Merge branch 'master' into ahmet2mir-feat/vault

CHANGELOG.md

@@ -6,15 +6,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased - 0.18.3] - DATE
 ### Added
-- Added support for renew after expiry using the claim `allowRenewAfterExpiry`.
+- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
 - Added support for `extraNames` in X.509 templates.
 - Added RA support using a Vault instance as the CA.
+- Added support for automatic configuration of linked RAs.
 ### Changed
 - Made SCEP CA URL paths dynamic
 - Support two latest versions of Go (1.17, 1.18)
 ### Deprecated
 ### Removed
 ### Fixed
+- Fixed admin credentials on RAs.
 ### Security
 
 ## [0.18.2] - 2022-03-01

README.md

@@ -54,7 +54,7 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te
 - [Short-lived certificates](https://smallstep.com/blog/passive-revocation.html) with automated enrollment, renewal, and passive revocation
 - Capable of high availability (HA) deployment using [root federation](https://smallstep.com/blog/step-v0.8.3-federation-root-rotation.html) and/or multiple intermediaries
 - Can operate as [an online intermediate CA for an existing root CA](https://smallstep.com/docs/tutorials/intermediate-ca-new-ca)
-- [Badger, BoltDB, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)
+- [Badger, BoltDB, Postgres, and MySQL database backends](https://smallstep.com/docs/step-ca/configuration#databases)
 
 ### ⚙️ Many ways to automate
 

authority/authorize.go

@@ -130,22 +130,24 @@ func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedc
 	// According to "rfc7519 JSON Web Token" acceptable skew should be no
 	// more than a few minutes.
 	if err := claims.ValidateWithLeeway(jose.Expected{
-		Issuer: prov.GetName(),
-		Time:   time.Now().UTC(),
+		Time: time.Now().UTC(),
 	}, time.Minute); err != nil {
 		return nil, admin.WrapError(admin.ErrorUnauthorizedType, err, "x5c.authorizeToken; invalid x5c claims")
 	}
 
 	// validate audience: path matches the current path
-	if r.URL.Path != claims.Audience[0] {
-		return nil, admin.NewError(admin.ErrorUnauthorizedType,
-			"x5c.authorizeToken; x5c token has invalid audience "+
-				"claim (aud); expected %s, but got %s", r.URL.Path, claims.Audience)
+	if !matchesAudience(claims.Audience, a.config.Audience(r.URL.Path)) {
+		return nil, admin.NewError(admin.ErrorUnauthorizedType, "x5c.authorizeToken; x5c token has invalid audience claim (aud)")
+	}
+
+	// validate issuer: old versions used the provisioner name, new version uses
+	// 'step-admin-client/1.0'
+	if claims.Issuer != "step-admin-client/1.0" && claims.Issuer != prov.GetName() {
+		return nil, admin.NewError(admin.ErrorUnauthorizedType, "x5c.authorizeToken; x5c token has invalid issuer claim (iss)")
 	}
 
 	if claims.Subject == "" {
-		return nil, admin.NewError(admin.ErrorUnauthorizedType,
-			"x5c.authorizeToken; x5c token subject cannot be empty")
+		return nil, admin.NewError(admin.ErrorUnauthorizedType, "x5c.authorizeToken; x5c token subject cannot be empty")
 	}
 
 	var (
@@ -156,7 +158,7 @@ func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedc
 	adminSANs := append([]string{leaf.Subject.CommonName}, leaf.DNSNames...)
 	adminSANs = append(adminSANs, leaf.EmailAddresses...)
 	for _, san := range adminSANs {
-		if adm, ok = a.LoadAdminBySubProv(san, claims.Issuer); ok {
+		if adm, ok = a.LoadAdminBySubProv(san, prov.GetName()); ok {
 			adminFound = true
 			break
 		}
@@ -285,9 +287,16 @@ func (a *Authority) authorizeRenew(cert *x509.Certificate) error {
 	if isRevoked {
 		return errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
 	}
-	p, ok := a.provisioners.LoadByCertificate(cert)
-	if !ok {
-		return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+	p, err := a.LoadProvisionerByCertificate(cert)
+	if err != nil {
+		var ok bool
+		// For backward compatibility this method will also succeed if the
+		// certificate does not have a provisioner extension. LoadByCertificate
+		// returns the noop provisioner if this happens, and it allows
+		// certificate renewals.
+		if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
+			return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+		}
 	}
 	if err := p.AuthorizeRenew(context.Background(), cert); err != nil {
 		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
@@ -386,16 +395,15 @@ func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.
 		return nil, errs.InternalServerErr(err, errs.WithMessage("error validating renew token"))
 	}
 
-	p, ok := a.provisioners.LoadByCertificate(leaf)
-	if !ok {
+	p, err := a.LoadProvisionerByCertificate(leaf)
+	if err != nil {
 		return nil, errs.Unauthorized("error validating renew token: cannot get provisioner from certificate")
 	}
 	if err := a.UseToken(ott, p); err != nil {
 		return nil, err
 	}
 
 	if err := claims.ValidateWithLeeway(jose.Expected{
-		Issuer:  p.GetName(),
 		Subject: leaf.Subject.CommonName,
 		Time:    time.Now().UTC(),
 	}, time.Minute); err != nil {
@@ -420,6 +428,12 @@ func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.
 		return nil, errs.InternalServerErr(err, errs.WithMessage("error validating renew token: invalid audience claim (aud)"))
 	}
 
