Create plugin for cfssl #109
I'm currently investigating this, but it doesn't look like there's a particularly good fit. In particular, CFSSL ignores most fields in a CSR, substituting them for its own values as specified by the signing policy (see here). Because of this, a CFSSL Issuer plugin would only be able to be used for single-purpose certificates. This could be solved in a few ways - First, Issuer plugins could support instancing, similar to Source or Destination plugins (i.e. add an endpoint for defining multiple sources per plugin, similar to here). Alternately, CFSSL could be updated to support a passthrough signing profile, though that could potentially be a large security risk.
That's unfortunate. I haven't looked at CFSSL that closely, but does it by any chance support those configurations via its JSON API? I know for our internal CA most of the fields are ignored in the CSR, but it allows those options to be passed alongside the CSR. That is why https://github.com/Netflix/lemur/blob/master/lemur/plugins/lemur_verisign/plugin.py#L141
CFSSL does support selecting which profile to use for the sign operation through its API, but not modifying them. It may be worth providing this plugin despite the limitation; it's more that it doesn't fit my use-case. Essentially, I would like to use Lemur for the following:
The StartSSL and Vault aspects of this are simple enough, the only real problem is issuing the different types of certificates from CFSSL. In CFSSL, the EKUs with which to sign a certificate are determined by the signing profile - in order to issue the different types of certificates, a CFSSL IssuerPlugin would have to send signing_profile="ipsec", etc, along with the request. The required profile could be inferred from the issuer_options as you recommend, but the signing profiles are entirely user-specific, because CloudFlare provides no profiles by default. I suppose this could be done with a config option, providing a mapping from issuer_options to signing profile, but that's not a very elegant solution. However, I've just discovered a setting in CFSSL that allows you to whitelist certain fields from the CSR - I'm going to offer a patch upstream to extend it to support key usages - if they accept, that'll be a much more viable option.
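One way a plugin could implement the issuer_options-to-profile mapping discussed in the comment above, as an added example that is neither Lemur's nor CFSSL's own code. The profile names, the EKU flag names in issuer_options, and the EKU_TO_CFSSL_USAGE option are assumptions; the "profile" field of the CFSSL sign request and the CFSSL usage names are real.

```python
"""Added sketch: choose a CFSSL signing profile from Lemur issuer options.
CFSSL takes extended key usages from the profile, not the CSR, so the
plugin has to send a profile name in the "profile" field of the sign request.
"""

# Constructed CFSSL signing config. Profile names are user-chosen (CFSSL ships
# none); "server auth", "client auth", "ipsec tunnel" are CFSSL usage names.
CFSSL_CONFIG = {"signing": {"profiles": {
    "web": {"usages": ["signing", "key encipherment", "server auth"]},
    "client": {"usages": ["signing", "key encipherment", "client auth"]},
    "ipsec": {"usages": ["signing", "key encipherment", "ipsec tunnel"]},
    "multi": {"usages": ["signing", "key encipherment", "server auth", "client auth"]},
}}}

# Hypothetical plugin config option: Lemur EKU flag -> CFSSL usage name.
# The flag names assume an extensions.extended_key_usage dict in issuer_options.
EKU_TO_CFSSL_USAGE = {
    "use_server_authentication": "server auth",
    "use_client_authentication": "client auth",
    "use_ipsec_tunnel": "ipsec tunnel",
}


def requested_usages(issuer_options):
    """Collect CFSSL usage names for every EKU flag that is switched on."""
    eku = issuer_options.get("extensions", {}).get("extended_key_usage", {})
    unknown = [k for k, on in eku.items() if on and k not in EKU_TO_CFSSL_USAGE]
    if unknown:
        raise ValueError("no CFSSL usage mapped for %s" % sorted(unknown))
    return sorted(EKU_TO_CFSSL_USAGE[k] for k, on in eku.items() if on)


def profile_for(usages, config=CFSSL_CONFIG):
    """Pick the profile covering every requested usage with the fewest extras.

    CFSSL cannot combine profiles per request, so when no single profile
    covers the set we fail loudly rather than issue a single-purpose cert.
    """
    profiles = config["signing"]["profiles"]
    wanted = set(usages)
    fits = [n for n, p in profiles.items() if wanted <= set(p["usages"])]
    if not fits:
        raise ValueError("no CFSSL profile covers usages %s" % sorted(wanted))
    return min(fits, key=lambda n: (len(profiles[n]["usages"]), n))


def build_sign_request(csr_pem, issuer_options, config=CFSSL_CONFIG):
    """Return the JSON body a plugin would POST to /api/v1/cfssl/sign."""
    profile = profile_for(requested_usages(issuer_options), config)
    return {"certificate_request": csr_pem, "profile": profile}
```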
Sounds awesome! Do you currently use HashiCorp's Vault? Do you like it? Also, be aware I have not yet implemented all of the various CSR options (my CAs didn't validate them). But they should be pretty trivial to implement as they should be supported by cryptography. https://github.com/Netflix/lemur/blob/master/lemur/certificates/service.py#L354
Here is the discussion for the whitelist support in CFSSL.
Maybe another approach could be to allow plugins to have custom views. Those would be shipped with plugins. In that way the cfssl plugin (or whatever) could hook into the certificate views to add custom fields like profile. It's more complex, but in that way Lemur is more tunable.
I am open to the idea that each authority/ca/plugin could potentially have different views. This would require quite a bit of refactoring though. The way I would envision it working would be that a plugin would provide a series of options. Upon creation of an authority, you would select which options you want to be presented to the user. (Say you never wanted them to change the Org for this particular authority.) What options are available would be stored on the authority object itself and rendered/validated appropriately by the UI. This isn't entirely different from how other plugins already work; it could be argued that Authority plugins should behave similarly. This isn't a huge priority for us in the near term (there is no internal use case at the moment). But I would be willing to see PRs and put it on the backlog of potential enhancements.
Just want to +1 for a cfssl plugin for lemur. |
It might be interesting to write a lemur plugin to talk to cloudflare's PKI toolkit:
https://github.com/cloudflare/cfssl