Merge branch 'master' into hs/acme-revocation

3 years ago · 3bc3957b06
parent 0524122191 53ebd85327
commit 3bc3957b06
18 changed files with 151 additions and 118 deletions
--- a/README.md
+++ b/README.md
@ -42,6 +42,8 @@ To get up and running quickly, or as an alternative to running your own `step-ca
 [![GitHub stars](https://img.shields.io/github/stars/smallstep/certificates.svg?style=social)](https://github.com/smallstep/certificates/stargazers)
 [![Twitter followers](https://img.shields.io/twitter/follow/smallsteplabs.svg?label=Follow&style=social)](https://twitter.com/intent/follow?screen_name=smallsteplabs)

+![star us](https://github.com/smallstep/certificates/raw/master/docs/images/star.gif)
+
 ## Features

 ### 🦾 A fast, stable, flexible private CA
--- a/api/api.go
+++ b/api/api.go
@ -348,7 +348,7 @@ func (h *caHandler) ProvisionerKey(w http.ResponseWriter, r *http.Request) {
 func (h *caHandler) Roots(w http.ResponseWriter, r *http.Request) {
 	roots, err := h.Authority.GetRoots()
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error getting roots"))
 		return
 	}

@ -366,7 +366,7 @@ func (h *caHandler) Roots(w http.ResponseWriter, r *http.Request) {
 func (h *caHandler) Federation(w http.ResponseWriter, r *http.Request) {
 	federated, err := h.Authority.GetFederation()
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error getting federated roots"))
 		return
 	}

--- a/api/revoke.go
+++ b/api/revoke.go
@ -96,7 +96,7 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := h.Authority.Revoke(ctx, opts); err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error revoking certificate"))
 		return
 	}

--- a/api/sign.go
+++ b/api/sign.go
@ -74,7 +74,7 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {

 	certChain, err := h.Authority.Sign(body.CsrPEM.CertificateRequest, opts, signOpts...)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error signing certificate"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)
--- a/api/ssh.go
+++ b/api/ssh.go
@ -293,7 +293,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {

 	cert, err := h.Authority.SignSSH(ctx, publicKey, opts, signOpts...)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 		return
 	}

@ -301,7 +301,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 	if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
 		addUserCert, err := h.Authority.SignSSHAddUser(ctx, addUserPublicKey, cert)
 		if err != nil {
-			WriteError(w, errs.ForbiddenErr(err))
+			WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 			return
 		}
 		addUserCertificate = &SSHCertificate{addUserCert}
@ -326,7 +326,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {

 		certChain, err := h.Authority.Sign(cr, provisioner.SignOptions{}, signOpts...)
 		if err != nil {
-			WriteError(w, errs.ForbiddenErr(err))
+			WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 			return
 		}
 		identityCertificate = certChainToPEM(certChain)
--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@ -68,7 +68,7 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {

 	newCert, err := h.Authority.RekeySSH(ctx, oldCert, publicKey, signOpts...)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error rekeying ssh certificate"))
 		return
 	}

@ -78,7 +78,7 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {

 	identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
 		return
 	}

--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@ -60,7 +60,7 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {

 	newCert, err := h.Authority.RenewSSH(ctx, oldCert)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error renewing ssh certificate"))
 		return
 	}

@ -70,7 +70,7 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {

 	identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
 		return
 	}

--- a/api/sshRevoke.go
+++ b/api/sshRevoke.go
@ -75,7 +75,7 @@ func (h *caHandler) SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	opts.OTT = body.OTT

 	if err := h.Authority.Revoke(ctx, opts); err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))
 		return
 	}

--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@ -9,12 +9,14 @@ import (
 	"encoding/asn1"
 	"encoding/json"
 	"net"
+	"net/http"
 	"net/url"
 	"reflect"
 	"time"

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
+	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/x509util"
 )

