2023-03-28 18:39:22 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2018-05-23 21:43:40 +00:00
|
|
|
package ca
|
2018-04-20 08:30:34 +00:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"crypto/rand"
|
2018-09-12 20:44:15 +00:00
|
|
|
"crypto/sha256"
|
2018-04-20 08:30:34 +00:00
|
|
|
"crypto/x509"
|
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
|
"encoding/pem"
|
2018-09-07 02:18:54 +00:00
|
|
|
"errors"
|
2018-04-20 08:30:34 +00:00
|
|
|
"fmt"
|
|
|
|
|
"math/big"
|
|
|
|
|
"net/url"
|
|
|
|
|
"sync"
|
|
|
|
|
"time"
|
|
|
|
|
|
2021-06-25 18:00:00 +00:00
|
|
|
"github.com/hashicorp/go-hclog"
|
|
|
|
|
|
2018-04-20 08:30:34 +00:00
|
|
|
"github.com/hashicorp/consul/agent/connect"
|
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
|
|
|
)
|
|
|
|
|
|
2020-10-09 11:35:42 +00:00
|
|
|
var (
|
2020-09-18 08:13:29 +00:00
|
|
|
// NotBefore will be CertificateTimeDriftBuffer in the past to account for
|
|
|
|
|
// time drift between different servers.
|
|
|
|
|
CertificateTimeDriftBuffer = time.Minute
|
|
|
|
|
|
2020-10-09 11:35:42 +00:00
|
|
|
ErrNotInitialized = errors.New("provider not initialized")
|
|
|
|
|
)
|
2018-09-07 02:18:54 +00:00
|
|
|
|
2018-05-09 22:12:31 +00:00
|
|
|
type ConsulProvider struct {
|
2018-09-11 23:43:04 +00:00
|
|
|
Delegate ConsulProviderStateDelegate
|
|
|
|
|
|
2018-09-13 02:52:24 +00:00
|
|
|
config *structs.ConsulCAProviderConfig
|
|
|
|
|
id string
|
|
|
|
|
clusterID string
|
2019-11-18 14:22:19 +00:00
|
|
|
isPrimary bool
|
2018-09-13 02:52:24 +00:00
|
|
|
spiffeID *connect.SpiffeIDSigning
|
2021-07-12 18:04:34 +00:00
|
|
|
logger hclog.Logger
|
2018-09-13 02:52:24 +00:00
|
|
|
|
2019-11-11 20:57:16 +00:00
|
|
|
// testState is only used to test Consul leader's handling of providers that
|
|
|
|
|
// need to persist state. Consul provider actually manages it's state directly
|
|
|
|
|
// in the FSM since it is highly sensitive not (root private keys) not just
|
|
|
|
|
// metadata for lookups. We could make a whole mock provider to keep this out
|
|
|
|
|
// of Consul but that would still need to be configurable through real config
|
|
|
|
|
// and is a lot more boilerplate to test this for equivalent functionality.
|
|
|
|
|
testState map[string]string
|
|
|
|
|
|
2018-04-20 08:30:34 +00:00
|
|
|
sync.RWMutex
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-05 21:39:21 +00:00
|
|
|
var _ Provider = (*ConsulProvider)(nil)
|
|
|
|
|
|
2021-07-12 18:04:34 +00:00
|
|
|
// NewConsulProvider returns a new ConsulProvider that is ready to be used.
|
|
|
|
|
func NewConsulProvider(delegate ConsulProviderStateDelegate, logger hclog.Logger) *ConsulProvider {
|
|
|
|
|
return &ConsulProvider{Delegate: delegate, logger: logger}
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-09 22:12:31 +00:00
|
|
|
type ConsulProviderStateDelegate interface {
|
2021-11-12 00:03:52 +00:00
|
|
|
ProviderState(id string) (*structs.CAConsulProviderState, error)
|
2020-01-09 15:32:19 +00:00
|
|
|
ApplyCARequest(*structs.CARequest) (interface{}, error)
|
2018-05-03 19:50:45 +00:00
|
|
|
}
|
|
|
|
|
|
2021-07-13 16:12:07 +00:00
|
|
|
func hexStringHash(input string) string {
|
|
|
|
|
hash := sha256.Sum256([]byte(input))
|
|
|
|
|
return connect.HexString(hash[:])
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-11 23:43:04 +00:00
|
|
|
// Configure sets up the provider using the given configuration.
|
2019-11-18 14:22:19 +00:00
|
|
|
func (c *ConsulProvider) Configure(cfg ProviderConfig) error {
|
2018-09-07 02:18:54 +00:00
|
|
|
// Parse the raw config and update our ID.
