:"-"` + // CertificateIssuer contains the configuration used in StepCAS. + CertificateIssuer *CertificateIssuer `json:"certificateIssuer,omitempty"` + + // Path to the credentials file used in CloudCAS. If not defined the default + // authentication mechanism provided by Google SDK will be used. See + // https://cloud.google.com/docs/authentication. + CredentialsFile string `json:"credentialsFile,omitempty"` + + // Certificate and signer are the issuer certificate, along with any other + // bundled certificates to be returned in the chain for consumers, and + // signer used in SoftCAS. They are configured in ca.json crt and key + // properties. + CertificateChain []*x509.Certificate `json:"-"` + Signer crypto.Signer `json:"-"` // IsCreator is set to true when we're creating a certificate authority. Is // used to skip some validations when initializing a CertificateAuthority. @@ -39,6 +51,16 @@ type Options struct { Location string `json:"-"` } +// CertificateIssuer contains the properties used to use the StepCAS certificate +// authority service. +type CertificateIssuer struct { + Type string `json:"type"` + Provisioner string `json:"provisioner,omitempty"` + Certificate string `json:"crt,omitempty"` + Key string `json:"key,omitempty"` + Password string `json:"password,omitempty"` +} + // Validate checks the fields in Options. func (o *Options) Validate() error { var typ Type diff --git a/cas/apiv1/requests.go b/cas/apiv1/requests.go index 68f1cb7b..b47a9c13 100644 --- a/cas/apiv1/requests.go +++ b/cas/apiv1/requests.go @@ -53,6 +53,7 @@ const ( // CreateCertificateRequest is the request used to sign a new certificate. type CreateCertificateRequest struct { Template *x509.Certificate + CSR *x509.CertificateRequest Lifetime time.Duration Backdate time.Duration RequestID string @@ -67,6 +68,7 @@ type CreateCertificateResponse struct { // RenewCertificateRequest is the request used to re-sign a certificate. type RenewCertificateRequest struct { Template *x509.Certificate + CSR *x509.CertificateRequest Lifetime time.Duration Backdate time.Duration RequestID string @@ -80,10 +82,12 @@ type RenewCertificateResponse struct { // RevokeCertificateRequest is the request used to revoke a certificate. type RevokeCertificateRequest struct { - Certificate *x509.Certificate - Reason string - ReasonCode int - RequestID string + Certificate *x509.Certificate + SerialNumber string + Reason string + ReasonCode int + PassiveOnly bool + RequestID string } // RevokeCertificateResponse is the response to a revoke certificate request. diff --git a/cas/apiv1/services.go b/cas/apiv1/services.go index 58a8f139..d4dd3c8c 100644 --- a/cas/apiv1/services.go +++ b/cas/apiv1/services.go @@ -1,6 +1,7 @@ package apiv1 import ( + "net/http" "strings" ) @@ -35,6 +36,8 @@ const ( SoftCAS = "softcas" // CloudCAS is a CertificateAuthorityService using Google Cloud CAS. CloudCAS = "cloudcas" + // StepCAS is a CertificateAuthorityService using another step-ca instance. + StepCAS = "stepcas" ) // String returns a string from the type. It will always return the lower case @@ -46,3 +49,23 @@ func (t Type) String() string { } return strings.ToLower(string(t)) } + +// ErrNotImplemented is the type of error returned if an operation is not +// implemented. +type ErrNotImplemented struct { + Message string +} + +// ErrNotImplemented implements the error interface. +func (e ErrNotImplemented) Error() string { + if e.Message != "" { + return e.Message + } + return "not implemented" +} + +// StatusCode implements the StatusCoder interface and returns the HTTP 501 +// error. +func (e ErrNotImplemented) StatusCode() int { + return http.StatusNotImplemented +} diff --git a/cas/apiv1/services_test.go b/cas/apiv1/services_test.go index f9ab9042..eb7d502e 100644 --- a/cas/apiv1/services_test.go +++ b/cas/apiv1/services_test.go @@ -1,6 +1,8 @@ package apiv1 -import "testing" +import ( + "testing" +) func TestType_String(t *testing.T) { tests := []struct { @@ -21,3 +23,51 @@ func TestType_String(t *testing.T) { }) } } + +func TestErrNotImplemented_Error(t *testing.T) { + type fields struct { + Message string + } + tests := []struct { + name string + fields fields + want string + }{ + {"default", fields{""}, "not implemented"}, + {"with message", fields{"method not supported"}, "method not supported"}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + e := ErrNotImplemented{ + Message: tt.fields.Message, + } + if got := e.Error(); got != tt.want { + t.Errorf("ErrNotImplemented.Error() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestErrNotImplemented_StatusCode(t *testing.T) { + type fields struct { + Message string + } + tests := []struct { + name string + fields fields + want int + }{ + {"default", fields{""}, 501}, + {"with message", fields{"method not supported"}, 501}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := ErrNotImplemented{ + Message: tt.fields.Message, + } + if got := s.StatusCode(); got != tt.want { + t.Errorf("ErrNotImplemented.StatusCode() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/cas/cloudcas/cloudcas.go b/cas/cloudcas/cloudcas.go index 4fb75b3a..695258c9 100644 --- a/cas/cloudcas/cloudcas.go +++ b/cas/cloudcas/cloudcas.go @@ -141,7 +141,6 @@ func (c *CloudCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityReq Name: name, }) if err != nil { - println(name) return nil, errors.Wrap(err, "cloudCAS GetCertificateAuthority failed") } if len(resp.PemCaCertificates) == 0 { diff --git a/cas/stepcas/issuer.go b/cas/stepcas/issuer.go new file mode 100644 index 00000000..9289709e --- /dev/null +++ b/cas/stepcas/issuer.go @@ -0,0 +1,78 @@ +package stepcas + +import ( + "net/url" + "strings" + "time" + + "github.com/pkg/errors" + "github.com/smallstep/certificates/cas/apiv1" +) + +type stepIssuer interface { + SignToken(subject string, sans []string) (string, error) + RevokeToken(subject string) (string, error) + Lifetime(d time.Duration) time.Duration +} + +// newStepIssuer returns the configured step issuer. +func newStepIssuer(caURL *url.URL, iss *apiv1.CertificateIssuer) (stepIssuer, error) { + if err := validateCertificateIssuer(iss); err != nil { + return nil, err + } + + switch strings.ToLower(iss.Type) { + case "x5c": + return newX5CIssuer(caURL, iss) + case "jwk": + return newJWKIssuer(caURL, iss) + default: + return nil, errors.Errorf("stepCAS `certificateIssuer.type` %s is not supported", iss.Type) + } +} + +// validateCertificateIssuer validates the configuration of the certificate +// issuer. +func validateCertificateIssuer(iss *apiv1.CertificateIssuer) error { + switch { + case iss == nil: + return errors.New("stepCAS 'certificateIssuer' cannot be nil") + case iss.Type == "": + return errors.New("stepCAS `certificateIssuer.type` cannot be empty") + } + + switch strings.ToLower(iss.Type) { + case "x5c": + return validateX5CIssuer(iss) + case "jwk": + return validateJWKIssuer(iss) + default: + return errors.Errorf("stepCAS `certificateIssuer.type` %s is not supported", iss.Type) + } +} + +// validateX5CIssuer validates the configuration of x5c issuer. +func validateX5CIssuer(iss *apiv1.CertificateIssuer) error { + switch { + case iss.Certificate == "": + return errors.New("stepCAS `certificateIssuer.crt` cannot be empty") + case iss.Key == "": + return errors.New("stepCAS `certificateIssuer.key` cannot be empty") + case iss.Provisioner == "": + return errors.New("stepCAS `certificateIssuer.provisioner` cannot be empty") + default: + return nil + } +} + +// validateJWKIssuer validates the configuration of jwk issuer. +func validateJWKIssuer(iss *apiv1.CertificateIssuer) error { + switch { + case iss.Key == "": + return errors.New("stepCAS `certificateIssuer.key` cannot be empty") + case iss.Provisioner == "": + return errors.New("stepCAS `certificateIssuer.provisioner` cannot be empty") + default: + return nil + } +} diff --git a/cas/stepcas/issuer_test.go b/cas/stepcas/issuer_test.go new file mode 100644 index 00000000..743d6eec --- /dev/null +++ b/cas/stepcas/issuer_test.go @@ -0,0 +1,80 @@ +package stepcas + +import ( + "net/url" + "reflect" + "testing" + "time" + + "github.com/smallstep/certificates/cas/apiv1" +) + +type mockErrIssuer struct{} + +func (m mockErrIssuer) SignToken(subject string, sans []string) (string, error) { + return "", apiv1.ErrNotImplemented{} +} + +func (m mockErrIssuer) RevokeToken(subject string) (string, error) { + return "", apiv1.ErrNotImplemented{} +} + +func (m mockErrIssuer) Lifetime(d time.Duration) time.Duration { + return d +} + +func Test_newStepIssuer(t *testing.T) { + caURL, err := url.Parse("https://ca.smallstep.com") + if err != nil { + t.Fatal(err) + } + + type args struct { + caURL *url.URL + iss *apiv1.CertificateIssuer + } + tests := []struct { + name string + args args + want stepIssuer + wantErr bool + }{ + {"x5c", args{caURL, &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }}, &x5cIssuer{ + caURL: caURL, + certFile: testX5CPath, + keyFile: testX5CKeyPath, + issuer: "X5C", + }, false}, + {"jwk", args{caURL, &apiv1.CertificateIssuer{ + Type: "jwk", + Provisioner: "ra@doe.org", + Key: testX5CKeyPath, + }}, &jwkIssuer{ + caURL: caURL, + keyFile: testX5CKeyPath, + issuer: "ra@doe.org", + }, false}, + {"fail", args{caURL, &apiv1.CertificateIssuer{ + Type: "unknown", + Provisioner: "ra@doe.org", + Key: testX5CKeyPath, + }}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := newStepIssuer(tt.args.caURL, tt.args.iss) + if (err != nil) != tt.wantErr { + t.Errorf("newStepIssuer() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("newStepIssuer() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/cas/stepcas/jwk_issuer.go b/cas/stepcas/jwk_issuer.go new file mode 100644 index 00000000..9a4cd7d1 --- /dev/null +++ b/cas/stepcas/jwk_issuer.go @@ -0,0 +1,92 @@ +package stepcas + +import ( + "net/url" + "time" + + "github.com/pkg/errors" + "github.com/smallstep/certificates/cas/apiv1" + "go.step.sm/crypto/jose" + "go.step.sm/crypto/randutil" +) + +type jwkIssuer struct { + caURL *url.URL + issuer string + keyFile string + password string +} + +func newJWKIssuer(caURL *url.URL, cfg *apiv1.CertificateIssuer) (*jwkIssuer, error) { + _, err := newJWKSigner(cfg.Key, cfg.Password) + if err != nil { + return nil, err + } + + return &jwkIssuer{ + caURL: caURL, + issuer: cfg.Provisioner, + keyFile: cfg.Key, + password: cfg.Password, + }, nil +} + +func (i *jwkIssuer) SignToken(subject string, sans []string) (string, error) { + aud := i.caURL.ResolveReference(&url.URL{ + Path: "/1.0/sign", + }).String() + return i.createToken(aud, subject, sans) +} + +func (i *jwkIssuer) RevokeToken(subject string) (string, error) { + aud := i.caURL.ResolveReference(&url.URL{ + Path: "/1.0/revoke", + }).String() + return i.createToken(aud, subject, nil) +} + +func (i *jwkIssuer) Lifetime(d time.Duration) time.Duration { + return d +} + +func (i *jwkIssuer) createToken(aud, sub string, sans []string) (string, error) { + signer, err := newJWKSigner(i.keyFile, i.password) + if err != nil { + return "", err + } + + id, err := randutil.Hex(64) // 256 bits + if err != nil { + return "", err + } + + claims := defaultClaims(i.issuer, sub, aud, id) + builder := jose.Signed(signer).Claims(claims) + if len(sans) > 0 { + builder = builder.Claims(map[string]interface{}{ + "sans": sans, + }) + } + + tok, err := builder.CompactSerialize() + if err != nil { + return "", errors.Wrap(err, "error signing token") + } + + return tok, nil +} + +func newJWKSigner(keyFile, password string) (jose.Signer, error) { + signer, err := readKey(keyFile, password) + if err != nil { + return nil, err + } + kid, err := jose.Thumbprint(&jose.JSONWebKey{Key: signer.Public()}) + if err != nil { + return nil, err + } + so := new(jose.SignerOptions) + so.WithType("JWT") + so.WithHeader("kid", kid) + return newJoseSigner(signer, so) +} diff --git a/cas/stepcas/jwk_issuer_test.go b/cas/stepcas/jwk_issuer_test.go new file mode 100644 index 00000000..2caccf25 --- /dev/null +++ b/cas/stepcas/jwk_issuer_test.go @@ -0,0 +1,172 @@ +package stepcas + +import ( + "net/url" + "reflect" + "testing" + "time" + + "go.step.sm/crypto/jose" +) + +func Test_jwkIssuer_SignToken(t *testing.T) { + caURL, err := url.Parse("https://ca.smallstep.com") + if err != nil { + t.Fatal(err) + } + + type fields struct { + caURL *url.URL + keyFile string + issuer string + } + type args struct { + subject string + sans []string + } + type claims struct { + Aud []string `json:"aud"` + Sub string `json:"sub"` + Sans []string `json:"sans"` + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{caURL, testX5CKeyPath, "ra@doe.org"}, args{"doe", []string{"doe.org"}}, false}, + {"fail key", fields{caURL, "", "ra@doe.org"}, args{"doe", []string{"doe.org"}}, true}, + {"fail no signer", fields{caURL, testIssPath, "ra@doe.org"}, args{"doe", []string{"doe.org"}}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + i := &jwkIssuer{ + caURL: tt.fields.caURL, + keyFile: tt.fields.keyFile, + issuer: tt.fields.issuer, + } + got, err := i.SignToken(tt.args.subject, tt.args.sans) + if (err != nil) != tt.wantErr { + t.Errorf("jwkIssuer.SignToken() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !tt.wantErr { + jwt, err := jose.ParseSigned(got) + if err != nil { + t.Errorf("jose.ParseSigned() error = %v", err) + } + var c claims + want := claims{ + Aud: []string{tt.fields.caURL.String() + "/1.0/sign"}, + Sub: tt.args.subject, + Sans: tt.args.sans, + } + if