open-consul/agent/connect/csr.go

package connect

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"net"
	"net/url"
)

// SigAlgoForKey returns the preferred x509.SignatureAlgorithm for a given key
// based on it's type. If the key type is not supported we return
// ECDSAWithSHA256 on the basis that it will fail anyway and we've already type
// checked keys by the time we call this in general.
func SigAlgoForKey(key crypto.Signer) x509.SignatureAlgorithm {
	if _, ok := key.(*rsa.PrivateKey); ok {
		return x509.SHA256WithRSA
	}
	// We default to ECDSA but don't bother detecting invalid key types as we do
	// that in lots of other places and it will fail anyway if we try to sign with
	// an incompatible type.
	return x509.ECDSAWithSHA256
}

// SigAlgoForKeyType returns the preferred x509.SignatureAlgorithm for a given
// key type string from configuration or an existing cert. If the key type is
// not supported we return ECDSAWithSHA256 on the basis that it will fail anyway
// and we've already type checked config by the time we call this in general.
func SigAlgoForKeyType(keyType string) x509.SignatureAlgorithm {
	switch keyType {
	case "rsa":
		return x509.SHA256WithRSA
	case "ec":
		fallthrough
	default:
		return x509.ECDSAWithSHA256
	}
}

// CreateCSR returns a CSR to sign the given service with SAN entries
// along with the PEM-encoded private key for this certificate.
func CreateCSR(uri CertURI, privateKey crypto.Signer,
	dnsNames []string, ipAddresses []net.IP, extensions ...pkix.Extension) (string, error) {
	template := &x509.CertificateRequest{
		URIs:               []*url.URL{uri.URI()},
		SignatureAlgorithm: SigAlgoForKey(privateKey),
		ExtraExtensions:    extensions,
		DNSNames:           dnsNames,
		IPAddresses:        ipAddresses,
	}
	HackSANExtensionForCSR(template)

	// Create the CSR itself
	var csrBuf bytes.Buffer
	bs, err := x509.CreateCertificateRequest(rand.Reader, template, privateKey)
	if err != nil {
		return "", err
	}

	err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})
	if err != nil {
		return "", err
	}

	return csrBuf.String(), nil
}

// CreateCSR returns a CA CSR to sign the given service along with the PEM-encoded
// private key for this certificate.
func CreateCACSR(uri CertURI, privateKey crypto.Signer) (string, error) {
	ext, err := CreateCAExtension()
	if err != nil {
		return "", err
	}

	return CreateCSR(uri, privateKey, nil, nil, ext)
}

// CreateCAExtension creates a pkix.Extension for the x509 Basic Constraints
// IsCA field ()
func CreateCAExtension() (pkix.Extension, error) {
	type basicConstraints struct {
		IsCA       bool `asn1:"optional"`
		MaxPathLen int  `asn1:"optional"`
	}
	basicCon := basicConstraints{IsCA: true, MaxPathLen: 0}
	bitstr, err := asn1.Marshal(basicCon)
	if err != nil {
		return pkix.Extension{}, err
	}

	return pkix.Extension{
		Id:       []int{2, 5, 29, 19}, // from x509 package
		Critical: true,
		Value:    bitstr,
	}, nil
}
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`package connect`

			`import (`
			`"bytes"`
			`"crypto"`
			`"crypto/rand"`
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 2019-11-01 13:20:26 +00:00			`"crypto/rsa"`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`"crypto/x509"`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`"crypto/x509/pkix"`
			`"encoding/asn1"`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`"encoding/pem"`
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`"net"`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`"net/url"`
			`)`

Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 2019-11-01 13:20:26 +00:00			`// SigAlgoForKey returns the preferred x509.SignatureAlgorithm for a given key`
			`// based on it's type. If the key type is not supported we return`
			`// ECDSAWithSHA256 on the basis that it will fail anyway and we've already type`
			`// checked keys by the time we call this in general.`
			`func SigAlgoForKey(key crypto.Signer) x509.SignatureAlgorithm {`
			`if _, ok := key.(*rsa.PrivateKey); ok {`
			`return x509.SHA256WithRSA`
			`}`
			`// We default to ECDSA but don't bother detecting invalid key types as we do`
			`// that in lots of other places and it will fail anyway if we try to sign with`
			`// an incompatible type.`
			`return x509.ECDSAWithSHA256`
			`}`