|
2019-11-18 14:22:19 +00:00
|
|
|
config, err := ParseConsulCAConfig(cfg.RawConfig)
|
2018-04-20 08:30:34 +00:00
|
|
|
if err != nil {
|
2018-09-07 02:18:54 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
c.config = config
|
2021-07-13 16:12:07 +00:00
|
|
|
c.id = hexStringHash(fmt.Sprintf("%s,%s,%s,%d,%v", config.PrivateKey, config.RootCert, config.PrivateKeyType, config.PrivateKeyBits, cfg.IsPrimary))
|
2019-11-18 14:22:19 +00:00
|
|
|
c.clusterID = cfg.ClusterID
|
|
|
|
|
c.isPrimary = cfg.IsPrimary
|
2021-11-05 22:20:24 +00:00
|
|
|
c.spiffeID = connect.SpiffeIDSigningForCluster(c.clusterID)
|
2018-09-07 02:18:54 +00:00
|
|
|
|
2019-11-11 20:57:16 +00:00
|
|
|
// Passthrough test state for state handling tests. See testState doc.
|
2019-11-21 17:40:29 +00:00
|
|
|
c.parseTestState(cfg.RawConfig, cfg.State)
|
2019-11-11 20:57:16 +00:00
|
|
|
|
2018-09-07 02:18:54 +00:00
|
|
|
// Exit early if the state store has an entry for this provider's config.
|
2021-11-12 00:03:52 +00:00
|
|
|
providerState, err := c.Delegate.ProviderState(c.id)
|
2018-09-07 02:18:54 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2018-08-07 12:29:48 +00:00
|
|
|
if providerState != nil {
|
2018-09-07 02:18:54 +00:00
|
|
|
return nil
|
2018-08-07 12:29:48 +00:00
|
|
|
}
|
|
|
|
|
|
2021-07-13 16:12:07 +00:00
|
|
|
oldIDs := []string{
|
|
|
|
|
hexStringHash(fmt.Sprintf("%s,%s,%v", config.PrivateKey, config.RootCert, cfg.IsPrimary)),
|
|
|
|
|
fmt.Sprintf("%s,%s", config.PrivateKey, config.RootCert),
|
2018-09-12 20:44:15 +00:00
|
|
|
}
|
|
|
|
|
|
2021-11-02 18:02:10 +00:00
|
|
|
// Check if there are any entries with old ID schemes.
|
2021-07-13 16:12:07 +00:00
|
|
|
for _, oldID := range oldIDs {
|
2021-11-12 00:03:52 +00:00
|
|
|
providerState, err = c.Delegate.ProviderState(oldID)
|
2021-07-13 16:12:07 +00:00
|
|
|
if err != nil {
|
2018-09-12 20:44:15 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-13 16:12:07 +00:00
|
|
|
// Found an entry with the old ID, so update it to the new ID and
|
|
|
|
|
// delete the old entry.
|
|
|
|
|
if providerState != nil {
|
|
|
|
|
newState := *providerState
|
|
|
|
|
newState.ID = c.id
|
|
|
|
|
createReq := &structs.CARequest{
|
|
|
|
|
Op: structs.CAOpSetProviderState,
|
|
|
|
|
ProviderState: &newState,
|
|
|
|
|
}
|
|
|
|
|
if _, err := c.Delegate.ApplyCARequest(createReq); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
deleteReq := &structs.CARequest{
|
|
|
|
|
Op: structs.CAOpDeleteProviderState,
|
|
|
|
|
ProviderState: providerState,
|
|
|
|
|
}
|
|
|
|
|
if _, err := c.Delegate.ApplyCARequest(deleteReq); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
2018-09-12 20:44:15 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-07 02:18:54 +00:00
|
|
|
args := &structs.CARequest{
|
|
|
|
|
Op: structs.CAOpSetProviderState,
|
2021-06-22 21:25:38 +00:00
|
|
|
ProviderState: &structs.CAConsulProviderState{ID: c.id},
|
2018-09-07 02:18:54 +00:00
|
|
|
}
|
2020-01-09 15:32:19 +00:00
|
|
|
if _, err := c.Delegate.ApplyCARequest(args); err != nil {
|
2018-09-07 02:18:54 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-12 18:04:34 +00:00
|
|
|
c.logger.Debug("consul CA provider configured", "id", c.id, "is_primary", c.isPrimary)
|
2019-11-11 20:30:01 +00:00
|
|
|
|
2018-09-07 02:18:54 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-11 20:57:16 +00:00
|
|
|
// State implements Provider. Consul actually does store all it's state in raft
|
|
|
|
|
// but it manages it independently through a separate table already so this is a
|
|
|
|
|
// no-op. This method just passes through testState which allows tests to verify
|
|
|
|
|
// state handling behavior without needing to plumb a full test mock provider
|
|
|
|
|
// right through Consul server code.
|
|
|
|
|
func (c *ConsulProvider) State() (map[string]string, error) {
|
|
|
|
|
return c.testState, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-03 15:40:33 +00:00
|
|
|
// GenerateCAChain initializes a new root certificate and private key if needed.
