1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
package stepcas
import (
"context"
"net/url"
"strings"
"time"
"github.com/google/uuid"
"github.com/pkg/errors"
"github.com/smallstep/certificates/ca"
"github.com/smallstep/certificates/cas/apiv1"
)
// raAuthorityNS is a custom namespace used to generate endpoint ids based on
// the authority id.
var raAuthorityNS = uuid.MustParse("d6f14c1f-2f92-47bf-a04f-7b2c11382edd")
// newServerEndpointID returns a uuid v5 using raAuthorityNS as the namespace.
// The return uuid will be used as the server endpoint id, it will be unique per
// authority.
func newServerEndpointID(data string) uuid.UUID {
return uuid.NewSHA1(raAuthorityNS, []byte(data))
}
type raInfo struct {
AuthorityID string `json:"authorityId,omitempty"`
EndpointID string `json:"endpointId,omitempty"`
ProvisionerID string `json:"provisionerId,omitempty"`
ProvisionerType string `json:"provisionerType,omitempty"`
ProvisionerName string `json:"provisionerName,omitempty"`
}
type stepIssuer interface {
SignToken(subject string, sans []string, info *raInfo) (string, error)
RevokeToken(subject string) (string, error)
Lifetime(d time.Duration) time.Duration
}
// newStepIssuer returns the configured step issuer.
func newStepIssuer(ctx context.Context, caURL *url.URL, client *ca.Client, iss *apiv1.CertificateIssuer) (stepIssuer, error) {
if err := validateCertificateIssuer(iss); err != nil {
return nil, err
}
switch strings.ToLower(iss.Type) {
case "x5c":
return newX5CIssuer(caURL, iss)
case "jwk":
return newJWKIssuer(ctx, caURL, client, iss)
default:
return nil, errors.Errorf("stepCAS `certificateIssuer.type` %s is not supported", iss.Type)
}
}
// validateCertificateIssuer validates the configuration of the certificate
// issuer.
func validateCertificateIssuer(iss *apiv1.CertificateIssuer) error {
switch {
case iss == nil:
return errors.New("stepCAS 'certificateIssuer' cannot be nil")
case iss.Type == "":
return errors.New("stepCAS `certificateIssuer.type` cannot be empty")
}
switch strings.ToLower(iss.Type) {
case "x5c":
return validateX5CIssuer(iss)
case "jwk":
return validateJWKIssuer(iss)
default:
return errors.Errorf("stepCAS `certificateIssuer.type` %s is not supported", iss.Type)
}
}
// validateX5CIssuer validates the configuration of x5c issuer.
func validateX5CIssuer(iss *apiv1.CertificateIssuer) error {
switch {
case iss.Certificate == "":
return errors.New("stepCAS `certificateIssuer.crt` cannot be empty")
case iss.Key == "":
return errors.New("stepCAS `certificateIssuer.key` cannot be empty")
case iss.Provisioner == "":
return errors.New("stepCAS `certificateIssuer.provisioner` cannot be empty")
default:
return nil
}
}
// validateJWKIssuer validates the configuration of jwk issuer. If the key is
// not given, then it will download it from the CA. If the password is not set
// it will be prompted.
func validateJWKIssuer(iss *apiv1.CertificateIssuer) error {
switch iss.Provisioner {
case "":
return errors.New("stepCAS `certificateIssuer.provisioner` cannot be empty")
default:
return nil
}
}
|