+	// validate issuer: old versions used the provisioner name, new version uses
+	// 'step-ca-client/1.0'
+	if claims.Issuer != "step-ca-client/1.0" && claims.Issuer != p.GetName() {
+		return nil, admin.NewError(admin.ErrorUnauthorizedType, "error validating renew token: invalid issuer claim (iss)")
+	}
+
 	return leaf, nil
 }
 

authority/authorize_test.go

@@ -847,6 +847,29 @@ func TestAuthority_authorizeRenew(t *testing.T) {
 				cert: fooCrt,
 			}
 		},
+		"ok/from db": func(t *testing.T) *authorizeTest {
+			a := testAuthority(t)
+			a.db = &db.MockAuthDB{
+				MIsRevoked: func(key string) (bool, error) {
+					return false, nil
+				},
+				MGetCertificateData: func(serialNumber string) (*db.CertificateData, error) {
+					p, ok := a.provisioners.LoadByName("step-cli")
+					if !ok {
+						t.Fatal("provisioner step-cli not found")
+					}
+					return &db.CertificateData{
+						Provisioner: &db.ProvisionerData{
+							ID: p.GetID(),
+						},
+					}, nil
+				},
+			}
+			return &authorizeTest{
+				auth: a,
+				cert: fooCrt,
+			}
+		},
 	}
 
 	for name, genTestCase := range tests {
@@ -1381,7 +1404,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	t1, c1 := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/renew"},
 		Subject:   "test.example.com",
-		Issuer:    "step-cli",
+		Issuer:    "step-ca-client/1.0",
 		NotBefore: jose.NewNumericDate(now),
 		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
 	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
@@ -1400,7 +1423,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	t2, c2 := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/renew"},
 		Subject:   "test.example.com",
-		Issuer:    "step-cli",
+		Issuer:    "step-ca-client/1.0",
 		NotBefore: jose.NewNumericDate(now),
 		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
 		IssuedAt:  jose.NewNumericDate(now),
@@ -1417,12 +1440,31 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 		})
 		return nil
 	}))
-	badSigner, _ := generateX5cToken(a1, otherSigner, jose.Claims{
+	t3, c3 := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/renew"},
 		Subject:   "test.example.com",
 		Issuer:    "step-cli",
 		NotBefore: jose.NewNumericDate(now),
 		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
+	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
+		cert.NotBefore = now
+		cert.NotAfter = now.Add(time.Hour)
+		b, err := asn1.Marshal(stepProvisionerASN1{int(provisioner.TypeJWK), []byte("step-cli"), nil, nil})
+		if err != nil {
+			return err
+		}
+		cert.ExtraExtensions = append(cert.ExtraExtensions, pkix.Extension{
+			Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1},
+			Value: b,
+		})
+		return nil
+	}))
+	badSigner, _ := generateX5cToken(a1, otherSigner, jose.Claims{
+		Audience:  []string{"https://example.com/1.0/renew"},
+		Subject:   "test.example.com",
+		Issuer:    "step-ca-client/1.0",
+		NotBefore: jose.NewNumericDate(now),
+		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
 	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
 		cert.NotBefore = now
 		cert.NotAfter = now.Add(time.Hour)
@@ -1439,7 +1481,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	badProvisioner, _ := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/renew"},
 		Subject:   "test.example.com",
-		Issuer:    "step-cli",
+		Issuer:    "step-ca-client/1.0",
 		NotBefore: jose.NewNumericDate(now),
 		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
 	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
@@ -1477,7 +1519,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	badSubject, _ := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/renew"},
 		Subject:   "bad-subject",
-		Issuer:    "step-cli",
+		Issuer:    "step-ca-client/1.0",
 		NotBefore: jose.NewNumericDate(now),
 		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
 	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
@@ -1496,7 +1538,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	badNotBefore, _ := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/sign"},
 		Subject:   "test.example.com",
-		Issuer:    "step-cli",
+		Issuer:    "step-ca-client/1.0",
 		NotBefore: jose.NewNumericDate(now.Add(5 * time.Minute)),
 		Expiry:    jose.NewNumericDate(now.Add(10 * time.Minute)),
 	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
@@ -1515,7 +1557,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	badExpiry, _ := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/sign"},
 		Subject:   "test.example.com",
-		Issuer:    "step-cli",
+		Issuer:    "step-ca-client/1.0",
 		NotBefore: jose.NewNumericDate(now.Add(-5 * time.Minute)),
 		Expiry:    jose.NewNumericDate(now.Add(-time.Minute)),
 	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
@@ -1534,7 +1576,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	badIssuedAt, _ := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/sign"},
 		Subject:   "test.example.com",
-		Issuer:    "step-cli",
+		Issuer:    "step-ca-client/1.0",
 		NotBefore: jose.NewNumericDate(now),
 		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
 		IssuedAt:  jose.NewNumericDate(now.Add(5 * time.Minute)),
@@ -1554,7 +1596,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	badAudience, _ := generateX5cToken(a1, signer, jose.Claims{
 		Audience:  []string{"https://example.com/1.0/sign"},
 		Subject:   "test.example.com",
-		Issuer:    "step-cli",
+		Issuer:    "step-ca-client/1.0",
 		NotBefore: jose.NewNumericDate(now),
 		Expiry:    jose.NewNumericDate(now.Add(5 * time.Minute)),
 	}, provisioner.CertificateEnforcerFunc(func(cert *x509.Certificate) error {
@@ -1584,6 +1626,7 @@ func TestAuthority_AuthorizeRenewToken(t *testing.T) {
 	}{
 		{"ok", a1, args{ctx, t1}, c1, false},
 		{"ok expired cert", a1, args{ctx, t2}, c2, false},
+		{"ok provisioner issuer", a1, args{ctx, t3}, c3, false},
 		{"fail token", a1, args{ctx, "not.a.token"}, nil, true},
 		{"fail token reuse", a1, args{ctx, t1}, nil, true},
 		{"fail token signature", a1, args{ctx, badSigner}, nil, true},