|
|
|
|
|
func (c *ConsulProvider) GenerateCAChain() (CAChainResult, error) {
|
2020-06-23 17:43:24 +00:00
|
|
|
providerState, err := c.getState()
|
2018-08-07 12:29:48 +00:00
|
|
|
if err != nil {
|
2023-04-03 15:40:33 +00:00
|
|
|
return CAChainResult{}, err
|
2018-09-07 02:18:54 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-18 14:22:19 +00:00
|
|
|
if !c.isPrimary {
|
2023-04-03 15:40:33 +00:00
|
|
|
return CAChainResult{}, fmt.Errorf("provider is not the root certificate authority")
|
2018-09-07 02:18:54 +00:00
|
|
|
}
|
|
|
|
|
if providerState.RootCert != "" {
|
2023-04-03 15:40:33 +00:00
|
|
|
return CAChainResult{PEM: providerState.RootCert}, nil
|
2018-04-21 01:46:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Generate a private key if needed
|
2018-09-07 02:18:54 +00:00
|
|
|
newState := *providerState
|
|
|
|
|
if c.config.PrivateKey == "" {
|
2019-07-30 21:47:39 +00:00
|
|
|
_, pk, err := connect.GeneratePrivateKeyWithConfig(c.config.PrivateKeyType, c.config.PrivateKeyBits)
|
2018-04-21 01:46:02 +00:00
|
|
|
if err != nil {
|
2023-04-03 15:40:33 +00:00
|
|
|
return CAChainResult{}, err
|
2018-04-21 01:46:02 +00:00
|
|
|
}
|
|
|
|
|
newState.PrivateKey = pk
|
|
|
|
|
} else {
|
2018-09-07 02:18:54 +00:00
|
|
|
newState.PrivateKey = c.config.PrivateKey
|
2018-04-21 01:46:02 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-24 23:16:37 +00:00
|
|
|
// Generate the root CA if necessary
|
2018-09-07 02:18:54 +00:00
|
|
|
if c.config.RootCert == "" {
|
2020-01-09 15:32:19 +00:00
|
|
|
nextSerial, err := c.incrementAndGetNextSerialNumber()
|
|
|
|
|
if err != nil {
|
2023-04-03 15:40:33 +00:00
|
|
|
return CAChainResult{}, fmt.Errorf("error computing next serial number: %v", err)
|
2020-01-09 15:32:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-11-02 18:02:10 +00:00
|
|
|
ca, err := c.generateCA(newState.PrivateKey, nextSerial, c.config.RootCertTTL)
|
2018-04-24 23:16:37 +00:00
|
|
|
if err != nil {
|
2023-04-03 15:40:33 +00:00
|
|
|
return CAChainResult{}, fmt.Errorf("error generating CA: %v", err)
|
2018-04-24 23:16:37 +00:00
|
|
|
}
|
|
|
|
|
newState.RootCert = ca
|
|
|
|
|
} else {
|
2018-09-07 02:18:54 +00:00
|
|
|
newState.RootCert = c.config.RootCert
|
2018-04-21 01:46:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Write the provider state
|
|
|
|
|
args := &structs.CARequest{
|
|
|
|
|
Op: structs.CAOpSetProviderState,
|
|
|
|
|
ProviderState: &newState,
|
|
|
|
|
}
|
2020-01-09 15:32:19 +00:00
|
|
|
if _, err := c.Delegate.ApplyCARequest(args); err != nil {
|
2023-04-03 15:40:33 +00:00
|
|
|
return CAChainResult{}, err
|
2018-04-21 01:46:02 +00:00
|
|
|
}
|
|
|
|
|
|
2023-04-03 15:40:33 +00:00
|
|
|
return CAChainResult{PEM: newState.RootCert}, nil
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-13 02:52:24 +00:00
|
|
|
// GenerateIntermediateCSR creates a private key and generates a CSR
|
|
|
|
|
// for another datacenter's root to sign.
|
2022-12-05 21:39:21 +00:00
|
|
|
func (c *ConsulProvider) GenerateIntermediateCSR() (string, string, error) {
|
2020-06-23 17:43:24 +00:00
|
|
|
providerState, err := c.getState()
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
2022-12-05 21:39:21 +00:00
|
|
|
return "", "", err
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-18 14:22:19 +00:00
|
|
|
if c.isPrimary {
|
2022-12-05 21:39:21 +00:00
|
|
|
return "", "", fmt.Errorf("provider is the root certificate authority, " +
|
2018-09-13 02:52:24 +00:00
|
|
|
"cannot generate an intermediate CSR")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create a new private key and CSR.
|
2019-07-30 21:47:39 +00:00
|
|
|
signer, pk, err := connect.GeneratePrivateKeyWithConfig(c.config.PrivateKeyType, c.config.PrivateKeyBits)
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
2022-12-05 21:39:21 +00:00
|
|
|
return "", "", err
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
2021-06-25 18:00:00 +00:00
|
|
|
csr, err := connect.CreateCACSR(c.spiffeID, signer)
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
2022-12-05 21:39:21 +00:00
|
|
|
return "", "", err
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Write the new provider state to the store.
