Add ACME permanent-identifier identifier type

2 years ago · 2ac8b69da2
parent aacd6f4cc6
commit 2ac8b69da2
4 changed files with 400 additions and 20 deletions
--- a/acme/api/order.go
+++ b/acme/api/order.go
@ -33,7 +33,7 @@ func (n *NewOrderRequest) Validate() error {
 		return acme.NewError(acme.ErrorMalformedType, "identifiers list cannot be empty")
 	}
 	for _, id := range n.Identifiers {
-		if !(id.Type == acme.DNS || id.Type == acme.IP) {
+		if !(id.Type == acme.DNS || id.Type == acme.IP || id.Type == acme.PermanentIdentifier) {
 			return acme.NewError(acme.ErrorMalformedType, "identifier type unsupported: %s", id.Type)
 		}
 		if id.Type == acme.IP && net.ParseIP(id.Value) == nil {
@ -373,6 +373,8 @@ func challengeTypes(az *acme.Authorization) []acme.ChallengeType {
 		if !az.Wildcard {
 			chTypes = append(chTypes, []acme.ChallengeType{acme.HTTP01, acme.TLSALPN01}...)
 		}
+	case acme.PermanentIdentifier:
+		chTypes = []acme.ChallengeType{acme.DEVICEATTEST01}
 	default:
 		chTypes = []acme.ChallengeType{}
 	}
--- a/acme/order.go
+++ b/acme/order.go
@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"

+	"github.com/google/go-attestation/oid"
+	attest_x509 "github.com/google/go-attestation/x509"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"go.step.sm/crypto/x509util"
 )
@ -21,6 +23,8 @@ const (
 	IP IdentifierType = "ip"
 	// DNS is the ACME dns identifier type
 	DNS IdentifierType = "dns"
+	// DNS is the ACME dns identifier type
+	PermanentIdentifier IdentifierType = "permanent-identifier"
 )

 // Identifier encodes the type that an order pertains to.
@ -151,6 +155,11 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 		return err
 	}

+	deviceIDs, err := o.deviceIDs(csr)
+	if err != nil {
+		return err
+	}
+
 	// Get authorizations from the ACME provisioner.
 	ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
 	signOps, err := p.AuthorizeSign(ctx, "")
@ -162,13 +171,13 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 	data := x509util.NewTemplateData()
 	data.SetCommonName(csr.Subject.CommonName)
 	data.Set(x509util.SANsKey, sans)
+	data.SetPermanentIdentifiers(deviceIDs)

 	templateOptions, err := provisioner.TemplateOptions(p.GetOptions(), data)
 	if err != nil {
 		return WrapErrorISE(err, "error creating template options from ACME provisioner")
 	}
 	signOps = append(signOps, templateOptions)
-
 	// Sign a new certificate.
 	certChain, err := auth.Sign(csr, provisioner.SignOptions{
 		NotBefore: provisioner.NewTimeDuration(o.NotBefore),
@ -207,7 +216,8 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 	// order the DNS names and IP addresses, so that they can be compared against the canonicalized CSR
 	orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers))
 	orderIPs := make([]net.IP, numberOfIdentifierType(IP, o.Identifiers))
-	indexDNS, indexIP := 0, 0
+	orderPIDs := make([]string, numberOfIdentifierType(PermanentIdentifier, o.Identifiers))
+	indexDNS, indexIP, indexPID := 0, 0, 0
 	for _, n := range o.Identifiers {
 		switch n.Type {
 		case DNS:
@ -216,6 +226,9 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 		case IP:
 			orderIPs[indexIP] = net.ParseIP(n.Value) // NOTE: this assumes are all valid IPs at this time; or will result in nil entries
 			indexIP++
+		case PermanentIdentifier:
+			orderPIDs[indexPID] = n.Value
+			indexPID++
 		default:
 			return sans, NewErrorISE("unsupported identifier type in order: %s", n.Type)
 		}
@ -269,6 +282,25 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 	return sans, nil
 }

+func (o *Order) deviceIDs(csr *x509.CertificateRequest) ([]x509util.PermanentIdentifier, error) {
+	var permIDs []x509util.PermanentIdentifier
+	for _, ext := range csr.Extensions {
+		if ext.Id.Equal(oid.SubjectAltName) {
+			san, err := attest_x509.ParseSubjectAltName(ext)
+			if err != nil {
+				return nil, err
+			}
+			for _, pi := range san.PermanentIdentifiers {
+				permIDs = append(permIDs, x509util.PermanentIdentifier{
+					Value:    pi.IdentifierValue,
+					Assigner: pi.Assigner,
+				})
+			}
+		}
+	}
+	return permIDs, nil
+}
+
 // numberOfIdentifierType returns the number of Identifiers that
 // are of type typ.
 func numberOfIdentifierType(typ IdentifierType, ids []Identifier) int {
--- a/go.mod
+++ b/go.mod
@ -16,25 +16,19 @@ require (
 	github.com/ThalesIgnite/crypto11 v1.2.4
 	github.com/aws/aws-sdk-go v1.37.0
 	github.com/dgraph-io/ristretto v0.0.4-0.20200906165740-41ebdbffecfd // indirect
-	github.com/fatih/color v1.9.0 // indirect
-	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/go-chi/chi v4.0.2+incompatible
-	github.com/go-kit/kit v0.10.0 // indirect
 	github.com/go-piv/piv-go v1.7.0
-	github.com/go-sql-driver/mysql v1.6.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.5.7
+	github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9
+	github.com/google/go-cmp v0.5.8
 	github.com/google/uuid v1.3.0
 	github.com/googleapis/gax-go/v2 v2.1.1
 	github.com/hashicorp/vault/api v1.3.1
 	github.com/hashicorp/vault/api/auth/approle v0.1.1
 	github.com/hashicorp/vault/api/auth/kubernetes v0.1.0
-	github.com/jhump/protoreflect v1.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.13 // indirect
 	github.com/micromdm/scep/v2 v2.1.0
-	github.com/miekg/pkcs11 v1.0.3 // indirect
 	github.com/newrelic/go-agent v2.15.0+incompatible
 	github.com/pkg/errors v0.9.1
 	github.com/rs/xid v1.2.1
@ -44,7 +38,6 @@ require (
 	github.com/smallstep/nosql v0.4.0
 	github.com/stretchr/testify v1.7.1
 	github.com/urfave/cli v1.22.4
-	go.etcd.io/bbolt v1.3.6 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.0
 	go.step.sm/crypto v0.16.2
@ -52,7 +45,6 @@ require (
 	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
 	golang.org/x/net v0.0.0-20220403103023-749bd193bc2b
 	golang.org/x/sys v0.0.0-20220405052023-b1e9470b6e64 // indirect
-	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
 	google.golang.org/api v0.70.0
 	google.golang.org/genproto v0.0.0-20220401170504-314d38edb7de
 	google.golang.org/grpc v1.45.0
@ -68,3 +60,7 @@ require (

 // use github.com/smallstep/pkcs7 fork with patches applied
 replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20211016004704-52592125d6f6
+
+replace go.step.sm/crypto => github.com/brandonweeks/crypto v0.16.2-0.20220531234114-45e4f06ca16b
+
+replace github.com/google/go-attestation => github.com/brandonweeks/go-attestation v0.0.0-20220602235615-164122a1d59b
--- a/go.sum
+++ b/go.sum