mbiryukova/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Make serving SCEP endpoints optional

Browse source 
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.

The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
This commit is contained in:
Herman Slatman 2021-03-26 15:44:45 +01:00
parent 69d701062a
commit b815478981
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
3 changed files with 46 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
authority/authority.go
View file

@ -440,6 +440,8 @@ func (a *Authority) CloseForReload() {
// requiresDecrypter returns whether the Authority // requiresDecrypter returns whether the Authority
// requires a KMS that provides a crypto.Decrypter // requires a KMS that provides a crypto.Decrypter
// Currently this is only required when SCEP is
// enabled.
func (a *Authority) requiresDecrypter() bool { func (a *Authority) requiresDecrypter() bool {
return a.requiresSCEPService() return a.requiresSCEPService()
} }

72
ca/ca.go
View file

@ -115,6 +115,7 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
ca.auth = auth
tlsConfig, err := ca.getTLSConfig(auth) tlsConfig, err := ca.getTLSConfig(auth)
if err != nil { if err != nil {
@ -166,29 +167,35 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
acmeRouterHandler.Route(r) acmeRouterHandler.Route(r)
}) })
scepPrefix := "scep" if ca.shouldServeSCEPEndpoints() {
scepAuthority, err := scep.New(auth, scep.AuthorityOptions{ scepPrefix := "scep"
Service: auth.GetSCEPService(), scepAuthority, err := scep.New(auth, scep.AuthorityOptions{
DNS: dns, Service: auth.GetSCEPService(),
Prefix: scepPrefix, DNS: dns,
}) Prefix: scepPrefix,
if err != nil { })
return nil, errors.Wrap(err, "error creating SCEP authority") if err != nil {
} return nil, errors.Wrap(err, "error creating SCEP authority")
scepRouterHandler := scepAPI.New(scepAuthority) }
mux.Route("/"+scepPrefix, func(r chi.Router) { scepRouterHandler := scepAPI.New(scepAuthority)
scepRouterHandler.Route(r)
})
// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10), // According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
// SCEP operations are performed using HTTP, so that's why the API is mounted // SCEP operations are performed using HTTP, so that's why the API is mounted
// to the insecure mux. To my current understanding there's no strong reason // to the insecure mux.
// to not use HTTPS also, so that's why I've kept the API endpoints in both insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
// muxes and both HTTP as well as HTTPS can be used to request certificates scepRouterHandler.Route(r)
// using SCEP. })
insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
scepRouterHandler.Route(r) // The RFC also mentions usage of HTTPS, but seems to advise
}) // against it, because of potential interoperability issues.
// Currently I think it's not bad to use HTTPS also, so that's
// why I've kept the API endpoints in both muxes and both HTTP
// as well as HTTPS can be used to request certificates
// using SCEP.
mux.Route("/"+scepPrefix, func(r chi.Router) {
scepRouterHandler.Route(r)
})
}
// helpful routine for logging all routes // helpful routine for logging all routes
//dumpRoutes(mux) //dumpRoutes(mux)
@ -213,14 +220,15 @@ func (ca *CA) Init(config *authority.Config) (*CA, error) {
insecureHandler = logger.Middleware(insecureHandler) insecureHandler = logger.Middleware(insecureHandler)
} }
ca.auth = auth
ca.srv = server.New(config.Address, handler, tlsConfig) ca.srv = server.New(config.Address, handler, tlsConfig)
// TODO: instead opt for having a single server.Server but two // only start the insecure server if the insecure address is configured
// http.Servers handling the HTTP and HTTPS handler? The latter // and, currently, also only when it should serve SCEP endpoints.
// will probably introduce more complexity in terms of graceful if ca.shouldServeSCEPEndpoints() && config.InsecureAddress != "" {
// reload. // TODO: instead opt for having a single server.Server but two
if config.InsecureAddress != "" { // http.Servers handling the HTTP and HTTPS handler? The latter
// will probably introduce more complexity in terms of graceful
// reload.
ca.insecureSrv = server.New(config.InsecureAddress, insecureHandler, nil) ca.insecureSrv = server.New(config.InsecureAddress, insecureHandler, nil)
} }
@ -375,6 +383,14 @@ func (ca *CA) getTLSConfig(auth *authority.Authority) (*tls.Config, error) {
return tlsConfig, nil return tlsConfig, nil
} }
// shouldMountSCEPEndpoints returns if the CA should be
// configured with endpoints for SCEP. This is assumed to be
// true if a SCEPService exists, which is true in case a
// SCEP provisioner was configured.
func (ca *CA) shouldServeSCEPEndpoints() bool {
return ca.auth.GetSCEPService() != nil
}
//nolint // ignore linters to allow keeping this function around for debugging //nolint // ignore linters to allow keeping this function around for debugging
func dumpRoutes(mux chi.Routes) { func dumpRoutes(mux chi.Routes) {
// helpful routine for logging all routes // // helpful routine for logging all routes //

1
scep/scep.go
View file

@ -33,7 +33,6 @@ var (
oidSCEPtransactionID = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 7} oidSCEPtransactionID = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 7}
oidSCEPfailInfoText = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 24} oidSCEPfailInfoText = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 24}
//oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7} //oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
) )
// PKIMessage defines the possible SCEP message types // PKIMessage defines the possible SCEP message types