Merge pull request #29 from smallstep/sans

Add SANs support
2019-02-05 21:40:19 -06:00 · 2019-02-05 21:40:19 -06:00 · 91f183a62a
commit 91f183a62a
parent 55155d1207 3415a1fef8
10 changed files with 154 additions and 84 deletions
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -18,12 +18,9 @@

 [[projects]]
  branch = "master"
-  digest = "1:5f3371d6e432e3c4e0ceabb14b5c0679827ce8b96bbd963fa923977782e8e99b"
+  digest = "1:454adc7f974228ff789428b6dc098638c57a64aa0718f0bd61e53d3cd39d7a75"
  name = "github.com/chzyer/readline"
-  packages = [
-    ".",
-    "runes",
-  ]
+  packages = ["."]
  pruneopts = "UT"
  revision = "2972be24d48e78746da79ba8e24e8b488c9880de"

@ -214,8 +211,8 @@
  revision = "de77670473b5492f5d0bce155b5c01534c2d13f7"

 [[projects]]
-  branch = "master"
-  digest = "1:9e42b7ce7fce33796a870bbbd4e5fdf7c25f3a243ca355d7d9be52f88e3526d5"
+  branch = "sans"
+  digest = "1:4c9e30abfe7c119eb4d40287f6c23f854f3ad71c69206d8dc6402e1fef14ac88"
  name = "github.com/smallstep/cli"
  packages = [
    "command",
@ -234,7 +231,7 @@
    "utils",
  ]
  pruneopts = "UT"
-  revision = "a633fd7f7eff2e8ba4026189241a60968b3767d6"
+  revision = "1379a62e0cf06b164d35e20a912d017ac8bad071"

 [[projects]]
  branch = "master"
--- a/Gopkg.toml
+++ b/Gopkg.toml
@ -45,7 +45,7 @@ required = [
  name = "github.com/go-chi/chi"

 [[override]]
-  branch = "master"
+  branch = "sans"
  name = "github.com/smallstep/cli"

 [prune]
--- a/authority/authorize.go
+++ b/authority/authorize.go
@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/crypto/x509util"
 	"gopkg.in/square/go-jose.v2/jwt"
 )

@ -16,6 +17,12 @@ type idUsed struct {
 	Subject string `json:"sub,omitempty"`
 }

+// Claims extends jwt.Claims with step attributes.
+type Claims struct {
+	jwt.Claims
+	SANs []string `json:"sans,omitempty"`
+}
+
 // matchesAudience returns true if A and B share at least one element.
 func matchesAudience(as, bs []string) bool {
 	if len(bs) == 0 || len(as) == 0 {
@ -48,7 +55,7 @@ func stripPort(rawurl string) string {
 func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 	var (
 		errContext = map[string]interface{}{"ott": ott}
-		claims     = jwt.Claims{}
+		claims     = Claims{}
 	)

 	// Validate payload
@ -113,10 +120,21 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 			http.StatusUnauthorized, errContext}
 	}

+	// NOTE: This is for backwards compatibility with older versions of cli
+	// and certificates. Older versions added the token subject as the only SAN
+	// in a CSR by default.
+	if len(claims.SANs) == 0 {
+		claims.SANs = []string{claims.Subject}
+	}
+	dnsNames, ips := x509util.SplitSANs(claims.SANs)
+	if err != nil {
+		return nil, err
+	}
+
 	signOps := []interface{}{
 		&commonNameClaim{claims.Subject},
-		&dnsNamesClaim{claims.Subject},
-		&ipAddressesClaim{claims.Subject},
+		&dnsNamesClaim{dnsNames},
+		&ipAddressesClaim{ips},
 		p,
 	}

--- a/authority/claims.go
+++ b/authority/claims.go
@ -2,6 +2,7 @@ package authority

 import (
 	"net"
+	"reflect"
 	"time"

