File: jwk_issuer.go

package info (click to toggle)
golang-github-smallstep-certificates 0.20.0-5
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 23,144 kB
  • sloc: sh: 278; makefile: 170
file content (157 lines) | stat: -rw-r--r-- 3,927 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
 
package stepcas

import (
	"crypto"
	"encoding/json"
	"net/url"
	"time"

	"github.com/pkg/errors"
	"github.com/smallstep/certificates/authority/provisioner"
	"github.com/smallstep/certificates/ca"
	"github.com/smallstep/certificates/cas/apiv1"
	"go.step.sm/cli-utils/ui"
	"go.step.sm/crypto/jose"
	"go.step.sm/crypto/randutil"
)

type jwkIssuer struct {
	caURL  *url.URL
	issuer string
	signer jose.Signer
}

func newJWKIssuer(caURL *url.URL, client *ca.Client, cfg *apiv1.CertificateIssuer) (*jwkIssuer, error) {
	var err error
	var signer jose.Signer
	// Read the key from the CA if not provided.
	// Or read it from a PEM file.
	if cfg.Key == "" {
		p, err := findProvisioner(client, provisioner.TypeJWK, cfg.Provisioner)
		if err != nil {
			return nil, err
		}
		kid, key, ok := p.GetEncryptedKey()
		if !ok {
			return nil, errors.Errorf("provisioner with name %s does not have an encrypted key", cfg.Provisioner)
		}
		signer, err = newJWKSignerFromEncryptedKey(kid, key, cfg.Password)
		if err != nil {
			return nil, err
		}
	} else {
		signer, err = newJWKSigner(cfg.Key, cfg.Password)
		if err != nil {
			return nil, err
		}
	}

	return &jwkIssuer{
		caURL:  caURL,
		issuer: cfg.Provisioner,
		signer: signer,
	}, nil
}

func (i *jwkIssuer) SignToken(subject string, sans []string) (string, error) {
	aud := i.caURL.ResolveReference(&url.URL{
		Path: "/1.0/sign",
	}).String()
	return i.createToken(aud, subject, sans)
}

func (i *jwkIssuer) RevokeToken(subject string) (string, error) {
	aud := i.caURL.ResolveReference(&url.URL{
		Path: "/1.0/revoke",
	}).String()
	return i.createToken(aud, subject, nil)
}

func (i *jwkIssuer) Lifetime(d time.Duration) time.Duration {
	return d
}

func (i *jwkIssuer) createToken(aud, sub string, sans []string) (string, error) {
	id, err := randutil.Hex(64) // 256 bits
	if err != nil {
		return "", err
	}

	claims := defaultClaims(i.issuer, sub, aud, id)
	builder := jose.Signed(i.signer).Claims(claims)
	if len(sans) > 0 {
		builder = builder.Claims(map[string]interface{}{
			"sans": sans,
		})
	}

	tok, err := builder.CompactSerialize()
	if err != nil {
		return "", errors.Wrap(err, "error signing token")
	}

	return tok, nil
}

func newJWKSigner(keyFile, password string) (jose.Signer, error) {
	signer, err := readKey(keyFile, password)
	if err != nil {
		return nil, err
	}
	kid, err := jose.Thumbprint(&jose.JSONWebKey{Key: signer.Public()})
	if err != nil {
		return nil, err
	}
	so := new(jose.SignerOptions)
	so.WithType("JWT")
	so.WithHeader("kid", kid)
	return newJoseSigner(signer, so)
}

func newJWKSignerFromEncryptedKey(kid, key, password string) (jose.Signer, error) {
	var jwk jose.JSONWebKey

	// If the password is empty it will use the password prompter.
	b, err := jose.Decrypt([]byte(key),
		jose.WithPassword([]byte(password)),
		jose.WithPasswordPrompter("Please enter the password to decrypt the provisioner key", func(msg string) ([]byte, error) {
			return ui.PromptPassword(msg)
		}))
	if err != nil {
		return nil, err
	}

	// Decrypt returns the JSON representation of the JWK.
	if err := json.Unmarshal(b, &jwk); err != nil {
		return nil, errors.Wrap(err, "error parsing provisioner key")
	}

	signer, ok := jwk.Key.(crypto.Signer)
	if !ok {
		return nil, errors.New("error parsing provisioner key: key is not a crypto.Signer")
	}

	so := new(jose.SignerOptions)
	so.WithType("JWT")
	so.WithHeader("kid", kid)
	return newJoseSigner(signer, so)
}

func findProvisioner(client *ca.Client, typ provisioner.Type, name string) (provisioner.Interface, error) {
	cursor := ""
	for {
		ps, err := client.Provisioners(ca.WithProvisionerCursor(cursor))
		if err != nil {
			return nil, err
		}
		for _, p := range ps.Provisioners {
			if p.GetType() == typ && p.GetName() == name {
				return p, nil
			}
		}
		if ps.NextCursor == "" {
			return nil, errors.Errorf("provisioner with name %s was not found", name)
		}
		cursor = ps.NextCursor
	}
}