diff --git a/authority/authority.go b/authority/authority.go index c112bc25..a2f502ab 100644 --- a/authority/authority.go +++ b/authority/authority.go @@ -62,9 +62,10 @@ type Authority struct { x509Enforcers []provisioner.CertificateEnforcer // SCEP CA - scepOptions *scep.Options - validateSCEP bool - scepAuthority *scep.Authority + scepOptions *scep.Options + validateSCEP bool + scepAuthority *scep.Authority + scepKeyManager provisioner.SCEPKeyManager // SSH CA sshHostPassword []byte @@ -255,7 +256,10 @@ func (a *Authority) ReloadAdminResources(ctx context.Context) error { provClxn := provisioner.NewCollection(provisionerConfig.Audiences) for _, p := range provList { if err := p.Init(provisionerConfig); err != nil { - return err + log.Printf("failed to initialize %s provisioner %q: %v\n", p.GetType(), p.GetName(), err) + p = provisioner.Disabled{ + Interface: p, Reason: err, + } } if err := provClxn.Store(p); err != nil { return err diff --git a/authority/authorize.go b/authority/authorize.go index 02147687..9fdde3be 100644 --- a/authority/authorize.go +++ b/authority/authorize.go @@ -64,6 +64,10 @@ func (a *Authority) getProvisionerFromToken(token string) (provisioner.Interface if !ok { return nil, nil, fmt.Errorf("provisioner not found or invalid audience (%s)", strings.Join(claims.Audience, ", ")) } + // If the provisioner is disabled, send an appropriate message to the client + if _, ok := p.(provisioner.Disabled); ok { + return nil, nil, errs.New(http.StatusUnauthorized, "provisioner %q is disabled due to an initialization error", p.GetName()) + } return p, &claims, nil } diff --git a/authority/options.go b/authority/options.go index 55c27321..9738b391 100644 --- a/authority/options.go +++ b/authority/options.go @@ -226,6 +226,16 @@ func WithFullSCEPOptions(options *scep.Options) Option { } } +// WithSCEPKeyManager defines the key manager used on SCEP provisioners. +// +// This feature is EXPERIMENTAL and might change at any time. +func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option { + return func(a *Authority) error { + a.scepKeyManager = skm + return nil + } +} + // WithSSHUserSigner defines the signer used to sign SSH user certificates. func WithSSHUserSigner(s crypto.Signer) Option { return func(a *Authority) error { diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go index a9b17066..cc82da32 100644 --- a/authority/provisioner/provisioner.go +++ b/authority/provisioner/provisioner.go @@ -10,6 +10,7 @@ import ( "strings" "github.com/pkg/errors" + kmsapi "go.step.sm/crypto/kms/apiv1" "golang.org/x/crypto/ssh" "github.com/smallstep/certificates/errs" @@ -33,6 +34,31 @@ type Interface interface { AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) } +// Disabled represents a disabled provisioner. Disabled provisioners are created +// when the Init methods fails. +type Disabled struct { + Interface + Reason error +} + +// MarshalJSON returns the JSON encoding of the provisioner with the disabled +// reason. +func (p Disabled) MarshalJSON() ([]byte, error) { + provisionerJSON, err := json.Marshal(p.Interface) + if err != nil { + return nil, err + } + reasonJSON, err := json.Marshal(struct { + Disabled bool `json:"disabled"` + DisabledReason string `json:"disabledReason"` + }{true, p.Reason.Error()}) + if err != nil { + return nil, err + } + reasonJSON[0] = ',' + return append(provisionerJSON[:len(provisionerJSON)-1], reasonJSON...), nil +} + // ErrAllowTokenReuse is an error that is returned by provisioners that allows // the reuse of tokens. // @@ -206,6 +232,13 @@ type SSHKeys struct { HostKeys []ssh.PublicKey } +// SCEPKeyManager is a KMS interface that combines a KeyManager with a +// Decrypter. +type SCEPKeyManager interface { + kmsapi.KeyManager + kmsapi.Decrypter +} + // Config defines the default parameters used in the initialization of // provisioners. type Config struct { @@ -226,6 +259,8 @@ type Config struct { AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc // WebhookClient is an http client to use in webhook request WebhookClient *http.Client + // SCEPKeyManager, if defined, is the interface used by SCEP provisioners. + SCEPKeyManager SCEPKeyManager } type provisioner struct { diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go index f4067bc5..7213285c 100644 --- a/authority/provisioner/scep.go +++ b/authority/provisioner/scep.go @@ -15,7 +15,6 @@ import ( "go.step.sm/crypto/kms" kmsapi "go.step.sm/crypto/kms/apiv1" - "go.step.sm/crypto/kms/uri" "go.step.sm/linkedca" "github.com/smallstep/certificates/webhook" @@ -59,7 +58,7 @@ type SCEP struct { encryptionAlgorithm int challengeValidationController *challengeValidationController notificationController *notificationController - keyManager kmsapi.KeyManager + keyManager SCEPKeyManager decrypter crypto.Decrypter decrypterCertificate *x509.Certificate signer crypto.Signer @@ -269,34 +268,38 @@ func (s *SCEP) Init(config Config) (err error) { ) // parse the decrypter key PEM contents if available - if decryptionKeyPEM := s.DecrypterKeyPEM; len(decryptionKeyPEM) > 0 { + if len(s.DecrypterKeyPEM) > 0 { // try reading the PEM for validation - block, rest := pem.Decode(decryptionKeyPEM) + block, rest := pem.Decode(s.DecrypterKeyPEM) if len(rest) > 0 { return errors.New("failed parsing decrypter key: trailing data") } if block == nil { return errors.New("failed parsing decrypter key: no PEM block found") } + opts := kms.Options{ Type: kmsapi.SoftKMS, } - if s.keyManager, err = kms.New(context.Background(), opts); err != nil { + km, err := kms.New(context.Background(), opts) + if err != nil { return fmt.Errorf("failed initializing kms: %w", err) } - kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter) + scepKeyManager, ok := km.