 	"github.com/pkg/errors"
@ -42,43 +43,43 @@ func (c *commonNameClaim) Valid(crt *x509.Certificate) error {
 }

 type dnsNamesClaim struct {
-	name string
+	names []string
 }

 // Valid checks that certificate request common name matches the one configured.
 func (c *dnsNamesClaim) Valid(crt *x509.Certificate) error {
-	if len(crt.DNSNames) == 0 {
-		return nil
+	tokMap := make(map[string]int)
+	for _, e := range c.names {
+		tokMap[e] = 1
 	}
-	for _, name := range crt.DNSNames {
-		if name != c.name {
-			return errors.Errorf("DNS names claim failed - got %s, want %s", name, c.name)
-		}
+	crtMap := make(map[string]int)
+	for _, e := range crt.DNSNames {
+		crtMap[e] = 1
+	}
+	if !reflect.DeepEqual(tokMap, crtMap) {
+		return errors.Errorf("DNS names claim failed - got %s, want %s", crt.DNSNames, c.names)
 	}
 	return nil
 }

 type ipAddressesClaim struct {
-	name string
+	ips []net.IP
 }

 // Valid checks that certificate request common name matches the one configured.
 func (c *ipAddressesClaim) Valid(crt *x509.Certificate) error {
-	if len(crt.IPAddresses) == 0 {
-		return nil
+	tokMap := make(map[string]int)
+	for _, e := range c.ips {
+		tokMap[e.String()] = 1
 	}
-
-	// If it's an IP validate that only that ip is in IP addresses
-	if requestedIP := net.ParseIP(c.name); requestedIP != nil {
-		for _, ip := range crt.IPAddresses {
-			if !ip.Equal(requestedIP) {
-				return errors.Errorf("IP addresses claim failed - got %s, want %s", ip, requestedIP)
-			}
-		}
-		return nil
+	crtMap := make(map[string]int)
+	for _, e := range crt.IPAddresses {
+		crtMap[e.String()] = 1
 	}
-
-	return errors.Errorf("IP addresses claim failed - got %v, want none", crt.IPAddresses)
+	if !reflect.DeepEqual(tokMap, crtMap) {
+		return errors.Errorf("IP Addresses claim failed - got %v, want %v", crt.IPAddresses, c.ips)
+	}
+	return nil
 }

 // certTemporalClaim validates the certificate temporal validity settings.
--- a/authority/claims_test.go
+++ b/authority/claims_test.go
@ -52,23 +52,28 @@ func TestIPAddressesClaim_Valid(t *testing.T) {
 		crt *x509.Certificate
 		err error
 	}{
-		"unexpected-ip": {
-			iac: &ipAddressesClaim{name: "127.0.0.1"},
+		"unexpected-ip-in-crt": {
+			iac: &ipAddressesClaim{ips: []net.IP{net.ParseIP("127.0.0.1")}},
 			crt: &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("1.1.1.1")}},
-			err: errors.New("IP addresses claim failed - got 1.1.1.1, want 127.0.0.1"),
+			err: errors.New("IP Addresses claim failed - got [127.0.0.1 1.1.1.1], want [127.0.0.1]"),
+		},
+		"missing-ip-in-crt": {
+			iac: &ipAddressesClaim{ips: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("1.1.1.1")}},
+			crt: &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}},
+			err: errors.New("IP Addresses claim failed - got [127.0.0.1], want [127.0.0.1 1.1.1.1]"),
 		},
 		"invalid-matcher-nonempty-ips": {
-			iac: &ipAddressesClaim{name: "invalid"},
+			iac: &ipAddressesClaim{ips: []net.IP{}},
 			crt: &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}},
-			err: errors.New("IP addresses claim failed - got [127.0.0.1], want none"),
+			err: errors.New("IP Addresses claim failed - got [127.0.0.1], want []"),
 		},
 		"ok": {
-			iac: &ipAddressesClaim{name: "127.0.0.1"},
+			iac: &ipAddressesClaim{ips: []net.IP{net.ParseIP("127.0.0.1")}},
 			crt: &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}},
 		},
-		"ok-empty-ips": {
-			iac: &ipAddressesClaim{name: "127.0.0.1"},
-			crt: &x509.Certificate{IPAddresses: []net.IP{}},
+		"ok-multiple-identical-ip-entries": {
+			iac: &ipAddressesClaim{ips: []net.IP{net.ParseIP("127.0.0.1")}},
+			crt: &x509.Certificate{IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("127.0.0.1"), net.ParseIP("127.0.0.1")}},
 		},
 	}

