From 6f8fe01da170f6e4be09f85ea952c3e0d89f64db Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 23 Nov 2022 19:47:42 -0800 Subject: caddypki: Use go.step.sm/crypto to generate the PKI (#5217) This commit replaces the use of github.com/smallstep/cli to generate the root and intermediate certificates and uses go.step.sm/crypto instead. It also upgrades the version of github.com/smallstep/certificates to the latest version. --- modules/caddypki/ca.go | 10 ++++---- modules/caddypki/certificates.go | 51 ++++++++++++++++++++++++++-------------- 2 files changed, 39 insertions(+), 22 deletions(-) (limited to 'modules/caddypki') diff --git a/modules/caddypki/ca.go b/modules/caddypki/ca.go index acf8d14..914eddf 100644 --- a/modules/caddypki/ca.go +++ b/modules/caddypki/ca.go @@ -121,7 +121,7 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error { // load the certs and key that will be used for signing var rootCert, interCert *x509.Certificate - var rootKey, interKey any + var rootKey, interKey crypto.Signer var err error if ca.Root != nil { if ca.Root.Format == "" || ca.Root.Format == "pem_file" { @@ -239,7 +239,7 @@ func (ca *CA) NewAuthority(authorityConfig AuthorityConfig) (*authority.Authorit return auth, nil } -func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey any, err error) { +func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey crypto.Signer, err error) { if ca.Root != nil { return ca.Root.Load() } @@ -276,7 +276,7 @@ func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey any, err error return rootCert, rootKey, nil } -func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey any, err error) { +func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey crypto.Signer, err error) { repl := ca.newReplacer() rootCert, rootKey, err = generateRoot(repl.ReplaceAll(ca.RootCommonName, "")) 
@@ -303,7 +303,7 @@ func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey any, err error) {
 return rootCert, rootKey, nil
 }
 
-func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateKey) (interCert *x509.Certificate, interKey crypto.PrivateKey, err error) {
+func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) {
 interCertPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyIntermediateCert())
 if err != nil {
 if !errors.Is(err, fs.ErrNotExist) {
@@ -338,7 +338,7 @@ func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Pr
 return interCert, interKey, nil
 }
 
-func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.PrivateKey) (interCert *x509.Certificate, interKey crypto.PrivateKey, err error) {
+func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) {
 repl := ca.newReplacer()
 
 interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey)
diff --git a/modules/caddypki/certificates.go b/modules/caddypki/certificates.go
index 442a0ad..c3b88a1 100644
--- a/modules/caddypki/certificates.go
+++ b/modules/caddypki/certificates.go
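Review bot: `loadOrGenIntermediate` and `genIntermediate` carry no doc comment, and after this hunk their signatures are the only place stating that `rootKey` must be a `crypto.Signer` (a key that can actually sign) rather than any `crypto.PrivateKey`; the hunk shows only the opening of `loadOrGenIntermediate` — the storage load and the `fs.ErrNotExist` check — and the rest of both bodies lies outside it. I would add `// loadOrGenIntermediate returns the intermediate certificate and key stored under ca.storageKeyIntermediateCert(), or, when nothing is stored yet, generates a new intermediate signed by rootCert/rootKey.` above the first and `// genIntermediate generates a fresh intermediate certificate and key, expanding IntermediateCommonName through ca.newReplacer() and signing with rootKey.` above the second. The "generates when absent" half of the first comment follows from the name and the `fs.ErrNotExist` branch; confirm it against the part of the body not shown here.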
@@ -19,33 +19,50 @@ import ( "crypto/x509" "time" - "github.com/smallstep/cli/crypto/x509util" + "go.step.sm/crypto/keyutil" + "go.step.sm/crypto/x509util" ) -func generateRoot(commonName string) (rootCrt *x509.Certificate, privateKey any, err error) { - rootProfile, err := x509util.NewRootProfile(commonName) +func generateRoot(commonName string) (*x509.Certificate, crypto.Signer, error) { + template, signer, err := newCert(commonName, x509util.DefaultRootTemplate, defaultRootLifetime) if err != nil { - return + return nil, nil, err } - rootProfile.Subject().NotAfter = time.Now().Add(defaultRootLifetime) // TODO: make configurable - return newCert(rootProfile) + root, err := x509util.CreateCertificate(template, template, signer.Public(), signer) + if err != nil { + return nil, nil, err + } + return root, signer, nil } -func generateIntermediate(commonName string, rootCrt *x509.Certificate, rootKey crypto.PrivateKey) (cert *x509.Certificate, privateKey crypto.PrivateKey, err error) { - interProfile, err := x509util.NewIntermediateProfile(commonName, rootCrt, rootKey) +func generateIntermediate(commonName string, rootCrt *x509.Certificate, rootKey crypto.Signer) (*x509.Certificate, crypto.Signer, error) { + template, signer, err := newCert(commonName, x509util.DefaultIntermediateTemplate, defaultIntermediateLifetime) if err != nil { - return + return nil, nil, err } - interProfile.Subject().NotAfter = time.Now().Add(defaultIntermediateLifetime) // TODO: make configurable - return newCert(interProfile) + intermediate, err := x509util.CreateCertificate(template, rootCrt, signer.Public(), rootKey) + if err != nil { + return nil, nil, err + } + return intermediate, signer, nil } -func newCert(profile x509util.Profile) (cert *x509.Certificate, privateKey crypto.PrivateKey, err error) { - certBytes, err := profile.CreateCertificate() +func newCert(commonName, templateName string, lifetime time.Duration) (cert *x509.Certificate, signer crypto.Signer, err error) { + signer, 
err = keyutil.GenerateDefaultSigner() if err != nil { - return + return nil, nil, err } - privateKey = profile.SubjectPrivateKey() - cert, err = x509.ParseCertificate(certBytes) - return + csr, err := x509util.CreateCertificateRequest(commonName, []string{}, signer) + if err != nil { + return nil, nil, err + } + template, err := x509util.NewCertificate(csr, x509util.WithTemplate(templateName, x509util.CreateTemplateData(commonName, []string{}))) + if err != nil { + return nil, nil, err + } + + cert = template.GetCertificate() + cert.NotBefore = time.Now().Truncate(time.Second) + cert.NotAfter = cert.NotBefore.Add(lifetime) + return cert, signer, nil } -- cgit v1.2.3
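Review bot: `generateIntermediate` does not bound the intermediate's validity by its issuer: `newCert` derives `NotAfter` from `lifetime` alone, and `rootCrt` is only handed to `x509util.CreateCertificate` as the signing parent, so a root that was loaded from a user-supplied `ca.Root` and expires sooner than `defaultIntermediateLifetime` yields an intermediate whose `NotAfter` lies past its root's. A clamp after `newCert` returns keeps the chain nested: `if template.NotAfter.After(rootCrt.NotAfter) { template.NotAfter = rootCrt.NotAfter }`, with an error instead if `rootCrt.NotAfter` is already before `template.NotBefore`. Separately, `newCert` sets `NotBefore` to `time.Now()` exactly with no skew allowance, which a freshly rotated intermediate exposes to clients whose clocks run slightly behind; backdating `cert.NotBefore` by a minute is the usual mitigation. On naming, `newCert`'s `templateName` parameter is passed to `x509util.WithTemplate`, which — as far as I can tell from `DefaultRootTemplate` being the template body rather than a lookup key — takes the template text, so `templateText` would describe it better, and none of the three functions has a doc comment, e.g. `// newCert generates a default signer and returns an x509 template built from templateText for commonName, valid for lifetime starting now.`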