open-vault/builtin/logical/pki/storage.go
Alexander Scheel 8acbf7f480
Add PSS support to PKI Secrets Engine (#16519)
* Add PSS signature support to Vault PKI engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use issuer's RevocationSigAlg for CRL signing

We introduce a new parameter on issuers, revocation_signature_algorithm
to control the signature algorithm used during CRL signing. This is
because the SignatureAlgorithm value from the certificate itself is
incorrect for this purpose: a RSA root could sign an ECDSA intermediate
with say, SHA256WithRSA, but when the intermediate goes to sign a CRL,
it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When
coupled with support for PSS-only keys, allowing the user to set the
signature algorithm value as desired seems like the best approach.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add use_pss, revocation_signature_algorithm docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PSS to signature role issuance test matrix

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow roots to self-identify revocation alg

When using PSS support with a managed key, sometimes the underlying
device will not support PKCS#1v1.5 signatures. This results in CRL
building failing, unless we update the entry's signature algorithm
prior to building the CRL for the new root.

With a RSA-type key and use_pss=true, we use the signature bits value to
decide which hash function to use for PSS support.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add clearer error message on failed import

When CRL building fails during cert/key import, due to PSS failures,
give a better indication to the user that import succeeded its just CRL
building that failed. This tells them the parameter to adjust on the
issuer and warns that CRL building will fail until this is fixed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add case insensitive SigAlgo matching

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Convert UsePSS back to regular bool

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor PSS->certTemplate into helper function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Proper string output on rev_sig_alg display

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Copy root's SignatureAlgorithm for CRL building

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 12:42:24 -04:00

1027 lines
30 KiB
Go

package pki
import (
"bytes"
"context"
"crypto"
"crypto/x509"
"fmt"
"strings"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/helper/errutil"
"github.com/hashicorp/vault/sdk/logical"
)
const (
storageKeyConfig = "config/keys"
storageIssuerConfig = "config/issuers"
keyPrefix = "config/key/"
issuerPrefix = "config/issuer/"
storageLocalCRLConfig = "crls/config"
legacyMigrationBundleLogKey = "config/legacyMigrationBundleLog"
legacyCertBundlePath = "config/ca_bundle"
legacyCRLPath = "crl"
// Used as a quick sanity check for a reference id lookups...
uuidLength = 36
maxRolesToScanOnIssuerChange = 100
maxRolesToFindOnIssuerChange = 10
)
type keyID string
func (p keyID) String() string {
return string(p)
}
type issuerID string
func (p issuerID) String() string {
return string(p)
}
type crlID string
func (p crlID) String() string {
return string(p)
}
const (
IssuerRefNotFound = issuerID("not-found")
KeyRefNotFound = keyID("not-found")
)
type keyEntry struct {
ID keyID `json:"id"`
Name string `json:"name"`
PrivateKeyType certutil.PrivateKeyType `json:"private_key_type"`
PrivateKey string `json:"private_key"`
}
func (e keyEntry) getManagedKeyUUID() (UUIDKey, error) {
if !e.isManagedPrivateKey() {
return "", errutil.InternalError{Err: "getManagedKeyId called on a key id %s (%s) "}
}
return extractManagedKeyId([]byte(e.PrivateKey))
}
func (e keyEntry) isManagedPrivateKey() bool {
return e.PrivateKeyType == certutil.ManagedPrivateKey
}
type issuerUsage uint
const (
ReadOnlyUsage issuerUsage = iota
IssuanceUsage issuerUsage = 1 << iota
CRLSigningUsage issuerUsage = 1 << iota
// When adding a new usage in the future, we'll need to create a usage
// mask field on the IssuerEntry and handle migrations to a newer mask,
// inferring a value for the new bits.
