8acbf7f480
* Add PSS signature support to Vault PKI engine Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Use issuer's RevocationSigAlg for CRL signing We introduce a new parameter on issuers, revocation_signature_algorithm to control the signature algorithm used during CRL signing. This is because the SignatureAlgorithm value from the certificate itself is incorrect for this purpose: a RSA root could sign an ECDSA intermediate with say, SHA256WithRSA, but when the intermediate goes to sign a CRL, it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When coupled with support for PSS-only keys, allowing the user to set the signature algorithm value as desired seems like the best approach. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add use_pss, revocation_signature_algorithm docs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add PSS to signature role issuance test matrix Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Allow roots to self-identify revocation alg When using PSS support with a managed key, sometimes the underlying device will not support PKCS#1v1.5 signatures. This results in CRL building failing, unless we update the entry's signature algorithm prior to building the CRL for the new root. With a RSA-type key and use_pss=true, we use the signature bits value to decide which hash function to use for PSS support. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add clearer error message on failed import When CRL building fails during cert/key import, due to PSS failures, give a better indication to the user that import succeeded its just CRL building that failed. This tells them the parameter to adjust on the issuer and warns that CRL building will fail until this is fixed. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add case insensitive SigAlgo matching Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Convert UsePSS back to regular bool Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor PSS->certTemplate into helper function Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Proper string output on rev_sig_alg display Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Copy root's SignatureAlgorithm for CRL building Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
458 lines
15 KiB
Go
458 lines
15 KiB
Go
package pki
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/helper/certutil"
|
|
"github.com/hashicorp/vault/sdk/helper/consts"
|
|
"github.com/hashicorp/vault/sdk/helper/errutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
func pathIssue(b *backend) *framework.Path {
|
|
pattern := "issue/" + framework.GenericNameRegex("role")
|
|
return buildPathIssue(b, pattern)
|
|
}
|
|
|
|
func pathIssuerIssue(b *backend) *framework.Path {
|
|
pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/issue/" + framework.GenericNameRegex("role")
|
|
return buildPathIssue(b, pattern)
|
|
}
|
|
|
|
func buildPathIssue(b *backend, pattern string) *framework.Path {
|
|
ret := &framework.Path{
|
|
Pattern: pattern,
|
|
|
|
Operations: map[logical.Operation]framework.OperationHandler{
|
|
logical.UpdateOperation: &framework.PathOperation{
|
|
Callback: b.metricsWrap("issue", roleRequired, b.pathIssue),
|
|
},
|
|
},
|
|
|
|
HelpSynopsis: pathIssueHelpSyn,
|
|
HelpDescription: pathIssueHelpDesc,
|
|
}
|
|
|
|
ret.Fields = addNonCACommonFields(map[string]*framework.FieldSchema{})
|
|
return ret
|
|
}
|
|
|
|
func pathSign(b *backend) *framework.Path {
|
|
pattern := "sign/" + framework.GenericNameRegex("role")
|
|
return buildPathSign(b, pattern)
|
|
}
|
|
|
|
func pathIssuerSign(b *backend) *framework.Path {
|
|
pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign/" + framework.GenericNameRegex("role")
|
|
return buildPathSign(b, pattern)
|
|
}
|
|
|
|
func buildPathSign(b *backend, pattern string) *framework.Path {
|
|
ret := &framework.Path{
|
|
Pattern: pattern,
|
|
|
|