(SCEPKeyManager) if !ok { return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type) } - if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ - DecryptionKeyPEM: decryptionKeyPEM, + s.keyManager = scepKeyManager + + if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ + DecryptionKeyPEM: s.DecrypterKeyPEM, Password: []byte(s.DecrypterKeyPassword), PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { return fmt.Errorf("failed creating decrypter: %w", err) } if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ - SigningKeyPEM: decryptionKeyPEM, // TODO(hs): support distinct signer key in the future? + SigningKeyPEM: s.DecrypterKeyPEM, // TODO(hs): support distinct signer key in the future? Password: []byte(s.DecrypterKeyPassword), PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { @@ -304,41 +307,44 @@ func (s *SCEP) Init(config Config) (err error) { } } - if decryptionKeyURI := s.DecrypterKeyURI; decryptionKeyURI != "" { - u, err := uri.Parse(s.DecrypterKeyURI) + if s.DecrypterKeyURI != "" { + kmsType, err := kmsapi.TypeOf(s.DecrypterKeyURI) if err != nil { return fmt.Errorf("failed parsing decrypter key: %w", err) } - var kmsType kmsapi.Type - switch { - case u.Scheme != "": - kmsType = kms.Type(u.Scheme) - default: - kmsType = kmsapi.SoftKMS - } - opts := kms.Options{ - Type: kmsType, - URI: s.DecrypterKeyURI, - } - if s.keyManager, err = kms.New(context.Background(), opts); err != nil { - return fmt.Errorf("failed initializing kms: %w", err) - } - kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter) - if !ok { - return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type) - } - if kmsType != "softkms" { // TODO(hs): this should likely become more transparent? - decryptionKeyURI = u.Opaque - } - if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ - DecryptionKey: decryptionKeyURI, + + if config.SCEPKeyManager != nil { + s.keyManager = config.SCEPKeyManager + } else { + if kmsType == kmsapi.DefaultKMS { + kmsType = kmsapi.SoftKMS + } + opts := kms.Options{ + Type: kmsType, + URI: s.DecrypterKeyURI, + } + km, err := kms.New(context.Background(), opts) + if err != nil { + return fmt.Errorf("failed initializing kms: %w", err) + } + scepKeyManager, ok := km.(SCEPKeyManager) + if !ok { + return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type) + } + s.keyManager = scepKeyManager + } + + // Create decrypter and signer with the same key: + // TODO(hs): support distinct signer key in the future? + if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ + DecryptionKey: s.DecrypterKeyURI, Password: []byte(s.DecrypterKeyPassword), PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { return fmt.Errorf("failed creating decrypter: %w", err) } if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ - SigningKey: decryptionKeyURI, // TODO(hs): support distinct signer key in the future? + SigningKey: s.DecrypterKeyURI, Password: []byte(s.DecrypterKeyPassword), PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { diff --git a/authority/provisioner/scep_test.go b/authority/provisioner/scep_test.go index 2e9f3419..abdbe7a0 100644 --- a/authority/provisioner/scep_test.go +++ b/authority/provisioner/scep_test.go @@ -2,19 +2,27 @@ package provisioner import ( "context" + "crypto" + "crypto/rand" + "crypto/rsa" "crypto/x509" + "crypto/x509/pkix" "encoding/json" + "encoding/pem" "errors" "net/http" "net/http/httptest" + "os" + "path/filepath" "testing" + "github.com/smallstep/certificates/webhook" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - + "go.step.sm/crypto/kms/softkms" + "go.step.sm/crypto/minica" + "go.step.sm/crypto/pemutil" "go.step.sm/linkedca" - - "github.com/smallstep/certificates/webhook" ) func Test_challengeValidationController_Validate(t *testing.T) { @@ -366,3 +374,273 @@ func TestSCEP_ValidateChallenge(t *testing.T) { }) } } + +func TestSCEP_Init(t *testing.T) { + serialize := func(key crypto.PrivateKey, password string) []byte { + var opts []pemutil.Options + if password == "" { + opts = append(opts, pemutil.WithPasswordPrompt("no password", func(s string) ([]byte, error) { + return nil, nil + })) + } else { + opts = append(opts, pemutil.WithPassword([]byte("password"))) + } + block, err := pemutil.Serialize(key, opts...) + require.NoError(t, err) + return