From 623e387fb0a4f9ff25a13f75d97f20c13a529bda Mon Sep 17 00:00:00 2001
From: Gary Belvin
Date: Tue, 1 Jun 2021 17:35:36 +0100
Subject: [PATCH 1/7] Allow configuration of PKCS11 subject name

---
 cmd/step-pkcs11-init/main.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go
index fd9dbc72..50e5608b 100644
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -35,8 +35,10 @@ type Config struct {
 	RootOnly bool
 	RootObject string
 	RootKeyObject string
+	RootSubject string
 	CrtObject string
 	CrtKeyObject string
+	CrtSubject string
 	SSHHostKeyObject string
 	SSHUserKeyObject string
 	RootFile string
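Review bot: The new RootSubject and CrtSubject fields carry no comment, and their names read as a full distinguished name while createPKI (later hunks) uses them only as `pkix.Name{CommonName: ...}`; organisation, country and the other DN attributes stay unset. Field comments such as `// RootSubject is the CommonName used as Subject and Issuer of the self-signed root.` and `// CrtSubject is the CommonName of the intermediate; other DN attributes are not configurable.` would make that contract explicit. The Config struct continues outside the hunk.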
@@ -97,8 +99,10 @@ func main() {
 	flag.StringVar(&c.Pin, "pin", "", "PKCS #11 PIN")
 	flag.StringVar(&c.RootObject, "root-cert", "pkcs11:id=7330;object=root-cert", "PKCS #11 URI with object id and label to store the root certificate.")
 	flag.StringVar(&c.RootKeyObject, "root-key", "pkcs11:id=7330;object=root-key", "PKCS #11 URI with object id and label to store the root key.")
+	flag.StringVar(&c.RootSubject, "root-name", "PKCS #11 Smallstep Root", "Subject and Issuer of the root certificate.")
 	flag.StringVar(&c.CrtObject, "crt-cert", "pkcs11:id=7331;object=intermediate-cert", "PKCS #11 URI with object id and label to store the intermediate certificate.")
 	flag.StringVar(&c.CrtKeyObject, "crt-key", "pkcs11:id=7331;object=intermediate-key", "PKCS #11 URI with object id and label to store the intermediate certificate.")
+	flag.StringVar(&c.CrtSubject, "crt-name", "PKCS #11 Smallstep Intermediate", "Subject of the intermediate certificate.")
 	flag.StringVar(&c.SSHHostKeyObject, "ssh-host-key", "pkcs11:id=7332;object=ssh-host-key", "PKCS #11 URI with object id and label to store the key used to sign SSH host certificates.")
 	flag.StringVar(&c.SSHUserKeyObject, "ssh-user-key", "pkcs11:id=7333;object=ssh-user-key", "PKCS #11 URI with object id and label to store the key used to sign SSH user certificates.")
 	flag.BoolVar(&c.RootOnly, "root-only", false, "Store only only the root certificate and sign and intermediate.")
@@ -294,8 +298,8 @@ func createPKI(k kms.KeyManager, c Config) error {
 		BasicConstraintsValid: true,
 		MaxPathLen: 1,
 		MaxPathLenZero: false,
-		Issuer: pkix.Name{CommonName: "PKCS #11 Smallstep Root"},
-		Subject: pkix.Name{CommonName: "PKCS #11 Smallstep Root"},
+		Issuer: pkix.Name{CommonName: c.RootSubject},
+		Subject: pkix.Name{CommonName: c.RootSubject},
 		SerialNumber: mustSerialNumber(),
 		SubjectKeyId: mustSubjectKeyID(resp.PublicKey),
 		AuthorityKeyId: mustSubjectKeyID(resp.PublicKey),
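Review bot: Neither `-root-name` nor `-crt-name` is validated, so `-root-name ""` produces a root whose Subject and Issuer are an empty DN, which RFC 5280 forbids for a CA certificate; crypto/x509's CreateCertificate does not reject it, and the intermediate then inherits the empty name as its Issuer through `Issuer: root.Subject`. A check after the flags are parsed, `if c.RootSubject == "" || c.CrtSubject == "" { fatal(errors.New("-root-name and -crt-name must not be empty")) }`, covers this and the template hunks in createPKI as well (the next hunk and the one at -373 on the following line). main continues outside the hunk.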
@@ -373,7 +377,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 		MaxPathLen: 0,
 		MaxPathLenZero: true,
 		Issuer: root.Subject,
-		Subject: pkix.Name{CommonName: "YubiKey Smallstep Intermediate"},
+		Subject: pkix.Name{CommonName: c.CrtSubject},
 		SerialNumber: mustSerialNumber(),
 		SubjectKeyId: mustSubjectKeyID(publicKey),
 	}

From c264e8f580091b8b4a0af6fe1fec0fcd7cdd2302 Mon Sep 17 00:00:00 2001
From: Gary Belvin
Date: Tue, 1 Jun 2021 17:46:00 +0100
Subject: [PATCH 2/7] Configurable pkcs11-init output paths

---
 cmd/step-pkcs11-init/main.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go
index fd9dbc72..16aba223 100644
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -35,8 +35,11 @@ type Config struct {
 	RootOnly bool
 	RootObject string
 	RootKeyObject string
+	RootPath string
 	CrtObject string
+	CrtPath string
 	CrtKeyObject string
+	CrtKeyPath string
 	SSHHostKeyObject string
 	SSHUserKeyObject string
 	RootFile string
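Review bot: RootPath is added a few fields away from the existing RootFile (visible in the context), and nothing says which of the two the tool reads and which it writes; the same ambiguity exists between CrtPath/CrtKeyPath and the pkcs11 object URIs beside them. Comments like `// RootPath is where the generated root certificate is written.` and `// CrtKeyPath is where the intermediate private key is written.` would settle it for the next reader. The Config struct continues outside the hunk.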
@@ -96,9 +99,12 @@ func main() {
 	flag.StringVar(&c.KMS, "kms", kmsuri, "PKCS #11 URI with the module-path and token to connect to the module.")
 	flag.StringVar(&c.Pin, "pin", "", "PKCS #11 PIN")
 	flag.StringVar(&c.RootObject, "root-cert", "pkcs11:id=7330;object=root-cert", "PKCS #11 URI with object id and label to store the root certificate.")
+	flag.StringVar(&c.RootPath, "root-cert-path", "root_ca.crt", "Location to write the root certificate.")
 	flag.StringVar(&c.RootKeyObject, "root-key", "pkcs11:id=7330;object=root-key", "PKCS #11 URI with object id and label to store the root key.")
 	flag.StringVar(&c.CrtObject, "crt-cert", "pkcs11:id=7331;object=intermediate-cert", "PKCS #11 URI with object id and label to store the intermediate certificate.")
+	flag.StringVar(&c.CrtPath, "crt-cert-path", "intermediate_ca.crt", "Location to write the intermediate certificate.")
 	flag.StringVar(&c.CrtKeyObject, "crt-key", "pkcs11:id=7331;object=intermediate-key", "PKCS #11 URI with object id and label to store the intermediate certificate.")
+	flag.StringVar(&c.CrtKeyPath, "crt-key-path", "intermediate_ca_key", "Location to write the intermediate private key.")
 	flag.StringVar(&c.SSHHostKeyObject, "ssh-host-key", "pkcs11:id=7332;object=ssh-host-key", "PKCS #11 URI with object id and label to store the key used to sign SSH host certificates.")
 	flag.StringVar(&c.SSHUserKeyObject, "ssh-user-key", "pkcs11:id=7333;object=ssh-user-key", "PKCS #11 URI with object id and label to store the key used to sign SSH user certificates.")
 	flag.BoolVar(&c.RootOnly, "root-only", false, "Store only only the root certificate and sign and intermediate.")
@@ -320,7 +326,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 			}
 		}
 
-		if err = fileutil.WriteFile("root_ca.crt", pem.EncodeToMemory(&pem.Block{
+		if err = fileutil.WriteFile(c.RootPath, pem.EncodeToMemory(&pem.Block{
 			Type: "CERTIFICATE",
 			Bytes: b,
 		}), 0600); err != nil {
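Review bot: The usage string of the new `-crt-key-path` flag promises a private-key file unconditionally, but the later PrintSelected hunk reports c.CrtKeyPath only inside `if c.RootOnly`, which suggests the key is written to disk only in root-only mode (the Serialize call's enclosing block is outside its hunk, so this is inferred). Saying so in the help text, e.g. `"Location to write the intermediate private key (only with -root-only)."`, would keep operators from expecting a key file in the default mode. Nothing rejects an empty value or two flags naming the same file; -root-cert-path and -crt-cert-path both reach fileutil.WriteFile, so equal values silently replace the root certificate with the intermediate one. A check next to the flag parsing in the style `if c.RootPath == "" || c.CrtPath == "" || c.CrtKeyPath == "" || c.RootPath == c.CrtPath { fatal(errors.New("output paths must be non-empty and distinct")) }` covers this hunk and the createPKI path hunks that follow. main continues outside the hunk.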
@@ -328,7 +334,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 			}
 		}
 		ui.PrintSelected("Root Key", resp.Name)
-		ui.PrintSelected("Root Certificate", "root_ca.crt")
+		ui.PrintSelected("Root Certificate", c.RootPath)
 	}
 	// Intermediate Certificate
@@ -346,7 +352,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 		return err
 	}
 
-	_, err = pemutil.Serialize(priv, pemutil.WithPassword(pass), pemutil.ToFile("intermediate_ca_key", 0600))
+	_, err = pemutil.Serialize(priv, pemutil.WithPassword(pass), pemutil.ToFile(c.CrtKeyPath, 0600))
 	if err != nil {
 		return err
 	}
@@ -397,7 +403,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 		}
 	}
 
-	if err = fileutil.WriteFile("intermediate_ca.crt", pem.EncodeToMemory(&pem.Block{
+	if err = fileutil.WriteFile(c.CrtPath, pem.EncodeToMemory(&pem.Block{
 		Type: "CERTIFICATE",
 		Bytes: b,
 	}), 0600); err != nil {
@@ -405,12 +411,12 @@ func createPKI(k kms.KeyManager, c Config) error {
 	}
 	if c.RootOnly {
-		ui.PrintSelected("Intermediate Key", "intermediate_ca_key")
+		ui.PrintSelected("Intermediate Key", c.CrtKeyPath)
 	} else {
 		ui.PrintSelected("Intermediate Key", keyName)
 	}
-	ui.PrintSelected("Intermediate Certificate", "intermediate_ca.crt")
+	ui.PrintSelected("Intermediate Certificate", c.CrtPath)
 	if c.SSHHostKeyObject != "" {
 		resp, err := k.CreateKey(&apiv1.CreateKeyRequest{

From c4d0c8a18e51cb3f4f8d16863ca21115789aefc7 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 11 Jun 2021 21:40:04 -0700
Subject: [PATCH 3/7] Fix credentials file parameter on awskms

---
 kms/awskms/awskms.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kms/awskms/awskms.go b/kms/awskms/awskms.go
index da392989..1706d188 100644
--- a/kms/awskms/awskms.go
+++ b/kms/awskms/awskms.go
@@ -85,7 +85,7 @@ func New(ctx context.Context, opts apiv1.Options) (*KMS, error) {
 		*o.Config.Region = v
 	}
 	if f := u.Get("credentials-file"); f != "" {
-		o.SharedConfigFiles = []string{opts.CredentialsFile}
+		o.SharedConfigFiles = []string{f}
 	}
 }
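Review bot: The fix removes the only visible use of opts.CredentialsFile, so unless New consults it elsewhere (outside this hunk) an explicitly configured CredentialsFile is now silently ignored whenever the URI omits `credentials-file`. If o is an aws-sdk-go v1 session.Options, SharedConfigFiles also replaces the default config/credentials file list rather than extending it, so the chosen file becomes the sole source of profile settings, which is worth a comment on the assignment. Honouring the option first and letting the URI override it keeps both inputs meaningful: `if opts.CredentialsFile != "" { o.SharedConfigFiles = []string{opts.CredentialsFile} }` placed before the URI query handling. New continues outside the hunk.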
From 063a09a521bcb1045e2177a5afd6d1f57cf57304 Mon Sep 17 00:00:00 2001
From: Gary Belvin
Date: Tue, 15 Jun 2021 12:30:28 +0100
Subject: [PATCH 4/7] Allow reading pin from kms string

---
 cmd/step-pkcs11-init/main.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go
index fd9dbc72..4f32107a 100644
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -119,7 +119,12 @@ func main() {
 		fatal(err)
 	}
 
-	if u.Pin() == "" && c.Pin == "" {
+	kmsPin := u.Pin()
+	if c.Pin == "" && kmsPin != "" {
+		c.Pin = kmsPin
+	}
+
+	if c.Pin == "" {
 		pin, err := ui.PromptPassword("What is the PKCS#11 PIN?")
 		if err != nil {
 			fatal(err)

From a63a1d648237d63aacd908f3c2e48b1a5017c20c Mon Sep 17 00:00:00 2001
From: Gary Belvin
Date: Tue, 15 Jun 2021 18:13:08 +0100
Subject: [PATCH 5/7] Don't double read from u.Pin()

---
 cmd/step-pkcs11-init/main.go | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go
index 4f32107a..c0ac997e 100644
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -119,19 +119,6 @@ func main() {
 		fatal(err)
 	}
 
-	kmsPin := u.Pin()
-	if c.Pin == "" && kmsPin != "" {
-		c.Pin = kmsPin
-	}
-
-	if c.Pin == "" {
-		pin, err := ui.PromptPassword("What is the PKCS#11 PIN?")
-		if err != nil {
-			fatal(err)
-		}
-		c.Pin = string(pin)
-	}
-
 	k, err := kms.New(context.Background(), apiv1.Options{
 		Type: string(apiv1.PKCS11),
 		URI: c.KMS,

From c6bb7aa199db137f70716e94c8a68488e01eec04 Mon Sep 17 00:00:00 2001
From: Gary Belvin
Date: Tue, 15 Jun 2021 18:18:29 +0100
Subject: [PATCH 6/7] Add back UI check, but don't read file

---
 cmd/step-pkcs11-init/main.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go
index c0ac997e..0f3c8fa6 100644
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -119,6 +119,14 @@ func main() {
 		fatal(err)
 	}
 
+	if c.Pin == "" && u.Get("pin-value") == "" && u.Get("pin-source") == "" {
+		pin, err := ui.PromptPassword("What is the PKCS#11 PIN?")
+		if err != nil {
+			fatal(err)
+		}
+		c.Pin = string(pin)
+	}
+
 	k, err := kms.New(context.Background(), apiv1.Options{
 		Type: string(apiv1.PKCS11),
 		URI: c.KMS,

From 1fb44068018e9ace78934f27b2587320a8a517e2 Mon Sep 17 00:00:00 2001
From: Gary Belvin
Date: Tue, 15 Jun 2021 18:19:42 +0100
Subject: [PATCH 7/7] minimize diff

---
 cmd/step-pkcs11-init/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go
index 0f3c8fa6..be30b1ad 100644
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -119,7 +119,7 @@ func main() {
 		fatal(err)
 	}
 
-	if c.Pin == "" && u.Get("pin-value") == "" && u.Get("pin-source") == "" {
+	if u.Get("pin-value") == "" && u.Get("pin-source") == "" && c.Pin == "" {
 		pin, err := ui.PromptPassword("What is the PKCS#11 PIN?")
 		if err != nil {
 			fatal(err)
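Review bot: The new guard tests the raw `pin-value` and `pin-source` query keys instead of calling u.Pin() as the earlier revision in this series did, and the reason is recoverable only from the commit subjects ("Don't double read from u.Pin()", "don't read file"): u.Pin() apparently resolves pin-source by reading the file, which the KMS then reads again when it opens the token. A comment above the condition, `// Prompt only when the URI carries neither pin-value nor pin-source; u.Pin() is avoided so the pin-source file is read once, by the KMS.`, would stop the next maintainer from "simplifying" it back and documents why the duplicated key literals are deliberate. The same comment belongs on the reordered condition in the final patch below. main continues outside the hunk.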