@ -83,19 +85,19 @@ type emailOnlyIdentity string
 func (e emailOnlyIdentity) Valid(req *x509.CertificateRequest) error {
 	switch {
 	case len(req.DNSNames) > 0:
-		return errors.New("certificate request cannot contain DNS names")
+		return errs.Forbidden("certificate request cannot contain DNS names")
 	case len(req.IPAddresses) > 0:
-		return errors.New("certificate request cannot contain IP addresses")
+		return errs.Forbidden("certificate request cannot contain IP addresses")
 	case len(req.URIs) > 0:
-		return errors.New("certificate request cannot contain URIs")
+		return errs.Forbidden("certificate request cannot contain URIs")
 	case len(req.EmailAddresses) == 0:
-		return errors.New("certificate request does not contain any email address")
+		return errs.Forbidden("certificate request does not contain any email address")
 	case len(req.EmailAddresses) > 1:
-		return errors.New("certificate request contains too many email addresses")
+		return errs.Forbidden("certificate request contains too many email addresses")
 	case req.EmailAddresses[0] == "":
-		return errors.New("certificate request cannot contain an empty email address")
+		return errs.Forbidden("certificate request cannot contain an empty email address")
 	case req.EmailAddresses[0] != string(e):
-		return errors.Errorf("certificate request does not contain the valid email address, got %s, want %s", req.EmailAddresses[0], e)
+		return errs.Forbidden("certificate request does not contain the valid email address - got %s, want %s", req.EmailAddresses[0], e)
 	default:
 		return nil
 	}
@ -108,12 +110,13 @@ type defaultPublicKeyValidator struct{}
 func (v defaultPublicKeyValidator) Valid(req *x509.CertificateRequest) error {
 	switch k := req.PublicKey.(type) {
 	case *rsa.PublicKey:
-		if k.Size() < 256 {
-			return errors.New("rsa key in CSR must be at least 2048 bits (256 bytes)")
+		if k.Size() < keyutil.MinRSAKeyBytes {
+			return errs.Forbidden("certificate request RSA key must be at least %d bits (%d bytes)",
+				8*keyutil.MinRSAKeyBytes, keyutil.MinRSAKeyBytes)
 		}
 	case *ecdsa.PublicKey, ed25519.PublicKey:
 	default:
-		return errors.Errorf("unrecognized public key of type '%T' in CSR", k)
+		return errs.BadRequest("certificate request key of type '%T' is not supported", k)
 	}
 	return nil
 }
@ -139,11 +142,12 @@ func (v publicKeyMinimumLengthValidator) Valid(req *x509.CertificateRequest) err
 	case *rsa.PublicKey:
 		minimumLengthInBytes := v.length / 8
 		if k.Size() < minimumLengthInBytes {
-			return errors.Errorf("rsa key in CSR must be at least %d bits (%d bytes)", v.length, minimumLengthInBytes)
+			return errs.Forbidden("certificate request RSA key must be at least %d bits (%d bytes)",
+				v.length, minimumLengthInBytes)
 		}
 	case *ecdsa.PublicKey, ed25519.PublicKey:
 	default:
-		return errors.Errorf("unrecognized public key of type '%T' in CSR", k)
+		return errs.BadRequest("certificate request key of type '%T' is not supported", k)
 	}
 	return nil
 }
@ -158,7 +162,7 @@ func (v commonNameValidator) Valid(req *x509.CertificateRequest) error {
 		return nil
 	}
 	if req.Subject.CommonName != string(v) {
-		return errors.Errorf("certificate request does not contain the valid common name; requested common name = %s, token subject = %s", req.Subject.CommonName, v)
+		return errs.Forbidden("certificate request does not contain the valid common name - got %s, want %s", req.Subject.CommonName, v)
 	}
 	return nil
 }
@ -176,7 +180,7 @@ func (v commonNameSliceValidator) Valid(req *x509.CertificateRequest) error {
 			return nil
 		}
 	}
-	return errors.Errorf("certificate request does not contain the valid common name, got %s, want %s", req.Subject.CommonName, v)
+	return errs.Forbidden("certificate request does not contain the valid common name - got %s, want %s", req.Subject.CommonName, v)
 }

 // dnsNamesValidator validates the DNS names SAN of a certificate request.
@ -197,7 +201,7 @@ func (v dnsNamesValidator) Valid(req *x509.CertificateRequest) error {
 		got[s] = true
 	}
 	if !reflect.DeepEqual(want, got) {
-		return errors.Errorf("certificate request does not contain the valid DNS names - got %v, want %v", req.DNSNames, v)
+		return errs.Forbidden("certificate request does not contain the valid DNS names - got %v, want %v", req.DNSNames, v)
 	}
 	return nil
 }
@ -220,7 +224,7 @@ func (v ipAddressesValidator) Valid(req *x509.CertificateRequest) error {
 		got[ip.String()] = true
 	}
 	if !reflect.DeepEqual(want, got) {
-		return errors.Errorf("IP Addresses claim failed - got %v, want %v", req.IPAddresses, v)
+		return errs.Forbidden("certificate request does not contain the valid IP addresses - got %v, want %v", req.IPAddresses, v)
 	}
 	return nil
 }
@ -243,7 +247,7 @@ func (v emailAddressesValidator) Valid(req *x509.CertificateRequest) error {
 		got[s] = true
 	}
 	if !reflect.DeepEqual(want, got) {
-		return errors.Errorf("certificate request does not contain the valid Email Addresses - got %v, want %v", req.EmailAddresses, v)
+		return errs.Forbidden("certificate request does not contain the valid email addresses - got %v, want %v", req.EmailAddresses, v)
 	}
 	return nil
 }
@ -266,7 +270,7 @@ func (v urisValidator) Valid(req *x509.CertificateRequest) error {
 		got[u.String()] = true
 	}
 	if !reflect.DeepEqual(want, got) {
-		return errors.Errorf("URIs claim failed - got %v, want %v", req.URIs, v)
+		return errs.Forbidden("certificate request does not contain the valid URIs - got %v, want %v", req.URIs, v)
 	}
 	return nil
 }
@ -334,15 +338,15 @@ func (v profileLimitDuration) Modify(cert *x509.Certificate, so SignOptions) err
 		backdate = -1 * so.Backdate
 	}
 	if notBefore.Before(v.notBefore) {
-		return errors.Errorf("requested certificate notBefore (%s) is before "+
-			"the active validity window of the provisioning credential (%s)",
+		return errs.Forbidden(
+			"requested certificate notBefore (%s) is before the active validity window of the provisioning credential (%s)",
 			notBefore, v.notBefore)
 	}

