open-consul/tlsutil/generate.go

package tlsutil

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"

	"net/url"

	"github.com/hashicorp/consul/agent/connect"
)

// GenerateSerialNumber returns random bigint generated with crypto/rand
func GenerateSerialNumber() (*big.Int, error) {
	l := new(big.Int).Lsh(big.NewInt(1), 128)
	s, err := rand.Int(rand.Reader, l)
	if err != nil {
		return nil, err
	}
	return s, nil
}

// GeneratePrivateKey generates a new ecdsa private key
func GeneratePrivateKey() (crypto.Signer, string, error) {
	return connect.GeneratePrivateKey()
}

type CAOpts struct {
	Signer              crypto.Signer
	Serial              *big.Int
	ClusterID           string
	Days                int
	PermittedDNSDomains []string
	Domain              string
	Name                string
}

type CertOpts struct {
	Signer      crypto.Signer
	CA          string
	Serial      *big.Int
	Name        string
	Days        int
	DNSNames    []string
	IPAddresses []net.IP
	ExtKeyUsage []x509.ExtKeyUsage
}

// GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)
func GenerateCA(opts CAOpts) (string, string, error) {
	signer := opts.Signer
	var pk string
	if signer == nil {
		var err error
		signer, pk, err = GeneratePrivateKey()
		if err != nil {
			return "", "", err
		}
	}

	id, err := keyID(signer.Public())
	if err != nil {
		return "", "", err
	}

	sn := opts.Serial
	if sn == nil {
		var err error
		sn, err = GenerateSerialNumber()
		if err != nil {
			return "", "", err
		}
	}
	name := opts.Name
	if name == "" {
		name = fmt.Sprintf("Consul Agent CA %d", sn)
	}

	days := opts.Days
	if opts.Days == 0 {
		days = 365
	}

	var uris []*url.URL
	if opts.ClusterID != "" {
		spiffeID := connect.SpiffeIDSigning{ClusterID: opts.ClusterID, Domain: opts.Domain}
		uris = []*url.URL{spiffeID.URI()}
	}

	// Create the CA cert
	template := x509.Certificate{
		SerialNumber: sn,
		URIs:         uris,
		Subject: pkix.Name{
			Country:       []string{"US"},
			PostalCode:    []string{"94105"},
			Province:      []string{"CA"},
			Locality:      []string{"San Francisco"},
			StreetAddress: []string{"101 Second Street"},
			Organization:  []string{"HashiCorp Inc."},
			CommonName:    name,
		},
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
		IsCA:                  true,
		NotAfter:              time.Now().AddDate(0, 0, days),
		NotBefore:             time.Now(),
		AuthorityKeyId:        id,
		SubjectKeyId:          id,
	}

	if len(opts.PermittedDNSDomains) > 0 {
		template.PermittedDNSDomainsCritical = true
		template.PermittedDNSDomains = opts.PermittedDNSDomains
	}
	bs, err := x509.CreateCertificate(
		rand.Reader, &template, &template, signer.Public(), signer)
	if err != nil {
		return "", "", fmt.Errorf("error generating CA certificate: %s", err)
	}

	var buf bytes.Buffer
	err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
	if err != nil {
		return "", "", fmt.Errorf("error encoding private key: %s", err)
	}

	return buf.String(), pk, nil
}

// GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)
func GenerateCert(opts CertOpts) (string, string, error) {
	parent, err := parseCert(opts.CA)
	if err != nil {
		return "", "", err
	}

	signee, pk, err := GeneratePrivateKey()
	if err != nil {
		return "", "", err
	}

	id, err := keyID(signee.Public())
	if err != nil {
		return "", "", err
	}

	sn := opts.Serial
	if sn == nil {
		var err error
		sn, err = GenerateSerialNumber()
		if err != nil {
			return "", "", err
		}
	}

	template := x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: opts.Name},
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           opts.ExtKeyUsage,
		IsCA:                  false,
		NotAfter:              time.Now().AddDate(0, 0, opts.Days),
		NotBefore:             time.Now(),
		SubjectKeyId:          id,
		DNSNames:              opts.DNSNames,
		IPAddresses:           opts.IPAddresses,
	}

	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)
	if err != nil {
		return "", "", err
	}

	var buf bytes.Buffer
	err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
	if err != nil {
		return "", "", fmt.Errorf("error encoding private key: %s", err)
	}

	return buf.String(), pk, nil
}

// KeyId returns a x509 KeyId from the given signing key.
func keyID(raw interface{}) ([]byte, error) {
	switch raw.(type) {
	case *ecdsa.PublicKey:
	case *rsa.PublicKey:
	default:
		return nil, fmt.Errorf("invalid key type: %T", raw)
	}

	// This is not standard; RFC allows any unique identifier as long as they
	// match in subject/authority chains but suggests specific hashing of DER
	// bytes of public key including DER tags.
	bs, err := x509.MarshalPKIXPublicKey(raw)
	if err != nil {
		return nil, err
	}