AllIssuerUsages issuerUsage = ReadOnlyUsage | IssuanceUsage | CRLSigningUsage
)
var namedIssuerUsages = map[string]issuerUsage{
"read-only": ReadOnlyUsage,
"issuing-certificates": IssuanceUsage,
"crl-signing": CRLSigningUsage,
}
func (i *issuerUsage) ToggleUsage(usages ...issuerUsage) {
for _, usage := range usages {
*i ^= usage
}
}
func (i issuerUsage) HasUsage(usage issuerUsage) bool {
return (i & usage) == usage
}
func (i issuerUsage) Names() string {
var names []string
var builtUsage issuerUsage
for name, usage := range namedIssuerUsages {
if i.HasUsage(usage) {
names = append(names, name)
builtUsage.ToggleUsage(usage)
}
}
if i != builtUsage {
// Found some unknown usage, we should indicate this in the names.
names = append(names, fmt.Sprintf("unknown:%v", i^builtUsage))
}
return strings.Join(names, ",")
}
func NewIssuerUsageFromNames(names []string) (issuerUsage, error) {
var result issuerUsage
for index, name := range names {
usage, ok := namedIssuerUsages[name]
if !ok {
return ReadOnlyUsage, fmt.Errorf("unknown name for usage at index %v: %v", index, name)
}
result.ToggleUsage(usage)
}
return result, nil
}
type issuerEntry struct {
ID issuerID `json:"id"`
Name string `json:"name"`
KeyID keyID `json:"key_id"`
Certificate string `json:"certificate"`
CAChain []string `json:"ca_chain"`
ManualChain []issuerID `json:"manual_chain"`
SerialNumber string `json:"serial_number"`
LeafNotAfterBehavior certutil.NotAfterBehavior `json:"not_after_behavior"`
Usage issuerUsage `json:"usage"`
RevocationSigAlg x509.SignatureAlgorithm `json:"revocation_signature_algorithm"`
}
type localCRLConfigEntry struct {
IssuerIDCRLMap map[issuerID]crlID `json:"issuer_id_crl_map"`
CRLNumberMap map[crlID]int64 `json:"crl_number_map"`
}
type keyConfigEntry struct {
DefaultKeyId keyID `json:"default"`
}
type issuerConfigEntry struct {
DefaultIssuerId issuerID `json:"default"`
}
type storageContext struct {
Context context.Context
Storage logical.Storage
Backend *backend
}
func (b *backend) makeStorageContext(ctx context.Context, s logical.Storage) *storageContext {
return &storageContext{
Context: ctx,
Storage: s,
Backend: b,
}
}
func (sc *storageContext) listKeys() ([]keyID, error) {
strList, err := sc.Storage.List(sc.Context, keyPrefix)
if err != nil {
return nil, err
}
keyIds := make([]keyID, 0, len(strList))
for _, entry := range strList {
keyIds = append(keyIds, keyID(entry))
}
return keyIds, nil
}
func (sc *storageContext) fetchKeyById(keyId keyID) (*keyEntry, error) {
if len(keyId) == 0 {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to fetch pki key: empty key identifier")}
}
entry, err := sc.Storage.Get(sc.Context, keyPrefix+keyId.String())
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to fetch pki key: %v", err)}
}
if entry == nil {
// FIXME: Dedicated/specific error for this?
return nil, errutil.UserError{Err: fmt.Sprintf("pki key id %s does not exist", keyId.String())}
}
var key keyEntry
if err := entry.DecodeJSON(&key); err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to decode pki key with id %s: %v", keyId.String(), err)}
}
return &key, nil
}
func (sc *storageContext) writeKey(key keyEntry) error {
keyId := key.ID
json, err := logical.StorageEntryJSON(keyPrefix+keyId.String(), key)
if err != nil {
return err
}
return sc.Storage.Put(sc.Context, json)
}
func (sc *storageContext) deleteKey(id keyID) (bool, error) {
config, err := sc.getKeysConfig()
if err != nil {
return false, err
}
wasDefault := false
if config.DefaultKeyId == id {
wasDefault = true
config.DefaultKeyId = keyID("")
if err := sc.setKeysConfig(config); err != nil {
return wasDefault, err
}
}
return wasDefault, sc.Storage.Delete(sc.Context, keyPrefix+id.String())
}
func (sc *storageContext) importKey(keyValue string, keyName string, keyType certutil.PrivateKeyType) (*keyEntry, bool, error) {
// importKey imports the specified PEM-format key (from keyValue) into
// the new PKI storage format. The first return field is a reference to
// the new key; the second is whether or not the key already existed
// during import (in which case, *key points to the existing key reference
// and identifier); the last return field is whether or not an error
// occurred.
