open-consul/agent/connect/csr.go

package connect

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"net"
	"net/url"
)

// SigAlgoForKey returns the preferred x509.SignatureAlgorithm for a given key
// based on it's type. If the key type is not supported we return
// ECDSAWithSHA256 on the basis that it will fail anyway and we've already type
// checked keys by the time we call this in general.
func SigAlgoForKey(key crypto.Signer) x509.SignatureAlgorithm {
	if _, ok := key.(*rsa.PrivateKey); ok {
		return x509.SHA256WithRSA
	}
	// We default to ECDSA but don't bother detecting invalid key types as we do
	// that in lots of other places and it will fail anyway if we try to sign with
	// an incompatible type.
	return x509.ECDSAWithSHA256
}

// SigAlgoForKeyType returns the preferred x509.SignatureAlgorithm for a given
// key type string from configuration or an existing cert. If the key type is
// not supported we return ECDSAWithSHA256 on the basis that it will fail anyway
// and we've already type checked config by the time we call this in general.
func SigAlgoForKeyType(keyType string) x509.SignatureAlgorithm {
	switch keyType {
	case "rsa":
		return x509.SHA256WithRSA
	case "ec":
		fallthrough
	default:
		return x509.ECDSAWithSHA256
	}
}

// CreateCSR returns a CSR to sign the given service with SAN entries
// along with the PEM-encoded private key for this certificate.
func CreateCSR(uri CertURI, commonName string, privateKey crypto.Signer,
	dnsNames []string, ipAddresses []net.IP, extensions ...pkix.Extension) (string, error) {
	template := &x509.CertificateRequest{
		URIs:               []*url.URL{uri.URI()},
		SignatureAlgorithm: SigAlgoForKey(privateKey),
		ExtraExtensions:    extensions,
		Subject:            pkix.Name{CommonName: commonName},
		DNSNames:           dnsNames,
		IPAddresses:        ipAddresses,
	}

	// Create the CSR itself
	var csrBuf bytes.Buffer
	bs, err := x509.CreateCertificateRequest(rand.Reader, template, privateKey)
	if err != nil {
		return "", err
	}

	err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})
	if err != nil {
		return "", err
	}

	return csrBuf.String(), nil
}

// CreateCSR returns a CA CSR to sign the given service along with the PEM-encoded
// private key for this certificate.
func CreateCACSR(uri CertURI, commonName string, privateKey crypto.Signer) (string, error) {
	ext, err := CreateCAExtension()
	if err != nil {
		return "", err
	}

	return CreateCSR(uri, commonName, privateKey, nil, nil, ext)
}

// CreateCAExtension creates a pkix.Extension for the x509 Basic Constraints
// IsCA field ()
func CreateCAExtension() (pkix.Extension, error) {
	type basicConstraints struct {
		IsCA       bool `asn1:"optional"`
		MaxPathLen int  `asn1:"optional"`
	}
	basicCon := basicConstraints{IsCA: true, MaxPathLen: 0}
	bitstr, err := asn1.Marshal(basicCon)
	if err != nil {
		return pkix.Extension{}, err
	}

	return pkix.Extension{
		Id:       []int{2, 5, 29, 19}, // from x509 package
		Critical: true,
		Value:    bitstr,
	}, nil
}
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`package connect`

			`import (`
			`"bytes"`
			`"crypto"`
			`"crypto/rand"`
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 2019-11-01 13:20:26 +00:00			`"crypto/rsa"`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`"crypto/x509"`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`"crypto/x509/pkix"`
			`"encoding/asn1"`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`"encoding/pem"`
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`"net"`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`"net/url"`
			`)`

Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 2019-11-01 13:20:26 +00:00			`// SigAlgoForKey returns the preferred x509.SignatureAlgorithm for a given key`
			`// based on it's type. If the key type is not supported we return`
			`// ECDSAWithSHA256 on the basis that it will fail anyway and we've already type`
			`// checked keys by the time we call this in general.`
			`func SigAlgoForKey(key crypto.Signer) x509.SignatureAlgorithm {`
			`if _, ok := key.(*rsa.PrivateKey); ok {`
			`return x509.SHA256WithRSA`
			`}`
			`// We default to ECDSA but don't bother detecting invalid key types as we do`
			`// that in lots of other places and it will fail anyway if we try to sign with`
			`// an incompatible type.`
			`return x509.ECDSAWithSHA256`
			`}`

			`// SigAlgoForKeyType returns the preferred x509.SignatureAlgorithm for a given`
			`// key type string from configuration or an existing cert. If the key type is`
			`// not supported we return ECDSAWithSHA256 on the basis that it will fail anyway`
			`// and we've already type checked config by the time we call this in general.`
			`func SigAlgoForKeyType(keyType string) x509.SignatureAlgorithm {`
			`switch keyType {`
			`case "rsa":`
			`return x509.SHA256WithRSA`
			`case "ec":`
			`fallthrough`
			`default:`
			`return x509.ECDSAWithSHA256`
			`}`
			`}`

auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`// CreateCSR returns a CSR to sign the given service with SAN entries`
			`// along with the PEM-encoded private key for this certificate.`
Make all Connect Cert Common Names valid FQDNs (#6423) 2019-11-11 17:11:54 +00:00			`func CreateCSR(uri CertURI, commonName string, privateKey crypto.Signer,`
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`dnsNames []string, ipAddresses []net.IP, extensions ...pkix.Extension) (string, error) {`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`template := &x509.CertificateRequest{`
			`URIs: []*url.URL{uri.URI()},`
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 2019-11-01 13:20:26 +00:00			`SignatureAlgorithm: SigAlgoForKey(privateKey),`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`ExtraExtensions: extensions,`
Make all Connect Cert Common Names valid FQDNs (#6423) 2019-11-11 17:11:54 +00:00			`Subject: pkix.Name{CommonName: commonName},`
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`DNSNames: dnsNames,`
			`IPAddresses: ipAddresses,`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`}`

			`// Create the CSR itself`
			`var csrBuf bytes.Buffer`
			`bs, err := x509.CreateCertificateRequest(rand.Reader, template, privateKey)`
			`if err != nil {`
			`return "", err`
			`}`

			`err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})`
			`if err != nil {`
			`return "", err`
			`}`

			`return csrBuf.String(), nil`
			`}`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00
			`// CreateCSR returns a CA CSR to sign the given service along with the PEM-encoded`
			`// private key for this certificate.`
Make all Connect Cert Common Names valid FQDNs (#6423) 2019-11-11 17:11:54 +00:00			`func CreateCACSR(uri CertURI, commonName string, privateKey crypto.Signer) (string, error) {`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`ext, err := CreateCAExtension()`
			`if err != nil {`
			`return "", err`
			`}`

auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`return CreateCSR(uri, commonName, privateKey, nil, nil, ext)`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`}`

			`// CreateCAExtension creates a pkix.Extension for the x509 Basic Constraints`
			`// IsCA field ()`
			`func CreateCAExtension() (pkix.Extension, error) {`
			`type basicConstraints struct {`
			IsCA bool `asn1:"optional"`
			MaxPathLen int `asn1:"optional"`
			`}`
			`basicCon := basicConstraints{IsCA: true, MaxPathLen: 0}`
			`bitstr, err := asn1.Marshal(basicCon)`
			`if err != nil {`
			`return pkix.Extension{}, err`
			`}`

			`return pkix.Extension{`
			`Id: []int{2, 5, 29, 19}, // from x509 package`
			`Critical: true,`
			`Value: bitstr,`
			`}, nil`
			`}`