Make serving SCEP endpoints optional

Only when a SCEP provisioner is enabled, the SCEP endpoints will now be available. The SCEP endpoints will be served on an "insecure" server, without TLS, only when an additional "insecureAddress" and a SCEP provisioner are configured for the CA.
2021-03-26 15:44:45 +01:00 · 2021-03-26 15:44:45 +01:00 · b815478981
commit b815478981
parent 69d701062a
3 changed files with 46 additions and 29 deletions
--- a/authority/authority.go
+++ b/authority/authority.go
@ -440,6 +440,8 @@ func (a *Authority) CloseForReload() {

 // requiresDecrypter returns whether the Authority
 // requires a KMS that provides a crypto.Decrypter
+// Currently this is only required when SCEP is
+// enabled.
 func (a *Authority) requiresDecrypter() bool {
 	return a.requiresSCEPService()
 }
--- a/ca/ca.go
+++ b/ca/ca.go
@ -115,6 +115,7 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
 	if err != nil {
 		return nil, err
 	}
+	ca.auth = auth

 	tlsConfig, err := ca.getTLSConfig(auth)
 	if err != nil {
@ -166,29 +167,35 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
 		acmeRouterHandler.Route(r)
 	})

-	scepPrefix := "scep"
-	scepAuthority, err := scep.New(auth, scep.AuthorityOptions{
-		Service: auth.GetSCEPService(),
-		DNS:     dns,
-		Prefix:  scepPrefix,
-	})
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating SCEP authority")
-	}
-	scepRouterHandler := scepAPI.New(scepAuthority)
-	mux.Route("/"+scepPrefix, func(r chi.Router) {
-		scepRouterHandler.Route(r)
-	})
+	if ca.shouldServeSCEPEndpoints() {
+		scepPrefix := "scep"
+		scepAuthority, err := scep.New(auth, scep.AuthorityOptions{
+			Service: auth.GetSCEPService(),
+			DNS:     dns,
+			Prefix:  scepPrefix,
+		})
+		if err != nil {
+			return nil, errors.Wrap(err, "error creating SCEP authority")
+		}
+		scepRouterHandler := scepAPI.New(scepAuthority)

-	// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
-	// SCEP operations are performed using HTTP, so that's why the API is mounted
-	// to the insecure mux. To my current understanding there's no strong reason
-	// to not use HTTPS also, so that's why I've kept the API endpoints in both
-	// muxes and both HTTP as well as HTTPS can be used to request certificates
-	// using SCEP.
-	insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
-		scepRouterHandler.Route(r)
-	})
+		// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
+		// SCEP operations are performed using HTTP, so that's why the API is mounted
+		// to the insecure mux.
+		insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
+			scepRouterHandler.Route(r)
+		})
+
+		// The RFC also mentions usage of HTTPS, but seems to advise
+		// against it, because of potential interoperability issues.
+		// Currently I think it's not bad to use HTTPS also, so that's
+		// why I've kept the API endpoints in both muxes and both HTTP
+		// as well as HTTPS can be used to request certificates
+		// using SCEP.
+		mux.Route("/"+scepPrefix, func(r chi.Router) {
+			scepRouterHandler.Route(r)
+		})
+	}

 	// helpful routine for logging all routes
 	//dumpRoutes(mux)
@ -213,14 +220,15 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
 		insecureHandler = logger.Middleware(insecureHandler)
 	}

-	ca.auth = auth
 	ca.srv = server.New(config.Address, handler, tlsConfig)

-	// TODO: instead opt for having a single server.Server but two
-	// http.Servers handling the HTTP and HTTPS handler? The latter
-	// will probably introduce more complexity in terms of graceful
-	// reload.
-	if config.InsecureAddress != "" {
+	// only start the insecure server if the insecure address is configured
+	// and, currently, also only when it should serve SCEP endpoints.
+	if ca.shouldServeSCEPEndpoints() && config.InsecureAddress != "" {
+		// TODO: instead opt for having a single server.Server but two
+		// http.Servers handling the HTTP and HTTPS handler? The latter
+		// will probably introduce more complexity in terms of graceful
+		// reload.
 		ca.insecureSrv = server.New(config.InsecureAddress, insecureHandler, nil)
 	}

@ -375,6 +383,14 @@ func (ca *CA) getTLSConfig(auth *authority.Authority) (*tls.Config, error) {
 	return tlsConfig, nil
 }

+// shouldMountSCEPEndpoints returns if the CA should be
+// configured with endpoints for SCEP. This is assumed to be
+// true if a SCEPService exists, which is true in case a
+// SCEP provisioner was configured.
+func (ca *CA) shouldServeSCEPEndpoints() bool {
+	return ca.auth.GetSCEPService() != nil
+}
+
 //nolint // ignore linters to allow keeping this function around for debugging
 func dumpRoutes(mux chi.Routes) {
 	// helpful routine for logging all routes //
--- a/scep/scep.go
+++ b/scep/scep.go
@ -33,7 +33,6 @@ var (
 	oidSCEPtransactionID  = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 7}
 	oidSCEPfailInfoText   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 24}
 	//oidChallengePassword  = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
-
 )

 // PKIMessage defines the possible SCEP message types