//
// Normalize whitespace before beginning. See note in importIssuer as to
// why we do this.
keyValue = strings.TrimSpace(keyValue) + "\n"
//
// Before we can import a known key, we first need to know if the key
// exists in storage already. This means iterating through all known
// keys and comparing their private value against this value.
knownKeys, err := sc.listKeys()
if err != nil {
return nil, false, err
}
// Get our public key from the current inbound key, to compare against all the other keys.
var pkForImportingKey crypto.PublicKey
if keyType == certutil.ManagedPrivateKey {
managedKeyUUID, err := extractManagedKeyId([]byte(keyValue))
if err != nil {
return nil, false, errutil.InternalError{Err: fmt.Sprintf("failed extracting managed key uuid from key: %v", err)}
}
pkForImportingKey, err = getManagedKeyPublicKey(sc.Context, sc.Backend, managedKeyUUID)
if err != nil {
return nil, false, err
}
} else {
pkForImportingKey, err = getPublicKeyFromBytes([]byte(keyValue))
if err != nil {
return nil, false, err
}
}
foundExistingKeyWithName := false
for _, identifier := range knownKeys {
existingKey, err := sc.fetchKeyById(identifier)
if err != nil {
return nil, false, err
}
areEqual, err := comparePublicKey(sc, existingKey, pkForImportingKey)
if err != nil {
return nil, false, err
}
if areEqual {
// Here, we don't need to stitch together the issuer entries,
// because the last run should've done that for us (or, when
// importing an issuer).
return existingKey, true, nil
}
// Allow us to find an existing matching key with a different name before erroring out
if keyName != "" && existingKey.Name == keyName {
foundExistingKeyWithName = true
}
}
// Another key with a different value is using the keyName so reject this request.
if foundExistingKeyWithName {
return nil, false, errutil.UserError{Err: fmt.Sprintf("an existing key is using the requested key name value: %s", keyName)}
}
// Haven't found a key, so we've gotta create it and write it into storage.
var result keyEntry
result.ID = genKeyId()
result.Name = keyName
result.PrivateKey = keyValue
result.PrivateKeyType = keyType
// Finally, we can write the key to storage.
if err := sc.writeKey(result); err != nil {
return nil, false, err
}
// Before we return below, we need to iterate over _all_ issuers and see if
// one of them has a missing KeyId link, and if so, point it back to
// ourselves. We fetch the list of issuers up front, even when don't need
// it, to give ourselves a better chance of succeeding below.
knownIssuers, err := sc.listIssuers()
if err != nil {
return nil, false, err
}
issuerDefaultSet, err := sc.isDefaultIssuerSet()
if err != nil {
return nil, false, err
}
// Now, for each issuer, try and compute the issuer<->key link if missing.
for _, identifier := range knownIssuers {
existingIssuer, err := sc.fetchIssuerById(identifier)
if err != nil {
return nil, false, err
}
// If the KeyID value is already present, we can skip it.
if len(existingIssuer.KeyID) > 0 {
continue
}
// Otherwise, compare public values. Note that there might be multiple
// certificates (e.g., cross-signed) with the same key.
cert, err := existingIssuer.GetCertificate()
if err != nil {
// Malformed issuer.
return nil, false, err
}
equal, err := certutil.ComparePublicKeysAndType(cert.PublicKey, pkForImportingKey)
if err != nil {
return nil, false, err
}
if equal {
// These public keys are equal, so this key entry must be the
// corresponding private key to this issuer; update it accordingly.
existingIssuer.KeyID = result.ID
if err := sc.writeIssuer(existingIssuer); err != nil {
return nil, false, err
}
// If there was no prior default value set and/or we had no known
// issuers when we started, set this issuer as default.
