|
|
|
@ -43,6 +43,8 @@ type Authority struct {
|
|
|
|
|
linkedCAToken string
|
|
|
|
|
|
|
|
|
|
// X509 CA
|
|
|
|
|
password []byte
|
|
|
|
|
issuerPassword []byte
|
|
|
|
|
x509CAService cas.CertificateAuthorityService
|
|
|
|
|
rootX509Certs []*x509.Certificate
|
|
|
|
|
rootX509CertPool *x509.CertPool
|
|
|
|
@ -53,6 +55,8 @@ type Authority struct {
|
|
|
|
|
scepService *scep.Service
|
|
|
|
|
|
|
|
|
|
// SSH CA
|
|
|
|
|
sshHostPassword []byte
|
|
|
|
|
sshUserPassword []byte
|
|
|
|
|
sshCAUserCertSignKey ssh.Signer
|
|
|
|
|
sshCAHostCertSignKey ssh.Signer
|
|
|
|
|
sshCAUserCerts []ssh.PublicKey
|
|
|
|
@ -206,6 +210,21 @@ func (a *Authority) init() error {
|
|
|
|
|
|
|
|
|
|
var err error
|
|
|
|
|
|
|
|
|
|
// Set password if they are not set.
|
|
|
|
|
var configPassword []byte
|
|
|
|
|
if a.config.Password != "" {
|
|
|
|
|
configPassword = []byte(a.config.Password)
|
|
|
|
|
}
|
|
|
|
|
if configPassword != nil && a.password == nil {
|
|
|
|
|
a.password = configPassword
|
|
|
|
|
}
|
|
|
|
|
if a.sshHostPassword == nil {
|
|
|
|
|
a.sshHostPassword = a.password
|
|
|
|
|
}
|
|
|
|
|
if a.sshUserPassword == nil {
|
|
|
|
|
a.sshUserPassword = a.password
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Automatically enable admin for all linked cas.
|
|
|
|
|
if a.linkedCAToken != "" {
|
|
|
|
|
a.config.AuthorityConfig.EnableAdmin = true
|
|
|
|
@ -238,6 +257,11 @@ func (a *Authority) init() error {
|
|
|
|
|
options = *a.config.AuthorityConfig.Options
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set the issuer password if passed in the flags.
|
|
|
|
|
if options.CertificateIssuer != nil && a.issuerPassword != nil {
|
|
|
|
|
options.CertificateIssuer.Password = string(a.issuerPassword)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Read intermediate and create X509 signer for default CAS.
|
|
|
|
|
if options.Is(casapi.SoftCAS) {
|
|
|
|
|
options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
|
|
|
|
@ -246,7 +270,7 @@ func (a *Authority) init() error {
|
|
|
|
|
}
|
|
|
|
|
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
|
|
|
|
SigningKey: a.config.IntermediateKey,
|
|
|
|
|
Password: []byte(a.config.Password),
|
|
|
|
|
Password: []byte(a.password),
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
@ -315,7 +339,7 @@ func (a *Authority) init() error {
|
|
|
|
|
if a.config.SSH.HostKey != "" {
|
|
|
|
|
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
|
|
|
|
SigningKey: a.config.SSH.HostKey,
|
|
|
|
|
Password: []byte(a.config.Password),
|
|
|
|
|
Password: []byte(a.sshHostPassword),
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
@ -341,7 +365,7 @@ func (a *Authority) init() error {
|
|
|
|
|
if a.config.SSH.UserKey != "" {
|
|
|
|
|
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
|
|
|
|
SigningKey: a.config.SSH.UserKey,
|
|
|
|
|
Password: []byte(a.config.Password),
|
|
|
|
|
Password: []byte(a.sshUserPassword),
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
@ -420,7 +444,7 @@ func (a *Authority) init() error {
|
|
|
|
|
}
|
|
|
|
|
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
|
|
|
|
SigningKey: a.config.IntermediateKey,
|
|
|
|
|
Password: []byte(a.config.Password),
|
|
|
|
|
Password: []byte(a.password),
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
@ -429,7 +453,7 @@ func (a *Authority) init() error {
|
|
|
|
|
if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
|
|
|
|
|
options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
|
|
|
|
|
DecryptionKey: a.config.IntermediateKey,
|
|
|
|
|
Password: []byte(a.config.Password),
|
|
|
|
|
Password: []byte(a.password),
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
@ -475,7 +499,7 @@ func (a *Authority) init() error {
|
|
|
|
|
}
|
|
|
|
|
if len(provs) == 0 && !strings.EqualFold(a.config.AuthorityConfig.DeploymentType, "linked") {
|
|
|
|
|
// Create First Provisioner
|
|
|
|
|
prov, err := CreateFirstProvisioner(context.Background(), a.adminDB, a.config.Password)
|
|
|
|
|
prov, err := CreateFirstProvisioner(context.Background(), a.adminDB, string(a.password))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return admin.WrapErrorISE(err, "error creating first provisioner")
|
|
|
|
|
}
|
|
|
|
|