Merge pull request smallstep#1204 from smallstep/herman/improve-scep-marshaling

Improve SCEP provisioner marshaling

Author: hslatman

api/api.go

@@ -224,8 +224,39 @@ type RootResponse struct {
 // ProvisionersResponse is the response object that returns the list of
 // provisioners.
 type ProvisionersResponse struct {
-	Provisioners provisioner.List `json:"provisioners"`
-	NextCursor   string           `json:"nextCursor"`
+	Provisioners provisioner.List
+	NextCursor   string
+}
+
+// MarshalJSON implements json.Marshaler. It marshals the ProvisionersResponse
+// into a byte slice.
+//
+// Special treatment is given to the SCEP provisioner, as it contains a
+// challenge secret that MUST NOT be leaked in (public) HTTP responses. The
+// challenge value is thus redacted in HTTP responses.
+func (p ProvisionersResponse) MarshalJSON() ([]byte, error) {
+	for _, item := range p.Provisioners {
+		scepProv, ok := item.(*provisioner.SCEP)
+		if !ok {
+			continue
+		}
+
+		old := scepProv.ChallengePassword
+		scepProv.ChallengePassword = "*** REDACTED ***"
+		defer func(p string) { //nolint:gocritic // defer in loop required to restore initial state of provisioners
+			scepProv.ChallengePassword = p
+		}(old)
+	}
+
+	var list = struct {
+		Provisioners []provisioner.Interface `json:"provisioners"`
+		NextCursor   string                  `json:"nextCursor"`
+	}{
+		Provisioners: []provisioner.Interface(p.Provisioners),
+		NextCursor:   p.NextCursor,
+	}
+
+	return json.Marshal(list)
 }
 
 // ProvisionerKeyResponse is the response object that returns the encrypted key

api/api_test.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"crypto/dsa" //nolint
+	"crypto/dsa" //nolint:staticcheck // support legacy algorithms
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
@@ -28,7 +28,9 @@ import (
 
 	"github.com/go-chi/chi"
 	"github.com/pkg/errors"
+	sassert "github.com/stretchr/testify/assert"
 	"golang.org/x/crypto/ssh"
+	squarejose "gopkg.in/square/go-jose.v2"
 
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/x509util"
@@ -1564,3 +1566,94 @@ func mustCertificate(t *testing.T, pub, priv interface{}) *x509.Certificate {
 	}
 	return cert
 }
+
+func TestProvisionersResponse_MarshalJSON(t *testing.T) {
+
+	k := map[string]any{
+		"use": "sig",
+		"kty": "EC",
+		"kid": "4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc",
+		"crv": "P-256",
+		"alg": "ES256",
+		"x":   "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8",
+		"y":   "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y",
+	}
+	key := squarejose.JSONWebKey{}
+	b, err := json.Marshal(k)
+	assert.FatalError(t, err)
+	err = json.Unmarshal(b, &key)
+	assert.FatalError(t, err)
+
+	r := ProvisionersResponse{
+		Provisioners: provisioner.List{
+			&provisioner.SCEP{
+				Name:                          "scep",
+				Type:                          "scep",
+				ChallengePassword:             "not-so-secret",
+				MinimumPublicKeyLength:        2048,
+				EncryptionAlgorithmIdentifier: 2,
+			},
+			&provisioner.JWK{
+				EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
+				Key:          &key,
+				Name:         "step-cli",
+				Type:         "JWK",
+			},
+		},
+		NextCursor: "next",
+	}
+
+	expected := map[string]any{
+		"provisioners": []map[string]any{
+			{
+				"type":                          "scep",
+				"name":                          "scep",
+				"challenge":                     "*** REDACTED ***",
+				"minimumPublicKeyLength":        2048,
+				"encryptionAlgorithmIdentifier": 2,
+			},
+			{
+				"type": "JWK",
+				"name": "step-cli",
+				"key": map[string]any{
+					"use": "sig",
+					"kty": "EC",
+					"kid": "4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc",
+					"crv": "P-256",
+					"alg": "ES256",
+					"x":   "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8",
+					"y":   "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y",
+				},
+				"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
+			},
+		},
+		"nextCursor": "next",
+	}
+
+	expBytes, err := json.Marshal(expected)
+	sassert.NoError(t, err)
+
+	br, err := r.MarshalJSON()
+	sassert.NoError(t, err)
+	sassert.JSONEq(t, string(expBytes), string(br))
+
+	keyCopy := key
+	expList := provisioner.List{
+		&provisioner.SCEP{
+			Name:                          "scep",
+			Type:                          "scep",
+			ChallengePassword:             "not-so-secret",
+			MinimumPublicKeyLength:        2048,
+			EncryptionAlgorithmIdentifier: 2,
+		},
+		&provisioner.JWK{
+			EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
+			Key:          &keyCopy,
+			Name:         "step-cli",
+			Type:         "JWK",
+		},
+	}
+
+	// MarshalJSON must not affect the struct properties itself
+	sassert.Equal(t, expList, r.Provisioners)
+}