if !issuerDefaultSet {
err = sc.updateDefaultIssuerId(existingIssuer.ID)
if err != nil {
return nil, false, err
}
issuerDefaultSet = true
}
}
}
// If there was no prior default value set and/or we had no known
// keys when we started, set this key as default.
keyDefaultSet, err := sc.isDefaultKeySet()
if err != nil {
return nil, false, err
}
if len(knownKeys) == 0 || !keyDefaultSet {
if err = sc.updateDefaultKeyId(result.ID); err != nil {
return nil, false, err
}
}
// All done; return our new key reference.
return &result, false, nil
}
func (i issuerEntry) GetCertificate() (*x509.Certificate, error) {
cert, err := parseCertificateFromBytes([]byte(i.Certificate))
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to parse certificate from issuer: %s: %v", err.Error(), i.ID)}
}
return cert, nil
}
func (i issuerEntry) EnsureUsage(usage issuerUsage) error {
// We want to spit out a nice error message about missing usages.
if i.Usage.HasUsage(usage) {
return nil
}
issuerRef := fmt.Sprintf("id:%v", i.ID)
if len(i.Name) > 0 {
issuerRef = fmt.Sprintf("%v / name:%v", issuerRef, i.Name)
}
// These usages differ at some point in time. We've gotta find the first
// usage that differs and return a logical-sounding error message around
// that difference.
for name, candidate := range namedIssuerUsages {
if usage.HasUsage(candidate) && !i.Usage.HasUsage(candidate) {
return fmt.Errorf("requested usage %v for issuer [%v] but only had usage %v", name, issuerRef, i.Usage.Names())
}
}
// Maybe we have an unnamed usage that's requested.
return fmt.Errorf("unknown delta between usages: %v -> %v / for issuer [%v]", usage.Names(), i.Usage.Names(), issuerRef)
}
func (i issuerEntry) CanMaybeSignWithAlgo(algo x509.SignatureAlgorithm) error {
// Hack: Go isn't kind enough expose its lovely signatureAlgorithmDetails
// informational struct for our usage. However, we don't want to actually
// fetch the private key and attempt a signature with this algo (as we'll
// mint new, previously unsigned material in the process that could maybe
// be potentially abused if it leaks).
//
// So...
//
// ...we maintain our own mapping of cert.PKI<->sigAlgos. Notably, we
// exclude DSA support as the PKI engine has never supported DSA keys.
if algo == x509.UnknownSignatureAlgorithm {
// Special cased to indicate upgrade and letting Go automatically
// chose the correct value.
return nil
}
cert, err := i.GetCertificate()
if err != nil {
return fmt.Errorf("unable to parse issuer's potential signature algorithm types: %v", err)
}
switch cert.PublicKeyAlgorithm {
case x509.RSA:
switch algo {
case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS,
x509.SHA512WithRSAPSS:
return nil
}
case x509.ECDSA:
switch algo {
case x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
return nil
}
case x509.Ed25519:
switch algo {
case x509.PureEd25519:
return nil
}
}
return fmt.Errorf("unable to use issuer of type %v to sign with %v key type", cert.PublicKeyAlgorithm.String(), algo.String())
}
func (sc *storageContext) listIssuers() ([]issuerID, error) {
strList, err := sc.Storage.List(sc.Context, issuerPrefix)
if err != nil {
return nil, err
}
issuerIds := make([]issuerID, 0, len(strList))
for _, entry := range strList {
issuerIds = append(issuerIds, issuerID(entry))
}
return issuerIds, nil
}
func (sc *storageContext) resolveKeyReference(reference string) (keyID, error) {
if reference == defaultRef {
// Handle fetching the default key.
config, err := sc.getKeysConfig()
if err != nil {
return keyID("config-error"), err
}
if len(config.DefaultKeyId) == 0 {
return KeyRefNotFound, fmt.Errorf("no default key currently configured")
}
return config.DefaultKeyId, nil
}
// Lookup by a direct get first to see if our reference is an ID, this is quick and cached.