			`// SigAlgoForKeyType returns the preferred x509.SignatureAlgorithm for a given`
			`// key type string from configuration or an existing cert. If the key type is`
			`// not supported we return ECDSAWithSHA256 on the basis that it will fail anyway`
			`// and we've already type checked config by the time we call this in general.`
			`func SigAlgoForKeyType(keyType string) x509.SignatureAlgorithm {`
			`switch keyType {`
			`case "rsa":`
			`return x509.SHA256WithRSA`
			`case "ec":`
			`fallthrough`
			`default:`
			`return x509.ECDSAWithSHA256`
			`}`
			`}`

auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`// CreateCSR returns a CSR to sign the given service with SAN entries`
			`// along with the PEM-encoded private key for this certificate.`
connect/ca: cease including the common name field in generated certs (#10424) As part of this change, we ensure that the SAN extensions are marked as critical when the subject is empty so that AWS PCA tolerates the loss of common names well and continues to function as a Connect CA provider. Parts of this currently hack around a bug in crypto/x509 and can be removed after https://go-review.googlesource.com/c/go/+/329129 lands in a Go release. Note: the AWS PCA tests do not run automatically, but the following passed locally for me: ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS 2021-06-25 18:00:00 +00:00			`func CreateCSR(uri CertURI, privateKey crypto.Signer,`
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`dnsNames []string, ipAddresses []net.IP, extensions ...pkix.Extension) (string, error) {`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`template := &x509.CertificateRequest{`
			`URIs: []*url.URL{uri.URI()},`
Fix support for RSA CA keys in Connect. (#6638) * Allow RSA CA certs for consul and vault providers to correctly sign EC leaf certs. * Ensure key type ad bits are populated from CA cert and clean up tests * Add integration test and fix error when initializing secondary CA with RSA key. * Add more tests, fix review feedback * Update docs with key type config and output * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> 2019-11-01 13:20:26 +00:00			`SignatureAlgorithm: SigAlgoForKey(privateKey),`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`ExtraExtensions: extensions,`
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944) * Add CreateCSRWithSAN * Use CreateCSRWithSAN in auto_encrypt and cache * Copy DNSNames and IPAddresses to cert * Verify auto_encrypt.sign returns cert with SAN * provide configuration options for auto_encrypt dnssan and ipsan * rename CreateCSRWithSAN to CreateCSR 2020-01-17 22:25:26 +00:00			`DNSNames: dnsNames,`
			`IPAddresses: ipAddresses,`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00			`}`
connect/ca: cease including the common name field in generated certs (#10424) As part of this change, we ensure that the SAN extensions are marked as critical when the subject is empty so that AWS PCA tolerates the loss of common names well and continues to function as a Connect CA provider. Parts of this currently hack around a bug in crypto/x509 and can be removed after https://go-review.googlesource.com/c/go/+/329129 lands in a Go release. Note: the AWS PCA tests do not run automatically, but the following passed locally for me: ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS 2021-06-25 18:00:00 +00:00			`HackSANExtensionForCSR(template)`
Generate CSR using real trust-domain 2018-05-09 16:15:29 +00:00
			`// Create the CSR itself`
			`var csrBuf bytes.Buffer`
			`bs, err := x509.CreateCertificateRequest(rand.Reader, template, privateKey)`
			`if err != nil {`
			`return "", err`
			`}`

			`err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})`
			`if err != nil {`
			`return "", err`
			`}`

			`return csrBuf.String(), nil`
			`}`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00
			`// CreateCSR returns a CA CSR to sign the given service along with the PEM-encoded`
			`// private key for this certificate.`
connect/ca: cease including the common name field in generated certs (#10424) As part of this change, we ensure that the SAN extensions are marked as critical when the subject is empty so that AWS PCA tolerates the loss of common names well and continues to function as a Connect CA provider. Parts of this currently hack around a bug in crypto/x509 and can be removed after https://go-review.googlesource.com/c/go/+/329129 lands in a Go release. Note: the AWS PCA tests do not run automatically, but the following passed locally for me: ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS 2021-06-25 18:00:00 +00:00			`func CreateCACSR(uri CertURI, privateKey crypto.Signer) (string, error) {`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`ext, err := CreateCAExtension()`
			`if err != nil {`
			`return "", err`
			`}`

connect/ca: cease including the common name field in generated certs (#10424) As part of this change, we ensure that the SAN extensions are marked as critical when the subject is empty so that AWS PCA tolerates the loss of common names well and continues to function as a Connect CA provider. Parts of this currently hack around a bug in crypto/x509 and can be removed after https://go-review.googlesource.com/c/go/+/329129 lands in a Go release. Note: the AWS PCA tests do not run automatically, but the following passed locally for me: ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS 2021-06-25 18:00:00 +00:00			`return CreateCSR(uri, privateKey, nil, nil, ext)`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`}`

			`// CreateCAExtension creates a pkix.Extension for the x509 Basic Constraints`
			`// IsCA field ()`
			`func CreateCAExtension() (pkix.Extension, error) {`
			`type basicConstraints struct {`
			IsCA bool `asn1:"optional"`
			MaxPathLen int `asn1:"optional"`
			`}`
			`basicCon := basicConstraints{IsCA: true, MaxPathLen: 0}`
			`bitstr, err := asn1.Marshal(basicCon)`
			`if err != nil {`
			`return pkix.Extension{}, err`
			`}`

			`return pkix.Extension{`
			`Id: []int{2, 5, 29, 19}, // from x509 package`
			`Critical: true,`
			`Value: bitstr,`
			`}, nil`
			`}`