authority/provisioner/provisioner.go

@@ -10,8 +10,9 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/errs"
 	"golang.org/x/crypto/ssh"
+
+	"github.com/smallstep/certificates/errs"
 )
 
 // Interface is the interface that all provisioner types must implement.

authority/provisioner/scep.go

@@ -39,7 +39,6 @@ type SCEP struct {
 	Options                       *Options `json:"options,omitempty"`
 	Claims                        *Claims  `json:"claims,omitempty"`
 	ctl                           *Controller
-	secretChallengePassword       string
 	encryptionAlgorithm           int
 	challengeValidationController *challengeValidationController
 }
@@ -159,10 +158,6 @@ func (s *SCEP) Init(config Config) (err error) {
 		return errors.New("provisioner name cannot be empty")
 	}
 
-	// Mask the actual challenge value, so it won't be marshaled
-	s.secretChallengePassword = s.ChallengePassword
-	s.ChallengePassword = "*** redacted ***"
-
 	// Default to 2048 bits minimum public key length (for CSRs) if not set
 	if s.MinimumPublicKeyLength == 0 {
 		s.MinimumPublicKeyLength = 2048
@@ -206,11 +201,6 @@ func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 	}, nil
 }
 
-// GetChallengePassword returns the challenge password
-func (s *SCEP) GetChallengePassword() string {
-	return s.secretChallengePassword
-}
-
 // GetCapabilities returns the CA capabilities
 func (s *SCEP) GetCapabilities() []string {
 	return s.Capabilities
@@ -241,7 +231,7 @@ func (s *SCEP) ValidateChallenge(ctx context.Context, challenge, transactionID s
 	case validationMethodWebhook:
 		return s.challengeValidationController.Validate(ctx, challenge, transactionID)
 	default:
-		if subtle.ConstantTimeCompare([]byte(s.secretChallengePassword), []byte(challenge)) == 0 {
+		if subtle.ConstantTimeCompare([]byte(s.ChallengePassword), []byte(challenge)) == 0 {
 			return errors.New("invalid challenge password provided")
 		}
 		return nil
@@ -264,7 +254,7 @@ func (s *SCEP) selectValidationMethod() validationMethod {
 	if len(s.challengeValidationController.webhooks) > 0 {
 		return validationMethodWebhook
 	}
-	if s.secretChallengePassword != "" {
+	if s.ChallengePassword != "" {
 		return validationMethodStatic
 	}
 	return validationMethodNone

authority/provisioners.go

@@ -1223,7 +1223,7 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 				Data: &linkedca.ProvisionerDetails_SCEP{
 					SCEP: &linkedca.SCEPProvisioner{
 						ForceCn:                       p.ForceCN,
-						Challenge:                     p.GetChallengePassword(),
+						Challenge:                     p.ChallengePassword,
 						Capabilities:                  p.Capabilities,
 						MinimumPublicKeyLength:        int32(p.MinimumPublicKeyLength),
 						IncludeRoot:                   p.IncludeRoot,

authority/provisioners_test.go

@@ -9,14 +9,17 @@ import (
 	"testing"
 	"time"
 