if len(reference) == uuidLength {
entry, err := sc.Storage.Get(sc.Context, keyPrefix+reference)
if err != nil {
return keyID("key-read"), err
}
if entry != nil {
return keyID(reference), nil
}
}
// ... than to pull all keys from storage.
keys, err := sc.listKeys()
if err != nil {
return keyID("list-error"), err
}
for _, keyId := range keys {
key, err := sc.fetchKeyById(keyId)
if err != nil {
return keyID("key-read"), err
}
if key.Name == reference {
return key.ID, nil
}
}
// Otherwise, we must not have found the key.
return KeyRefNotFound, errutil.UserError{Err: fmt.Sprintf("unable to find PKI key for reference: %v", reference)}
}
// fetchIssuerById returns an issuerEntry based on issuerId, if none found an error is returned.
func (sc *storageContext) fetchIssuerById(issuerId issuerID) (*issuerEntry, error) {
if len(issuerId) == 0 {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to fetch pki issuer: empty issuer identifier")}
}
entry, err := sc.Storage.Get(sc.Context, issuerPrefix+issuerId.String())
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to fetch pki issuer: %v", err)}
}
if entry == nil {
// FIXME: Dedicated/specific error for this?
return nil, errutil.UserError{Err: fmt.Sprintf("pki issuer id %s does not exist", issuerId.String())}
}
var issuer issuerEntry
if err := entry.DecodeJSON(&issuer); err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to decode pki issuer with id %s: %v", issuerId.String(), err)}
}
return &issuer, nil
}
func (sc *storageContext) writeIssuer(issuer *issuerEntry) error {
issuerId := issuer.ID
json, err := logical.StorageEntryJSON(issuerPrefix+issuerId.String(), issuer)
if err != nil {
return err
}
return sc.Storage.Put(sc.Context, json)
}
func (sc *storageContext) deleteIssuer(id issuerID) (bool, error) {
config, err := sc.getIssuersConfig()
if err != nil {
return false, err
}
wasDefault := false
if config.DefaultIssuerId == id {
wasDefault = true
config.DefaultIssuerId = issuerID("")
if err := sc.setIssuersConfig(config); err != nil {
return wasDefault, err
}
}
return wasDefault, sc.Storage.Delete(sc.Context, issuerPrefix+id.String())
}
func (sc *storageContext) importIssuer(certValue string, issuerName string) (*issuerEntry, bool, error) {
// importIssuers imports the specified PEM-format certificate (from
// certValue) into the new PKI storage format. The first return field is a
// reference to the new issuer; the second is whether or not the issuer
// already existed during import (in which case, *issuer points to the
// existing issuer reference and identifier); the last return field is
// whether or not an error occurred.
// Before we begin, we need to ensure the PEM formatted certificate looks
// good. Restricting to "just" `CERTIFICATE` entries is a little
// restrictive, as it could be a `X509 CERTIFICATE` entry or a custom
// value wrapping an actual DER cert. So validating the contents of the
// PEM header is out of the question (and validating the contents of the
// PEM block is left to our GetCertificate call below).
//
// However, we should trim all leading and trailing spaces and add a
// single new line. This allows callers to blindly concatenate PEM
// blobs from the API and get roughly what they'd expect.
//
// Discussed further in #11960 and RFC 7468.
certValue = strings.TrimSpace(certValue) + "\n"
// Extracting the certificate is necessary for two reasons: first, it lets
// us fetch the serial number; second, for the public key comparison with
// known keys.
issuerCert, err := parseCertificateFromBytes([]byte(certValue))
if err != nil {
return nil, false, err
}
// Ensure this certificate is a usable as a CA certificate.
if !issuerCert.BasicConstraintsValid || !issuerCert.IsCA {
return nil, false, errutil.UserError{Err: "Refusing to import non-CA certificate"}
}
// Before we can import a known issuer, we first need to know if the issuer
// exists in storage already. This means iterating through all known
// issuers and comparing their private value against this value.