|
|
|
|
|
newState := *providerState
|
|
|
|
|
newState.PrivateKey = pk
|
|
|
|
|
args := &structs.CARequest{
|
|
|
|
|
Op: structs.CAOpSetProviderState,
|
|
|
|
|
ProviderState: &newState,
|
|
|
|
|
}
|
2020-01-09 15:32:19 +00:00
|
|
|
if _, err := c.Delegate.ApplyCARequest(args); err != nil {
|
2022-12-05 21:39:21 +00:00
|
|
|
return "", "", err
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
2022-12-05 21:39:21 +00:00
|
|
|
return csr, "", nil
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-13 20:09:07 +00:00
|
|
|
// SetIntermediate validates that the given intermediate is for the right private key
|
|
|
|
|
// and writes the given intermediate and root certificates to the state.
|
2022-12-05 21:39:21 +00:00
|
|
|
func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM, _ string) error {
|
2020-06-23 17:43:24 +00:00
|
|
|
providerState, err := c.getState()
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-18 14:22:19 +00:00
|
|
|
if c.isPrimary {
|
2018-09-13 02:52:24 +00:00
|
|
|
return fmt.Errorf("cannot set an intermediate using another root in the primary datacenter")
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-06 00:08:26 +00:00
|
|
|
if err = validateSetIntermediate(intermediatePEM, rootPEM, c.spiffeID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := validateIntermediateSignedByPrivateKey(intermediatePEM, providerState.PrivateKey); err != nil {
|
2018-09-13 02:52:24 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update the state
|
|
|
|
|
newState := *providerState
|
|
|
|
|
newState.IntermediateCert = intermediatePEM
|
|
|
|
|
newState.RootCert = rootPEM
|
|
|
|
|
args := &structs.CARequest{
|
|
|
|
|
Op: structs.CAOpSetProviderState,
|
|
|
|
|
ProviderState: &newState,
|
|
|
|
|
}
|
2020-01-09 15:32:19 +00:00
|
|
|
if _, err := c.Delegate.ApplyCARequest(args); err != nil {
|
2018-09-13 02:52:24 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-03 15:40:33 +00:00
|
|
|
func (c *ConsulProvider) ActiveLeafSigningCert() (string, error) {
|
2020-06-23 17:43:24 +00:00
|
|
|
providerState, err := c.getState()
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-01 20:39:20 +00:00
|
|
|
if c.isPrimary {
|
|
|
|
|
return providerState.RootCert, nil
|
|
|
|
|
}
|
2018-09-13 02:52:24 +00:00
|
|
|
return providerState.IntermediateCert, nil
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-21 01:46:02 +00:00
|
|
|
// Remove the state store entry for this provider instance.
|
2021-01-15 18:20:27 +00:00
|
|
|
func (c *ConsulProvider) Cleanup(_ bool, _ map[string]interface{}) error {
|
|
|
|
|
// This method only gets called for final cleanup. Therefore we don't
|
|
|
|
|
// need to worry about the case where a ca config update is made to
|
|
|
|
|
// change the cert ttls but leaving the private key and root cert the
|
|
|
|
|
// same. Changing those would change the id field on the provider.
|
2018-04-21 01:46:02 +00:00
|
|
|
args := &structs.CARequest{
|
|
|
|
|
Op: structs.CAOpDeleteProviderState,
|
|
|
|
|
ProviderState: &structs.CAConsulProviderState{ID: c.id},
|
|
|
|
|
}
|
2020-01-09 15:32:19 +00:00
|
|
|
if _, err := c.Delegate.ApplyCARequest(args); err != nil {
|
2018-04-21 01:46:02 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-20 08:30:34 +00:00
|
|
|
// Sign returns a new certificate valid for the given SpiffeIDService
|
|
|
|
|
// using the current CA.
|
2018-05-09 22:12:31 +00:00
|
|
|
func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
|
2021-06-25 18:00:00 +00:00
|
|
|
connect.HackSANExtensionForCSR(csr)
|
|
|
|
|
|
2018-04-21 01:46:02 +00:00
|
|
|
// Lock during the signing so we don't use the same index twice
|
|
|
|
|
// for different cert serial numbers.
|
|
|
|
|
c.Lock()
|
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
2018-04-20 08:30:34 +00:00
|
|
|
// Get the provider state
|
2020-06-23 17:43:24 +00:00
|
|
|
providerState, err := c.getState()
|
2018-04-20 08:30:34 +00:00
|
|
|
if err != nil {
|
2018-04-24 23:31:42 +00:00
|
|
|
return "", err
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
2019-01-22 19:15:09 +00:00
|
|
|
if providerState.PrivateKey == "" {
|
|
|
|
|
return "", ErrNotInitialized
|
|
|
|
|
}
|
2018-04-20 08:30:34 +00:00
|
|
|
|
2018-04-21 03:39:51 +00:00
|
|
|
// Create the keyId for the cert from the signing private key.
