From 3e26abaa66bec0729cfc1a8c9cdc63bf2cbdef92 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 17 May 2023 13:33:09 +0200
Subject: [PATCH 01/12] Add `--ca-kms` flag

The `--ca-kms` flag can be used to specify a different KMS to be used for the CA signer.
---
 command/certificate/create.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/command/certificate/create.go b/command/certificate/create.go
index a216deb65..6a5b8f8de 100644
--- a/command/certificate/create.go
+++ b/command/certificate/create.go
@@ -446,6 +446,9 @@ the **--ca** flag.`,
 Name: "insecure",
 Hidden: true,
 },
+ cli.StringFlag{
+ Name: "ca-kms",
+ },
 },
 }
 }
@@ -644,6 +647,7 @@ func createAction(ctx *cli.Context) error {
 if err != nil {
 return err
 }
+
 certTemplate := certificate.GetCertificate()
 if parent == nil {
 parent = certTemplate
@@ -766,9 +770,9 @@ func parseSigner(ctx *cli.Context, defaultSigner crypto.Signer) (*x509.Certifica
 var (
 caCert = ctx.String("ca")
 caKey = ctx.String("ca-key")
+ caKMS = ctx.String("ca-kms")
 profile = ctx.String("profile")
 template = ctx.String("template")
- kms = ctx.String("kms")
 )

 // Check required flags when profile is used.
@@ -819,7 +823,7 @@ func parseSigner(ctx *cli.Context, defaultSigner crypto.Signer) (*x509.Certifica
 opts = append(opts, pemutil.WithPasswordFile(passFile))
 }

- signer, err := cryptoutil.CreateSigner(kms, caKey, opts...)
+ signer, err := cryptoutil.CreateSigner(caKMS, caKey, opts...)
 if err != nil {
 return nil, nil, err
 }

From 72cff05119b60a1ce7c7798e00e4a827d23bde33 Mon Sep 17 00:00:00 2001
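Review bot: Replacing `kms` with `caKMS` in the two parseSigner hunks is a silent behavior change for anyone who today passes `--kms` to reach a KMS-backed `--ca-key`: after this patch the CA key is loaded with an empty KMS URI and `--kms` only applies to the leaf key, and the new flag is added in the first hunk without a `Usage` string, so nothing at the CLI surface announces that. The commit message should say this explicitly, e.g. `The CA key is no longer resolved through --kms; use --ca-kms when --ca-key lives in a KMS.`, and the CHANGELOG entry for this series should carry the same sentence. A fallback to `--kms` when `--ca-kms` is empty would restore the old behavior but would also break the later on-disk-root example, so documenting the break looks like the right call; confirm that is the intent. parseSigner starts and ends outside both hunks.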
From: Herman Slatman
Date: Thu, 18 May 2023 00:25:13 +0200
Subject: [PATCH 02/12] Pass key to be signed as signer for the CSR instead of signing key

Before this commit the CSR (used internally to prepare the final certificate to be signed) was signed using the key that would sign the final certificate instead of by the key to be signed. This commit passes in `priv` instead of `signer`. This could lead to non-backwards compatible issues, but I think those shouldn't happen often.
---
 command/certificate/create.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/command/certificate/create.go b/command/certificate/create.go
index 6a5b8f8de..5796cc588 100644
--- a/command/certificate/create.go
+++ b/command/certificate/create.go
@@ -635,7 +635,7 @@ func createAction(ctx *cli.Context) error {
 }

 // Create X.509 certificate used as base for the certificate
- cr, err := x509util.CreateCertificateRequest(subject, sans, signer)
+ cr, err := x509util.CreateCertificateRequest(subject, sans, priv)
 if err != nil {
 return err
 }

From a62d6ad125874df274e3808938fdca5e38775164 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Thu, 25 May 2023 15:59:27 +0200
Subject: [PATCH 03/12] Add `--skip-csr-signature` option

When creating a certificate for a public key backed by a KMS that doesn't allow the key to also be used for signing, or in cases where the private key isn't readily available to sign the CSR, `--skip-csr-signature` can be passed to skip signing the (internally used) CSR. This option is not compatible with `--csr`, because that requires a CSR with a valid signature to be produced.
---
 command/certificate/create.go | 56 +++++++++++++++++++++----------
 command/certificate/sign.go | 2 +-
 go.mod | 14 ++++----
 go.sum | 29 ++++++++--------
 internal/cryptoutil/cryptoutil.go | 6 +++-
 5 files changed, 66 insertions(+), 41 deletions(-)

diff --git a/command/certificate/create.go b/command/certificate/create.go
index 5796cc588..1fe94fa09 100644
--- a/command/certificate/create.go
+++ b/command/certificate/create.go
@@ -447,7 +447,12 @@ the **--ca** flag.`,
 Hidden: true,
 },
 cli.StringFlag{
- Name: "ca-kms",
+ Name: "ca-kms",
+ Usage: "The to configure the KMS used for signing the certificate",
+ },
+ cli.BoolFlag{
+ Name: "skip-csr-signature",
+ Usage: "Skip creating and signing a CSR",
 },
 },
 }
@@ -488,17 +493,22 @@ func createAction(ctx *cli.Context) error {
 }

 var (
- sans = ctx.StringSlice("san")
- profile = ctx.String("profile")
- templateFile = ctx.String("template")
- bundle = ctx.Bool("bundle")
- subtle = ctx.Bool("subtle")
+ sans = ctx.StringSlice("san")
+ profile = ctx.String("profile")
+ templateFile = ctx.String("template")
+ bundle = ctx.Bool("bundle")
+ subtle = ctx.Bool("subtle")
+ skipCSRSignature = ctx.Bool("skip-csr-signature")
 )

 if ctx.IsSet("profile") && templateFile != "" {
 return errs.IncompatibleFlagWithFlag(ctx, "profile", "template")
 }

+ if ctx.Bool("csr") && skipCSRSignature {
+ return errs.IncompatibleFlagWithFlag(ctx, "csr", "skip-csr-signature")
+ }
+
 // Read template if passed
 var template string
 if templateFile != "" {
@@ -558,7 +568,7 @@ func createAction(ctx *cli.Context) error {
 // Create certificate request
 data := x509util.CreateTemplateData(subject, sans)
 data.SetUserData(userData)
- csr, err := x509util.NewCertificateRequest(priv, x509util.WithTemplate(template, data))
+ csr, err := x509util.NewCertificateRequest(priv, x509util.WithTemplate[*x509.CertificateRequest](template, data))
 if err != nil {
 return err
 }
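Review bot: The `Usage` string added for `ca-kms` reads `The to configure the KMS used for signing the certificate`, which is missing the placeholder word; it was probably `<uri>` lost in transit, so confirm the source has `Usage: "The <uri> to configure the KMS used for signing the certificate"`. The `skip-csr-signature` usage should also state what is given up: on that path no signature made by the key being certified is ever produced or checked, so the tool has no proof of possession for `--key` and certifies whatever public key the KMS reference resolves to; suggest `Usage: "Skip creating and signing a CSR; the certified key is not proven to be held by the requester"`. The incompatibility check with `--csr` in the second hunk is the right place for that guard, but it uses `ctx.Bool("csr")` while every other flag in the block is read once into the `var` group, so `csr = ctx.Bool("csr")` there would keep the style uniform.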
@@ -634,21 +644,31 @@ func createAction(ctx *cli.Context) error {
 defaultValidity = defaultTemplatevalidity
 }

- // Create X.509 certificate used as base for the certificate
- cr, err := x509util.CreateCertificateRequest(subject, sans, priv)
- if err != nil {
- return err
- }
-
 // Create X.509 certificate
 templateData := x509util.CreateTemplateData(subject, sans)
 templateData.SetUserData(userData)
- certificate, err := x509util.NewCertificate(cr, x509util.WithTemplate(template, templateData))
- if err != nil {
- return err
+
+ var certTemplate = &x509.Certificate{}
+ if skipCSRSignature {
+ certTemplate.PublicKey = pub
+ certificate, err := x509util.NewCertificateFromX509(certTemplate, x509util.WithTemplate[*x509.Certificate](template, templateData))
+ if err != nil {
+ return err
+ }
+ certTemplate = certificate.GetCertificate()
+ } else {
+ // Create X.509 certificate used as base for the certificate
+ cr, err := x509util.CreateCertificateRequest(subject, sans, priv)
+ if err != nil {
+ return err
+ }
+ certificate, err := x509util.NewCertificate(cr, x509util.WithTemplate[*x509.CertificateRequest](template, templateData))
+ if err != nil {
+ return err
+ }
+ certTemplate = certificate.GetCertificate()
 }
- certTemplate := certificate.GetCertificate()
 if parent == nil {
 parent = certTemplate
 }
@@ -770,7 +790,7 @@ func parseSigner(ctx *cli.Context, defaultSigner crypto.Signer) (*x509.Certifica
 var (
 caCert = ctx.String("ca")
 caKey = ctx.String("ca-key")
- caKMS = ctx.String("ca-kms")
+ caKMS = ctx.String("ca-kms") // TODO: ensure "softkms:" is handled correctly
 profile = ctx.String("profile")
 template = ctx.String("template")
 )
diff --git a/command/certificate/sign.go b/command/certificate/sign.go
index b762457be..8f2df2f3c 100644
--- a/command/certificate/sign.go
+++ b/command/certificate/sign.go
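Review bot: In the `skipCSRSignature` branch the base certificate carries only `PublicKey`, whereas the CSR branch also hands subject and SANs to the template through `cr`; a custom template that reads the request data (rather than `.Subject`/`.SANs` from `templateData`) would see empty values on the new path, and nothing in the hunk says so. A comment on `certTemplate.PublicKey = pub` such as `// No CSR on this path: subject and SANs come only from templateData, never from a request` would make that contract visible, and the default profiles should be checked against it. Two style points: `var certTemplate = &x509.Certificate{}` is normally written `certTemplate := &x509.Certificate{}`, and the per-branch `certificate, err :=` declarations shadow the outer `err` (harmless here since each branch returns it, but the `shadow` analyzer will flag them). The `// TODO: ensure "softkms:" is handled correctly` trailer in the second hunk records an open question about the default KMS for `--ca-key`; it should be resolved and the answer noted rather than dropped later. createAction continues outside the hunk.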
@@ -329,7 +329,7 @@ func signAction(ctx *cli.Context) error {
 // Create certificate template from csr.
 data := createTemplateData(csr, maxPathLen)
 data.SetUserData(userData)
- tpl, err := x509util.NewCertificate(csr, x509util.WithTemplate(template, data))
+ tpl, err := x509util.NewCertificate(csr, x509util.WithTemplate[*x509.CertificateRequest](template, data))
 if err != nil {
 return err
 }
diff --git a/go.mod b/go.mod
index 167ed5a1c..3801cbe67 100644
--- a/go.mod
+++ b/go.mod
@@ -21,13 +21,13 @@ require (
 github.com/smallstep/truststore v0.12.1
 github.com/smallstep/zcrypto v0.0.0-20221001003018-1ab2364d2a91
 github.com/smallstep/zlint v0.0.0-20220930192201-67fb4aa21910
- github.com/stretchr/testify v1.8.2
+ github.com/stretchr/testify v1.8.3
 github.com/urfave/cli v1.22.13
 go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 go.step.sm/cli-utils v0.7.6
 go.step.sm/crypto v0.30.0
 go.step.sm/linkedca v0.19.1
- golang.org/x/crypto v0.8.0
+ golang.org/x/crypto v0.9.0
 golang.org/x/sys v0.8.0
 golang.org/x/term v0.8.0
 google.golang.org/protobuf v1.30.0
@@ -81,11 +81,11 @@ require (
 github.com/google/btree v1.1.2 // indirect
 github.com/google/certificate-transparency-go v1.1.4 // indirect
 github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
- github.com/google/go-tpm-tools v0.3.11 // indirect
+ github.com/google/go-tpm-tools v0.3.12 // indirect
 github.com/google/go-tspi v0.3.0 // indirect
 github.com/google/s2a-go v0.1.3 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
- github.com/googleapis/gax-go/v2 v2.8.0 // indirect
+ github.com/googleapis/gax-go/v2 v2.9.0 // indirect
 github.com/huandu/xstrings v1.4.0 // indirect
 github.com/imdario/mergo v0.3.13 // indirect
 github.com/jackc/chunkreader/v2 v2.0.1 // indirect
@@ -124,11 +124,11 @@ require ( go.opencensus.io v0.24.0 // indirect golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0 // indirect golang.org/x/mod v0.8.0 // indirect - golang.org/x/net v0.9.0 // indirect + golang.org/x/net v0.10.0 // indirect golang.org/x/oauth2 v0.7.0 // indirect golang.org/x/text v0.9.0 // indirect golang.org/x/tools v0.6.0 // indirect - google.golang.org/api v0.121.0 // indirect + google.golang.org/api v0.123.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect google.golang.org/grpc v1.55.0 // indirect @@ -136,3 +136,5 @@ require ( howett.net/plist v1.0.0 // indirect k8s.io/klog/v2 v2.90.0 // indirect ) + +replace go.step.sm/crypto => ./../crypto diff --git a/go.sum b/go.sum index 80fb46eab..4afff19b1 100644 --- a/go.sum +++ b/go.sum @@ -168,7 +168,7 @@ github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.44.259 h1:7yDn1dcv4DZFMKpu+2exIH5O6ipNj9qXrKfdMUaIJwY= +github.com/aws/aws-sdk-go v1.44.267 h1:Asrp6EMqqRxZvjK0NjzkWcrOk15RnWtupuUrUuZMabk= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= 
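Review bot: The `replace go.step.sm/crypto => ./../crypto` directive appended to go.mod points at a sibling checkout, so building this commit anywhere that directory is absent fails, and the crypto module is no longer covered by go.sum (the go.sum hunk further down drops the `go.step.sm/crypto v0.30.0` entries), meaning `go mod verify` cannot attest to what was compiled. This looks like a development-only shortcut while the companion crypto change lands, and a later patch in this series removes it; if the series is squashed or bisected, this state should not be what ends up on a release branch. Until a tagged crypto version is required, the commit message should say the build depends on an unreleased local checkout.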
@@ -441,7 +441,7 @@ github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOm github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-replayers/grpcreplay v0.1.0/go.mod h1:8Ig2Idjpr6gifRd6pNVggX6TC1Zw6Jx74AKp7QNH2QE= github.com/google/go-replayers/httpreplay v0.1.0/go.mod h1:YKZViNhiGgqdBlUbI2MwGpq4pXxNmhJLPHQ7cv2b5no= -github.com/google/go-sev-guest v0.5.2 h1:dlCehnxU9aJWEIcTb0j7oZ/yM4qeno7AO6zWokb4mu0= +github.com/google/go-sev-guest v0.6.1 h1:NajHkAaLqN9/aW7bCFSUplUMtDgk2+HcN7jC2btFtk0= github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= github.com/google/go-tpm v0.3.2/go.mod h1:j71sMBTfp3X5jPHz852ZOfQMUOf65Gb/Th8pRmp7fvg= @@ -452,8 +452,8 @@ github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N github.com/google/go-tpm-tools v0.2.1/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= github.com/google/go-tpm-tools v0.3.1/go.mod h1:PSg+r5hSZI5tP3X7LBQx2sW1VSZUqZHBSrKyDqrB21U= github.com/google/go-tpm-tools v0.3.9/go.mod h1:22JvWmHcD5w55cs+nMeqDGDxgNS15/2pDq2cLqnc3rc= -github.com/google/go-tpm-tools v0.3.11 h1:imObhmECgDS+ua4aAVPkMfCzE9LTZjS/MmVMCrAG4VY= -github.com/google/go-tpm-tools v0.3.11/go.mod h1:5UcOsOyG5B2hWhKsqNI3TtOjTcZs5sh+3913uMN29Y8= +github.com/google/go-tpm-tools v0.3.12 h1:hpWglH4RaZnGVbgOK3IThI5K++jnFvjQ94EIN34xrUU= +github.com/google/go-tpm-tools v0.3.12/go.mod h1:2OtmyPGPuaWWIOjr+IDhNQb6t5njjbSmZtzc350Q6Ro= github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI= 
@@ -502,8 +502,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5 github.com/googleapis/gax-go v2.0.2+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.8.0 h1:UBtEZqx1bjXtOQ5BVTkuYghXrr3N4V123VKJK67vJZc= -github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= +github.com/googleapis/gax-go/v2 v2.9.0 h1:ie5/2yPjucjZW6fEGjLhS5+PhEg6owWMrFB5d7TFFhw= +github.com/googleapis/gax-go/v2 v2.9.0/go.mod h1:qf/E3rjAvrwLsAnQW+IClIu+z03yUf4KOoO82NfZ+QY= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXGbreo66NmE+3X3WQ= 
@@ -960,8 +960,9 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY= +github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLDRpvE+3b7gP/C2YyLFYxNmcLnPTMe0= github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0= @@ -1059,8 +1060,6 @@ go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16g go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.step.sm/cli-utils v0.7.6 h1:YkpLVrepmy2c5+eaz/wduiGxlgrRx3YdAStE37if25g= go.step.sm/cli-utils v0.7.6/go.mod h1:j+FxFZ2gbWkAJl0eded/rksuxmNqWpmyxbkXcukGJaY= -go.step.sm/crypto v0.30.0 h1:EzqPTvW1g6kxEnfIf/exDW+MhHGeEhtoNMhQX7P/UwI= -go.step.sm/crypto v0.30.0/go.mod h1:6jFFgUoafyHvb6rNq3NJrBByof4SCzj1n8ThyXuMVAM= go.step.sm/linkedca v0.19.1 h1:uY0ByT/uB3FCQ8zIo9mU7MWG7HKf5sDXNEBeN94MuP8= go.step.sm/linkedca v0.19.1/go.mod h1:vPV2ad3LFQJmV7XWt87VlnJSs6UOqgsbVGVWe3veEmI= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 
@@ -1108,8 +1107,8 @@ golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= -golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ= -golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= +golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= +golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1208,8 +1207,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= -golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1484,8 +1483,8 @@ google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtuk google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= -google.golang.org/api v0.121.0 h1:8Oopoo8Vavxx6gt+sgs8s8/X60WBAtKQq6JqnkF+xow= -google.golang.org/api v0.121.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms= +google.golang.org/api v0.123.0 h1:yHVU//vA+qkOhm4reEC9LtzHVUCN/IqqNRl1iQ9xE20= +google.golang.org/api v0.123.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
diff --git a/internal/cryptoutil/cryptoutil.go b/internal/cryptoutil/cryptoutil.go
index 02965bd39..47cabb145 100644
--- a/internal/cryptoutil/cryptoutil.go
+++ b/internal/cryptoutil/cryptoutil.go
@@ -138,9 +138,13 @@ func IsKMSSigner(signer crypto.Signer) (ok bool) {
 }

 // IsX509Signer returns true if the given signer is supported by Go's
-// crypto/x509 package to sign sign X509 certificates. This methods returns true
+// crypto/x509 package to sign X509 certificates. This methods returns true
 // for ECDSA, RSA and Ed25519 keys, but if the kms is `sshagentkms:` it will
 // only return true for Ed25519 keys.
+// TODO(hs): introspect the KMS key to verify that it can actually be
+// used for signing? E.g. for Google Cloud KMS RSA keys can be used for
+// signing or decryption, but only one of those at a time. Trying to use
+// a signing key to decrypt data will result in an error from Cloud KMS.
 func IsX509Signer(signer crypto.Signer) bool {
 pub := signer.Public()
 if ks, ok := signer.(*kmsSigner); ok {

From 45ea8b939a1d28227897feaa2bc4c6d2ca8c5207 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Fri, 26 May 2023 16:01:43 +0200
Subject: [PATCH 04/12] Use `NewCertificateFromX509` from https://github.com/smallstep/crypto/pull/248

Instead of relying on a new implementation based on generics, https://github.com/smallstep/crypto/pull/248 was created to have a minimal implementation for supporting signing public keys.
---
 command/certificate/create.go | 6 +++---
 command/certificate/sign.go | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/command/certificate/create.go b/command/certificate/create.go
index 1fe94fa09..02736b606 100644
--- a/command/certificate/create.go
+++ b/command/certificate/create.go
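Review bot: The rewritten comment line still reads `This methods returns true`; since the line is being touched anyway it should become `This method returns true`. The new TODO is worth keeping prominent rather than buried in the doc comment: as written, IsX509Signer decides from the key type alone, so a Cloud KMS RSA key provisioned for decryption passes this check and only fails once signing is attempted, which is the case `--skip-csr-signature` in this series works around. A sentence such as `The check is based on key type only; whether a KMS key is actually enabled for signing is not verified here.` would tell callers what they can and cannot rely on. The body of IsX509Signer continues outside the hunk.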
@@ -568,7 +568,7 @@ func createAction(ctx *cli.Context) error {
 // Create certificate request
 data := x509util.CreateTemplateData(subject, sans)
 data.SetUserData(userData)
- csr, err := x509util.NewCertificateRequest(priv, x509util.WithTemplate[*x509.CertificateRequest](template, data))
+ csr, err := x509util.NewCertificateRequest(priv, x509util.WithTemplate(template, data))
 if err != nil {
 return err
 }
@@ -651,7 +651,7 @@ func createAction(ctx *cli.Context) error {
 var certTemplate = &x509.Certificate{}
 if skipCSRSignature {
 certTemplate.PublicKey = pub
- certificate, err := x509util.NewCertificateFromX509(certTemplate, x509util.WithTemplate[*x509.Certificate](template, templateData))
+ certificate, err := x509util.NewCertificateFromX509(certTemplate, x509util.WithTemplate(template, templateData))
 if err != nil {
 return err
 }
@@ -662,7 +662,7 @@ func createAction(ctx *cli.Context) error {
 if err != nil {
 return err
 }
- certificate, err := x509util.NewCertificate(cr, x509util.WithTemplate[*x509.CertificateRequest](template, templateData))
+ certificate, err := x509util.NewCertificate(cr, x509util.WithTemplate(template, templateData))
 if err != nil {
 return err
 }
diff --git a/command/certificate/sign.go b/command/certificate/sign.go
index 8f2df2f3c..b762457be 100644
--- a/command/certificate/sign.go
+++ b/command/certificate/sign.go
@@ -329,7 +329,7 @@ func signAction(ctx *cli.Context) error {
 // Create certificate template from csr.
 data := createTemplateData(csr, maxPathLen)
 data.SetUserData(userData)
- tpl, err := x509util.NewCertificate(csr, x509util.WithTemplate[*x509.CertificateRequest](template, data))
+ tpl, err := x509util.NewCertificate(csr, x509util.WithTemplate(template, data))
 if err != nil {
 return err
 }

From 82cfd5fadb717976da111f13cdf98d9d2c27d5db Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 31 May 2023 19:32:00 +0200
Subject: [PATCH 05/12] Update to latest `go.step.sm/crypto` release

---
 go.mod | 12 +++++------
 go.sum | 22 ++++++++++++----------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/go.mod b/go.mod
index 3801cbe67..108d8e080 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 github.com/urfave/cli v1.22.13
 go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 go.step.sm/cli-utils v0.7.6
- go.step.sm/crypto v0.30.0
+ go.step.sm/crypto v0.31.1
 go.step.sm/linkedca v0.19.1
 golang.org/x/crypto v0.9.0
 golang.org/x/sys v0.8.0
@@ -83,9 +83,9 @@ require (
 github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
 github.com/google/go-tpm-tools v0.3.12 // indirect
 github.com/google/go-tspi v0.3.0 // indirect
- github.com/google/s2a-go v0.1.3 // indirect
+ github.com/google/s2a-go v0.1.4 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
- github.com/googleapis/gax-go/v2 v2.9.0 // indirect
+ github.com/googleapis/gax-go/v2 v2.9.1 // indirect
 github.com/huandu/xstrings v1.4.0 // indirect
 github.com/imdario/mergo v0.3.13 // indirect
 github.com/jackc/chunkreader/v2 v2.0.1 // indirect
@@ -125,10 +125,10 @@ require (
 golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0 // indirect
 golang.org/x/mod v0.8.0 // indirect
 golang.org/x/net v0.10.0 // indirect
- golang.org/x/oauth2 v0.7.0 // indirect
+ golang.org/x/oauth2 v0.8.0 // indirect
 golang.org/x/text v0.9.0 // indirect
 golang.org/x/tools v0.6.0 // indirect
- google.golang.org/api v0.123.0 // indirect
+ google.golang.org/api v0.124.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 google.golang.org/grpc v1.55.0 // indirect
@@ -136,5 +136,3 @@ require (
 howett.net/plist v1.0.0 // indirect
 k8s.io/klog/v2 v2.90.0 // indirect
 )
-
-replace go.step.sm/crypto => ./../crypto
diff --git a/go.sum b/go.sum index 4afff19b1..b9b26461e 100644 --- a/go.sum +++ b/go.sum @@ -168,7 +168,7 @@ github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.44.267 h1:Asrp6EMqqRxZvjK0NjzkWcrOk15RnWtupuUrUuZMabk= +github.com/aws/aws-sdk-go v1.44.271 h1:aa+Nu2JcnFmW1TLIz/67SS7KPq1I1Adl4RmExSMjGVo= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= @@ -483,8 +483,8 @@ github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg= -github.com/google/s2a-go v0.1.3 h1:FAgZmpLl/SXurPEZyCMPBIiiYeTbqfjlbdnCNTAkbGE= -github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= +github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/trillian v1.3.11/go.mod h1:0tPraVHrSDkA3BO6vKX67zgLXs6SsOAbHEivX+9mPgw= github.com/google/trillian v1.3.14-0.20210409160123-c5ea3abd4a41/go.mod h1:1dPv0CUjNQVFEDuAUFhZql16pw/VlPgaX8qj+g5pVzQ= 
@@ -502,8 +502,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5 github.com/googleapis/gax-go v2.0.2+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.9.0 h1:ie5/2yPjucjZW6fEGjLhS5+PhEg6owWMrFB5d7TFFhw= -github.com/googleapis/gax-go/v2 v2.9.0/go.mod h1:qf/E3rjAvrwLsAnQW+IClIu+z03yUf4KOoO82NfZ+QY= +github.com/googleapis/gax-go/v2 v2.9.1 h1:DpTpJqzZ3NvX9zqjhIuI1oVzYZMvboZe+3LoeEIJjHM= +github.com/googleapis/gax-go/v2 v2.9.1/go.mod h1:4FG3gMrVZlyMp5itSYKMU9z/lBE7+SbnUOvzH2HqbEY= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXGbreo66NmE+3X3WQ= @@ -1060,6 +1060,8 @@ go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16g go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.step.sm/cli-utils v0.7.6 h1:YkpLVrepmy2c5+eaz/wduiGxlgrRx3YdAStE37if25g= go.step.sm/cli-utils v0.7.6/go.mod h1:j+FxFZ2gbWkAJl0eded/rksuxmNqWpmyxbkXcukGJaY= +go.step.sm/crypto v0.31.1 h1:Ua2asApVvWP3DP26L1q1fHGV1Ud/w8VQUA6JQyj2TUI= +go.step.sm/crypto v0.31.1/go.mod h1:gFQ/XlQIIiFRfZrXglqKbrX9bgC1HmsASErev9sZN4A= go.step.sm/linkedca v0.19.1 h1:uY0ByT/uB3FCQ8zIo9mU7MWG7HKf5sDXNEBeN94MuP8= go.step.sm/linkedca v0.19.1/go.mod h1:vPV2ad3LFQJmV7XWt87VlnJSs6UOqgsbVGVWe3veEmI= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 
@@ -1228,8 +1230,8 @@ golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g= -golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= +golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1243,7 +1245,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= golang.org/x/sys v0.0.0-20170728174421-0f826bdd13b5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1483,8 +1485,8 @@ google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtuk google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= -google.golang.org/api v0.123.0 h1:yHVU//vA+qkOhm4reEC9LtzHVUCN/IqqNRl1iQ9xE20= -google.golang.org/api v0.123.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms= +google.golang.org/api v0.124.0 h1:dP6Ef1VgOGqQ8eiv4GiY8RhmeyqzovcXBYPDUYG8Syo= +google.golang.org/api v0.124.0/go.mod h1:xu2HQurE5gi/3t1aFCvhPD781p0a3p11sdunTJ2BlP4= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= From b29e3fbf568bb7028e18ea9b5a009b55b5801634 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Wed, 31 May 2023 23:13:05 +0200 Subject: [PATCH 06/12] Add examples for using `--ca-kms` and `--skip-csr-signature` --- command/certificate/create.go | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/command/certificate/create.go b/command/certificate/create.go index 02736b606..739c045b6 100644 --- a/command/certificate/create.go +++ b/command/certificate/create.go 
@@ -350,6 +350,28 @@ $ step certificate create \
 --key 'pkcs11:id=4001' \
 'My KMS Intermediate' intermediate_ca.crt
 '''
+
+Create an intermediate certificate for an RSA decryption key in Google Cloud KMS, signed by a root stored on disk, using :
+'''
+$ step certificate create \
+ --profile intermediate-ca \
+ --kms cloudkms: \
+ --ca root_ca.crt --ca-key root_ca_key \
+ --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
+ --skip-csr-signature \
+ 'My RSA Intermediate' intermediate_rsa_ca.crt
+'''
+
+Create an intermediate certificate for an RSA signing key in Google Cloud KMS, signed by a root stored in an HSM, using :
+'''
+$ step certificate create \
+ --profile intermediate-ca \
+ --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
+ --kms cloudkms: \
+ --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
+ --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
+ 'My RSA Intermediate' intermediate_rsa_ca.crt
+'''
 `,
 Flags: []cli.Flag{
 flags.KMSUri,

From 6dbe189883cf0008813aa199684e341b372524fa Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Fri, 4 Aug 2023 12:30:29 +0200
Subject: [PATCH 07/12] Upgrade `golang.org/x/net` to `v0.13.0`

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 623caebdc..9b17270e0 100644
--- a/go.mod
+++ b/go.mod
@@ -123,7 +123,7 @@ require (
 go.opencensus.io v0.24.0 // indirect
 golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0 // indirect
 golang.org/x/mod v0.10.0 // indirect
- golang.org/x/net v0.12.0 // indirect
+ golang.org/x/net v0.13.0 // indirect
 golang.org/x/oauth2 v0.9.0 // indirect
 golang.org/x/text v0.11.0 // indirect
 golang.org/x/tools v0.8.0 // indirect
diff --git a/go.sum b/go.sum
index 01c7a3068..e1e4eb383 100644
--- a/go.sum
+++ b/go.sum
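Review bot: Both new example introductions end in `using :` with the flag they demonstrate missing, most likely a formatting token dropped in transit; the first should read `..., signed by a root stored on disk, using **--skip-csr-signature**:` and the second `..., signed by a root stored in an HSM, using **--ca-kms**:`, matching how the help text elsewhere bolds flag names. The second example also puts the HSM PIN directly in the URI (`pin-value=password`); because this is the snippet users copy, it teaches putting a PIN on the command line where it ends up in shell history and process listings. Prefer `pin-source=` with a path to a protected file in the example, or leave the PIN attribute out and mention it in prose. The first example is a good illustration of why `--skip-csr-signature` exists (a decryption-only Cloud KMS key); a half sentence saying that the key is certified without a proof-of-possession signature in that case would round it out.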
@@ -1205,8 +1205,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50= -golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY= +golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= From fd609e9aa7c322b632a51524dcc1af4be5f84d74 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Wed, 9 Aug 2023 12:48:47 +0200 Subject: [PATCH 08/12] Add `--ca-kms` and `--skip-csr-signature` flags to usage text --- command/certificate/create.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/command/certificate/create.go b/command/certificate/create.go index 739c045b6..6f11098cb 100644 --- a/command/certificate/create.go +++ b/command/certificate/create.go 
@@ -45,10 +45,10 @@ func createCommand() cli.Command {
 [**--template**=] [**--set**=] [**--set-file**=]
 [**--not-before**=] [**--not-after**=]
 [**--password-file**=] [**--ca**=]
-[**--ca-key**=] [**--ca-password-file**=]
+[**--ca-key**=] [**--ca-kms**=] [**--ca-password-file**=]
 [**--san**=] [**--bundle**] [**--key**=]
 [**--kty**=] [**--curve**=] [**--size**=]
-[**--no-password**] [**--insecure**]`,
+[**--skip-csr-signature**] [**--no-password**] [**--insecure**]`,
 Description: `**step certificate create** generates a certificate or a
 certificate signing request (CSR) that can be signed later using 'step
 certificate sign' (or some other tool) to produce a certificate.
@@ -812,7 +812,7 @@ func parseSigner(ctx *cli.Context, defaultSigner crypto.Signer) (*x509.Certifica
 var (
 caCert = ctx.String("ca")
 caKey = ctx.String("ca-key")
- caKMS = ctx.String("ca-kms") // TODO: ensure "softkms:" is handled correctly
+ caKMS = ctx.String("ca-kms")
 profile = ctx.String("profile")
 template = ctx.String("template")
 )
From ce5c69ac40f5f550a756afc0d5e941ef3e57bf4a Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 9 Aug 2023 12:57:56 +0200
Subject: [PATCH 09/12] Update changelog with `--ca-kms` and `--skip-csr-signature`
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 70635fb6d..4de80b221 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,10 +37,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Detect OIDC tokens issued by Kubernetes (smallstep/cli#953).
 - Add support for Smallstep Managed Endpoint X509 extension (smallstep/cli#989).
+- Support signing a certificate for a private key that can only be used for encryption with the `--skip-csr-signature` flag in `step certificate create`. Some KMSs restrict key usage to a single type of cryptographic operation. This blocks RSA decryption keys from being used to sign a CSR for their public key. Using the `--skip-csr-signature` flag, the public key is used directly with a certificate template, removing the need for the CSR signature.
 ### Changed
 - Increase PBKDF2 iterations to 600k (smallstep/cli#949).
+- `--kms` flag is no longer used for the CA (signing) key for `step certificate create`. It was replaced by the `--ca-kms` flag (smallstep/cli#942).
 ### Fixed
From 53e0bab65f910395a19f51c386e17d1e9143f341 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 9 Aug 2023 13:04:34 +0200
Subject: [PATCH 10/12] Make usage text flags flow better
---
 command/certificate/create.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/command/certificate/create.go b/command/certificate/create.go
index 6f11098cb..72cce54ee 100644
--- a/command/certificate/create.go
+++ b/command/certificate/create.go
@@ -44,9 +44,9 @@ func createCommand() cli.Command {
 [**--kms**=] [**--csr**] [**--profile**=]
 [**--template**=] [**--set**=] [**--set-file**=]
 [**--not-before**=] [**--not-after**=]
-[**--password-file**=] [**--ca**=]
-[**--ca-key**=] [**--ca-kms**=] [**--ca-password-file**=]
-[**--san**=] [**--bundle**] [**--key**=]
+[**--password-file**=] [**--ca**=]
+[**--ca-key**=] [**--ca-password-file**=]
+[**--ca-kms**=] [**--san**=] [**--bundle**] [**--key**=]
 [**--kty**=] [**--curve**=] [**--size**=]
 [**--skip-csr-signature**] [**--no-password**] [**--insecure**]`,
 Description: `**step certificate create** generates a certificate or a
From 290f81d10390b8cb2ab39d65ce061410628cf8f2 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 9 Aug 2023 20:40:36 +0200
Subject: [PATCH 11/12] Fix some example commands
---
 command/certificate/create.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/command/certificate/create.go b/command/certificate/create.go
index 72cce54ee..a975b6525 100644
--- a/command/certificate/create.go
+++ b/command/certificate/create.go
@@ -345,8 +345,9 @@ $ step kms create \
 'pkcs11:id=4001;object=intermediate-key'
 $ step certificate create \
 --profile intermediate-ca \
- --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
+ --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password'
 --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
+ --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
 --key 'pkcs11:id=4001' \
 'My KMS Intermediate' intermediate_ca.crt
 '''
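Review bot: In the `@@ -345,8 +345,9 @@` hunk the added `--ca-kms '...'` line has no trailing ` \`, so the example as printed ends the command after `--ca-kms` and runs `--ca root_ca.crt --ca-key 'pkcs11:id=4000' \` as a separate command. Unless the backslash was dropped in rendering, the line should read `--ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \`, like the `--kms` line added directly below it. The example block starts outside the hunk.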
@@ -355,8 +356,8 @@ Create an intermediate certificate for an RSA decryption key in Google Cloud KMS
 '''
 $ step certificate create \
 --profile intermediate-ca \
+ --ca root_ca.crt --ca-key root_ca_key \
 --kms cloudkms: \
- --ca root_ca.crt --ca-key root_ca_key \
 --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
 --skip-csr-signature \
 'My RSA Intermediate' intermediate_rsa_ca.crt
@@ -367,8 +368,8 @@ Create an intermediate certificate for an RSA signing key in Google Cloud KMS, s
 $ step certificate create \
 --profile intermediate-ca \
 --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
+ --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
 --kms cloudkms: \
- --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
 --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
 'My RSA Intermediate' intermediate_rsa_ca.crt
 '''
From 9845803ca56b30d21ba310d6b7dcd11dd7475d39 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 9 Aug 2023 21:24:12 +0200
Subject: [PATCH 12/12] Prevent shelling out to KMS plugin for `softkms`
---
 internal/cryptoutil/cryptoutil.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/internal/cryptoutil/cryptoutil.go b/internal/cryptoutil/cryptoutil.go
index 47cabb145..0204cf934 100644
--- a/internal/cryptoutil/cryptoutil.go
+++ b/internal/cryptoutil/cryptoutil.go
@@ -29,7 +29,7 @@ type Attestor interface {
 // CreateSigner reads a key from a file with a given name or creates a signer
 // with the given kms and name uri.
 func CreateSigner(kms, name string, opts ...pemutil.Options) (crypto.Signer, error) {
- if kms == "" {
+ if kms == "" || isSoftKMS(kms) {
 s, err := pemutil.Read(name, opts...)
 if err != nil {
 return nil, err
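Review bot: The doc comment above `CreateSigner` still describes the file-read path as taken only when no kms is given, but the new condition also takes it for a softkms URI; suggest `// CreateSigner reads a key from a file with the given name when kms is empty or a softkms URI, or creates a signer with the given kms and name uri.` Taking that branch discards `kms` and hands `name` to `pemutil.Read` unchanged, so if the plugin accepted names carrying their own `softkms:` prefix, such a value would now be opened as a literal file path and fail — worth confirming against the name formats the plugin allows. The body of `CreateSigner` continues outside the hunk.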
@@ -43,6 +43,10 @@ func CreateSigner(kms, name string, opts ...pemutil.Options) (crypto.Signer, err
 return newKMSSigner(kms, name)
 }
+func isSoftKMS(kms string) bool {
+ return strings.HasPrefix(strings.ToLower(strings.TrimSpace(kms)), "softkms")
+}
+
 // LoadCertificate returns a x509.Certificate from a kms or file
 func LoadCertificate(kms, certPath string) ([]*x509.Certificate, error) {
 if kms == "" {
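Review bot: `isSoftKMS` is a bare prefix test, so any value that merely starts with `softkms` (a scheme such as `softkmsfoo:` would too) skips the plugin and is read from disk; deciding on the scheme itself is tighter, e.g. `scheme, _, _ := strings.Cut(strings.ToLower(strings.TrimSpace(kms)), ":")` followed by `return scheme == "softkms"`. The lowercasing also accepts `SoftKMS:` here while the plugin path behind `newKMSSigner` may compare schemes case-sensitively, so the two decisions should agree. A one-line doc comment would help: `// isSoftKMS reports whether kms selects the softkms scheme, whose keys are plain files that CreateSigner reads directly instead of going through the KMS plugin.` The diffstat shows no import change, so `strings` is presumably already imported in this file.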