Operations: map[logical.Operation]framework.OperationHandler{
|
|
logical.UpdateOperation: &framework.PathOperation{
|
|
Callback: b.metricsWrap("sign", roleRequired, b.pathSign),
|
|
},
|
|
},
|
|
|
|
HelpSynopsis: pathSignHelpSyn,
|
|
HelpDescription: pathSignHelpDesc,
|
|
}
|
|
|
|
ret.Fields = addNonCACommonFields(map[string]*framework.FieldSchema{})
|
|
|
|
ret.Fields["csr"] = &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Default: "",
|
|
Description: `PEM-format CSR to be signed.`,
|
|
}
|
|
|
|
return ret
|
|
}
|
|
|
|
func pathIssuerSignVerbatim(b *backend) *framework.Path {
|
|
pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim" + framework.OptionalParamRegex("role")
|
|
return buildPathIssuerSignVerbatim(b, pattern)
|
|
}
|
|
|
|
func pathSignVerbatim(b *backend) *framework.Path {
|
|
pattern := "sign-verbatim" + framework.OptionalParamRegex("role")
|
|
return buildPathIssuerSignVerbatim(b, pattern)
|
|
}
|
|
|
|
func buildPathIssuerSignVerbatim(b *backend, pattern string) *framework.Path {
|
|
ret := &framework.Path{
|
|
Pattern: pattern,
|
|
Fields: map[string]*framework.FieldSchema{},
|
|
|
|
Operations: map[logical.Operation]framework.OperationHandler{
|
|
logical.UpdateOperation: &framework.PathOperation{
|
|
Callback: b.metricsWrap("sign-verbatim", roleOptional, b.pathSignVerbatim),
|
|
},
|
|
},
|
|
|
|
HelpSynopsis: pathIssuerSignVerbatimHelpSyn,
|
|
HelpDescription: pathIssuerSignVerbatimHelpDesc,
|
|
}
|
|
|
|
ret.Fields = addNonCACommonFields(ret.Fields)
|
|
|
|
ret.Fields["csr"] = &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Default: "",
|
|
Description: `PEM-format CSR to be signed. Values will be
|
|
taken verbatim from the CSR, except for
|
|
basic constraints.`,
|
|
}
|
|
|
|
ret.Fields["key_usage"] = &framework.FieldSchema{
|
|
Type: framework.TypeCommaStringSlice,
|
|
Default: []string{"DigitalSignature", "KeyAgreement", "KeyEncipherment"},
|
|
Description: `A comma-separated string or list of key usages (not extended
|
|
key usages). Valid values can be found at
|
|
https://golang.org/pkg/crypto/x509/#KeyUsage
|
|
-- simply drop the "KeyUsage" part of the name.
|
|
To remove all key usages from being set, set
|
|
this value to an empty list.`,
|
|
}
|
|
|
|
ret.Fields["ext_key_usage"] = &framework.FieldSchema{
|
|
Type: framework.TypeCommaStringSlice,
|
|
Default: []string{},
|
|
Description: `A comma-separated string or list of extended key usages. Valid values can be found at
|
|
https://golang.org/pkg/crypto/x509/#ExtKeyUsage
|
|
-- simply drop the "ExtKeyUsage" part of the name.
|
|
To remove all key usages from being set, set
|
|
this value to an empty list.`,
|
|
}
|
|
|
|
ret.Fields["ext_key_usage_oids"] = &framework.FieldSchema{
|
|
Type: framework.TypeCommaStringSlice,
|
|
Description: `A comma-separated string or list of extended key usage oids.`,
|
|
}
|
|
|
|
ret.Fields["signature_bits"] = &framework.FieldSchema{
|
|
Type: framework.TypeInt,
|
|
Default: 0,
|
|
Description: `The number of bits to use in the signature
|
|
algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
|
|
SHA-2-512. Defaults to 0 to automatically detect based on key length
|
|
(SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
Value: 0,
|
|
},
|
|
}
|
|
|
|
ret.Fields["use_pss"] = &framework.FieldSchema{
|
|
Type: framework.TypeBool,
|
|
Default: false,
|
|
Description: `Whether or not to use PSS signatures when using a
|
|
RSA key-type issuer. Defaults to false.`,
|
|
}
|
|
|
|
return ret
|
|
}
|
|
|
|
const (
|
|
pathIssuerSignVerbatimHelpSyn = `Issue a certificate directly based on the provided CSR.`
|
|
pathIssuerSignVerbatimHelpDesc = `
|
|
This API endpoint allows for directly signing the specified certificate
|
|
signing request (CSR) without the typical role-based validation. This
|
|
allows for attributes from the CSR to be directly copied to the resulting
|
|
certificate.