 	notAfter := so.NotAfter.RelativeTime(notBefore)
 	if notAfter.After(v.notAfter) {
-		return errors.Errorf("requested certificate notAfter (%s) is after "+
-			"the expiration of the provisioning credential (%s)",
+		return errs.Forbidden(
+			"requested certificate notAfter (%s) is after the expiration of the provisioning credential (%s)",
 			notAfter, v.notAfter)
 	}
 	if notAfter.IsZero() {
@ -388,14 +392,14 @@ func (v *validityValidator) Valid(cert *x509.Certificate, o SignOptions) error {
 		return errs.BadRequest("notAfter cannot be before notBefore; na=%v, nb=%v", na, nb)
 	}
 	if d < v.min {
-		return errs.BadRequest("requested duration of %v is less than the authorized minimum certificate duration of %v", d, v.min)
+		return errs.Forbidden("requested duration of %v is less than the authorized minimum certificate duration of %v", d, v.min)
 	}
 	// NOTE: this check is not "technically correct". We're allowing the max
 	// duration of a cert to be "max + backdate" and not all certificates will
 	// be backdated (e.g. if a user passes the NotBefore value then we do not
 	// apply a backdate). This is good enough.
 	if d > v.max+o.Backdate {
-		return errs.BadRequest("requested duration of %v is more than the authorized maximum certificate duration of %v", d, v.max+o.Backdate)
+		return errs.Forbidden("requested duration of %v is more than the authorized maximum certificate duration of %v", d, v.max+o.Backdate)
 	}
 	return nil
 }
@ -422,16 +426,15 @@ func newForceCNOption(forceCN bool) *forceCNOption {

 func (o *forceCNOption) Modify(cert *x509.Certificate, _ SignOptions) error {
 	if !o.ForceCN {
-		// Forcing CN is disabled, do nothing to certificate
 		return nil
 	}

+	// Force the common name to be the first DNS if not provided.
 	if cert.Subject.CommonName == "" {
-		if len(cert.DNSNames) > 0 {
-			cert.Subject.CommonName = cert.DNSNames[0]
-		} else {
-			return errors.New("Cannot force CN, DNSNames is empty")
+		if len(cert.DNSNames) == 0 {
+			return errs.BadRequest("cannot force common name, DNS names is empty")
 		}
+		cert.Subject.CommonName = cert.DNSNames[0]
 	}

