From 184e8e9f713bf39e82f4677452998bb003de6e6d Mon Sep 17 00:00:00 2001 From: Matt Holt Date: Tue, 5 May 2020 12:35:32 -0600 Subject: pki: Embedded ACME server (#3198) * pki: Initial commit of embedded ACME server (#3021) * reverseproxy: Support auto-managed TLS client certificates (#3021) * A little cleanup after today's review session --- modules/caddytls/internalissuer.go | 50 ++++++++++++-------------------------- 1 file changed, 15 insertions(+), 35 deletions(-) (limited to 'modules/caddytls') diff --git a/modules/caddytls/internalissuer.go b/modules/caddytls/internalissuer.go index 53a1d00..ca43bf8 100644 --- a/modules/caddytls/internalissuer.go +++ b/modules/caddytls/internalissuer.go @@ -17,7 +17,6 @@ package caddytls import ( "bytes" "context" - "crypto" "crypto/x509" "encoding/pem" "fmt" @@ -26,7 +25,6 @@ import ( "github.com/caddyserver/caddy/v2" "github.com/caddyserver/caddy/v2/modules/caddypki" "github.com/caddyserver/certmagic" - "github.com/smallstep/certificates/authority" "github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/cli/crypto/x509util" ) @@ -73,7 +71,7 @@ func (li *InternalIssuer) Provision(ctx caddy.Context) error { } pkiApp := appModule.(*caddypki.PKI) if li.CA == "" { - li.CA = defaultInternalCAName + li.CA = caddypki.DefaultCAID } ca, ok := pkiApp.CAs[li.CA] if !ok { @@ -98,40 +96,20 @@ func (li InternalIssuer) IssuerKey() string { // Issue issues a certificate to satisfy the CSR. func (li InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error) { // prepare the signing authority - // TODO: eliminate placeholders / needless values - cfg := &authority.Config{ - Address: "placeholder_Address:1", - Root: []string{"placeholder_Root"}, - IntermediateCert: "placeholder_IntermediateCert", - IntermediateKey: "placeholder_IntermediateKey", - DNSNames: []string{"placeholder_DNSNames"}, - AuthorityConfig: &authority.AuthConfig{ - Provisioners: provisioner.List{}, - }, + authCfg := caddypki.AuthorityConfig{ + SignWithRoot: li.SignWithRoot, + } + auth, err := li.ca.NewAuthority(authCfg) + if err != nil { + return nil, err } - // get the root certificate and the issuer cert+key - rootCert := li.ca.RootCertificate() + // get the cert (public key) that will be used for signing var issuerCert *x509.Certificate - var issuerKey interface{} if li.SignWithRoot { - issuerCert = rootCert - var err error - issuerKey, err = li.ca.RootKey() - if err != nil { - return nil, fmt.Errorf("loading signing key: %v", err) - } + issuerCert = li.ca.RootCertificate() } else { issuerCert = li.ca.IntermediateCertificate() - issuerKey = li.ca.IntermediateKey() - } - - auth, err := authority.New(cfg, - authority.WithX509Signer(issuerCert, issuerKey.(crypto.Signer)), - authority.WithX509RootCerts(rootCert), - ) - if err != nil { - return nil, fmt.Errorf("initializing certificate authority: %v", err) } // ensure issued certificate does not expire later than its issuer @@ -161,13 +139,16 @@ func (li InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest }, nil } -// TODO: borrowing from https://github.com/smallstep/certificates/blob/806abb6232a5691198b891d76b9898ea7f269da0/authority/provisioner/sign_options.go#L191-L211 -// as per https://github.com/smallstep/certificates/issues/198. // profileDefaultDuration is a wrapper against x509util.WithOption to conform // the SignOption interface. +// +// This type is borrowed from the smallstep libraries: +// https://github.com/smallstep/certificates/blob/806abb6232a5691198b891d76b9898ea7f269da0/authority/provisioner/sign_options.go#L191-L211 +// as per https://github.com/smallstep/certificates/issues/198. +// +// TODO: In the future, this approach to custom cert lifetimes may not be necessary type profileDefaultDuration time.Duration -// TODO: is there a better way to set cert lifetimes than copying from the smallstep libs? func (d profileDefaultDuration) Option(so provisioner.Options) x509util.WithOption { var backdate time.Duration notBefore := so.NotBefore.Time() @@ -188,7 +169,6 @@ func (d profileDefaultDuration) Option(so provisioner.Options) x509util.WithOpti } const ( - defaultInternalCAName = "local" defaultInternalCertLifetime = 12 * time.Hour ) -- cgit v1.2.3