err := jwt.Claims(testX5CKey.Public(), &c); err != nil { + t.Errorf("jwt.Claims() error = %v", err) + } + if !reflect.DeepEqual(c, want) { + t.Errorf("jwt.Claims() claims = %#v, want %#v", c, want) + } + } + }) + } +} + +func Test_jwkIssuer_RevokeToken(t *testing.T) { + caURL, err := url.Parse("https://ca.smallstep.com") + if err != nil { + t.Fatal(err) + } + + type fields struct { + caURL *url.URL + keyFile string + issuer string + } + type args struct { + subject string + } + type claims struct { + Aud []string `json:"aud"` + Sub string `json:"sub"` + Sans []string `json:"sans"` + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{caURL, testX5CKeyPath, "ra@smallstep.com"}, args{"doe"}, false}, + {"fail key", fields{caURL, "", "ra@smallstep.com"}, args{"doe"}, true}, + {"fail no signer", fields{caURL, testIssPath, "ra@smallstep.com"}, args{"doe"}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + i := &jwkIssuer{ + caURL: tt.fields.caURL, + keyFile: tt.fields.keyFile, + issuer: tt.fields.issuer, + } + got, err := i.RevokeToken(tt.args.subject) + if (err != nil) != tt.wantErr { + t.Errorf("jwkIssuer.RevokeToken() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !tt.wantErr { + jwt, err := jose.ParseSigned(got) + if err != nil { + t.Errorf("jose.ParseSigned() error = %v", err) + } + var c claims + want := claims{ + Aud: []string{tt.fields.caURL.String() + "/1.0/revoke"}, + Sub: tt.args.subject, + } + if err := jwt.Claims(testX5CKey.Public(), &c); err != nil { + t.Errorf("jwt.Claims() error = %v", err) + } + if !reflect.DeepEqual(c, want) { + t.Errorf("jwt.Claims() claims = %#v, want %#v", c, want) + } + } + }) + } +} + +func Test_jwkIssuer_Lifetime(t *testing.T) { + caURL, err := url.Parse("https://ca.smallstep.com") + if err != nil { + t.Fatal(err) + } + + type fields struct { + caURL *url.URL + keyFile string + issuer string + } + type args struct { + d time.Duration + } + tests := []struct { + name string + fields fields + args args + want time.Duration + }{ + {"ok", fields{caURL, testX5CKeyPath, "ra@smallstep.com"}, args{time.Second}, time.Second}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + i := &jwkIssuer{ + caURL: tt.fields.caURL, + keyFile: tt.fields.keyFile, + issuer: tt.fields.issuer, + } + if got := i.Lifetime(tt.args.d); got != tt.want { + t.Errorf("jwkIssuer.Lifetime() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/cas/stepcas/stepcas.go b/cas/stepcas/stepcas.go new file mode 100644 index 00000000..7dc01e5a --- /dev/null +++ b/cas/stepcas/stepcas.go @@ -0,0 +1,178 @@ +package stepcas + +import ( + "context" + "crypto/x509" + "net/url" + "time" + + "github.com/pkg/errors" + "github.com/smallstep/certificates/api" + "github.com/smallstep/certificates/ca" + "github.com/smallstep/certificates/cas/apiv1" +) + +func init() { + apiv1.Register(apiv1.StepCAS, func(ctx context.Context, opts apiv1.Options) (apiv1.CertificateAuthorityService, error) { + return New(ctx, opts) + }) +} + +// StepCAS implements the cas.CertificateAuthorityService interface using +// another step-ca instance. +type StepCAS struct { + iss stepIssuer + client *ca.Client + fingerprint string +} + +// New creates a new CertificateAuthorityService implementation using another +// step-ca instance. +func New(ctx context.Context, opts apiv1.Options) (*StepCAS, error) { + switch { + case opts.CertificateAuthority == "": + return nil, errors.New("stepCAS 'certificateAuthority' cannot be empty") + case opts.CertificateAuthorityFingerprint == "": + return nil, errors.New("stepCAS 'certificateAuthorityFingerprint' cannot be empty") + } + + caURL, err := url.Parse(opts.CertificateAuthority) + if err != nil { + return nil, errors.Wrap(err, "stepCAS `certificateAuthority` is not valid") + } + + // Create configured issuer + iss, err := newStepIssuer(caURL, opts.CertificateIssuer) + if err != nil { + return nil, err + } + + // Create client. + client, err := ca.NewClient(opts.CertificateAuthority, ca.WithRootSHA256(opts.CertificateAuthorityFingerprint)) + if err != nil { + return nil, err + } + + return &StepCAS{ + iss: iss, + client: client, + fingerprint: opts.CertificateAuthorityFingerprint, + }, nil +} + +// CreateCertificate uses the step-ca sign request with the configured +// provisioner to get a new certificate from the certificate authority. +func (s *StepCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) { + switch { + case req.CSR == nil: + return nil, errors.New("createCertificateRequest `csr` cannot be nil") + case req.Lifetime == 0: + return nil, errors.New("createCertificateRequest `lifetime` cannot be 0") + } + + cert, chain, err := s.createCertificate(req.CSR, req.Lifetime) + if err != nil { + return nil, err + } + + return &apiv1.CreateCertificateResponse{ + Certificate: cert, + CertificateChain: chain, + }, nil +} + +// RenewCertificate will always return a non-implemented error as mTLS renewals +// are not supported yet. +func (s *StepCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) { + return nil, apiv1.ErrNotImplemented{Message: "stepCAS does not support mTLS renewals"} +} + +func (s *StepCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) { + switch { + case req.SerialNumber == "" && req.Certificate == nil: + return nil, errors.New("revokeCertificateRequest `serialNumber` or `certificate` are required") + } + + serialNumber := req.SerialNumber + if req.Certificate != nil { + serialNumber = req.Certificate.SerialNumber.String() + } + + token, err := s.iss.RevokeToken(serialNumber) + if err != nil { + return nil, err + } + + _, err = s.client.Revoke(&api.RevokeRequest{ + Serial: serialNumber, + ReasonCode: req.ReasonCode, + Reason: req.Reason, + OTT: token, + Passive: req.PassiveOnly, + }, nil) + if err != nil { + return nil, err + } + + return &apiv1.RevokeCertificateResponse{ + Certificate: req.Certificate, + CertificateChain: nil, + }, nil +} + +// GetCertificateAuthority returns the root certificate of the certificate +// authority using the configured fingerprint. +func (s *StepCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) { + resp, err := s.client.Root(s.fingerprint) + if err != nil { + return nil, err + } + return &apiv1.GetCertificateAuthorityResponse{ + RootCertificate: resp.RootPEM.Certificate, + }, nil +} + +func (s *StepCAS) createCertificate(cr *x509.CertificateRequest, lifetime time.Duration) (*x509.Certificate, []*x509.Certificate, error) { + sans := make([]string, 0, len(cr.DNSNames)+len(cr.EmailAddresses)+len(cr.IPAddresses)+len(cr.URIs)) + sans = append(sans, cr.DNSNames...) + sans = append(sans, cr.EmailAddresses...) + for _, ip := range cr.IPAddresses { + sans = append(sans, ip.String()) + } + for _, u := range cr.URIs { + sans = append(sans, u.String()) + } + + commonName := cr.Subject.CommonName + if commonName == "" && len(sans) > 0 { + commonName = sans[0] + } + + token, err := s.iss.SignToken(commonName, sans) + if err != nil { + return nil, nil, err + } + + resp, err := s.client.Sign(&api.SignRequest{ + CsrPEM: api.CertificateRequest{CertificateRequest: cr}, + OTT: token, + NotAfter: s.lifetime(lifetime), + }) + if err != nil { + return nil, nil, err + } + + var chain []*x509.Certificate + cert := resp.CertChainPEM[0].Certificate + for _, c := range resp.CertChainPEM[1:] { + chain = append(chain, c.Certificate) + } + + return cert, chain, nil +} + +func (s *StepCAS) lifetime(d time.Duration) api.TimeDuration { + var td api.TimeDuration + td.SetDuration(s.iss.Lifetime(d)) + return td +} diff --git a/cas/stepcas/stepcas_test.go b/cas/stepcas/stepcas_test.go new file mode 100644 index 00000000..88cbb227 --- /dev/null +++ b/cas/stepcas/stepcas_test.go @@ -0,0 +1,807 @@ +package stepcas + +import ( + "bytes" + "context" + "crypto" + "crypto/ed25519" + "crypto/rand" + "crypto/x509" + "encoding/json" + "encoding/pem" + "fmt" + "io/ioutil" + "net/http" + "net/http/httptest" + "net/url" + "os" + "path/filepath" + "reflect" + "testing" + "time" + + "github.com/smallstep/certificates/api" + "github.com/smallstep/certificates/ca" + "github.com/smallstep/certificates/cas/apiv1" + "go.step.sm/crypto/pemutil" + "go.step.sm/crypto/randutil" + "go.step.sm/crypto/x509util" +) + +var ( + testRootCrt *x509.Certificate + testRootKey crypto.Signer + testRootPath, testRootKeyPath string + testRootFingerprint string + + testIssCrt *x509.Certificate + testIssKey crypto.Signer + testIssPath, testIssKeyPath string + + testX5CCrt *x509.Certificate + testX5CKey crypto.Signer + testX5CPath, testX5CKeyPath string + testPassword, testEncryptedKeyPath string + + testCR *x509.CertificateRequest + testCrt *x509.Certificate + testKey crypto.Signer + testFailCR *x509.CertificateRequest +) + +func mustSignCertificate(subject string, sans []string, template string, parent *x509.Certificate, signer crypto.Signer) (*x509.Certificate, crypto.Signer) { + pub, priv, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + panic(err) + } + cr, err := x509util.CreateCertificateRequest(subject, sans, priv) + if err != nil { + panic(err) + } + cert, err := x509util.NewCertificate(cr, x509util.WithTemplate(template, x509util.CreateTemplateData(subject, sans))) + if err != nil { + panic(err) + } + + crt := cert.GetCertificate() + crt.NotBefore = time.Now() + crt.NotAfter = crt.NotBefore.Add(time.Hour) + if parent == nil { + parent = crt + } + if signer == nil { + signer = priv + } + if crt, err = x509util.CreateCertificate(crt, parent, pub, signer); err != nil { + panic(err) + } + return crt, priv +} + +func mustSerializeCrt(filename string, certs ...*x509.Certificate) { + buf := new(bytes.Buffer) + for _, c := range certs { + if err := pem.Encode(buf, &pem.Block{ + Type: "CERTIFICATE", + Bytes: c.Raw, + }); err != nil { + panic(err) + } + } + if err := ioutil.WriteFile(filename, buf.Bytes(), 0600); err != nil { + panic(err) + } +} + +func mustSerializeKey(filename string, key crypto.Signer) { + b, err := x509.MarshalPKCS8PrivateKey(key) + if err != nil { + panic(err) + } + b = pem.EncodeToMemory(&pem.Block{ + Type: "PRIVATE KEY", + Bytes: b, + }) + if err := ioutil.WriteFile(filename, b, 0600); err != nil { + panic(err) + } +} + +func mustEncryptKey(filename string, key crypto.Signer) { + _, err := pemutil.Serialize(key, + pemutil.ToFile(filename, 0600), + pemutil.WithPKCS8(true), + pemutil.WithPassword([]byte(testPassword))) + if err != nil { + panic(err) + } +} + +func testCAHelper(t *testing.T) (*url.URL, *ca.Client) { + t.Helper() + + writeJSON := func(w http.ResponseWriter, v interface{}) { + _ = json.NewEncoder(w).Encode(v) + } + parseJSON := func(r *http.Request, v interface{}) { + _ = json.NewDecoder(r.Body).Decode(v) + } + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + switch { + case r.RequestURI == "/root/"+testRootFingerprint: + w.WriteHeader(http.StatusOK) + writeJSON(w, api.RootResponse{ + RootPEM: api.NewCertificate(testRootCrt), + }) + case r.RequestURI == "/sign": + var msg api.SignRequest + parseJSON(r, &msg) + if msg.CsrPEM.DNSNames[0] == "fail.doe.org" { + w.WriteHeader(http.StatusBadRequest) + fmt.Fprintf(w, `{"error":"fail","message":"fail"}`) + return + } + w.WriteHeader(http.StatusOK) + writeJSON(w, api.SignResponse{ + CertChainPEM: []api.Certificate{api.NewCertificate(testCrt), api.NewCertificate(testIssCrt)}, + }) + case r.RequestURI == "/revoke": + var msg api.RevokeRequest + parseJSON(r, &msg) + if msg.Serial == "fail" { + w.WriteHeader(http.StatusBadRequest) + fmt.Fprintf(w, `{"error":"fail","message":"fail"}`) + return + } + w.WriteHeader(http.StatusOK) + writeJSON(w, api.RevokeResponse{ + Status: "ok", + }) + default: + w.WriteHeader(http.StatusNotFound) + fmt.Fprintf(w, `{"error":"not found"}`) + } + })) + t.Cleanup(func() { + srv.Close() + }) + u, err := url.Parse(srv.URL) + if err != nil { + srv.Close() + t.Fatal(err) + } + + client, err := ca.NewClient(srv.URL, ca.WithTransport(http.DefaultTransport)) + if err != nil { + srv.Close() + t.Fatal(err) + } + + return u, client +} + +func testX5CIssuer(t *testing.T, caURL *url.URL, password string) *x5cIssuer { + t.Helper() + key, givenPassword := testX5CKeyPath, password + if password != "" { + key = testEncryptedKeyPath + password = testPassword + } + x5c, err := newX5CIssuer(caURL, &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: key, + Password: password, + }) + if err != nil { + t.Fatal(err) + } + x5c.password = givenPassword + return x5c +} + +func testJWKIssuer(t *testing.T, caURL *url.URL, password string) *jwkIssuer { + t.Helper() + key, givenPassword := testX5CKeyPath, password + if password != "" { + key = testEncryptedKeyPath + password = testPassword + } + jwk, err := newJWKIssuer(caURL, &apiv1.CertificateIssuer{ + Type: "jwk", + Provisioner: "ra@doe.org", + Key: key, + Password: password, + }) + if err != nil { + t.Fatal(err) + } + jwk.password = givenPassword + return jwk +} + +func TestMain(m *testing.M) { + testRootCrt, testRootKey = mustSignCertificate("Test Root Certificate", nil, x509util.DefaultRootTemplate, nil, nil) + testIssCrt, testIssKey = mustSignCertificate("Test Intermediate Certificate", nil, x509util.DefaultIntermediateTemplate, testRootCrt, testRootKey) + testX5CCrt, testX5CKey = mustSignCertificate("Test X5C Certificate", nil, x509util.DefaultLeafTemplate, testIssCrt, testIssKey) + + // Final certificate. + var err error + sans := []string{"doe.org", "jane@doe.org", "127.0.0.1", "::1", "localhost", "uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6;name=value"} + testCrt, testKey = mustSignCertificate("Test Certificate", sans, x509util.DefaultLeafTemplate, testIssCrt, testIssKey) + testCR, err = x509util.CreateCertificateRequest("Test Certificate", sans, testKey) + if err != nil { + panic(err) + } + + // CR used in errors. + testFailCR, err = x509util.CreateCertificateRequest("", []string{"fail.doe.org"}, testKey) + if err != nil { + panic(err) + } + + // Password used to encrypto the key + testPassword, err = randutil.Hex(32) + if err != nil { + panic(err) + } + + testRootFingerprint = x509util.Fingerprint(testRootCrt) + + path, err := ioutil.TempDir(os.TempDir(), "stepcas") + if err != nil { + panic(err) + } + + testRootPath = filepath.Join(path, "root_ca.crt") + testRootKeyPath = filepath.Join(path, "root_ca.key") + mustSerializeCrt(testRootPath, testRootCrt) + mustSerializeKey(testRootKeyPath, testRootKey) + + testIssPath = filepath.Join(path, "intermediate_ca.crt") + testIssKeyPath = filepath.Join(path, "intermediate_ca.key") + mustSerializeCrt(testIssPath, testIssCrt) + mustSerializeKey(testIssKeyPath, testIssKey) + + testX5CPath = filepath.Join(path, "x5c.crt") + testX5CKeyPath = filepath.Join(path, "x5c.key") + mustSerializeCrt(testX5CPath, testX5CCrt, testIssCrt) + mustSerializeKey(testX5CKeyPath, testX5CKey) + + testEncryptedKeyPath = filepath.Join(path, "x5c.enc.key") + mustEncryptKey(testEncryptedKeyPath, testX5CKey) + + code := m.Run() + if err := os.RemoveAll(path); err != nil { + panic(err) + } + os.Exit(code) +} + +func Test_init(t *testing.T) { + caURL, _ := testCAHelper(t) + + fn, ok := apiv1.LoadCertificateAuthorityServiceNewFunc(apiv1.StepCAS) + if !ok { + t.Errorf("apiv1.Register() ok = %v, want true", ok) + return + } + fn(context.Background(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }) +} + +func TestNew(t *testing.T) { + caURL, client := testCAHelper(t) + type args struct { + ctx context.Context + opts apiv1.Options + } + tests := []struct { + name string + args args + want *StepCAS + wantErr bool + }{ + {"ok", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, &StepCAS{ + iss: &x5cIssuer{ + caURL: caURL, + certFile: testX5CPath, + keyFile: testX5CKeyPath, + issuer: "X5C", + }, + client: client, + fingerprint: testRootFingerprint, + }, false}, + {"ok jwk", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "jwk", + Provisioner: "ra@doe.org", + Key: testX5CKeyPath, + }, + }}, &StepCAS{ + iss: &jwkIssuer{ + caURL: caURL, + keyFile: testX5CKeyPath, + issuer: "ra@doe.org", + }, + client: client, + fingerprint: testRootFingerprint, + }, false}, + {"fail authority", args{context.TODO(), apiv1.Options{ + CertificateAuthority: "", + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail fingerprint", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: "", + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail type", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail provisioner", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail provisioner jwk", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "jwk", + Provisioner: "", + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail certificate", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: "", + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail key", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: "", + }, + }}, nil, true}, + {"fail key jwk", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "jwk", + Provisioner: "ra@smallstep.com", + Key: "", + }, + }}, nil, true}, + {"bad authority", args{context.TODO(), apiv1.Options{ + CertificateAuthority: "https://foobar", + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail parse url", args{context.TODO(), apiv1.Options{ + CertificateAuthority: "::failparse", + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail new client", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: "foobar", + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail new x5c issuer", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "x5c", + Provisioner: "X5C", + Certificate: testX5CPath + ".missing", + Key: testX5CKeyPath, + }, + }}, nil, true}, + {"fail new jwk issuer", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "jwk", + Provisioner: "ra@doe.org", + Key: testX5CKeyPath + ".missing", + }, + }}, nil, true}, + {"bad issuer", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: nil}}, nil, true}, + {"bad issuer type", args{context.TODO(), apiv1.Options{ + CertificateAuthority: caURL.String(), + CertificateAuthorityFingerprint: testRootFingerprint, + CertificateIssuer: &apiv1.CertificateIssuer{ + Type: "fail", + Provisioner: "X5C", + Certificate: testX5CPath, + Key: testX5CKeyPath, + }, + }}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := New(tt.args.ctx, tt.args.opts) + if (err != nil) != tt.wantErr { + t.Errorf("New() error = %v, wantErr %v", err, tt.wantErr) + return + } + // We cannot compare client + if got != nil && tt.want != nil { + got.client = tt.want.client + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestStepCAS_CreateCertificate(t *testing.T) { + caURL, client := testCAHelper(t) + x5c := testX5CIssuer(t, caURL, "") + jwk := testJWKIssuer(t, caURL, "") + x5cEnc := testX5CIssuer(t, caURL, testPassword) + jwkEnc := testJWKIssuer(t, caURL, testPassword) + x5cBad := testX5CIssuer(t, caURL, "bad-password") + jwkBad := testJWKIssuer(t, caURL, "bad-password") + + type fields struct { + iss stepIssuer + client *ca.Client + fingerprint string + } + type args struct { + req *apiv1.CreateCertificateRequest + } + tests := []struct { + name string + fields fields + args args + want *apiv1.CreateCertificateResponse + wantErr bool + }{ + {"ok", fields{x5c, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, &apiv1.CreateCertificateResponse{ + Certificate: testCrt, + CertificateChain: []*x509.Certificate{testIssCrt}, + }, false}, + {"ok with password", fields{x5cEnc, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, &apiv1.CreateCertificateResponse{ + Certificate: testCrt, + CertificateChain: []*x509.Certificate{testIssCrt}, + }, false}, + {"ok jwk", fields{jwk, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, &apiv1.CreateCertificateResponse{ + Certificate: testCrt, + CertificateChain: []*x509.Certificate{testIssCrt}, + }, false}, + {"ok jwk with password", fields{jwkEnc, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, &apiv1.CreateCertificateResponse{ + Certificate: testCrt, + CertificateChain: []*x509.Certificate{testIssCrt}, + }, false}, + {"fail CSR", fields{x5c, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: nil, + Lifetime: time.Hour, + }}, nil, true}, + {"fail lifetime", fields{x5c, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testCR, + Lifetime: 