certificates/ca/identity/identity.go
Mariano Cano c5234e9c61 Refactor tls tunnel connections.
New method will use an identity-like file with the configuration
used to create the (m)TLS connection to the tunnel.
2021-04-21 16:20:53 -07:00

336 lines
9.1 KiB
Go

package identity
import (
"bytes"
"crypto"
"crypto/tls"
"crypto/x509"
"encoding/json"
"encoding/pem"
"io/ioutil"
"net/http"
"os"
"path/filepath"
"strings"
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/api"
"go.step.sm/cli-utils/config"
"go.step.sm/crypto/pemutil"
)
// Type represents the different types of identity files.
type Type string
// Disabled represents a disabled identity type
const Disabled Type = ""
// MutualTLS represents the identity using mTLS.
const MutualTLS Type = "mTLS"
// TunnelTLS represents an identity using a (m)TLS tunnel.
//
// TunnelTLS can be optionally configured with client certificates and a root
// file with the CAs to trust. By default it will use the system truststore
// instead of the CA truststore.
const TunnelTLS Type = "tTLS"
// DefaultLeeway is the duration for matching not before claims.
const DefaultLeeway = 1 * time.Minute
// IdentityFile contains the location of the identity file.
var IdentityFile = filepath.Join(config.StepPath(), "config", "identity.json")
// DefaultsFile contains the location of the defaults file.
var DefaultsFile = filepath.Join(config.StepPath(), "config", "defaults.json")
// Identity represents the identity file that can be used to authenticate with
// the CA.
type Identity struct {
Type string `json:"type"`
Certificate string `json:"crt"`
Key string `json:"key"`
// Host is the tunnel host for a TunnelTLS (tTLS) identity.
Host string `json:"host,omitempty"`
// Root is the CA bundle of root CAs used in TunnelTLS to trust the
// certificate of the host.
Root string `json:"root,omitempty"`
}
// LoadIdentity loads an identity present in the given filename.
func LoadIdentity(filename string) (*Identity, error) {
b, err := ioutil.ReadFile(filename)
if err != nil {
return nil, errors.Wrapf(err, "error reading %s", filename)
}
identity := new(Identity)
if err := json.Unmarshal(b, &identity); err != nil {
return nil, errors.Wrapf(err, "error unmarshaling %s", filename)
}
return identity, nil
}
// LoadDefaultIdentity loads the default identity.
func LoadDefaultIdentity() (*Identity, error) {
return LoadIdentity(IdentityFile)
}
// configDir and identityDir are used in WriteDefaultIdentity for testing
// purposes.
var (
configDir = filepath.Join(config.StepPath(), "config")
identityDir = filepath.Join(config.StepPath(), "identity")
)
// WriteDefaultIdentity writes the given certificates and key and the
// identity.json pointing to the new files.
func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error {
if err := os.MkdirAll(configDir, 0700); err != nil {
return errors.Wrap(err, "error creating config directory")
}
if err := os.MkdirAll(identityDir, 0700); err != nil {
return errors.Wrap(err, "error creating identity directory")
}
certFilename := filepath.Join(identityDir, "identity.crt")
keyFilename := filepath.Join(identityDir, "identity_key")
// Write certificate
if err := writeCertificate(certFilename, certChain); err != nil {
return err
}
// Write key
buf := new(bytes.Buffer)
block, err := pemutil.Serialize(key)
if err != nil {
return err
}
if err := pem.Encode(buf, block); err != nil {
return errors.Wrap(err, "error encoding identity key")
}
if err := ioutil.WriteFile(keyFilename, buf.Bytes(), 0600); err != nil {
return errors.Wrap(err, "error writing identity certificate")
}
// Write identity.json
buf.Reset()
enc := json.NewEncoder(buf)
enc.SetIndent("", " ")
if err := enc.Encode(Identity{
Type: string(MutualTLS),
Certificate: certFilename,
Key: keyFilename,
}); err != nil {
return errors.Wrap(err, "error writing identity json")
}
if err := ioutil.WriteFile(IdentityFile, buf.Bytes(), 0600); err != nil {
return errors.Wrap(err, "error writing identity certificate")
}
return nil
}
// writeCertificate writes the given certificate on disk.
func writeCertificate(filename string, certChain []api.Certificate) error {
buf := new(bytes.Buffer)
for _, crt := range certChain {
block := &pem.Block{
Type: "CERTIFICATE",
Bytes: crt.Raw,
}
if err := pem.Encode(buf, block); err != nil {
return errors.Wrap(err, "error encoding certificate")
}
}
if err := ioutil.WriteFile(filename, buf.Bytes(), 0600); err != nil {
return errors.Wrap(err, "error writing certificate")
}
return nil
}
// Kind returns the type for the given identity.