|
2018-04-20 08:30:34 +00:00
|
|
|
signer, err := connect.ParseSigner(providerState.PrivateKey)
|
|
|
|
|
if err != nil {
|
2018-04-24 23:31:42 +00:00
|
|
|
return "", err
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
if signer == nil {
|
2018-09-13 02:52:24 +00:00
|
|
|
return "", ErrNotInitialized
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
keyId, err := connect.KeyId(signer.Public())
|
|
|
|
|
if err != nil {
|
2018-04-24 23:31:42 +00:00
|
|
|
return "", err
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2020-01-22 10:28:28 +00:00
|
|
|
// Create the subjectKeyId for the cert from the csr public key.
|
|
|
|
|
subjectKeyID, err := connect.KeyId(csr.PublicKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-20 08:30:34 +00:00
|
|
|
// Parse the CA cert
|
2023-04-03 15:40:33 +00:00
|
|
|
certPEM, err := c.ActiveLeafSigningCert()
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
caCert, err := connect.ParseCert(certPEM)
|
2018-04-20 08:30:34 +00:00
|
|
|
if err != nil {
|
2018-04-24 23:31:42 +00:00
|
|
|
return "", fmt.Errorf("error parsing CA cert: %s", err)
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2020-01-09 15:32:19 +00:00
|
|
|
nextSerial, err := c.incrementAndGetNextSerialNumber()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error computing next serial number: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-20 08:30:34 +00:00
|
|
|
// Cert template for generation
|
|
|
|
|
sn := &big.Int{}
|
2020-01-09 15:32:19 +00:00
|
|
|
sn.SetUint64(nextSerial)
|
2018-06-20 19:28:54 +00:00
|
|
|
// Sign the certificate valid from 1 minute in the past, this helps it be
|
2019-03-06 17:13:28 +00:00
|
|
|
// accepted right away even when nodes are not in close time sync across the
|
2018-06-20 19:28:54 +00:00
|
|
|
// cluster. A minute is more than enough for typical DC clock drift.
|
|
|
|
|
effectiveNow := time.Now().Add(-1 * time.Minute)
|
2018-04-20 08:30:34 +00:00
|
|
|
template := x509.Certificate{
|
2019-11-01 13:20:26 +00:00
|
|
|
SerialNumber: sn,
|
|
|
|
|
URIs: csr.URIs,
|
|
|
|
|
Signature: csr.Signature,
|
|
|
|
|
// We use the correct signature algorithm for the CA key we are signing with
|
|
|
|
|
// regardless of the algorithm used to sign the CSR signature above since
|
|
|
|
|
// the leaf might use a different key type.
|
|
|
|
|
SignatureAlgorithm: connect.SigAlgoForKey(signer),
|
2018-04-20 08:30:34 +00:00
|
|
|
PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
|
|
|
|
|
PublicKey: csr.PublicKey,
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
KeyUsage: x509.KeyUsageDataEncipherment |
|
|
|
|
|
x509.KeyUsageKeyAgreement |
|
|
|
|
|
x509.KeyUsageDigitalSignature |
|
|
|
|
|
x509.KeyUsageKeyEncipherment,
|
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{
|
|
|
|
|
x509.ExtKeyUsageClientAuth,
|
|
|
|
|
x509.ExtKeyUsageServerAuth,
|
|
|
|
|
},
|
2018-07-16 09:46:10 +00:00
|
|
|
NotAfter: effectiveNow.Add(c.config.LeafCertTTL),
|
2018-06-20 19:28:54 +00:00
|
|
|
NotBefore: effectiveNow,
|
2018-04-20 08:30:34 +00:00
|
|
|
AuthorityKeyId: keyId,
|
2020-01-22 10:28:28 +00:00
|
|
|
SubjectKeyId: subjectKeyID,
|
2020-01-17 22:25:26 +00:00
|
|
|
DNSNames: csr.DNSNames,
|
|
|
|
|
IPAddresses: csr.IPAddresses,
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create the certificate, PEM encode it and return that value.
|
|
|
|
|
var buf bytes.Buffer
|
|
|
|
|
bs, err := x509.CreateCertificate(
|
2018-04-30 21:23:49 +00:00
|
|
|
rand.Reader, &template, caCert, csr.PublicKey, signer)
|
2018-04-20 08:30:34 +00:00
|
|
|
if err != nil {
|
2018-04-24 23:31:42 +00:00
|
|
|
return "", fmt.Errorf("error generating certificate: %s", err)
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
|
|
|
|
|
if err != nil {
|
2018-05-09 16:15:29 +00:00
|
|
|
return "", fmt.Errorf("error encoding certificate: %s", err)
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set the response
|
2018-04-24 23:31:42 +00:00
|
|
|
return buf.String(), nil
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2018-09-13 02:52:24 +00:00
|
|
|
// SignIntermediate will validate the CSR to ensure the trust domain in the
|
|
|
|
|
// URI SAN matches the local one and that basic constraints for a CA certificate
|
|
|
|
|
// are met. It should return a signed CA certificate with a path length constraint
|
|
|
|
|
// of 0 to ensure that the certificate cannot be used to generate further CA certs.