@ -92,21 +97,22 @@ func TestDNSNamesClaim_Valid(t *testing.T) {
 		crt *x509.Certificate
 		err error
 	}{
-		"wrong-dns-name": {
-			dnc: &dnsNamesClaim{name: "foo"},
+		"unexpected-dns-name-in-crt": {
+			dnc: &dnsNamesClaim{names: []string{"foo"}},
 			crt: &x509.Certificate{DNSNames: []string{"foo", "bar"}},
-			err: errors.New("DNS names claim failed - got bar, want foo"),
+			err: errors.New("DNS names claim failed - got [foo bar], want [foo]"),
 		},
 		"ok": {
-			dnc: &dnsNamesClaim{name: "foo"},
-			crt: &x509.Certificate{DNSNames: []string{"foo"}},
+			dnc: &dnsNamesClaim{names: []string{"foo", "bar"}},
+			crt: &x509.Certificate{DNSNames: []string{"bar", "foo"}},
 		},
-		"ok-empty-dnsNames": {
-			dnc: &dnsNamesClaim{"foo"},
-			crt: &x509.Certificate{},
+		"missing-dns-name-in-crt": {
+			dnc: &dnsNamesClaim{names: []string{"foo", "bar"}},
+			crt: &x509.Certificate{DNSNames: []string{"foo"}},
+			err: errors.New("DNS names claim failed - got [foo], want [foo bar]"),
 		},
 		"ok-multiple-identical-dns-entries": {
-			dnc: &dnsNamesClaim{name: "foo"},
+			dnc: &dnsNamesClaim{names: []string{"foo"}},
 			crt: &x509.Certificate{DNSNames: []string{"foo", "foo", "foo"}},
 		},
 	}
--- a/authority/tls.go
+++ b/authority/tls.go
@ -129,10 +129,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts SignOptions, ext
 		return nil, nil, &apiError{errors.Wrap(err, "sign: error converting x509 csr to stepx509 csr"),
 			http.StatusInternalServerError, errContext}
 	}
-	// DNSNames and IPAddresses are validated but to avoid duplications we will
-	// clean them as x509util.NewLeafProfileWithCSR will set the right values.
-	stepCSR.DNSNames = nil
-	stepCSR.IPAddresses = nil