 	return nil
@ -456,7 +459,7 @@ func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValue
 func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error {
 	ext, err := createProvisionerExtension(o.Type, o.Name, o.CredentialID, o.KeyValuePairs...)
 	if err != nil {
-		return err
+		return errs.NewError(http.StatusInternalServerError, err, "error creating certificate")
 	}
 	// Prepend the provisioner extension. In the auth.Sign code we will
 	// force the resulting certificate to only have one extension, the
@ -477,7 +480,7 @@ func createProvisionerExtension(typ int, name, credentialID string, keyValuePair
 		KeyValuePairs: keyValuePairs,
 	})
 	if err != nil {
-		return pkix.Extension{}, errors.Wrapf(err, "error marshaling provisioner extension")
+		return pkix.Extension{}, errors.Wrap(err, "error marshaling provisioner extension")
 	}
 	return pkix.Extension{
 		Id:       stepOIDProvisioner,
--- a/authority/provisioner/sign_options_test.go
+++ b/authority/provisioner/sign_options_test.go
@ -77,12 +77,12 @@ func Test_defaultPublicKeyValidator_Valid(t *testing.T) {
 		{
 			"fail/unrecognized-key-type",
 			&x509.CertificateRequest{PublicKey: "foo"},
-			errors.New("unrecognized public key of type 'string' in CSR"),
+			errors.New("certificate request key of type 'string' is not supported"),
 		},
 		{
 			"fail/rsa/too-short",
 			shortRSA,
-			errors.New("rsa key in CSR must be at least 2048 bits (256 bytes)"),
+			errors.New("certificate request RSA key must be at least 2048 bits (256 bytes)"),
 		},
 		{
 			"ok/rsa",
@ -303,14 +303,14 @@ func Test_defaultSANsValidator_Valid(t *testing.T) {
 			return test{
 				csr:          &x509.CertificateRequest{EmailAddresses: []string{"max@fx.com", "mariano@fx.com"}},
 				expectedSANs: []string{"dcow@fx.com"},
-				err:          errors.New("certificate request does not contain the valid Email Addresses"),
+				err:          errors.New("certificate request does not contain the valid email addresses"),
 			}
 		},
 		"fail/ipAddressesValidator": func() test {
 			return test{
 				csr:          &x509.CertificateRequest{IPAddresses: []net.IP{net.ParseIP("1.1.1.1"), net.ParseIP("127.0.0.1")}},
 				expectedSANs: []string{"127.0.0.1"},
-				err:          errors.New("IP Addresses claim failed"),
+				err:          errors.New("certificate request does not contain the valid IP addresses"),
 			}
 		},
 		"fail/urisValidator": func() test {
@ -321,7 +321,7 @@ func Test_defaultSANsValidator_Valid(t *testing.T) {
 			return test{
 				csr:          &x509.CertificateRequest{URIs: []*url.URL{u1, u2}},
 				expectedSANs: []string{"urn:uuid:ddfe62ba-7e99-4bc1-83b3-8f57fe3e9959"},
-				err:          errors.New("URIs claim failed"),
+				err:          errors.New("certificate request does not contain the valid URIs"),
 			}
 		},
 		"ok": func() test {
@ -512,7 +512,7 @@ func Test_forceCN_Option(t *testing.T) {
 					Subject:  pkix.Name{},
 					DNSNames: []string{},
 				},
-				err: errors.New("Cannot force CN, DNSNames is empty"),
+				err: errors.New("cannot force common name, DNS names is empty"),
 			}
 		},
 	}
--- a/authority/provisioner/sign_ssh_options.go
+++ b/authority/provisioner/sign_ssh_options.go
@ -56,7 +56,12 @@ type SignSSHOptions struct {
 // Validate validates the given SignSSHOptions.
 func (o SignSSHOptions) Validate() error {
 	if o.CertType != "" && o.CertType != SSHUserCert && o.CertType != SSHHostCert {
-		return errs.BadRequest("unknown certificate type '%s'", o.CertType)
+		return errs.BadRequest("certType '%s' is not valid", o.CertType)
+	}
+	for _, p := range o.Principals {
+		if p == "" {
+			return errs.BadRequest("principals cannot contain empty values")
+		}
 	}
 	return nil
 }
@ -75,7 +80,7 @@ func (o SignSSHOptions) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
 	case SSHHostCert:
 		cert.CertType = ssh.HostCert
 	default:
-		return errors.Errorf("ssh certificate has an unknown type - %s", o.CertType)
+		return errs.BadRequest("ssh certificate has an unknown type '%s'", o.CertType)
 	}

 	cert.KeyId = o.KeyID
@ -95,7 +100,7 @@ func (o SignSSHOptions) ModifyValidity(cert *ssh.Certificate) error {
 		cert.ValidBefore = uint64(o.ValidBefore.RelativeTime(t).Unix())
 	}
 	if cert.ValidAfter > 0 && cert.ValidBefore > 0 && cert.ValidAfter > cert.ValidBefore {
-		return errors.New("ssh certificate valid after cannot be greater than valid before")
+		return errs.BadRequest("ssh certificate validAfter cannot be greater than validBefore")
 	}
 	return nil
 }
@ -104,16 +109,16 @@ func (o SignSSHOptions) ModifyValidity(cert *ssh.Certificate) error {
 // ignores zero values.
 func (o SignSSHOptions) match(got SignSSHOptions) error {
 	if o.CertType != "" && got.CertType != "" && o.CertType != got.CertType {
-		return errors.Errorf("ssh certificate type does not match - got %v, want %v", got.CertType, o.CertType)
+		return errs.Forbidden("ssh certificate type does not match - got %v, want %v", got.CertType, o.CertType)
 	}
 	if len(o.Principals) > 0 && len(got.Principals) > 0 && !containsAllMembers(o.Principals, got.Principals) {
-		return errors.Errorf("ssh certificate principals does not match - got %v, want %v", got.Principals, o.Principals)
+		return errs.Forbidden("ssh certificate principals does not match - got %v, want %v", got.Principals, o.Principals)
 	}
 	if !o.ValidAfter.IsZero() && !got.ValidAfter.IsZero() && !o.ValidAfter.Equal(&got.ValidAfter) {
-		return errors.Errorf("ssh certificate valid after does not match - got %v, want %v", got.ValidAfter, o.ValidAfter)
+		return errs.Forbidden("ssh certificate validAfter does not match - got %v, want %v", got.ValidAfter, o.ValidAfter)
 	}
 	if !o.ValidBefore.IsZero() && !got.ValidBefore.IsZero() && !o.ValidBefore.Equal(&got.ValidBefore) {
-		return errors.Errorf("ssh certificate valid before does not match - got %v, want %v", got.ValidBefore, o.ValidBefore)
+		return errs.Forbidden("ssh certificate validBefore does not match - got %v, want %v", got.ValidBefore, o.ValidBefore)
 	}
 	return nil
 }
@ -206,7 +211,7 @@ func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate, _ SignSSHOpt
 		cert.Extensions["permit-user-rc"] = ""
 		return nil
 	default:
-		return errors.New("ssh certificate type has not been set or is invalid")
+		return errs.BadRequest("ssh certificate has an unknown type '%d'", cert.CertType)
 	}
 }