|
|
|
|
|
func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error) {
|
2020-06-23 17:43:24 +00:00
|
|
|
providerState, err := c.getState()
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-21 17:40:29 +00:00
|
|
|
err = validateSignIntermediate(csr, c.spiffeID)
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the signing private key.
|
|
|
|
|
signer, err := connect.ParseSigner(providerState.PrivateKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
2019-11-01 13:20:26 +00:00
|
|
|
subjectKeyID, err := connect.KeyId(csr.PublicKey)
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse the CA cert
|
|
|
|
|
caCert, err := connect.ParseCert(providerState.RootCert)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error parsing CA cert: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-09 15:32:19 +00:00
|
|
|
nextSerial, err := c.incrementAndGetNextSerialNumber()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error computing next serial number: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-13 02:52:24 +00:00
|
|
|
// Cert template for generation
|
|
|
|
|
sn := &big.Int{}
|
2020-01-09 15:32:19 +00:00
|
|
|
sn.SetUint64(nextSerial)
|
2018-09-13 02:52:24 +00:00
|
|
|
// Sign the certificate valid from 1 minute in the past, this helps it be
|
2019-03-06 17:13:28 +00:00
|
|
|
// accepted right away even when nodes are not in close time sync across the
|
2018-09-13 02:52:24 +00:00
|
|
|
// cluster. A minute is more than enough for typical DC clock drift.
|
2020-09-18 08:13:29 +00:00
|
|
|
effectiveNow := time.Now().Add(-1 * CertificateTimeDriftBuffer)
|
2018-09-13 02:52:24 +00:00
|
|
|
template := x509.Certificate{
|
|
|
|
|
SerialNumber: sn,
|
2021-06-25 18:00:00 +00:00
|
|
|
DNSNames: csr.DNSNames,
|
|
|
|
|
EmailAddresses: csr.EmailAddresses,
|
|
|
|
|
IPAddresses: csr.IPAddresses,
|
2018-09-13 02:52:24 +00:00
|
|
|
URIs: csr.URIs,
|
2021-06-25 18:00:00 +00:00
|
|
|
ExtraExtensions: csr.ExtraExtensions,
|
|
|
|
|
Subject: csr.Subject,
|
2018-09-13 02:52:24 +00:00
|
|
|
Signature: csr.Signature,
|
2019-11-01 13:20:26 +00:00
|
|
|
SignatureAlgorithm: connect.SigAlgoForKey(signer),
|
2018-09-13 02:52:24 +00:00
|
|
|
PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
|
|
|
|
|
PublicKey: csr.PublicKey,
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
KeyUsage: x509.KeyUsageCertSign |
|
|
|
|
|
x509.KeyUsageCRLSign |
|
|
|
|
|
x509.KeyUsageDigitalSignature,
|
|
|
|
|
IsCA: true,
|
|
|
|
|
MaxPathLenZero: true,
|
2020-01-17 22:27:13 +00:00
|
|
|
NotAfter: effectiveNow.Add(c.config.IntermediateCertTTL),
|
2018-09-13 02:52:24 +00:00
|
|
|
NotBefore: effectiveNow,
|
2019-11-01 13:20:26 +00:00
|
|
|
SubjectKeyId: subjectKeyID,
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create the certificate, PEM encode it and return that value.
|
|
|
|
|
var buf bytes.Buffer
|
|
|
|
|
bs, err := x509.CreateCertificate(
|
|
|
|
|
rand.Reader, &template, caCert, csr.PublicKey, signer)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error generating certificate: %s", err)
|
|
|
|
|
}
|
|
|
|
|
err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error encoding certificate: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set the response
|
|
|
|
|
return buf.String(), nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-19 23:46:18 +00:00
|
|
|
// CrossSignCA returns the given CA cert signed by the current active root.