knownIssuers, err := sc.listIssuers()
if err != nil {
return nil, false, err
}
foundExistingIssuerWithName := false
for _, identifier := range knownIssuers {
existingIssuer, err := sc.fetchIssuerById(identifier)
if err != nil {
return nil, false, err
}
existingIssuerCert, err := existingIssuer.GetCertificate()
if err != nil {
return nil, false, err
}
if areCertificatesEqual(existingIssuerCert, issuerCert) {
// Here, we don't need to stitch together the key entries,
// because the last run should've done that for us (or, when
// importing a key).
return existingIssuer, true, nil
}
// Allow us to find an existing matching issuer with a different name before erroring out
if issuerName != "" && existingIssuer.Name == issuerName {
foundExistingIssuerWithName = true
}
}
if foundExistingIssuerWithName {
return nil, false, errutil.UserError{Err: fmt.Sprintf("another issuer is using the requested name: %s", issuerName)}
}
// Haven't found an issuer, so we've gotta create it and write it into
// storage.
var result issuerEntry
result.ID = genIssuerId()
result.Name = issuerName
result.Certificate = certValue
result.LeafNotAfterBehavior = certutil.ErrNotAfterBehavior
result.Usage.ToggleUsage(IssuanceUsage, CRLSigningUsage)
// We shouldn't add CSRs or multiple certificates in this
countCertificates := strings.Count(result.Certificate, "-BEGIN ")
if countCertificates != 1 {
return nil, false, fmt.Errorf("bad issuer: potentially multiple PEM blobs in one certificate storage entry:\n%v", result.Certificate)
}
result.SerialNumber = strings.TrimSpace(certutil.GetHexFormatted(issuerCert.SerialNumber.Bytes(), ":"))
// Before we return below, we need to iterate over _all_ keys and see if
// one of them a public key matching this certificate, and if so, update our
// link accordingly. We fetch the list of keys up front, even may not need
// it, to give ourselves a better chance of succeeding below.
knownKeys, err := sc.listKeys()
if err != nil {
return nil, false, err
}
// Now, for each key, try and compute the issuer<->key link. We delay
// writing issuer to storage as we won't need to update the key, only
// the issuer.
for _, identifier := range knownKeys {
existingKey, err := sc.fetchKeyById(identifier)
if err != nil {
return nil, false, err
}
equal, err := comparePublicKey(sc, existingKey, issuerCert.PublicKey)
if err != nil {
return nil, false, err
}
if equal {
result.KeyID = existingKey.ID
// Here, there's exactly one stored key with the same public key
// as us, per guarantees in importKey; as we're importing an
// issuer, there's no other keys or issuers we'd need to read or
// update, so exit.
break
}
}
// Finally, rebuild the chains. In this process, because the provided
// reference issuer is non-nil, we'll save this issuer to storage.
if err := sc.rebuildIssuersChains(&result); err != nil {
return nil, false, err
}
// If there was no prior default value set and/or we had no known
// issuers when we started, set this issuer as default.
issuerDefaultSet, err := sc.isDefaultIssuerSet()
if err != nil {
return nil, false, err
}
if (len(knownIssuers) == 0 || !issuerDefaultSet) && len(result.KeyID) != 0 {
if err = sc.updateDefaultIssuerId(result.ID); err != nil {
return nil, false, err
}
}
// All done; return our new key reference.