@ -272,7 +277,7 @@ func (m *sshLimitDuration) Modify(cert *ssh.Certificate, o SignSSHOptions) error

 	certValidAfter := time.Unix(int64(cert.ValidAfter), 0)
 	if certValidAfter.After(m.NotAfter) {
-		return errors.Errorf("provisioning credential expiration (%s) is before requested certificate validAfter (%s)",
+		return errs.Forbidden("provisioning credential expiration (%s) is before requested certificate validAfter (%s)",
 			m.NotAfter, certValidAfter)
 	}

@ -285,7 +290,7 @@ func (m *sshLimitDuration) Modify(cert *ssh.Certificate, o SignSSHOptions) error
 	} else {
 		certValidBefore := time.Unix(int64(cert.ValidBefore), 0)
 		if m.NotAfter.Before(certValidBefore) {
-			return errors.Errorf("provisioning credential expiration (%s) is before requested certificate validBefore (%s)",
+			return errs.Forbidden("provisioning credential expiration (%s) is before requested certificate validBefore (%s)",
 				m.NotAfter, certValidBefore)
 		}
 	}
@ -319,11 +324,11 @@ type sshCertOptionsRequireValidator struct {
 func (v *sshCertOptionsRequireValidator) Valid(got SignSSHOptions) error {
 	switch {
 	case v.CertType && got.CertType == "":
-		return errors.New("ssh certificate certType cannot be empty")
+		return errs.BadRequest("ssh certificate certType cannot be empty")
 	case v.KeyID && got.KeyID == "":
-		return errors.New("ssh certificate keyID cannot be empty")
+		return errs.BadRequest("ssh certificate keyID cannot be empty")
 	case v.Principals && len(got.Principals) == 0:
-		return errors.New("ssh certificate principals cannot be empty")
+		return errs.BadRequest("ssh certificate principals cannot be empty")
 	default:
 		return nil
 	}
@ -354,7 +359,7 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti
 	case 0:
 		return errs.BadRequest("ssh certificate type has not been set")
 	default:
-		return errs.BadRequest("unknown ssh certificate type %d", cert.CertType)
+		return errs.BadRequest("ssh certificate has an unknown type '%d'", cert.CertType)
 	}

 	// To not take into account the backdate, time.Now() will be used to
@ -363,9 +368,9 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti

 	switch {
 	case dur < min:
-		return errs.BadRequest("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
+		return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min)
 	case dur > max+opts.Backdate:
-		return errs.BadRequest("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
+		return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate)
 	default:
 		return nil
 	}
@ -381,25 +386,25 @@ type sshCertDefaultValidator struct{}
 func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, o SignSSHOptions) error {
 	switch {
 	case len(cert.Nonce) == 0:
-		return errors.New("ssh certificate nonce cannot be empty")
+		return errs.Forbidden("ssh certificate nonce cannot be empty")
 	case cert.Key == nil:
-		return errors.New("ssh certificate key cannot be nil")
+		return errs.Forbidden("ssh certificate key cannot be nil")
 	case cert.Serial == 0:
-		return errors.New("ssh certificate serial cannot be 0")
+		return errs.Forbidden("ssh certificate serial cannot be 0")
 	case cert.CertType != ssh.UserCert && cert.CertType != ssh.HostCert:
-		return errors.Errorf("ssh certificate has an unknown type: %d", cert.CertType)
+		return errs.Forbidden("ssh certificate has an unknown type '%d'", cert.CertType)
 	case cert.KeyId == "":
-		return errors.New("ssh certificate key id cannot be empty")
+		return errs.Forbidden("ssh certificate key id cannot be empty")
 	case cert.ValidAfter == 0:
-		return errors.New("ssh certificate validAfter cannot be 0")
+		return errs.Forbidden("ssh certificate validAfter cannot be 0")
 	case cert.ValidBefore < uint64(now().Unix()):
-		return errors.New("ssh certificate validBefore cannot be in the past")
+		return errs.Forbidden("ssh certificate validBefore cannot be in the past")
 	case cert.ValidBefore < cert.ValidAfter:
-		return errors.New("ssh certificate validBefore cannot be before validAfter")
+		return errs.Forbidden("ssh certificate validBefore cannot be before validAfter")
 	case cert.SignatureKey == nil:
-		return errors.New("ssh certificate signature key cannot be nil")
+		return errs.Forbidden("ssh certificate signature key cannot be nil")
 	case cert.Signature == nil:
-		return errors.New("ssh certificate signature cannot be nil")
+		return errs.Forbidden("ssh certificate signature cannot be nil")
 	default:
 		return nil
 	}
@ -409,27 +414,31 @@ func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, o SignSSHOptions)
 type sshDefaultPublicKeyValidator struct{}