|
|
|
|
Usually the role-based sign operations (/sign and /issue) are preferred to
|
|
this operation.
|
|
|
|
Note that this is a very privileged operation and should be extremely
|
|
restricted in terms of who is allowed to use it. All values will be taken
|
|
directly from the incoming CSR. No further verification of attribute are
|
|
performed, except as permitted by this endpoint's parameters.
|
|
|
|
See the API documentation for more information about required parameters.
|
|
`
|
|
)
|
|
|
|
// pathIssue issues a certificate and private key from given parameters,
|
|
// subject to role restrictions
|
|
func (b *backend) pathIssue(ctx context.Context, req *logical.Request, data *framework.FieldData, role *roleEntry) (*logical.Response, error) {
|
|
if role.KeyType == "any" {
|
|
return logical.ErrorResponse("role key type \"any\" not allowed for issuing certificates, only signing"), nil
|
|
}
|
|
|
|
return b.pathIssueSignCert(ctx, req, data, role, false, false)
|
|
}
|
|
|
|
// pathSign issues a certificate from a submitted CSR, subject to role
|
|
// restrictions
|
|
func (b *backend) pathSign(ctx context.Context, req *logical.Request, data *framework.FieldData, role *roleEntry) (*logical.Response, error) {
|
|
return b.pathIssueSignCert(ctx, req, data, role, true, false)
|
|
}
|
|
|
|
// pathSignVerbatim issues a certificate from a submitted CSR, *not* subject to
|
|
// role restrictions
|
|
func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, data *framework.FieldData, role *roleEntry) (*logical.Response, error) {
|
|
entry := &roleEntry{
|
|
AllowLocalhost: true,
|
|
AllowAnyName: true,
|
|
AllowIPSANs: true,
|
|
AllowWildcardCertificates: new(bool),
|
|
EnforceHostnames: false,
|
|
KeyType: "any",
|
|
UseCSRCommonName: true,
|
|
UseCSRSANs: true,
|
|
AllowedOtherSANs: []string{"*"},
|
|
AllowedSerialNumbers: []string{"*"},
|
|
AllowedURISANs: []string{"*"},
|
|
CNValidations: []string{"disabled"},
|
|
GenerateLease: new(bool),
|
|
KeyUsage: data.Get("key_usage").([]string),
|
|
ExtKeyUsage: data.Get("ext_key_usage").([]string),
|
|
ExtKeyUsageOIDs: data.Get("ext_key_usage_oids").([]string),
|
|
SignatureBits: data.Get("signature_bits").(int),
|
|
UsePSS: data.Get("use_pss").(bool),
|
|
}
|
|
*entry.AllowWildcardCertificates = true
|
|
|
|
*entry.GenerateLease = false
|
|
|
|
if role != nil {
|
|
if role.TTL > 0 {
|
|
entry.TTL = role.TTL
|
|
}
|
|
if role.MaxTTL > 0 {
|
|
entry.MaxTTL = role.MaxTTL
|
|
}
|
|
if role.GenerateLease != nil {
|
|
*entry.GenerateLease = *role.GenerateLease
|
|
}
|
|
if role.NotBeforeDuration > 0 {
|
|
entry.NotBeforeDuration = role.NotBeforeDuration
|
|
}
|
|
entry.NoStore = role.NoStore
|
|
entry.Issuer = role.Issuer
|
|
}
|
|
|
|
if len(entry.Issuer) == 0 {
|
|
entry.Issuer = defaultRef
|
|
}
|
|
|
|
return b.pathIssueSignCert(ctx, req, data, entry, true, true)
|
|
}
|
|
|
|
func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, data *framework.FieldData, role *roleEntry, useCSR, useCSRValues bool) (*logical.Response, error) {
|
|
// If storing the certificate and on a performance standby, forward this request on to the primary
|
|
// Allow performance secondaries to generate and store certificates locally to them.