func (i *Identity) Kind() Type {
switch strings.ToLower(i.Type) {
case "":
return Disabled
case "mtls":
return MutualTLS
case "ttls":
return TunnelTLS
default:
return Type(i.Type)
}
}
// Validate validates the identity object.
func (i *Identity) Validate() error {
switch i.Kind() {
case Disabled:
return nil
case MutualTLS:
if i.Certificate == "" {
return errors.New("identity.crt cannot be empty")
}
if i.Key == "" {
return errors.New("identity.key cannot be empty")
}
if err := fileExists(i.Certificate); err != nil {
return err
}
return fileExists(i.Key)
case TunnelTLS:
if i.Host == "" {
return errors.New("tunnel.crt cannot be empty")
}
if i.Certificate != "" {
if err := fileExists(i.Certificate); err != nil {
return err
}
if i.Key == "" {
return errors.New("tunnel.key cannot be empty")
}
if err := fileExists(i.Key); err != nil {
return err
}
}
if i.Root != "" {
if err := fileExists(i.Root); err != nil {
return err
}
}
return nil
default:
return errors.Errorf("unsupported identity type %s", i.Type)
}
}
// TLSCertificate returns a tls.Certificate for the identity.
func (i *Identity) TLSCertificate() (tls.Certificate, error) {
fail := func(err error) (tls.Certificate, error) { return tls.Certificate{}, err }
switch i.Kind() {
case Disabled:
return tls.Certificate{}, nil
case MutualTLS, TunnelTLS:
crt, err := tls.LoadX509KeyPair(i.Certificate, i.Key)
if err != nil {
return fail(errors.Wrap(err, "error creating identity certificate"))
}
// Check if certificate is expired.
x509Cert, err := x509.ParseCertificate(crt.Certificate[0])
if err != nil {
return fail(errors.Wrap(err, "error creating identity certificate"))
}
now := time.Now().Truncate(time.Second)
if now.Add(DefaultLeeway).Before(x509Cert.NotBefore) {
return fail(errors.New("certificate is not yet valid"))
}
if now.After(x509Cert.NotAfter) {
return fail(errors.New("certificate is already expired"))
}
return crt, nil
default:
return fail(errors.Errorf("unsupported identity type %s", i.Type))
}
}
// GetClientCertificateFunc returns a method that can be used as the
// GetClientCertificate property in a tls.Config.
func (i *Identity) GetClientCertificateFunc() func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
crt, err := tls.LoadX509KeyPair(i.Certificate, i.Key)
if err != nil {
return nil, errors.Wrap(err, "error loading identity certificate")
}
return &crt, nil
}
}
// GetCertPool returns a x509.CertPool if the identity defines a custom root.
func (i *Identity) GetCertPool() (*x509.CertPool, error) {
if i.Root == "" {
return nil, nil
}
b, err := ioutil.ReadFile(i.Root)
if err != nil {
return nil, errors.Wrap(err, "error reading identity root")
}
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(b) {
return nil, errors.Errorf("error pasing identity root: %s does not contain any certificate", i.Root)
}
return pool, nil
}
// Renewer is that interface that a renew client must implement.
type Renewer interface {
GetRootCAs() *x509.CertPool
Renew(tr http.RoundTripper) (*api.SignResponse, error)
}
// Renew renews the current identity certificate using a client with a renew
// method.
func (i *Identity) Renew(client Renewer) error {
switch i.Kind() {
case Disabled:
return nil
case MutualTLS, TunnelTLS:
cert, err := i.TLSCertificate()
if err != nil {
return err
}
tr := http.DefaultTransport.(*http.Transport).Clone()
tr.TLSClientConfig = &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: client.GetRootCAs(),
PreferServerCipherSuites: true,
}
sign, err := client.Renew(tr)
if err != nil {
return err
}
if sign.CertChainPEM == nil || len(sign.CertChainPEM) == 0 {
sign.CertChainPEM = []api.Certificate{sign.ServerPEM, sign.CaPEM}
}
// Write certificate
buf := new(bytes.Buffer)
for _, crt := range sign.CertChainPEM {
block := &pem.Block{
Type: "CERTIFICATE",
Bytes: crt.Raw,
}
if err := pem.Encode(buf, block); err != nil {
return errors.Wrap(err, "error encoding identity certificate")
}
}
certFilename := filepath.Join(identityDir, "identity.crt")
if err := ioutil.WriteFile(certFilename, buf.Bytes(), 0600); err != nil {
return errors.Wrap(err, "error writing identity certificate")
}
return nil
default:
return errors.Errorf("unsupported identity type %s", i.Type)
}
}
func fileExists(filename string) error {
info, err := os.Stat(filename)
if err != nil {
return errors.Wrapf(err, "error reading %s", filename)
}
if info.IsDir() {
return errors.Errorf("error reading %s: file is a directory", filename)
}
return nil
}