 // Valid checks that certificate request common name matches the one configured.
+//
+// TODO: this is the only validator that checks the key type. We should execute
+// this before the signing. We should add a new validations interface or extend
+// SSHCertOptionsValidator with the key.
 func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, o SignSSHOptions) error {
 	if cert.Key == nil {
-		return errors.New("ssh certificate key cannot be nil")
+		return errs.BadRequest("ssh certificate key cannot be nil")
 	}
 	switch cert.Key.Type() {
 	case ssh.KeyAlgoRSA:
 		_, in, ok := sshParseString(cert.Key.Marshal())
 		if !ok {
-			return errors.New("ssh certificate key is invalid")
+			return errs.BadRequest("ssh certificate key is invalid")
 		}
 		key, err := sshParseRSAPublicKey(in)
 		if err != nil {
-			return err
+			return errs.BadRequestErr(err, "error parsing public key")
 		}
 		if key.Size() < keyutil.MinRSAKeyBytes {
-			return errors.Errorf("ssh certificate key must be at least %d bits (%d bytes)",
+			return errs.Forbidden("ssh certificate key must be at least %d bits (%d bytes)",
 				8*keyutil.MinRSAKeyBytes, keyutil.MinRSAKeyBytes)
 		}
 		return nil
 	case ssh.KeyAlgoDSA:
-		return errors.New("ssh certificate key algorithm (DSA) is not supported")
+		return errs.BadRequest("ssh certificate key algorithm (DSA) is not supported")
 	default:
 		return nil
 	}
--- a/authority/provisioner/sign_ssh_options_test.go
+++ b/authority/provisioner/sign_ssh_options_test.go
@ -49,14 +49,14 @@ func TestSSHOptions_Modify(t *testing.T) {
 			return test{
 				so:   SignSSHOptions{CertType: "foo"},
 				cert: new(ssh.Certificate),
-				err:  errors.Errorf("ssh certificate has an unknown type - foo"),
+				err:  errors.Errorf("ssh certificate has an unknown type 'foo'"),
 			}
 		},
 		"fail/validAfter-greater-validBefore": func() test {
 			return test{
 				so:   SignSSHOptions{CertType: "user"},
 				cert: &ssh.Certificate{ValidAfter: uint64(15), ValidBefore: uint64(10)},
-				err:  errors.Errorf("ssh certificate valid after cannot be greater than valid before"),
+				err:  errors.Errorf("ssh certificate validAfter cannot be greater than validBefore"),
 			}
 		},
 		"ok/user-cert": func() test {
@ -136,14 +136,14 @@ func TestSSHOptions_Match(t *testing.T) {
 			return test{
 				so:  SignSSHOptions{ValidAfter: NewTimeDuration(time.Now().Add(1 * time.Minute))},
 				cmp: SignSSHOptions{ValidAfter: NewTimeDuration(time.Now().Add(5 * time.Minute))},
-				err: errors.Errorf("ssh certificate valid after does not match"),
+				err: errors.Errorf("ssh certificate validAfter does not match"),
 			}
 		},
 		"fail/validBefore": func() test {
 			return test{
 				so:  SignSSHOptions{ValidBefore: NewTimeDuration(time.Now().Add(1 * time.Minute))},
 				cmp: SignSSHOptions{ValidBefore: NewTimeDuration(time.Now().Add(5 * time.Minute))},
-				err: errors.Errorf("ssh certificate valid before does not match"),
+				err: errors.Errorf("ssh certificate validBefore does not match"),
 			}
 		},
 		"ok/original-empty": func() test {
@ -394,7 +394,7 @@ func Test_sshDefaultExtensionModifier_Modify(t *testing.T) {
 			return test{
 				modifier: sshDefaultExtensionModifier{},
 				cert:     cert,
-				err:      errors.New("ssh certificate type has not been set or is invalid"),
+				err:      errors.New("ssh certificate has an unknown type '3'"),
 			}
 		},
 		"ok/host": func() test {
@ -518,7 +518,7 @@ func Test_sshCertDefaultValidator_Valid(t *testing.T) {
 			"fail/unexpected-cert-type",
 			// UserCert = 1, HostCert = 2
 			&ssh.Certificate{Nonce: []byte("foo"), Key: sshPub, CertType: 3, Serial: 1},
-			errors.New("ssh certificate has an unknown type: 3"),
+			errors.New("ssh certificate has an unknown type '3'"),
 		},
 		{
 			"fail/empty-cert-key-id",
@ -725,7 +725,7 @@ func Test_sshCertValidityValidator(t *testing.T) {
 				ValidBefore: uint64(now().Add(10 * time.Minute).Unix()),
 			},
 			SignSSHOptions{},
-			errors.New("unknown ssh certificate type 3"),
+			errors.New("ssh certificate has an unknown type '3'"),
 		},
 		{
 			"fail/duration<min",
--- a/authority/ssh.go
+++ b/authority/ssh.go
@ -9,7 +9,6 @@ import (
 	"strings"
 	"time"