authority/config/config.go

@@ -26,27 +26,27 @@ var (
 	DefaultBackdate = time.Minute
 	// DefaultDisableRenewal disables renewals per provisioner.
 	DefaultDisableRenewal = false
-	// DefaultAllowRenewAfterExpiry allows renewals even if the certificate is
+	// DefaultAllowRenewalAfterExpiry allows renewals even if the certificate is
 	// expired.
-	DefaultAllowRenewAfterExpiry = false
+	DefaultAllowRenewalAfterExpiry = false
 	// DefaultEnableSSHCA enable SSH CA features per provisioner or globally
 	// for all provisioners.
 	DefaultEnableSSHCA = false
 	// GlobalProvisionerClaims default claims for the Authority. Can be overridden
 	// by provisioner specific claims.
 	GlobalProvisionerClaims = provisioner.Claims{
-		MinTLSDur:             &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
-		MaxTLSDur:             &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultTLSDur:         &provisioner.Duration{Duration: 24 * time.Hour},
-		MinUserSSHDur:         &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
-		MaxUserSSHDur:         &provisioner.Duration{Duration: 24 * time.Hour},
-		DefaultUserSSHDur:     &provisioner.Duration{Duration: 16 * time.Hour},
-		MinHostSSHDur:         &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
-		MaxHostSSHDur:         &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		DefaultHostSSHDur:     &provisioner.Duration{Duration: 30 * 24 * time.Hour},
-		EnableSSHCA:           &DefaultEnableSSHCA,
-		DisableRenewal:        &DefaultDisableRenewal,
-		AllowRenewAfterExpiry: &DefaultAllowRenewAfterExpiry,
+		MinTLSDur:               &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs
+		MaxTLSDur:               &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultTLSDur:           &provisioner.Duration{Duration: 24 * time.Hour},
+		MinUserSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs
+		MaxUserSSHDur:           &provisioner.Duration{Duration: 24 * time.Hour},
+		DefaultUserSSHDur:       &provisioner.Duration{Duration: 16 * time.Hour},
+		MinHostSSHDur:           &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs
+		MaxHostSSHDur:           &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		DefaultHostSSHDur:       &provisioner.Duration{Duration: 30 * 24 * time.Hour},
+		EnableSSHCA:             &DefaultEnableSSHCA,
+		DisableRenewal:          &DefaultDisableRenewal,
+		AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry,
 	}
 )
 
@@ -308,6 +308,18 @@ func (c *Config) GetAudiences() provisioner.Audiences {
 	return audiences
 }
 
+// Audience returns the list of audiences for a given path.
+func (c *Config) Audience(path string) []string {
+	audiences := make([]string, len(c.DNSNames)+1)
+	for i, name := range c.DNSNames {
+		hostname := toHostname(name)
+		audiences[i] = "https://" + hostname + path
+	}
+	// For backward compatibility
+	audiences[len(c.DNSNames)] = path
+	return audiences
+}
+
 func toHostname(name string) string {
 	// ensure an IPv6 address is represented with square brackets when used as hostname
 	if ip := net.ParseIP(name); ip != nil && ip.To4() == nil {

authority/config/config_test.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"fmt"
+	"reflect"
 	"testing"
 
 	"github.com/pkg/errors"
@@ -317,3 +318,38 @@ func Test_toHostname(t *testing.T) {
 		})
 	}
 }
+
+func TestConfig_Audience(t *testing.T) {
+	type fields struct {
+		DNSNames []string
+	}
+	type args struct {
+		path string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   []string
+	}{
+		{"ok", fields{[]string{
+			"ca", "ca.example.com", "127.0.0.1", "::1",
+		}}, args{"/path"}, []string{
+			"https://ca/path",
+			"https://ca.example.com/path",
+			"https://127.0.0.1/path",
+			"https://[::1]/path",
+			"/path",
+		}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Config{
+				DNSNames: tt.fields.DNSNames,
+			}
+			if got := c.Audience(tt.args.path); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("Config.Audience() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}