 	issIdentity := a.intermediateIdentity
 	leaf, err := x509util.NewLeafProfileWithCSR(stepCSR, issIdentity.Crt,
--- a/ca/bootstrap_test.go
+++ b/ca/bootstrap_test.go
@ -94,6 +94,7 @@ func generateBootstrapToken(ca, subject, sha string) string {
 	cl := struct {
 		SHA string `json:"sha"`
 		jwt.Claims
+		SANS []string `json:"sans"`
 	}{
 		SHA: sha,
 		Claims: jwt.Claims{
@ -104,6 +105,7 @@ func generateBootstrapToken(ca, subject, sha string) string {
 			Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
 			Audience:  []string{ca + "/sign"},
 		},
+		SANS: []string{subject},
 	}
 	raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
 	if err != nil {
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@ -154,13 +154,19 @@ ZEp7knvU2psWRw==
 		"fail commonname-claim": func(t *testing.T) *signTest {
 			jti, err := randutil.ASCII(32)
 			assert.FatalError(t, err)
-			cl := jwt.Claims{
-				Subject:   "invalid",
-				Issuer:    "step-cli",
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
-				Audience:  validAud,
-				ID:        jti,
+			cl := struct {
+				jwt.Claims
+				SANS []string `json:"sans"`
+			}{
+				Claims: jwt.Claims{
+					Subject:   "invalid",
+					Issuer:    "step-cli",
+					NotBefore: jwt.NewNumericDate(now),
+					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					Audience:  validAud,
+					ID:        jti,
+				},
+				SANS: []string{"invalid"},
 			}
 			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
@ -181,13 +187,52 @@ ZEp7knvU2psWRw==
 		"ok": func(t *testing.T) *signTest {
 			jti, err := randutil.ASCII(32)
 			assert.FatalError(t, err)
-			cl := jwt.Claims{
-				Subject:   "test.smallstep.com",
-				Issuer:    "step-cli",
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
-				Audience:  validAud,
-				ID:        jti,
+			cl := struct {
+				jwt.Claims
+				SANS []string `json:"sans"`
+			}{
+				Claims: jwt.Claims{
+					Subject:   "test.smallstep.com",
+					Issuer:    "step-cli",
+					NotBefore: jwt.NewNumericDate(now),
+					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					Audience:  validAud,
+					ID:        jti,
+				},
+				SANS: []string{"test.smallstep.com"},
+			}
+			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			assert.FatalError(t, err)
+			csr, err := getCSR(priv)
+			assert.FatalError(t, err)
+			body, err := json.Marshal(&api.SignRequest{
+				CsrPEM:    api.CertificateRequest{CertificateRequest: csr},
+				OTT:       raw,
+				NotBefore: now,
+				NotAfter:  leafExpiry,
+			})
+			assert.FatalError(t, err)
+			return &signTest{
+				ca:     ca,
+				body:   string(body),
+				status: http.StatusCreated,
+			}
+		},
+		"ok-backwards-compat-missing-subject-SAN": func(t *testing.T) *signTest {
+			jti, err := randutil.ASCII(32)
+			assert.FatalError(t, err)
+			cl := struct {
+				jwt.Claims
+				SANS []string `json:"sans"`
+			}{
+				Claims: jwt.Claims{
+					Subject:   "test.smallstep.com",
+					Issuer:    "step-cli",
+					NotBefore: jwt.NewNumericDate(now),
+					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					Audience:  validAud,
+					ID:        jti,
+				},
 			}
 			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
--- a/ca/client.go
+++ b/ca/client.go
@ -15,7 +15,6 @@ import (
 	"encoding/pem"
 	"io"
 	"io/ioutil"
-	"net"
 	"net/http"
 	"net/url"
 	"strconv"
@ -23,6 +22,8 @@ import (

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/api"
+	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/cli/crypto/x509util"
 	"gopkg.in/square/go-jose.v2/jwt"
 )

@ -442,7 +443,7 @@ func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "error parsing ott")
 	}
-	var claims jwt.Claims
+	var claims authority.Claims
 	if err := token.UnsafeClaimsWithoutVerification(&claims); err != nil {
 		return nil, nil, errors.Wrap(err, "error parsing ott")
 	}
@ -452,17 +453,15 @@ func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)
 		return nil, nil, errors.Wrap(err, "error generating key")
 	}

+	dnsNames, ips := x509util.SplitSANs(claims.SANs)
+
 	template := &x509.CertificateRequest{
 		Subject: pkix.Name{
 			CommonName: claims.Subject,
 		},
 		SignatureAlgorithm: x509.ECDSAWithSHA256,
-	}
-
-	if ip := net.ParseIP(claims.Subject); ip != nil {
-		template.IPAddresses = append(template.IPAddresses, ip)
-	} else {
-		template.DNSNames = append(template.DNSNames, claims.Subject)
+		DNSNames:           dnsNames,
+		IPAddresses:        ips,
 	}

 	csr, err := x509.CreateCertificateRequest(rand.Reader, template, pk)
--- a/ca/tls_test.go
+++ b/ca/tls_test.go
@ -39,13 +39,19 @@ func generateOTT(subject string) string {
 	if err != nil {
 		panic(err)
 	}
-	cl := jwt.Claims{
-		ID:        id,
-		Subject:   subject,
-		Issuer:    "mariano",
-		NotBefore: jwt.NewNumericDate(now),
-		Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
-		Audience:  []string{"https://127.0.0.1:0/sign"},
+	cl := struct {
+		jwt.Claims
+		SANS []string `json:"sans"`
+	}{
+		Claims: jwt.Claims{
+			ID:        id,
+			Subject:   subject,
+			Issuer:    "mariano",
+			NotBefore: jwt.NewNumericDate(now),
+			Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+			Audience:  []string{"https://127.0.0.1:0/sign"},
+		},
+		SANS: []string{subject},
 	}
 	raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
 	if err != nil {