-	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
@ -174,7 +173,7 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 		// validate the given SSHOptions
 		case provisioner.SSHCertOptionsValidator:
 			if err := o.Valid(opts); err != nil {
-				return nil, errs.Wrap(http.StatusForbidden, err, "authority.SignSSH")
+				return nil, errs.BadRequestErr(err, "error validating ssh certificate options")
 			}

 		default:
@ -214,7 +213,7 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 	// Use provisioner modifiers.
 	for _, m := range mods {
 		if err := m.Modify(certTpl, opts); err != nil {
-			return nil, errs.Wrap(http.StatusForbidden, err, "authority.SignSSH")
+			return nil, errs.ForbiddenErr(err, "error creating ssh certificate")
 		}
 	}

@ -244,7 +243,7 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 	// User provisioners validators.
 	for _, v := range validators {
 		if err := v.Valid(cert, opts); err != nil {
-			return nil, errs.Wrap(http.StatusForbidden, err, "authority.SignSSH")
+			return nil, errs.ForbiddenErr(err, "error validating ssh certificate")
 		}
 	}

@ -382,7 +381,7 @@ func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub
 	// Apply validators from provisioner.
 	for _, v := range validators {
 		if err := v.Valid(cert, provisioner.SignSSHOptions{Backdate: backdate}); err != nil {
-			return nil, errs.Wrap(http.StatusForbidden, err, "rekeySSH")
+			return nil, errs.ForbiddenErr(err, "error validating ssh certificate")
 		}
 	}

@ -407,12 +406,12 @@ func (a *Authority) storeSSHCertificate(cert *ssh.Certificate) error {
 // the given certificate.
 func IsValidForAddUser(cert *ssh.Certificate) error {
 	if cert.CertType != ssh.UserCert {
-		return errors.New("certificate is not a user certificate")
+		return errs.Forbidden("certificate is not a user certificate")
 	}

 	switch len(cert.ValidPrincipals) {
 	case 0:
-		return errors.New("certificate does not have any principals")
+		return errs.Forbidden("certificate does not have any principals")
 	case 1:
 		return nil
 	case 2:
@ -421,9 +420,9 @@ func IsValidForAddUser(cert *ssh.Certificate) error {
 		if strings.Index(cert.ValidPrincipals[1], "@") > 0 {
 			return nil
 		}
-		return errors.New("certificate does not have only one principal")
+		return errs.Forbidden("certificate does not have only one principal")
 	default:
-		return errors.New("certificate does not have only one principal")
+		return errs.Forbidden("certificate does not have only one principal")
 	}
 }

@ -433,7 +432,7 @@ func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subje
 		return nil, errs.NotImplemented("signSSHAddUser: user certificate signing is not enabled")
 	}
 	if err := IsValidForAddUser(subject); err != nil {
-		return nil, errs.Wrap(http.StatusForbidden, err, "signSSHAddUser")
+		return nil, err
 	}

 	nonce, err := randutil.ASCII(32)
--- a/authority/tls.go
+++ b/authority/tls.go
@ -94,7 +94,10 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 		// Validate the given certificate request.
 		case provisioner.CertificateRequestValidator:
 			if err := k.Valid(csr); err != nil {
-				return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+				return nil, errs.ApplyOptions(
+					errs.ForbiddenErr(err, "error validating certificate"),
+					opts...,
+				)
 			}

 		// Validates the unsigned certificate template.
@ -131,26 +134,38 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign

 	// Set default subject
 	if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
-		return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+		return nil, errs.ApplyOptions(
+			errs.ForbiddenErr(err, "error creating certificate"),
+			opts...,
+		)
 	}

 	for _, m := range certModifiers {
 		if err := m.Modify(leaf, signOpts); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error creating certificate"),
+				opts...,
+			)
 		}
 	}

