sshpop provisioner + ssh renew | revoke | rekey first pass

Author: dopey

api/api.go

@@ -38,7 +38,7 @@ type Authority interface {
 	LoadProvisionerByCertificate(*x509.Certificate) (provisioner.Interface, error)
 	LoadProvisionerByID(string) (provisioner.Interface, error)
 	GetProvisioners(cursor string, limit int) (provisioner.List, string, error)
-	Revoke(*authority.RevokeOptions) error
+	Revoke(context.Context, *authority.RevokeOptions) error
 	GetEncryptedKey(kid string) (string, error)
 	GetRoots() (federation []*x509.Certificate, err error)
 	GetFederation() ([]*x509.Certificate, error)
@@ -252,6 +252,9 @@ func (h *caHandler) Route(r Router) {
 	r.MethodFunc("GET", "/federation", h.Federation)
 	// SSH CA
 	r.MethodFunc("POST", "/ssh/sign", h.SSHSign)
+	r.MethodFunc("POST", "/ssh/renew", h.SSHRenew)
+	r.MethodFunc("POST", "/ssh/revoke", h.SSHRevoke)
+	r.MethodFunc("POST", "/ssh/rekey", h.SSHRekey)
 	r.MethodFunc("GET", "/ssh/roots", h.SSHRoots)
 	r.MethodFunc("GET", "/ssh/federation", h.SSHFederation)
 	r.MethodFunc("POST", "/ssh/config", h.SSHConfig)

api/revoke.go

@@ -1,10 +1,12 @@
 package api
 
 import (
+	"context"
 	"net/http"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/logging"
 	"golang.org/x/crypto/ocsp"
 )
@@ -63,10 +65,15 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
 		PassiveOnly: body.Passive,
 	}
 
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RevokeMethod)
 	// A token indicates that we are using the api via a provisioner token,
 	// otherwise it is assumed that the certificate is revoking itself over mTLS.
 	if len(body.OTT) > 0 {
 		logOtt(w, body.OTT)
+		if _, err := h.Authority.Authorize(ctx, body.OTT); err != nil {
+			WriteError(w, Unauthorized(err))
+			return
+		}
 		opts.OTT = body.OTT
 	} else {
 		// If no token is present, then the request must be made over mTLS and
@@ -77,11 +84,18 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		opts.Crt = r.TLS.PeerCertificates[0]
+		if opts.Crt.SerialNumber.String() != opts.Serial {
+			WriteError(w, BadRequest(errors.New("revoke: serial number in mtls certificate different than body")))
+			return
+		}
+		// TODO: should probably be checking if the certificate was revoked here.
+		// Will need to thread that request down to the authority, so will need
+		// to add API for that.
 		logCertificate(w, opts.Crt)
 		opts.MTLS = true
 	}
 
-	if err := h.Authority.Revoke(opts); err != nil {
+	if err := h.Authority.Revoke(ctx, opts); err != nil {
 		WriteError(w, Forbidden(err))
 		return
 	}

api/ssh.go

@@ -16,6 +16,8 @@ import (
 // SSHAuthority is the interface implemented by a SSH CA authority.
 type SSHAuthority interface {
 	SignSSH(key ssh.PublicKey, opts provisioner.SSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
+	RenewSSH(cert *ssh.Certificate) (*ssh.Certificate, error)
+	RekeySSH(cert *ssh.Certificate, key ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error)
 	SignSSHAddUser(key ssh.PublicKey, cert *ssh.Certificate) (*ssh.Certificate, error)
 	GetSSHRoots() (*authority.SSHKeys, error)
 	GetSSHFederation() (*authority.SSHKeys, error)
@@ -67,7 +69,8 @@ type SSHCertificate struct {
 	*ssh.Certificate `json:"omitempty"`
 }
 