return &result, false, nil
}
func areCertificatesEqual(cert1 *x509.Certificate, cert2 *x509.Certificate) bool {
return bytes.Compare(cert1.Raw, cert2.Raw) == 0
}
func (sc *storageContext) setLocalCRLConfig(mapping *localCRLConfigEntry) error {
json, err := logical.StorageEntryJSON(storageLocalCRLConfig, mapping)
if err != nil {
return err
}
return sc.Storage.Put(sc.Context, json)
}
func (sc *storageContext) getLocalCRLConfig() (*localCRLConfigEntry, error) {
entry, err := sc.Storage.Get(sc.Context, storageLocalCRLConfig)
if err != nil {
return nil, err
}
mapping := &localCRLConfigEntry{}
if entry != nil {
if err := entry.DecodeJSON(mapping); err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to decode cluster-local CRL configuration: %v", err)}
}
}
if len(mapping.IssuerIDCRLMap) == 0 {
mapping.IssuerIDCRLMap = make(map[issuerID]crlID)
}
if len(mapping.CRLNumberMap) == 0 {
mapping.CRLNumberMap = make(map[crlID]int64)
}
return mapping, nil
}
func (sc *storageContext) setKeysConfig(config *keyConfigEntry) error {
json, err := logical.StorageEntryJSON(storageKeyConfig, config)
if err != nil {
return err
}
return sc.Storage.Put(sc.Context, json)
}
func (sc *storageContext) getKeysConfig() (*keyConfigEntry, error) {
entry, err := sc.Storage.Get(sc.Context, storageKeyConfig)
if err != nil {
return nil, err
}
keyConfig := &keyConfigEntry{}
if entry != nil {
if err := entry.DecodeJSON(keyConfig); err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to decode key configuration: %v", err)}
}
}
return keyConfig, nil
}
func (sc *storageContext) setIssuersConfig(config *issuerConfigEntry) error {
json, err := logical.StorageEntryJSON(storageIssuerConfig, config)
if err != nil {
return err
}
return sc.Storage.Put(sc.Context, json)
}
func (sc *storageContext) getIssuersConfig() (*issuerConfigEntry, error) {
entry, err := sc.Storage.Get(sc.Context, storageIssuerConfig)
if err != nil {
return nil, err
}
issuerConfig := &issuerConfigEntry{}
if entry != nil {
if err := entry.DecodeJSON(issuerConfig); err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to decode issuer configuration: %v", err)}
}
}
return issuerConfig, nil
}
// Lookup within storage the value of reference, assuming the string is a reference to an issuer entry,
// returning the converted issuerID or an error if not found. This method will not properly resolve the
// special legacyBundleShimID value as we do not want to confuse our special value and a user-provided name of the
// same value.
func (sc *storageContext) resolveIssuerReference(reference string) (issuerID, error) {
if reference == defaultRef {
// Handle fetching the default issuer.
config, err := sc.getIssuersConfig()
if err != nil {
return issuerID("config-error"), err
}
if len(config.DefaultIssuerId) == 0 {
return IssuerRefNotFound, fmt.Errorf("no default issuer currently configured")
}
return config.DefaultIssuerId, nil
}
// Lookup by a direct get first to see if our reference is an ID, this is quick and cached.
if len(reference) == uuidLength {
entry, err := sc.Storage.Get(sc.Context, issuerPrefix+reference)
if err != nil {
return issuerID("issuer-read"), err
}
if entry != nil {
return issuerID(reference), nil
}
}
// ... than to pull all issuers from storage.
issuers, err := sc.listIssuers()
if err != nil {
return issuerID("list-error"), err
}
for _, issuerId := range issuers {
issuer, err := sc.fetchIssuerById(issuerId)
if err != nil {
return issuerID("issuer-read"), err
}
if issuer.Name == reference {
return issuer.ID, nil
}
}
// Otherwise, we must not have found the issuer.
return IssuerRefNotFound, errutil.UserError{Err: fmt.Sprintf("unable to find PKI issuer for reference: %v", reference)}
}
func (sc *storageContext) resolveIssuerCRLPath(reference string) (string, error) {
if sc.Backend.useLegacyBundleCaStorage() {
return legacyCRLPath, nil
}
issuer, err := sc.resolveIssuerReference(reference)
if err != nil {
return legacyCRLPath, err
}
crlConfig, err := sc.getLocalCRLConfig()
if err != nil {
return legacyCRLPath, err
}
if crlId, ok := crlConfig.IssuerIDCRLMap[issuer]; ok && len(crlId) > 0 {
return fmt.Sprintf("crls/%v", crlId), nil
}
return legacyCRLPath, fmt.Errorf("unable to find CRL for issuer: id:%v/ref:%v", issuer, reference)
}
// Builds a certutil.CertBundle from the specified issuer identifier,
// optionally loading the key or not. This method supports loading legacy
// bundles using the legacyBundleShimID issuerId, and if no entry is found will return an error.