pem.EncodeToMemory(block) + } + + ca, err := minica.New() + require.NoError(t, err) + + key, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + badKey, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + + cert, err := ca.Sign(&x509.Certificate{ + Subject: pkix.Name{CommonName: "SCEP decryptor"}, + PublicKey: key.Public(), + }) + require.NoError(t, err) + + certPEM := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", Bytes: cert.Raw, + }) + certPEMWithIntermediate := append(pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", Bytes: cert.Raw, + }), pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", Bytes: ca.Intermediate.Raw, + })...) + + keyPEM := serialize(key, "password") + keyPEMNoPassword := serialize(key, "") + badKeyPEM := serialize(badKey, "password") + + tmp := t.TempDir() + path := filepath.Join(tmp, "rsa.priv") + pathNoPassword := filepath.Join(tmp, "rsa.key") + + require.NoError(t, os.WriteFile(path, keyPEM, 0600)) + require.NoError(t, os.WriteFile(pathNoPassword, keyPEMNoPassword, 0600)) + + type args struct { + config Config + } + tests := []struct { + name string + s *SCEP + args args + wantErr bool + }{ + {"ok", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"ok no password", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEMNoPassword, + DecrypterKeyPassword: "", + EncryptionAlgorithmIdentifier: 1, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"ok with uri", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 1024, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=" + path, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 2, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"ok with uri no password", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 2048, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=" + pathNoPassword, + DecrypterKeyPassword: "", + EncryptionAlgorithmIdentifier: 3, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"ok with SCEPKeyManager", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 2048, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=" + pathNoPassword, + DecrypterKeyPassword: "", + EncryptionAlgorithmIdentifier: 4, + }, args{Config{Claims: globalProvisionerClaims, SCEPKeyManager: &softkms.SoftKMS{}}}, false}, + {"ok intermediate", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: nil, + DecrypterKeyPEM: nil, + DecrypterKeyPassword: "", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"fail type", &SCEP{ + Type: "", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail name", &SCEP{ + Type: "SCEP", + Name: "", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail minimumPublicKeyLength", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 2001, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail encryptionAlgorithmIdentifier", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 5, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail negative encryptionAlgorithmIdentifier", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: -1, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail key decode", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: []byte("not a pem"), + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail certificate decode", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: []byte("not a pem"), + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail certificate with intermediate", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEMWithIntermediate, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail decrypter password", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "badpassword", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail uri", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=missing.key", + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail uri password", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=" + path, + DecrypterKeyPassword: "badpassword", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail uri type", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "foo:path=" + path, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail missing certificate", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: nil, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail key match", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: badKeyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if tt.name == "fail key type" { + t.Log(1) + } + if err := tt.s.Init(tt.args.config); (err != nil) != tt.wantErr { + t.Errorf("SCEP.Init() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/authority/provisioners.go b/authority/provisioners.go index 34cc75ed..1502ea2b 100644 --- a/authority/provisioners.go +++ b/authority/provisioners.go @@ -201,6 +201,7 @@ func (a *Authority) generateProvisionerConfig(ctx context.Context) (provisioner. AuthorizeRenewFunc: a.authorizeRenewFunc, AuthorizeSSHRenewFunc: a.authorizeSSHRenewFunc, WebhookClient: a.webhookClient, + SCEPKeyManager: a.scepKeyManager, }, nil }