|
|
|
|
|
func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
2018-04-21 03:39:51 +00:00
|
|
|
c.Lock()
|
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
2019-11-11 21:36:22 +00:00
|
|
|
if c.config.DisableCrossSigning {
|
|
|
|
|
return "", errors.New("cross-signing disabled")
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-21 03:39:51 +00:00
|
|
|
// Get the provider state
|
2020-06-23 17:43:24 +00:00
|
|
|
providerState, err := c.getState()
|
2018-04-21 03:39:51 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
privKey, err := connect.ParseSigner(providerState.PrivateKey)
|
|
|
|
|
if err != nil {
|
2018-04-25 18:34:08 +00:00
|
|
|
return "", fmt.Errorf("error parsing private key %q: %s", providerState.PrivateKey, err)
|
2018-04-21 03:39:51 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-24 23:16:37 +00:00
|
|
|
rootCA, err := connect.ParseCert(providerState.RootCert)
|
2018-04-21 03:39:51 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
2018-04-24 23:16:37 +00:00
|
|
|
|
2018-06-19 23:46:18 +00:00
|
|
|
keyId, err := connect.KeyId(privKey.Public())
|
2018-04-21 03:39:51 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-09 15:32:19 +00:00
|
|
|
nextSerial, err := c.incrementAndGetNextSerialNumber()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error computing next serial number: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-24 23:16:37 +00:00
|
|
|
// Create the cross-signing template from the existing root CA
|
2018-04-21 03:39:51 +00:00
|
|
|
serialNum := &big.Int{}
|
2020-01-09 15:32:19 +00:00
|
|
|
serialNum.SetUint64(nextSerial)
|
2018-06-19 23:46:18 +00:00
|
|
|
template := *cert
|
|
|
|
|
template.SerialNumber = serialNum
|
|
|
|
|
template.SignatureAlgorithm = rootCA.SignatureAlgorithm
|
|
|
|
|
template.AuthorityKeyId = keyId
|
2018-04-21 03:39:51 +00:00
|
|
|
|
2018-06-20 19:28:54 +00:00
|
|
|
// Sign the certificate valid from 1 minute in the past, this helps it be
|
2019-03-06 17:13:28 +00:00
|
|
|
// accepted right away even when nodes are not in close time sync across the
|
2018-06-20 19:28:54 +00:00
|
|
|
// cluster. A minute is more than enough for typical DC clock drift.
|
|
|
|
|
effectiveNow := time.Now().Add(-1 * time.Minute)
|
|
|
|
|
template.NotBefore = effectiveNow
|
|
|
|
|
// This cross-signed cert is only needed during rotation, and only while old
|
|
|
|
|
// leaf certs are still in use. They expire within 3 days currently so 7 is
|
|
|
|
|
// safe. TODO(banks): make this be based on leaf expiry time when that is
|
|
|
|
|
// configurable.
|
2019-03-01 16:25:37 +00:00
|
|
|
template.NotAfter = effectiveNow.AddDate(0, 0, 7)
|
2018-06-20 19:28:54 +00:00
|
|
|
|
2018-04-21 03:39:51 +00:00
|
|
|
bs, err := x509.CreateCertificate(
|
2018-06-19 23:46:18 +00:00
|
|
|
rand.Reader, &template, rootCA, cert.PublicKey, privKey)
|
2018-04-21 03:39:51 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error generating CA certificate: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var buf bytes.Buffer
|
|
|
|
|
err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error encoding private key: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return buf.String(), nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-11 21:36:22 +00:00
|
|
|
// SupportsCrossSigning implements Provider
|
|
|
|
|
func (c *ConsulProvider) SupportsCrossSigning() (bool, error) {
|
|
|
|
|
return !c.config.DisableCrossSigning, nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-13 02:52:24 +00:00
|
|
|
// getState returns the current provider state from the state delegate, and returns
|
|
|
|
|
// ErrNotInitialized if no entry is found.
|
2020-06-23 17:43:24 +00:00
|
|
|
func (c *ConsulProvider) getState() (*structs.CAConsulProviderState, error) {
|
2021-11-12 00:03:52 +00:00
|
|
|
providerState, err := c.Delegate.ProviderState(c.id)
|
2018-09-13 02:52:24 +00:00
|
|
|
if err != nil {
|
2020-06-23 17:43:24 +00:00
|
|
|
return nil, err
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if providerState == nil {
|
2020-06-23 17:43:24 +00:00
|
|
|
return nil, ErrNotInitialized
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
2020-06-23 17:43:24 +00:00
|
|
|
return providerState, nil
|
2018-09-13 02:52:24 +00:00
|
|
|
}
|
|
|
|
|
|
2020-01-09 15:32:19 +00:00
|
|
|
func (c *ConsulProvider) incrementAndGetNextSerialNumber() (uint64, error) {
|
2018-04-27 03:14:37 +00:00
|
|
|
args := &structs.CARequest{
|
2020-01-09 15:32:19 +00:00
|
|
|
Op: structs.CAOpIncrementProviderSerialNumber,
|
2018-04-27 03:14:37 +00:00
|
|
|
}
|
2020-01-09 15:32:19 +00:00
|
|
|
|
|
|
|
|