 	// Certificate validation.
 	for _, v := range certValidators {
 		if err := v.Valid(leaf, signOpts); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error validating certificate"),
+				opts...,
+			)
 		}
 	}

 	// Certificate modifiers after validation
 	for _, m := range certEnforcers {
 		if err := m.Enforce(leaf); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error creating certificate"),
+				opts...,
+			)
 		}
 	}

--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -281,8 +281,8 @@ func TestAuthority_Sign(t *testing.T) {
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  signOpts,
-				err:       errors.New("authority.Sign: default ASN1DN template cannot be nil"),
-				code:      http.StatusUnauthorized,
+				err:       errors.New("default ASN1DN template cannot be nil"),
+				code:      http.StatusForbidden,
 			}
 		},
 		"fail create cert": func(t *testing.T) *signTest {
@ -309,8 +309,8 @@ func TestAuthority_Sign(t *testing.T) {
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  _signOpts,
-				err:       errors.New("authority.Sign: requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
-				code:      http.StatusBadRequest,
+				err:       errors.New("requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
+				code:      http.StatusForbidden,
 			}
 		},
 		"fail validate sans when adding common name not in claims": func(t *testing.T) *signTest {
@ -322,8 +322,8 @@ func TestAuthority_Sign(t *testing.T) {
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  signOpts,
-				err:       errors.New("authority.Sign: certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
-				code:      http.StatusUnauthorized,
+				err:       errors.New("certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
+				code:      http.StatusForbidden,
 			}
 		},
 		"fail rsa key too short": func(t *testing.T) *signTest {
@ -348,8 +348,8 @@ ZYtQ9Ot36qc=
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  signOpts,
-				err:       errors.New("authority.Sign: rsa key in CSR must be at least 2048 bits (256 bytes)"),
-				code:      http.StatusUnauthorized,
+				err:       errors.New("certificate request RSA key must be at least 2048 bits (256 bytes)"),
+				code:      http.StatusForbidden,
 			}
 		},
 		"fail store cert in db": func(t *testing.T) *signTest {
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@ -200,8 +200,8 @@ ZEp7knvU2psWRw==
 			return &signTest{
 				ca:     ca,
 				body:   string(body),
-				status: http.StatusUnauthorized,
-				errMsg: errs.UnauthorizedDefaultMsg,
+				status: http.StatusForbidden,
+				errMsg: errs.ForbiddenPrefix,
 			}
 		},
 		"ok": func(t *testing.T) *signTest {
--- a/docs/images/star.gif
+++ b/docs/images/star.gif
--- a/errs/error.go
+++ b/errs/error.go
@ -169,7 +169,8 @@ func StatusCodeError(code int, e error, opts ...Option) error {
 	case http.StatusUnauthorized:
 		return UnauthorizedErr(e, opts...)
 	case http.StatusForbidden:
-		return ForbiddenErr(e, opts...)
+		opts = append(opts, withDefaultMessage(ForbiddenDefaultMsg))
+		return NewErr(http.StatusForbidden, e, opts...)
 	case http.StatusInternalServerError:
 		return InternalServerErr(e, opts...)
 	case http.StatusNotImplemented:
@ -199,12 +200,18 @@ var (
 	// BadRequestPrefix is the prefix added to the bad request messages that are
 	// directly sent to the cli.
 	BadRequestPrefix = "The request could not be completed: "
+
+	// ForbiddenPrefix is the prefix added to the forbidden messates that are
+	// sent to the cli.
+	ForbiddenPrefix = "The request was forbidden by the certificate authority: "
 )

 func formatMessage(status int, msg string) string {
 	switch status {
 	case http.StatusBadRequest:
 		return BadRequestPrefix + msg + "."
+	case http.StatusForbidden:
+		return ForbiddenPrefix + msg + "."
 	default:
 		return msg
 	}
@ -356,14 +363,12 @@ func UnauthorizedErr(err error, opts ...Option) error {

 // Forbidden creates a 403 error with the given format and arguments.
 func Forbidden(format string, args ...interface{}) error {
-	args = append(args, withDefaultMessage(ForbiddenDefaultMsg))
-	return Errorf(http.StatusForbidden, format, args...)
+	return New(http.StatusForbidden, format, args...)
 }

 // ForbiddenErr returns an 403 error with the given error.
-func ForbiddenErr(err error, opts ...Option) error {
-	opts = append(opts, withDefaultMessage(ForbiddenDefaultMsg))
-	return NewErr(http.StatusForbidden, err, opts...)
+func ForbiddenErr(err error, format string, args ...interface{}) error {
+	return NewError(http.StatusForbidden, err, format, args...)
 }

 // NotFound creates a 404 error with the given format and arguments.