|
|
if !role.NoStore && b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
|
|
return nil, logical.ErrReadOnly
|
|
}
|
|
|
|
// We prefer the issuer from the role in two cases:
|
|
//
|
|
// 1. On the legacy sign-verbatim paths, as we always provision an issuer
|
|
// in both the role and role-less cases, and
|
|
// 2. On the legacy sign/:role or issue/:role paths, as the issuer was
|
|
// set on the role directly (either via upgrade or not). Note that
|
|
// the updated issuer/:ref/{sign,issue}/:role path is not affected,
|
|
// and we instead pull the issuer out of the path instead (which
|
|
// allows users with access to those paths to manually choose their
|
|
// issuer in desired scenarios).
|
|
var issuerName string
|
|
if strings.HasPrefix(req.Path, "sign-verbatim/") || strings.HasPrefix(req.Path, "sign/") || strings.HasPrefix(req.Path, "issue/") {
|
|
issuerName = role.Issuer
|
|
if len(issuerName) == 0 {
|
|
issuerName = defaultRef
|
|
}
|
|
} else {
|
|
// Otherwise, we must have a newer API which requires an issuer
|
|
// reference. Fetch it in this case
|
|
issuerName = getIssuerRef(data)
|
|
if len(issuerName) == 0 {
|
|
return logical.ErrorResponse("missing issuer reference"), nil
|
|
}
|
|
}
|
|
|
|
format := getFormat(data)
|
|
if format == "" {
|
|
return logical.ErrorResponse(
|
|
`the "format" path parameter must be "pem", "der", or "pem_bundle"`), nil
|
|
}
|
|
|
|
var caErr error
|
|
sc := b.makeStorageContext(ctx, req.Storage)
|
|
signingBundle, caErr := sc.fetchCAInfo(issuerName, IssuanceUsage)
|
|
if caErr != nil {
|
|
switch caErr.(type) {
|
|
case errutil.UserError:
|
|
return nil, errutil.UserError{Err: fmt.Sprintf(
|
|
"could not fetch the CA certificate (was one set?): %s", caErr)}
|
|
default:
|
|
return nil, errutil.InternalError{Err: fmt.Sprintf(
|
|
"error fetching CA certificate: %s", caErr)}
|
|
}
|
|
}
|
|
|
|
input := &inputBundle{
|
|
req: req,
|
|
apiData: data,
|
|
role: role,
|
|
}
|
|
var parsedBundle *certutil.ParsedCertBundle
|
|
var err error
|
|
if useCSR {
|
|
parsedBundle, err = signCert(b, input, signingBundle, false, useCSRValues)
|
|
} else {
|
|
parsedBundle, err = generateCert(sc, input, signingBundle, false, rand.Reader)
|
|
}
|
|
if err != nil {
|
|
switch err.(type) {
|
|
case errutil.UserError:
|
|
return logical.ErrorResponse(err.Error()), nil
|
|
case errutil.InternalError:
|
|
return nil, err
|
|
default:
|
|
return nil, fmt.Errorf("error signing/generating certificate: %w", err)
|
|
}
|
|
}
|
|
|
|
signingCB, err := signingBundle.ToCertBundle()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error converting raw signing bundle to cert bundle: %w", err)
|
|
}
|
|
|
|
cb, err := parsedBundle.ToCertBundle()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error converting raw cert bundle to cert bundle: %w", err)
|
|
}
|
|
|
|
respData := map[string]interface{}{
|
|
"expiration": int64(parsedBundle.Certificate.NotAfter.Unix()),
|
|
"serial_number": cb.SerialNumber,
|
|
}
|
|
|
|
switch format {
|
|
case "pem":
|
|
respData["issuing_ca"] = signingCB.Certificate
|
|
respData["certificate"] = cb.Certificate
|
|
if cb.CAChain != nil && len(cb.CAChain) > 0 {
|
|
respData["ca_chain"] = cb.CAChain
|
|
}
|
|
if !useCSR {
|
|
respData["private_key"] = cb.PrivateKey
|
|
respData["private_key_type"] = cb.PrivateKeyType
|
|
}
|
|
|
|
case "pem_bundle":
|
|
respData["issuing_ca"] = signingCB.Certificate
|