0, + }}, nil, true}, + {"fail sign token", fields{mockErrIssuer{}, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, nil, true}, + {"fail client sign", fields{x5c, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testFailCR, + Lifetime: time.Hour, + }}, nil, true}, + {"fail password", fields{x5cBad, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, nil, true}, + {"fail jwk password", fields{jwkBad, client, testRootFingerprint}, args{&apiv1.CreateCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := &StepCAS{ + iss: tt.fields.iss, + client: tt.fields.client, + fingerprint: tt.fields.fingerprint, + } + got, err := s.CreateCertificate(tt.args.req) + if (err != nil) != tt.wantErr { + t.Errorf("StepCAS.CreateCertificate() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("StepCAS.CreateCertificate() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestStepCAS_RenewCertificate(t *testing.T) { + caURL, client := testCAHelper(t) + x5c := testX5CIssuer(t, caURL, "") + jwk := testJWKIssuer(t, caURL, "") + + type fields struct { + iss stepIssuer + client *ca.Client + fingerprint string + } + type args struct { + req *apiv1.RenewCertificateRequest + } + tests := []struct { + name string + fields fields + args args + want *apiv1.RenewCertificateResponse + wantErr bool + }{ + {"not implemented", fields{x5c, client, testRootFingerprint}, args{&apiv1.RenewCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, nil, true}, + {"not implemented jwk", fields{jwk, client, testRootFingerprint}, args{&apiv1.RenewCertificateRequest{ + CSR: testCR, + Lifetime: time.Hour, + }}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := &StepCAS{ + iss: tt.fields.iss, + client: tt.fields.client, + fingerprint: tt.fields.fingerprint, + } + got, err := s.RenewCertificate(tt.args.req) + if (err != nil) != tt.wantErr { + t.Errorf("StepCAS.RenewCertificate() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("StepCAS.RenewCertificate() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestStepCAS_RevokeCertificate(t *testing.T) { + caURL, client := testCAHelper(t) + x5c := testX5CIssuer(t, caURL, "") + jwk := testJWKIssuer(t, caURL, "") + x5cEnc := testX5CIssuer(t, caURL, testPassword) + jwkEnc := testJWKIssuer(t, caURL, testPassword) + x5cBad := testX5CIssuer(t, caURL, "bad-password") + jwkBad := testJWKIssuer(t, caURL, "bad-password") + + type fields struct { + iss stepIssuer + client *ca.Client + fingerprint string + } + type args struct { + req *apiv1.RevokeCertificateRequest + } + tests := []struct { + name string + fields fields + args args + want *apiv1.RevokeCertificateResponse + wantErr bool + }{ + {"ok serial number", fields{x5c, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + Certificate: nil, + }}, &apiv1.RevokeCertificateResponse{}, false}, + {"ok certificate", fields{x5c, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "", + Certificate: testCrt, + }}, &apiv1.RevokeCertificateResponse{ + Certificate: testCrt, + }, false}, + {"ok both", fields{x5c, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + Certificate: testCrt, + }}, &apiv1.RevokeCertificateResponse{ + Certificate: testCrt, + }, false}, + {"ok with password", fields{x5cEnc, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + Certificate: nil, + }}, &apiv1.RevokeCertificateResponse{}, false}, + {"ok serial number jwk", fields{jwk, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + Certificate: nil, + }}, &apiv1.RevokeCertificateResponse{}, false}, + {"ok certificate jwk", fields{jwk, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "", + Certificate: testCrt, + }}, &apiv1.RevokeCertificateResponse{ + Certificate: testCrt, + }, false}, + {"ok both jwk", fields{jwk, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + Certificate: testCrt, + }}, &apiv1.RevokeCertificateResponse{ + Certificate: testCrt, + }, false}, + {"ok jwk with password", fields{jwkEnc, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + Certificate: nil, + }}, &apiv1.RevokeCertificateResponse{}, false}, + {"fail request", fields{x5c, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "", + Certificate: nil, + }}, nil, true}, + {"fail revoke token", fields{mockErrIssuer{}, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + }}, nil, true}, + {"fail client revoke", fields{x5c, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "fail", + }}, nil, true}, + {"fail password", fields{x5cBad, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + Certificate: nil, + }}, nil, true}, + {"fail jwk password", fields{jwkBad, client, testRootFingerprint}, args{&apiv1.RevokeCertificateRequest{ + SerialNumber: "ok", + Certificate: nil, + }}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := &StepCAS{ + iss: tt.fields.iss, + client: tt.fields.client, + fingerprint: tt.fields.fingerprint, + } + got, err := s.RevokeCertificate(tt.args.req) + if (err != nil) != tt.wantErr { + t.Errorf("StepCAS.RevokeCertificate() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("StepCAS.RevokeCertificate() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestStepCAS_GetCertificateAuthority(t *testing.T) { + caURL, client := testCAHelper(t) + x5c := testX5CIssuer(t, caURL, "") + jwk := testJWKIssuer(t, caURL, "") + + type fields struct { + iss stepIssuer + client *ca.Client + fingerprint string + } + type args struct { + req *apiv1.GetCertificateAuthorityRequest + } + tests := []struct { + name string + fields fields + args args + want *apiv1.GetCertificateAuthorityResponse + wantErr bool + }{ + {"ok", fields{x5c, client, testRootFingerprint}, args{&apiv1.GetCertificateAuthorityRequest{ + Name: caURL.String(), + }}, &apiv1.GetCertificateAuthorityResponse{ + RootCertificate: testRootCrt, + }, false}, + {"ok jwk", fields{jwk, client, testRootFingerprint}, args{&apiv1.GetCertificateAuthorityRequest{ + Name: caURL.String(), + }}, &apiv1.GetCertificateAuthorityResponse{ + RootCertificate: testRootCrt, + }, false}, + {"fail fingerprint", fields{x5c, client, "fail"}, args{&apiv1.GetCertificateAuthorityRequest{ + Name: caURL.String(), + }}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := &StepCAS{ + iss: tt.fields.iss, + client: tt.fields.client, + fingerprint: tt.fields.fingerprint, + } + got, err := s.GetCertificateAuthority(tt.args.req) + if (err != nil) != tt.wantErr { + t.Errorf("StepCAS.GetCertificateAuthority() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("StepCAS.GetCertificateAuthority() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/cas/stepcas/x5c_issuer.go b/cas/stepcas/x5c_issuer.go new file mode 100644 index 00000000..da4aa27e --- /dev/null +++ b/cas/stepcas/x5c_issuer.go @@ -0,0 +1,185 @@ +package stepcas + +import ( + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/rsa" + "net/url" + "time" + + "github.com/pkg/errors" + "github.com/smallstep/certificates/cas/apiv1" + "go.step.sm/crypto/jose" + "go.step.sm/crypto/pemutil" + "go.step.sm/crypto/randutil" +) + +const defaultValidity = 5 * time.Minute + +// timeNow returns the current time. +// This method is used for unit testing purposes. +var timeNow = func() time.Time { + return time.Now() +} + +type x5cIssuer struct { + caURL *url.URL + issuer string + certFile string + keyFile string + password string +} + +// newX5CIssuer create a new x5c token issuer. The given configuration should be +// already validate. +func newX5CIssuer(caURL *url.URL, cfg *apiv1.CertificateIssuer) (*x5cIssuer, error) { + _, err := newX5CSigner(cfg.Certificate, cfg.Key, cfg.Password) + if err != nil { + return nil, err + } + + return &x5cIssuer{ + caURL: caURL, + issuer: cfg.Provisioner, + certFile: cfg.Certificate, + keyFile: cfg.Key, + password: cfg.Password, + }, nil +} + +func (i *x5cIssuer) SignToken(subject string, sans []string) (string, error) { + aud := i.caURL.ResolveReference(&url.URL{ + Path: "/1.0/sign", + Fragment: "x5c/" + i.issuer, + }).String() + + return i.createToken(aud, subject, sans) +} + +func (i *x5cIssuer) RevokeToken(subject string) (string, error) { + aud := i.caURL.ResolveReference(&url.URL{ + Path: "/1.0/revoke", + Fragment: "x5c/" + i.issuer, + }).String() + + return i.createToken(aud, subject, nil) +} + +func (i *x5cIssuer) Lifetime(d time.Duration) time.Duration { + cert, err := pemutil.ReadCertificate(i.certFile, pemutil.WithFirstBlock()) + if err != nil { + return d + } + now := timeNow() + if now.Add(d + time.Minute).After(cert.NotAfter) { + return cert.NotAfter.Sub(now) - time.Minute + } + return d +} + +func (i *x5cIssuer) createToken(aud, sub string, sans []string) (string, error) { + signer, err := newX5CSigner(i.certFile, i.keyFile, i.password) + if err != nil { + return "", err + } + + id, err := randutil.Hex(64) // 256 bits + if err != nil { + return "", err + } + + claims := defaultClaims(i.issuer, sub, aud, id) + builder := jose.Signed(signer).Claims(claims) + if len(sans) > 0 { + builder = builder.Claims(map[string]interface{}{ + "sans": sans, + }) + } + + tok, err := builder.CompactSerialize() + if err != nil { + return "", errors.Wrap(err, "error signing token") + } + + return tok, nil +} + +func defaultClaims(iss, sub, aud, id string) jose.Claims { + now := timeNow() + return jose.Claims{ + ID: id, + Issuer: iss, + Subject: sub, + Audience: jose.Audience{aud}, + Expiry: jose.NewNumericDate(now.Add(defaultValidity)), + NotBefore: jose.NewNumericDate(now), + IssuedAt: jose.NewNumericDate(now), + } +} + +func readKey(keyFile, password string) (crypto.Signer, error) { + var opts []pemutil.Options + if password != "" { + opts = append(opts, pemutil.WithPassword([]byte(password))) + } + key, err := pemutil.Read(keyFile, opts...) + if err != nil { + return nil, err + } + signer, ok := key.(crypto.Signer) + if !ok { + return nil, errors.New("key is not a crypto.Signer") + } + return signer, nil +} + +func newX5CSigner(certFile, keyFile, password string) (jose.Signer, error) { + signer, err := readKey(keyFile, password) + if err != nil { + return nil, err + } + kid, err := jose.Thumbprint(&jose.JSONWebKey{Key: signer.Public()}) + if err != nil { + return nil, err + } + certs, err := jose.ValidateX5C(certFile, signer) + if err != nil { + return nil, errors.Wrap(err, "error validating x5c certificate chain and key") + } + + so := new(jose.SignerOptions) + so.WithType("JWT") + so.WithHeader("kid", kid) + so.WithHeader("x5c", certs) + return newJoseSigner(signer, so) +} + +func newJoseSigner(key crypto.Signer, so *jose.SignerOptions) (jose.Signer, error) { + var alg jose.SignatureAlgorithm + switch k := key.Public().(type) { + case *ecdsa.PublicKey: + switch k.Curve.Params().Name { + case "P-256": + alg = jose.ES256 + case "P-384": + alg = jose.ES384 + case "P-521": + alg = jose.ES512 + default: + return nil, errors.Errorf("unsupported elliptic curve %s", k.Curve.Params().Name) + } + case ed25519.PublicKey: + alg = jose.EdDSA + case *rsa.PublicKey: + alg = jose.DefaultRSASigAlgorithm + default: + return nil, errors.Errorf("unsupported key type %T", k) + } + + signer, err := jose.NewSigner(jose.SigningKey{Algorithm: alg, Key: key}, so) + if err != nil { + return nil, errors.Wrap(err, "error creating jose.Signer") + } + return signer, nil +} diff --git a/cas/stepcas/x5c_issuer_test.go b/cas/stepcas/x5c_issuer_test.go new file mode 100644 index 00000000..a3190255 --- /dev/null +++ b/cas/stepcas/x5c_issuer_test.go @@ -0,0 +1,277 @@ +package stepcas + +import ( + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "io" + "net/url" + "reflect" + "testing" + "time" + + "go.step.sm/crypto/jose" +) + +type noneSigner []byte + +func (b noneSigner) Public() crypto.PublicKey { + return []byte(b) +} + +func (b noneSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { + return digest, nil +} + +func fakeTime(t *testing.T) { + t.Helper() + tmp := timeNow + t.Cleanup(func() { + timeNow = tmp + }) + timeNow = func() time.Time { + return testX5CCrt.NotBefore + } +} + +func Test_x5cIssuer_SignToken(t *testing.T) { + caURL, err := url.Parse("https://ca.smallstep.com") + if err != nil { + t.Fatal(err) + } + type fields struct { + caURL *url.URL + certFile string + keyFile string + issuer string + } + type args struct { + subject string + sans []string + } + type claims struct { + Aud []string `json:"aud"` + Sub string `json:"sub"` + Sans []string `json:"sans"` + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{"doe", []string{"doe.org"}}, false}, + {"fail crt", fields{caURL, "", testX5CKeyPath, "X5C"}, args{"doe", []string{"doe.org"}}, true}, + {"fail key", fields{caURL, testX5CPath, "", "X5C"}, args{"doe", []string{"doe.org"}}, true}, + {"fail no signer", fields{caURL, testIssKeyPath, testIssPath, "X5C"}, args{"doe", []string{"doe.org"}}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + i := &x5cIssuer{ + caURL: tt.fields.caURL, + certFile: tt.fields.certFile, + keyFile: tt.fields.keyFile, + issuer: tt.fields.issuer, + } + got, err := i.SignToken(tt.args.subject, tt.args.sans) + if (err != nil) != tt.wantErr { + t.Errorf("x5cIssuer.SignToken() error = %v, wantErr %v", err, tt.wantErr) + } + if !tt.wantErr { + jwt, err := jose.ParseSigned(got) + if err != nil { + t.Errorf("jose.ParseSigned() error = %v", err) + } + var c claims + want := claims{ + Aud: []string{tt.fields.caURL.String() + "/1.0/sign#x5c/X5C"}, + Sub: tt.args.subject, + Sans: tt.args.sans, + } + if err := jwt.Claims(testX5CKey.Public(), &c); err != nil { + t.Errorf("jwt.Claims() error = %v", err) + } + if !reflect.DeepEqual(c, want) { + t.Errorf("jwt.Claims() claims = %#v, want %#v", c, want) + } + } + }) + } +} + +func Test_x5cIssuer_RevokeToken(t *testing.T) { + caURL, err := url.Parse("https://ca.smallstep.com") + if err != nil { + t.Fatal(err) + } + type fields struct { + caURL *url.URL + certFile string + keyFile string + issuer string + } + type args struct { + subject string + } + type claims struct { + Aud []string `json:"aud"` + Sub string `json:"sub"` + Sans []string `json:"sans"` + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{"doe"}, false}, + {"fail crt", fields{caURL, "", testX5CKeyPath, "X5C"}, args{"doe"}, true}, + {"fail key", fields{caURL, testX5CPath, "", "X5C"}, args{"doe"}, true}, + {"fail no signer", fields{caURL, testIssKeyPath, testIssPath, "X5C"}, args{"doe"}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + i := &x5cIssuer{ + caURL: tt.fields.caURL, + certFile: tt.fields.certFile, + keyFile: tt.fields.keyFile, + issuer: tt.fields.issuer, + } + got, err := i.RevokeToken(tt.args.subject) + if (err != nil) != tt.wantErr { + t.Errorf("x5cIssuer.RevokeToken() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !tt.wantErr { + jwt, err := jose.ParseSigned(got) + if err != nil { + t.Errorf("jose.ParseSigned() error = %v", err) + } + var c claims + want := claims{ + Aud: []string{tt.fields.caURL.String() + "/1.0/revoke#x5c/X5C"}, + Sub: tt.args.subject, + } + if err := jwt.Claims(testX5CKey.Public(), &c); err != nil { + t.Errorf("jwt.Claims() error = %v", err) + } + if !reflect.DeepEqual(c, want) { + t.Errorf("jwt.Claims() claims = %#v, want %#v", c, want) + } + } + }) + } +} + +func Test_x5cIssuer_Lifetime(t *testing.T) { + fakeTime(t) + caURL, err := url.Parse("https://ca.smallstep.com") + if err != nil { + t.Fatal(err) + } + + // With a leeway of 1m the max duration will be 59m. + maxDuration := testX5CCrt.NotAfter.Sub(timeNow()) - time.Minute + + type fields struct { + caURL *url.URL + certFile string + keyFile string + issuer string + } + type args struct { + d time.Duration + } + tests := []struct { + name string + fields fields + args args + want time.Duration + }{ + {"ok 0s", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{0}, 0}, + {"ok 1m", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{time.Minute}, time.Minute}, + {"ok max-1m", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{maxDuration - time.Minute}, maxDuration - time.Minute}, + {"ok max", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{maxDuration}, maxDuration}, + {"ok max+1m", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{maxDuration + time.Minute}, maxDuration}, + {"ok fail", fields{caURL, testX5CPath + ".missing", testX5CKeyPath, "X5C"}, args{maxDuration + time.Minute}, maxDuration + time.Minute}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + i := &x5cIssuer{ + caURL: tt.fields.caURL, + certFile: tt.fields.certFile, + keyFile: tt.fields.keyFile, + issuer: tt.fields.issuer, + } + if got := i.Lifetime(tt.args.d); got != tt.want { + t.Errorf("x5cIssuer.Lifetime() = %v, want %v", got, tt.want) + } + }) + } +} + +func Test_newJoseSigner(t *testing.T) { + mustSigner := func(args ...interface{}) crypto.Signer { + if err := args[len(args)-1]; err != nil { + t.Fatal(err) + } + for _, a := range args { + if s, ok := a.(crypto.Signer); ok { + return s + } + } + t.Fatal("signer not found") + return nil + } + + p224 := mustSigner(ecdsa.GenerateKey(elliptic.P224(), rand.Reader)) + p256 := mustSigner(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) + p384 := mustSigner(ecdsa.GenerateKey(elliptic.P384(), rand.Reader)) + p521 := mustSigner(ecdsa.GenerateKey(elliptic.P521(), rand.Reader)) + edKey := mustSigner(ed25519.GenerateKey(rand.Reader)) + rsaKey := mustSigner(rsa.GenerateKey(rand.Reader, 2048)) + + type args struct { + key crypto.Signer + so *jose.SignerOptions + } + tests := []struct { + name string + args args + want []jose.Header + wantErr bool + }{ + {"p256", args{p256, nil}, []jose.Header{{Algorithm: "ES256"}}, false}, + {"p384", args{p384, new(jose.SignerOptions).WithType("JWT")}, []jose.Header{{Algorithm: "ES384", ExtraHeaders: map[jose.HeaderKey]interface{}{"typ": "JWT"}}}, false}, + {"p521", args{p521, new(jose.SignerOptions).WithHeader("kid", "the-kid")}, []jose.Header{{Algorithm: "ES512", KeyID: "the-kid"}}, false}, + {"ed25519", args{edKey, nil}, []jose.Header{{Algorithm: "EdDSA"}}, false}, + {"rsa", args{rsaKey, nil}, []jose.Header{{Algorithm: "RS256"}}, false}, + {"fail p224", args{p224, nil}, nil, true}, + {"fail signer", args{noneSigner{1, 2, 3}, nil}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := newJoseSigner(tt.args.key, tt.args.so) + if (err != nil) != tt.wantErr { + t.Errorf("newJoseSigner() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !tt.wantErr { + jws, err := got.Sign([]byte("{}")) + if err != nil { + t.Errorf("jose.Signer.Sign() err = %v", err) + } + jwt, err := jose.ParseSigned(jws.FullSerialize()) + if err != nil { + t.Errorf("jose.ParseSigned() err = %v", err) + } + if !reflect.DeepEqual(jwt.Headers, tt.want) { + t.Errorf("jose.Header got = %v, want = %v", jwt.Headers, tt.want) + } + } + }) + } +} diff --git a/cmd/step-ca/main.go b/cmd/step-ca/main.go index dad9cdbe..a243022a 100644 --- a/cmd/step-ca/main.go +++ b/cmd/step-ca/main.go @@ -37,6 +37,7 @@ import ( // Enabled cas interfaces. _ "github.com/smallstep/certificates/cas/cloudcas" _ "github.com/smallstep/certificates/cas/softcas" + _ "github.com/smallstep/certificates/cas/stepcas" ) // commit and buildTime are filled in during build by the Makefile diff --git a/go.mod b/go.mod index b362b2d8..fbc27c5e 100644 --- a/go.mod +++ b/go.mod @@ -21,7 +21,7 @@ require ( github.com/smallstep/nosql v0.3.6 github.com/urfave/cli v1.22.4 go.step.sm/cli-utils v0.2.0 - go.step.sm/crypto v0.7.3 + go.step.sm/crypto v0.8.0 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897 golang.org/x/net v0.0.0-20210119194325-5f4716e94777 google.golang.org/api v0.33.0 diff --git a/go.sum b/go.sum index e1140a96..37e51dd6 100644 --- a/go.sum +++ b/go.sum @@ -322,8 +322,8 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.step.sm/cli-utils v0.2.0 h1:hpVu9+6dpv/7/Bd8nGJFc3V+gQ+TciSJRTu9TavDUQ4= go.step.sm/cli-utils v0.2.0/go.mod h1:+t4qCp5NO+080DdGkJxEh3xL5S4TcYC2JTPLMM72b6Y= go.step.sm/crypto v0.6.1/go.mod h1:AKS4yMZVZD4EGjpSkY4eibuMenrvKCscb+BpWMet8c0= -go.step.sm/crypto v0.7.3 h1:uWkT0vsaZVixgn5x6Ojqittry9PiyVn2ihEYG/qOxV8= -go.step.sm/crypto v0.7.3/go.mod h1:AKS4yMZVZD4EGjpSkY4eibuMenrvKCscb+BpWMet8c0= +go.step.sm/crypto v0.8.0 h1:S4qBPyy3hR7KWLybSkHB0H14pwFfYkom4RZ96JzmXig= +go.step.sm/crypto v0.8.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=