	// String formatted
	kID := sha256.Sum256(bs)
	return kID[:], nil
}

func parseCert(pemValue string) (*x509.Certificate, error) {
	// The _ result below is not an error but the remaining PEM bytes.
	block, _ := pem.Decode([]byte(pemValue))
	if block == nil {
		return nil, fmt.Errorf("no PEM-encoded data found")
	}

	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("first PEM-block should be CERTIFICATE type")
	}

	return x509.ParseCertificate(block.Bytes)
}

// ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key
// is expected to be the first block in the PEM value.
func ParseSigner(pemValue string) (crypto.Signer, error) {
	return connect.ParseSigner(pemValue)
}

func Verify(caString, certString, dns string) error {
	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(caString))
	if !ok {
		return fmt.Errorf("failed to parse root certificate")
	}

	cert, err := parseCert(certString)
	if err != nil {
		return fmt.Errorf("failed to parse certificate")
	}

	opts := x509.VerifyOptions{
		DNSName: fmt.Sprint(dns),
		Roots:   roots,
	}

	_, err = cert.Verify(opts)
	return err
}
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`package tlsutil`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`import (`
			`"bytes"`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/rand"`
Reuse Connect.parseSigner.Adds change from #8898 Co-authored-by: Aliaksandr Mianzhynski <amenzhinsky@gmail.com> 2021-01-20 22:37:06 +00:00			`"crypto/rsa"`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`"crypto/sha256"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"fmt"`
			`"math/big"`
			`"net"`
			`"time"`
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492) The fields in the certs are meant to hold the original binary representation of this data, not some ascii-encoded version. The only time we should be colon-hex-encoding fields is for display purposes or marshaling through non-TLS mediums (like RPC). 2019-09-23 17:52:35 +00:00
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`"net/url"`
connect/ca: cease including the common name field in generated certs (#10424) As part of this change, we ensure that the SAN extensions are marked as critical when the subject is empty so that AWS PCA tolerates the loss of common names well and continues to function as a Connect CA provider. Parts of this currently hack around a bug in crypto/x509 and can be removed after https://go-review.googlesource.com/c/go/+/329129 lands in a Go release. Note: the AWS PCA tests do not run automatically, but the following passed locally for me: ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS 2021-06-25 18:00:00 +00:00
			`"github.com/hashicorp/consul/agent/connect"`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`)`

			`// GenerateSerialNumber returns random bigint generated with crypto/rand`
			`func GenerateSerialNumber() (*big.Int, error) {`
			`l := new(big.Int).Lsh(big.NewInt(1), 128)`
			`s, err := rand.Int(rand.Reader, l)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return s, nil`
			`}`

			`// GeneratePrivateKey generates a new ecdsa private key`
			`func GeneratePrivateKey() (crypto.Signer, string, error) {`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 2019-07-30 21:47:39 +00:00			`return connect.GeneratePrivateKey()`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`type CAOpts struct {`
			`Signer crypto.Signer`
			`Serial *big.Int`
			`ClusterID string`
			`Days int`
			`PermittedDNSDomains []string`
			`Domain string`
			`Name string`
			`}`

introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`type CertOpts struct {`
			`Signer crypto.Signer`
			`CA string`
			`Serial *big.Int`
			`Name string`
			`Days int`
			`DNSNames []string`
			`IPAddresses []net.IP`
			`ExtKeyUsage []x509.ExtKeyUsage`
			`}`

Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`// GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`func GenerateCA(opts CAOpts) (string, string, error) {`
			`signer := opts.Signer`
			`var pk string`
			`if signer == nil {`
			`var err error`
			`signer, pk, err = GeneratePrivateKey()`
			`if err != nil {`
			`return "", "", err`
			`}`
			`}`

Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`id, err := keyID(signer.Public())`
			`if err != nil {`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`return "", "", err`
			`}`

			`sn := opts.Serial`
			`if sn == nil {`
			`var err error`
			`sn, err = GenerateSerialNumber()`
			`if err != nil {`
			`return "", "", err`
			`}`
			`}`
			`name := opts.Name`
			`if name == "" {`
			`name = fmt.Sprintf("Consul Agent CA %d", sn)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`days := opts.Days`
			`if opts.Days == 0 {`
			`days = 365`
			`}`

			`var uris []*url.URL`
			`if opts.ClusterID != "" {`
			`spiffeID := connect.SpiffeIDSigning{ClusterID: opts.ClusterID, Domain: opts.Domain}`
			`uris = []*url.URL{spiffeID.URI()}`
			`}`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`// Create the CA cert`
			`template := x509.Certificate{`
			`SerialNumber: sn,`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`URIs: uris,`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`Subject: pkix.Name{`
			`Country: []string{"US"},`
			`PostalCode: []string{"94105"},`
			`Province: []string{"CA"},`
			`Locality: []string{"San Francisco"},`
			`StreetAddress: []string{"101 Second Street"},`
			`Organization: []string{"HashiCorp Inc."},`
			`CommonName: name,`
			`},`
			`BasicConstraintsValid: true,`
			`KeyUsage: x509.KeyUsageCertSign \| x509.KeyUsageCRLSign \| x509.KeyUsageDigitalSignature,`
			`IsCA: true,`
			`NotAfter: time.Now().AddDate(0, 0, days),`
			`NotBefore: time.Now(),`
			`AuthorityKeyId: id,`
			`SubjectKeyId: id,`
			`}`

Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`if len(opts.PermittedDNSDomains) > 0 {`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`template.PermittedDNSDomainsCritical = true`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`template.PermittedDNSDomains = opts.PermittedDNSDomains`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`
			`bs, err := x509.CreateCertificate(`
			`rand.Reader, &template, &template, signer.Public(), signer)`
			`if err != nil {`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`return "", "", fmt.Errorf("error generating CA certificate: %s", err)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

			`var buf bytes.Buffer`
			`err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})`
			`if err != nil {`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`return "", "", fmt.Errorf("error encoding private key: %s", err)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`return buf.String(), pk, nil`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

			`// GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`func GenerateCert(opts CertOpts) (string, string, error) {`
			`parent, err := parseCert(opts.CA)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`if err != nil {`
			`return "", "", err`
			`}`

			`signee, pk, err := GeneratePrivateKey()`
			`if err != nil {`
			`return "", "", err`
			`}`

			`id, err := keyID(signee.Public())`
			`if err != nil {`
			`return "", "", err`
			`}`

introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`sn := opts.Serial`
			`if sn == nil {`
			`var err error`
			`sn, err = GenerateSerialNumber()`
			`if err != nil {`
			`return "", "", err`
			`}`
			`}`

Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`template := x509.Certificate{`
			`SerialNumber: sn,`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`Subject: pkix.Name{CommonName: opts.Name},`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`BasicConstraintsValid: true,`
			`KeyUsage: x509.KeyUsageDigitalSignature \| x509.KeyUsageKeyEncipherment,`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`ExtKeyUsage: opts.ExtKeyUsage,`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`IsCA: false,`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`NotAfter: time.Now().AddDate(0, 0, opts.Days),`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`NotBefore: time.Now(),`
			`SubjectKeyId: id,`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`DNSNames: opts.DNSNames,`
			`IPAddresses: opts.IPAddresses,`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`if err != nil {`
			`return "", "", err`
			`}`

			`var buf bytes.Buffer`
			`err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})`
			`if err != nil {`
			`return "", "", fmt.Errorf("error encoding private key: %s", err)`
			`}`

			`return buf.String(), pk, nil`
			`}`

			`// KeyId returns a x509 KeyId from the given signing key.`
			`func keyID(raw interface{}) ([]byte, error) {`
			`switch raw.(type) {`
			`case *ecdsa.PublicKey:`
Add RSA Support to KeyID 2020-04-09 05:24:18 +00:00			`case *rsa.PublicKey:`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`default:`
			`return nil, fmt.Errorf("invalid key type: %T", raw)`
			`}`

			`// This is not standard; RFC allows any unique identifier as long as they`
			`// match in subject/authority chains but suggests specific hashing of DER`
			`// bytes of public key including DER tags.`
			`bs, err := x509.MarshalPKIXPublicKey(raw)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// String formatted`
			`kID := sha256.Sum256(bs)`
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492) The fields in the certs are meant to hold the original binary representation of this data, not some ascii-encoded version. The only time we should be colon-hex-encoding fields is for display purposes or marshaling through non-TLS mediums (like RPC). 2019-09-23 17:52:35 +00:00			`return kID[:], nil`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

			`func parseCert(pemValue string) (*x509.Certificate, error) {`
			`// The _ result below is not an error but the remaining PEM bytes.`
			`block, _ := pem.Decode([]byte(pemValue))`
			`if block == nil {`
			`return nil, fmt.Errorf("no PEM-encoded data found")`
			`}`

			`if block.Type != "CERTIFICATE" {`
			`return nil, fmt.Errorf("first PEM-block should be CERTIFICATE type")`
			`}`

			`return x509.ParseCertificate(block.Bytes)`
			`}`

			`// ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key`
			`// is expected to be the first block in the PEM value.`
			`func ParseSigner(pemValue string) (crypto.Signer, error) {`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00			`return connect.ParseSigner(pemValue)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

			`func Verify(caString, certString, dns string) error {`
			`roots := x509.NewCertPool()`
			`ok := roots.AppendCertsFromPEM([]byte(caString))`
			`if !ok {`
			`return fmt.Errorf("failed to parse root certificate")`
			`}`

			`cert, err := parseCert(certString)`
			`if err != nil {`
			`return fmt.Errorf("failed to parse certificate")`
			`}`

			`opts := x509.VerifyOptions{`
ci: Add staticcheck and fix most errors Three of the checks are temporarily disabled to limit the size of the diff, and allow us to enable all the other checks in CI. In a follow up we can fix the issues reported by the other checks one at a time, and enable them. 2020-05-14 21:02:52 +00:00			`DNSName: fmt.Sprint(dns),`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`Roots: roots,`
			`}`

			`_, err = cert.Verify(opts)`
			`return err`
			`}`