-// SSHGetHostsResponse
+// SSHGetHostsResponse is the response object that returns the list of valid
+// hosts for SSH.
 type SSHGetHostsResponse struct {
 	Hosts []string `json:"hosts"`
 }

api/sshRekey.go

@@ -0,0 +1,78 @@
+package api
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"golang.org/x/crypto/ssh"
+)
+
+// SSHRekeyRequest is the request body of an SSH certificate request.
+type SSHRekeyRequest struct {
+	OTT       string `json:"ott"`
+	PublicKey []byte `json:"publicKey"` //base64 encoded
+}
+
+// Validate validates the SSHSignRekey.
+func (s *SSHRekeyRequest) Validate() error {
+	switch {
+	case len(s.OTT) == 0:
+		return errors.New("missing or empty ott")
+	case len(s.PublicKey) == 0:
+		return errors.New("missing or empty public key")
+	default:
+		return nil
+	}
+}
+
+// SSHRekeyResponse is the response object that returns the SSH certificate.
+type SSHRekeyResponse struct {
+	Certificate SSHCertificate `json:"crt"`
+}
+
+// SSHRekey is an HTTP handler that reads an RekeySSHRequest with a one-time-token
+// (ott) from the body and creates a new SSH certificate with the information in
+// the request.
+func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
+	var body SSHRekeyRequest
+	if err := ReadJSON(r.Body, &body); err != nil {
+		WriteError(w, BadRequest(errors.Wrap(err, "error reading request body")))
+		return
+	}
+
+	logOtt(w, body.OTT)
+	if err := body.Validate(); err != nil {
+		WriteError(w, BadRequest(err))
+		return
+	}
+
+	publicKey, err := ssh.ParsePublicKey(body.PublicKey)
+	if err != nil {
+		WriteError(w, BadRequest(errors.Wrap(err, "error parsing publicKey")))
+		return
+	}
+
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RekeySSHMethod)
+	signOpts, err := h.Authority.Authorize(ctx, body.OTT)
+	if err != nil {
+		WriteError(w, Unauthorized(err))
+		return
+	}
+	oldCert, err := provisioner.ExtractSSHPOPCert(body.OTT)
+	if err != nil {
+		WriteError(w, InternalServerError(err))
+	}
+
+	newCert, err := h.Authority.RekeySSH(oldCert, publicKey, signOpts...)
+	if err != nil {
+		WriteError(w, Forbidden(err))
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	JSON(w, &SSHSignResponse{
+		Certificate: SSHCertificate{newCert},
+	})
+}

api/sshRenew.go

@@ -0,0 +1,68 @@
+package api
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/authority/provisioner"
+)
+
+// SSHRenewRequest is the request body of an SSH certificate request.
+type SSHRenewRequest struct {
+	OTT string `json:"ott"`
+}
+
+// Validate validates the SSHSignRequest.
+func (s *SSHRenewRequest) Validate() error {
+	switch {
+	case len(s.OTT) == 0:
+		return errors.New("missing or empty ott")
+	default:
+		return nil
+	}
+}
+
+// SSHRenewResponse is the response object that returns the SSH certificate.
+type SSHRenewResponse struct {
+	Certificate SSHCertificate `json:"crt"`
+}
+
+// SSHRenew is an HTTP handler that reads an RenewSSHRequest with a one-time-token
+// (ott) from the body and creates a new SSH certificate with the information in
+// the request.
+func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
+	var body SSHRenewRequest
+	if err := ReadJSON(r.Body, &body); err != nil {
+		WriteError(w, BadRequest(errors.Wrap(err, "error reading request body")))
+		return
+	}
+
+	logOtt(w, body.OTT)
+	if err := body.Validate(); err != nil {
+		WriteError(w, BadRequest(err))
+		return
+	}
+
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RenewSSHMethod)
+	_, err := h.Authority.Authorize(ctx, body.OTT)
+	if err != nil {
+		WriteError(w, Unauthorized(err))
+		return
+	}
+	oldCert, err := provisioner.ExtractSSHPOPCert(body.OTT)
+	if err != nil {
+		WriteError(w, InternalServerError(err))
+	}
+
+	newCert, err := h.Authority.RenewSSH(oldCert)
+	if err != nil {
+		WriteError(w, Forbidden(err))
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	JSON(w, &SSHSignResponse{
+		Certificate: SSHCertificate{newCert},
+	})
+}