|
respData["certificate"] = cb.ToPEMBundle()
|
|
if cb.CAChain != nil && len(cb.CAChain) > 0 {
|
|
respData["ca_chain"] = cb.CAChain
|
|
}
|
|
if !useCSR {
|
|
respData["private_key"] = cb.PrivateKey
|
|
respData["private_key_type"] = cb.PrivateKeyType
|
|
}
|
|
|
|
case "der":
|
|
respData["certificate"] = base64.StdEncoding.EncodeToString(parsedBundle.CertificateBytes)
|
|
respData["issuing_ca"] = base64.StdEncoding.EncodeToString(signingBundle.CertificateBytes)
|
|
|
|
var caChain []string
|
|
for _, caCert := range parsedBundle.CAChain {
|
|
caChain = append(caChain, base64.StdEncoding.EncodeToString(caCert.Bytes))
|
|
}
|
|
if caChain != nil && len(caChain) > 0 {
|
|
respData["ca_chain"] = caChain
|
|
}
|
|
|
|
if !useCSR {
|
|
respData["private_key"] = base64.StdEncoding.EncodeToString(parsedBundle.PrivateKeyBytes)
|
|
respData["private_key_type"] = cb.PrivateKeyType
|
|
}
|
|
default:
|
|
return nil, fmt.Errorf("unsupported format: %s", format)
|
|
}
|
|
|
|
var resp *logical.Response
|
|
switch {
|
|
case role.GenerateLease == nil:
|
|
return nil, fmt.Errorf("generate lease in role is nil")
|
|
case *role.GenerateLease == false:
|
|
// If lease generation is disabled do not populate `Secret` field in
|
|
// the response
|
|
resp = &logical.Response{
|
|
Data: respData,
|
|
}
|
|
default:
|
|
resp = b.Secret(SecretCertsType).Response(
|
|
respData,
|
|
map[string]interface{}{
|
|
"serial_number": cb.SerialNumber,
|
|
})
|
|
resp.Secret.TTL = parsedBundle.Certificate.NotAfter.Sub(time.Now())
|
|
}
|
|
|
|
if data.Get("private_key_format").(string) == "pkcs8" {
|
|
err = convertRespToPKCS8(resp)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
if !role.NoStore {
|
|
err = req.Storage.Put(ctx, &logical.StorageEntry{
|
|
Key: "certs/" + normalizeSerial(cb.SerialNumber),
|
|
Value: parsedBundle.CertificateBytes,
|
|
})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to store certificate locally: %w", err)
|
|
}
|
|
}
|
|
|
|
if useCSR {
|
|
if role.UseCSRCommonName && data.Get("common_name").(string) != "" {
|
|
resp.AddWarning("the common_name field was provided but the role is set with \"use_csr_common_name\" set to true")
|
|
}
|
|
if role.UseCSRSANs && data.Get("alt_names").(string) != "" {
|
|
resp.AddWarning("the alt_names field was provided but the role is set with \"use_csr_sans\" set to true")
|
|
}
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
const pathIssueHelpSyn = `
|
|
Request a certificate using a certain role with the provided details.
|
|
`
|
|
|
|
const pathIssueHelpDesc = `
|
|
This path allows requesting a certificate to be issued according to the
|
|
policy of the given role. The certificate will only be issued if the
|
|
requested details are allowed by the role policy.
|
|
|
|
This path returns a certificate and a private key. If you want a workflow
|
|
that does not expose a private key, generate a CSR locally and use the
|
|
sign path instead.
|
|
`
|
|
|
|
const pathSignHelpSyn = `
|
|
Request certificates using a certain role with the provided details.
|
|
`
|
|
|
|
const pathSignHelpDesc = `
|
|
This path allows requesting certificates to be issued according to the
|
|
policy of the given role. The certificate will only be issued if the
|
|
requested common name is allowed by the role policy.
|
|
|
|
This path requires a CSR; if you want Vault to generate a private key
|
|
for you, use the issue path instead.
|
|
`
|