func (sc *storageContext) fetchCertBundleByIssuerId(id issuerID, loadKey bool) (*issuerEntry, *certutil.CertBundle, error) {
if id == legacyBundleShimID {
// We have not completed the migration, or started a request in legacy mode, so
// attempt to load the bundle from the legacy location
issuer, bundle, err := getLegacyCertBundle(sc.Context, sc.Storage)
if err != nil {
return nil, nil, err
}
if issuer == nil || bundle == nil {
return nil, nil, errutil.UserError{Err: "no legacy cert bundle exists"}
}
return issuer, bundle, err
}
issuer, err := sc.fetchIssuerById(id)
if err != nil {
return nil, nil, err
}
var bundle certutil.CertBundle
bundle.Certificate = issuer.Certificate
bundle.CAChain = issuer.CAChain
bundle.SerialNumber = issuer.SerialNumber
// Fetch the key if it exists. Sometimes we don't need the key immediately.
if loadKey && issuer.KeyID != keyID("") {
key, err := sc.fetchKeyById(issuer.KeyID)
if err != nil {
return nil, nil, err
}
bundle.PrivateKeyType = key.PrivateKeyType
bundle.PrivateKey = key.PrivateKey
}
return issuer, &bundle, nil
}
func (sc *storageContext) writeCaBundle(caBundle *certutil.CertBundle, issuerName string, keyName string) (*issuerEntry, *keyEntry, error) {
myKey, _, err := sc.importKey(caBundle.PrivateKey, keyName, caBundle.PrivateKeyType)
if err != nil {
return nil, nil, err
}
myIssuer, _, err := sc.importIssuer(caBundle.Certificate, issuerName)
if err != nil {
return nil, nil, err
}
for _, cert := range caBundle.CAChain {
if _, _, err = sc.importIssuer(cert, ""); err != nil {
return nil, nil, err
}
}
return myIssuer, myKey, nil
}
func genIssuerId() issuerID {
return issuerID(genUuid())
}
func genKeyId() keyID {
return keyID(genUuid())
}
func genCRLId() crlID {
return crlID(genUuid())
}
func genUuid() string {
aUuid, err := uuid.GenerateUUID()
if err != nil {
panic(err)
}
return aUuid
}
func (sc *storageContext) isKeyInUse(keyId string) (inUse bool, issuerId string, err error) {
knownIssuers, err := sc.listIssuers()
if err != nil {
return true, "", err
}
for _, issuerId := range knownIssuers {
issuerEntry, err := sc.fetchIssuerById(issuerId)
if err != nil {
return true, issuerId.String(), errutil.InternalError{Err: fmt.Sprintf("unable to fetch pki issuer: %v", err)}
}
if issuerEntry == nil {
return true, issuerId.String(), errutil.InternalError{Err: fmt.Sprintf("Issuer listed: %s does not exist", issuerId.String())}
}
if issuerEntry.KeyID.String() == keyId {
return true, issuerId.String(), nil
}
}
return false, "", nil
}
func (sc *storageContext) checkForRolesReferencing(issuerId string) (timeout bool, inUseBy int32, err error) {
roleEntries, err := sc.Storage.List(sc.Context, "role/")
if err != nil {
return false, 0, err
}
inUseBy = 0
checkedRoles := 0
for _, roleName := range roleEntries {
entry, err := sc.Storage.Get(sc.Context, "role/"+roleName)
if err != nil {
return false, 0, err
}
if entry != nil { // If nil, someone deleted an entry since we haven't taken a lock here so just continue
var role roleEntry
err = entry.DecodeJSON(&role)
if err != nil {
return false, inUseBy, err
}
if role.Issuer == issuerId {
inUseBy = inUseBy + 1
if inUseBy >= maxRolesToFindOnIssuerChange {
return true, inUseBy, nil
}
}
}
checkedRoles = checkedRoles + 1
if checkedRoles >= maxRolesToScanOnIssuerChange {
return true, inUseBy, nil
}
}
return false, inUseBy, nil
}