Merge branch 'master' into herman/allow-deny

Author: hslatman

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
 - Added support for `extraNames` in X.509 templates.
+- Added RA support using a Vault instance as the CA.
 - Added support for automatic configuration of linked RAs.
 ### Changed
 - Made SCEP CA URL paths dynamic

authority/config/config.go

@@ -71,6 +71,7 @@ type Config struct {
 	TLS              *TLSOptions          `json:"tls,omitempty"`
 	Password         string               `json:"password,omitempty"`
 	Templates        *templates.Templates `json:"templates,omitempty"`
+	CommonName       string               `json:"commonName,omitempty"`
 }
 
 // ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer
@@ -177,6 +178,9 @@ func (c *Config) Init() {
 	if c.AuthorityConfig == nil {
 		c.AuthorityConfig = &AuthConfig{}
 	}
+	if c.CommonName == "" {
+		c.CommonName = "Step Online CA"
+	}
 	c.AuthorityConfig.init()
 }
 

authority/tls.go

@@ -591,7 +591,7 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 	}
 
 	// Create initial certificate request.
-	cr, err := x509util.CreateCertificateRequest("Step Online CA", sans, signer)
+	cr, err := x509util.CreateCertificateRequest(a.config.CommonName, sans, signer)
 	if err != nil {
 		return fatal(err)
 	}

ca/adminClient.go

@@ -91,6 +91,13 @@ func (c *AdminClient) generateAdminToken(aud *url.URL) (string, error) {
 		return "", err
 	}
 
+	// Drop any query string parameter from the token audience
+	aud = &url.URL{
+		Scheme: aud.Scheme,
+		Host:   aud.Host,
+		Path:   aud.Path,
+	}
+
 	now := time.Now()
 	tokOptions := []token.Options{
 		token.WithJWTID(jwtID),

cas/apiv1/options.go

@@ -3,6 +3,7 @@ package apiv1
 import (
 	"crypto"
 	"crypto/x509"
+	"encoding/json"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/kms"
@@ -15,8 +16,9 @@ type Options struct {
 	Type string `json:"type"`
 
 	// CertificateAuthority reference:
-	// In StepCAS the value is the CA url, e.g. "https://ca.smallstep.com:9000".
+	// In StepCAS the value is the CA url, e.g., "https://ca.smallstep.com:9000".
 	// In CloudCAS the format is "projects/*/locations/*/certificateAuthorities/*".
+	// In VaultCAS the value is the url, e.g., "https://vault.smallstep.com".
 	CertificateAuthority string `json:"certificateAuthority,omitempty"`
 
 	// CertificateAuthorityFingerprint is the root fingerprint used to
@@ -69,6 +71,9 @@ type Options struct {
 	CaPool     string `json:"-"`
 	CaPoolTier string `json:"-"`
 	GCSBucket  string `json:"-"`
+
+	// Generic structure to configure any CAS
+	Config json.RawMessage `json:"config,omitempty"`
 }
 
 // CertificateIssuer contains the properties used to use the StepCAS certificate

cas/apiv1/services.go

@@ -45,6 +45,8 @@ const (
 	CloudCAS = "cloudcas"
 	// StepCAS is a CertificateAuthorityService using another step-ca instance.
 	StepCAS = "stepcas"
+	// VaultCAS is a CertificateAuthorityService using Hasicorp Vault PKI.
+	VaultCAS = "vaultcas"
 )
 
 // String returns a string from the type. It will always return the lower case