api/sshRevoke.go

@@ -0,0 +1,98 @@
+package api
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/pkg/errors"
+	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/provisioner"
+	"github.com/smallstep/certificates/logging"
+	"golang.org/x/crypto/ocsp"
+)
+
+// SSHRevokeResponse is the response object that returns the health of the server.
+type SSHRevokeResponse struct {
+	Status string `json:"status"`
+}
+
+// SSHRevokeRequest is the request body for a revocation request.
+type SSHRevokeRequest struct {
+	Serial     string `json:"serial"`
+	OTT        string `json:"ott"`
+	ReasonCode int    `json:"reasonCode"`
+	Reason     string `json:"reason"`
+	Passive    bool   `json:"passive"`
+}
+
+// Validate checks the fields of the RevokeRequest and returns nil if they are ok
+// or an error if something is wrong.
+func (r *SSHRevokeRequest) Validate() (err error) {
+	if r.Serial == "" {
+		return BadRequest(errors.New("missing serial"))
+	}
+	if r.ReasonCode < ocsp.Unspecified || r.ReasonCode > ocsp.AACompromise {
+		return BadRequest(errors.New("reasonCode out of bounds"))
+	}
+	if !r.Passive {
+		return NotImplemented(errors.New("non-passive revocation not implemented"))
+	}
+	if len(r.OTT) == 0 {
+		return BadRequest(errors.New("missing ott"))
+	}
+	return
+}
+
+// Revoke supports handful of different methods that revoke a Certificate.
+//
+// NOTE: currently only Passive revocation is supported.
+func (h *caHandler) SSHRevoke(w http.ResponseWriter, r *http.Request) {
+	var body SSHRevokeRequest
+	if err := ReadJSON(r.Body, &body); err != nil {
+		WriteError(w, BadRequest(errors.Wrap(err, "error reading request body")))
+		return
+	}
+
+	if err := body.Validate(); err != nil {
+		WriteError(w, err)
+		return
+	}
+
+	opts := &authority.RevokeOptions{
+		Serial:      body.Serial,
+		Reason:      body.Reason,
+		ReasonCode:  body.ReasonCode,
+		PassiveOnly: body.Passive,
+	}
+
+	ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.RevokeSSHMethod)
+	// A token indicates that we are using the api via a provisioner token,
+	// otherwise it is assumed that the certificate is revoking itself over mTLS.
+	logOtt(w, body.OTT)
+	if _, err := h.Authority.Authorize(ctx, body.OTT); err != nil {
+		WriteError(w, Unauthorized(err))
+		return
+	}
+	opts.OTT = body.OTT
+
+	if err := h.Authority.Revoke(ctx, opts); err != nil {
+		WriteError(w, Forbidden(err))
+		return
+	}
+
+	logSSHRevoke(w, opts)
+	JSON(w, &SSHRevokeResponse{Status: "ok"})
+}
+
+func logSSHRevoke(w http.ResponseWriter, ri *authority.RevokeOptions) {
+	if rl, ok := w.(logging.ResponseLogger); ok {
+		rl.WithFields(map[string]interface{}{
+			"serial":      ri.Serial,
+			"reasonCode":  ri.ReasonCode,
+			"reason":      ri.Reason,
+			"passiveOnly": ri.PassiveOnly,
+			"mTLS":        ri.MTLS,
+			"ssh":         true,
+		})
+	}
+}

authority/authority.go

@@ -179,8 +179,33 @@ func (a *Authority) init() error {
 		}
 	}
 
+	// Merge global and configuration claims
+	claimer, err := provisioner.NewClaimer(a.config.AuthorityConfig.Claims, globalProvisionerClaims)
+	if err != nil {
+		return err
+	}
+	// TODO: should we also be combining the ssh federated roots here?
+	// If we rotate ssh roots keys, sshpop provisioner will lose ability to
+	// validate old SSH certificates, unless they are added as federated certs.
+	sshKeys, err := a.GetSSHRoots()
+	if err != nil {
+		return err
+	}
+	// Initialize provisioners
+	config := provisioner.Config{
+		Claims:    claimer.Claims(),
+		Audiences: a.config.getAudiences(),
+		DB:        a.db,
+		SSHKeys: &provisioner.SSHKeys{
+			UserKeys: sshKeys.UserKeys,
+			HostKeys: sshKeys.HostKeys,
+		},
+	}
 	// Store all the provisioners
 	for _, p := range a.config.AuthorityConfig.Provisioners {
+		if err := p.Init(config); err != nil {
+			return err
+		}
 		if err := a.provisioners.Store(p); err != nil {
 			return err
 		}