+	"go.step.sm/crypto/jose"
+	"go.step.sm/crypto/keyutil"
+	"go.step.sm/linkedca"
+
+	"github.com/stretchr/testify/require"
+
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
-	"go.step.sm/crypto/jose"
-	"go.step.sm/crypto/keyutil"
-	"go.step.sm/linkedca"
 )
 
 func TestGetEncryptedKey(t *testing.T) {
@@ -29,19 +32,19 @@ func TestGetEncryptedKey(t *testing.T) {
 	tests := map[string]func(t *testing.T) *ek{
 		"ok": func(t *testing.T) *ek {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
-			assert.FatalError(t, err)
+			require.NoError(t, err)
 			a, err := New(c)
-			assert.FatalError(t, err)
+			require.NoError(t, err)
 			return &ek{
 				a:   a,
 				kid: c.AuthorityConfig.Provisioners[1].(*provisioner.JWK).Key.KeyID,
 			}
 		},
 		"fail-not-found": func(t *testing.T) *ek {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
-			assert.FatalError(t, err)
+			require.NoError(t, err)
 			a, err := New(c)
-			assert.FatalError(t, err)
+			require.NoError(t, err)
 			return &ek{
 				a:    a,
 				kid:  "foo",
@@ -95,9 +98,16 @@ func TestGetProvisioners(t *testing.T) {
 	tests := map[string]func(t *testing.T) *gp{
 		"ok": func(t *testing.T) *gp {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
-			assert.FatalError(t, err)
+			require.NoError(t, err)
 			a, err := New(c)
-			assert.FatalError(t, err)
+			require.NoError(t, err)
+			return &gp{a: a}
+		},
+		"ok/rsa": func(t *testing.T) *gp {
+			c, err := LoadConfiguration("../ca/testdata/rsaca.json")
+			require.NoError(t, err)
+			a, err := New(c)
+			require.NoError(t, err)
 			return &gp{a: a}
 		},
 	}
@@ -111,13 +121,13 @@ func TestGetProvisioners(t *testing.T) {
 				if assert.NotNil(t, tc.err) {
 					var sc render.StatusCodedError
 					if assert.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") {
-						assert.Equals(t, sc.StatusCode(), tc.code)
+						assert.Equals(t, tc.code, sc.StatusCode())
 					}
-					assert.HasPrefix(t, err.Error(), tc.err.Error())
+					assert.HasPrefix(t, tc.err.Error(), err.Error())
 				}
 			} else {
 				if assert.Nil(t, tc.err) {
-					assert.Equals(t, ps, tc.a.config.AuthorityConfig.Provisioners)
+					assert.Equals(t, tc.a.config.AuthorityConfig.Provisioners, ps)
 					assert.Equals(t, "", next)
 				}
 			}
@@ -127,20 +137,20 @@ func TestGetProvisioners(t *testing.T) {
 
 func TestAuthority_LoadProvisionerByCertificate(t *testing.T) {
 	_, priv, err := keyutil.GenerateDefaultKeyPair()
-	assert.FatalError(t, err)
+	require.NoError(t, err)
 	csr := getCSR(t, priv)
 
 	sign := func(a *Authority, extraOpts ...provisioner.SignOption) *x509.Certificate {
 		key, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
-		assert.FatalError(t, err)
+		require.NoError(t, err)
 		token, err := generateToken("smallstep test", "step-cli", testAudiences.Sign[0], []string{"test.smallstep.com"}, time.Now(), key)
-		assert.FatalError(t, err)
+		require.NoError(t, err)
 		ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SignMethod)
 		opts, err := a.Authorize(ctx, token)
-		assert.FatalError(t, err)
+		require.NoError(t, err)
 		opts = append(opts, extraOpts...)
 		certs, err := a.Sign(csr, provisioner.SignOptions{}, opts...)
-		assert.FatalError(t, err)
+		require.NoError(t, err)
 		return certs[0]
 	}
 	getProvisioner := func(a *Authority, name string) provisioner.Interface {
@@ -169,9 +179,7 @@ func TestAuthority_LoadProvisionerByCertificate(t *testing.T) {
 		},
 		MGetCertificateData: func(serialNumber string) (*db.CertificateData, error) {
 			p, err := a1.LoadProvisionerByName("dev")
-			if err != nil {
-				t.Fatal(err)
-			}
+			require.NoError(t, err)
 			return &db.CertificateData{
 				Provisioner: &db.ProvisionerData{
 					ID:   p.GetID(),
@@ -186,9 +194,7 @@ func TestAuthority_LoadProvisionerByCertificate(t *testing.T) {
 	a2.adminDB = &mockAdminDB{
 		MGetCertificateData: (func(s string) (*db.CertificateData, error) {
 			p, err := a2.LoadProvisionerByName("dev")
-			if err != nil {
-				t.Fatal(err)
-			}
+			require.NoError(t, err)
 			return &db.CertificateData{
 				Provisioner: &db.ProvisionerData{
 					ID:   p.GetID(),