raw, err := c.Delegate.ApplyCARequest(args)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, err
|
2018-04-27 03:14:37 +00:00
|
|
|
}
|
|
|
|
|
|
2020-01-09 15:32:19 +00:00
|
|
|
return raw.(uint64), nil
|
2018-04-27 03:14:37 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-20 08:30:34 +00:00
|
|
|
// generateCA makes a new root CA using the current private key
|
2021-11-02 18:02:10 +00:00
|
|
|
func (c *ConsulProvider) generateCA(privateKey string, sn uint64, rootCertTTL time.Duration) (string, error) {
|
2018-04-20 08:30:34 +00:00
|
|
|
privKey, err := connect.ParseSigner(privateKey)
|
|
|
|
|
if err != nil {
|
2018-04-25 18:34:08 +00:00
|
|
|
return "", fmt.Errorf("error parsing private key %q: %s", privateKey, err)
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-24 23:16:37 +00:00
|
|
|
// The URI (SPIFFE compatible) for the cert
|
2021-11-05 22:28:37 +00:00
|
|
|
id := connect.SpiffeIDSigningForCluster(c.clusterID)
|
2018-04-24 23:16:37 +00:00
|
|
|
keyId, err := connect.KeyId(privKey.Public())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
2018-04-21 01:46:02 +00:00
|
|
|
|
2018-04-24 23:16:37 +00:00
|
|
|
// Create the CA cert
|
2019-11-11 17:11:54 +00:00
|
|
|
uid, err := connect.CompactUID()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
2019-11-18 14:22:19 +00:00
|
|
|
cn := connect.CACN("consul", uid, c.clusterID, c.isPrimary)
|
2018-04-24 23:16:37 +00:00
|
|
|
serialNum := &big.Int{}
|
|
|
|
|
serialNum.SetUint64(sn)
|
|
|
|
|
template := x509.Certificate{
|
2019-03-06 17:13:28 +00:00
|
|
|
SerialNumber: serialNum,
|
2019-11-11 17:11:54 +00:00
|
|
|
Subject: pkix.Name{CommonName: cn},
|
2019-03-06 17:13:28 +00:00
|
|
|
URIs: []*url.URL{id.URI()},
|
2018-06-21 16:40:56 +00:00
|
|
|
BasicConstraintsValid: true,
|
2018-04-24 23:16:37 +00:00
|
|
|
KeyUsage: x509.KeyUsageCertSign |
|
|
|
|
|
x509.KeyUsageCRLSign |
|
|
|
|
|
x509.KeyUsageDigitalSignature,
|
|
|
|
|
IsCA: true,
|
2021-11-02 18:02:10 +00:00
|
|
|
NotAfter: time.Now().Add(rootCertTTL),
|
2018-04-24 23:16:37 +00:00
|
|
|
NotBefore: time.Now(),
|
|
|
|
|
AuthorityKeyId: keyId,
|
|
|
|
|
SubjectKeyId: keyId,
|
|
|
|
|
}
|
2018-04-21 01:46:02 +00:00
|
|
|
|
2018-04-24 23:16:37 +00:00
|
|
|
bs, err := x509.CreateCertificate(
|
|
|
|
|
rand.Reader, &template, &template, privKey.Public(), privKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("error generating CA certificate: %s", err)
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-24 23:16:37 +00:00
|
|
|
var buf bytes.Buffer
|
|
|
|
|
err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
|
2018-04-20 08:30:34 +00:00
|
|
|
if err != nil {
|
2018-04-24 23:16:37 +00:00
|
|
|
return "", fmt.Errorf("error encoding private key: %s", err)
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
|
|
|
|
|
2018-04-24 23:16:37 +00:00
|
|
|
return buf.String(), nil
|
2018-04-20 08:30:34 +00:00
|
|
|
}
|
2019-11-11 20:30:01 +00:00
|
|
|
|
2019-11-21 17:40:29 +00:00
|
|
|
func (c *ConsulProvider) parseTestState(rawConfig map[string]interface{}, state map[string]string) {
|
2019-11-11 20:57:16 +00:00
|
|
|
c.testState = nil
|
|
|
|
|
if rawTestState, ok := rawConfig["test_state"]; ok {
|
|
|
|
|
if ts, ok := rawTestState.(map[string]string); ok {
|
|
|
|
|
c.testState = ts
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Secondary's config takes a trip through the state store before Configure
|
2019-11-21 17:40:29 +00:00
|
|
|
// is called and RPC calls that msgpack encode also have the same effect. It
|
|
|
|
|
// means we end up with map[string]string encoded as map[string]interface{}.
|
|
|
|
|
// We just handle that case. There is no struct error handling because this
|
|
|
|
|
// is test-only code (undocumented config key) and we'd rather not leave a
|
|
|
|
|
// way to error CA setup and leave cluster unavailable in prod by
|
|
|
|
|
// accidentally setting a bad test_state config.
|
2019-11-11 20:57:16 +00:00
|
|
|
if ts, ok := rawTestState.(map[string]interface{}); ok {
|
|
|
|
|
c.testState = make(map[string]string)
|
|
|
|
|
for k, v := range ts {
|
|
|
|
|
if s, ok := v.(string); ok {
|
|
|
|
|
c.testState[k] = s
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-11-21 17:40:29 +00:00
|
|
|
// If config didn't explicitly specify test_state to return, but there is some
|
|
|
|
|
// actual state from a previous provider. Just use that since that is expected
|
|
|
|
|
// behavior that providers with state would preserve the state they are passed
|
|
|
|
|
// in the common case.
|
|
|
|
|
if len(state) > 0 && c.testState == nil {
|
|
|
|
|
c.testState = state
|
|
|
|
|
}
|
2019-11-11 20:57:16 +00:00
|
|
|
}
|
