ca

package
v1.11.0-beta1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 15, 2021 License: MPL-2.0 Imports: 33 Imported by: 57

Documentation

Index

Constants

View Source
const (
	// RootTemplateARN is the AWS-defined template we need to use when issuing a
	// root cert.
	RootTemplateARN = "arn:aws:acm-pca:::template/RootCACertificate/V1"

	// IntermediateTemplateARN is the AWS-defined template we need to use when
	// issuing an intermediate cert.
	IntermediateTemplateARN = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"

	// LeafTemplateARN is the AWS-defined template we need to use when issuing a
	// leaf cert.
	LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"

	// RootTTL is the validity duration for root certs we create.
	AWSRootTTL = 5 * 365 * 24 * time.Hour

	// IntermediateTTL is the validity duration for the intermediate certs we
	// create.
	AWSIntermediateTTL = 1 * 365 * 24 * time.Hour

	// SignTimout is the maximum time we will spend waiting (polling) for a leaf
	// certificate to be signed.
	AWSSignTimeout = 45 * time.Second

	// CreateTimeout is the maximum time we will spend waiting (polling)
	// for the CA to be created.
	AWSCreateTimeout = 2 * time.Minute

	// AWSStateCAARNKey is the key in the provider State we store the ARN of the
	// CA we created if any.
	AWSStateCAARNKey = "CA_ARN"
)
View Source
const VaultCALeafCertRole = "leaf-cert"

Variables

View Source
var (
	// NotBefore will be CertificateTimeDriftBuffer in the past to account for
	// time drift between different servers.
	CertificateTimeDriftBuffer = time.Minute

	ErrNotInitialized = errors.New("provider not initialized")
)
View Source
var ErrBackendNotInitialized = fmt.Errorf("backend not initialized")
View Source
var ErrBackendNotMounted = fmt.Errorf("backend not mounted")
View Source
var ErrRateLimited = errors.New("operation rate limited by CA provider")

ErrRateLimited is a sentinel error value Providers may return from any method to indicate that the operation can't complete due to a temporary rate limit. In the case of signing new certificates, Consul clients will respect this and intelligently backoff to optimize rotation rollout time while reducing load on servers and CA provider.

View Source
var KeyTestCases = []struct {
	Desc    string
	KeyType string
	KeyBits int
}{
	{
		Desc:    "Default Key Type (EC 256)",
		KeyType: connect.DefaultPrivateKeyType,
		KeyBits: connect.DefaultPrivateKeyBits,
	},
	{
		Desc:    "RSA 2048",
		KeyType: "rsa",
		KeyBits: 2048,
	},
}

KeyTestCases is a list of the important CA key types that we should test against when signing. For now leaf keys are always EC P256 but CA can be EC (any NIST curve) or RSA (2048, 4096). Providers must be able to complete all signing operations with both types that includes:

  • Sign must be able to sign EC P256 leaf with all these types of CA key
  • CrossSignCA must be able to sign all these types of new CA key with all these types of old CA key.
  • SignIntermediate muse bt able to sign all the types of secondary intermediate CA key with all these types of primary CA key

Functions

func ApplyCARequestToStore added in v1.8.7

func ApplyCARequestToStore(store *state.Store, req *structs.CARequest) (interface{}, error)

func EnsureTrailingNewline added in v1.8.14

func EnsureTrailingNewline(cert string) string

EnsureTrailingNewline this is used to fix a case where the provider do not return a new line after the certificate as per the specification see GH-8178 for more context

func ParseAWSCAConfig added in v1.7.0

func ParseAWSCAConfig(raw map[string]interface{}) (*structs.AWSCAProviderConfig, error)

ParseAWSCAConfig parses and validates AWS CA Provider configuration.

func ParseConsulCAConfig

func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error)

func ParseVaultCAConfig

func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error)

func SkipIfVaultNotPresent added in v1.7.13

func SkipIfVaultNotPresent(t testing.T)

SkipIfVaultNotPresent skips the test if the vault binary is not in PATH.

These tests may be skipped in CI. They are run as part of a separate integration test suite.

Types

type AWSProvider added in v1.7.0

type AWSProvider struct {
	// contains filtered or unexported fields
}

AWSProvider implements Provider for AWS ACM PCA

func NewAWSProvider added in v1.11.0

func NewAWSProvider(logger hclog.Logger) *AWSProvider

NewAWSProvider returns a new AWSProvider

func (*AWSProvider) ActiveIntermediate added in v1.7.0

func (a *AWSProvider) ActiveIntermediate() (string, error)

ActiveIntermediate implements Provider

func (*AWSProvider) ActiveRoot added in v1.7.0

func (a *AWSProvider) ActiveRoot() (string, error)

ActiveRoot implements Provider

func (*AWSProvider) Cleanup added in v1.7.0

func (a *AWSProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

Cleanup implements Provider

func (*AWSProvider) Configure added in v1.7.0

func (a *AWSProvider) Configure(cfg ProviderConfig) error

Configure implements Provider

func (*AWSProvider) CrossSignCA added in v1.7.0

func (a *AWSProvider) CrossSignCA(newCA *x509.Certificate) (string, error)

CrossSignCA implements Provider

func (*AWSProvider) GenerateIntermediate added in v1.7.0

func (a *AWSProvider) GenerateIntermediate() (string, error)

GenerateIntermediate implements Provider

func (*AWSProvider) GenerateIntermediateCSR added in v1.7.0

func (a *AWSProvider) GenerateIntermediateCSR() (string, error)

GenerateIntermediateCSR implements Provider

func (*AWSProvider) GenerateRoot added in v1.7.0

func (a *AWSProvider) GenerateRoot() error

GenerateRoot implements Provider

func (*AWSProvider) SetIntermediate added in v1.7.0

func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string) error

SetIntermediate implements Provider

func (*AWSProvider) Sign added in v1.7.0

func (a *AWSProvider) Sign(csr *x509.CertificateRequest) (string, error)

Sign implements Provider

func (*AWSProvider) SignIntermediate added in v1.7.0

func (a *AWSProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate implements Provider

func (*AWSProvider) State added in v1.7.0

func (a *AWSProvider) State() (map[string]string, error)

State implements Provider

func (*AWSProvider) SupportsCrossSigning added in v1.7.0

func (a *AWSProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

type CASigningKeyTypes added in v1.7.0

type CASigningKeyTypes struct {
	Desc           string
	SigningKeyType string
	SigningKeyBits int
	CSRKeyType     string
	CSRKeyBits     int
}

CASigningKeyTypes is a struct with params for tests that sign one CA CSR with another CA key.

func CASigningKeyTypeCases added in v1.7.0

func CASigningKeyTypeCases() []CASigningKeyTypes

CASigningKeyTypeCases returns the cross-product of the important supported CA key types for generating table tests for CA signing tests (CrossSignCA and SignIntermediate).

type ConsulProvider

type ConsulProvider struct {
	Delegate ConsulProviderStateDelegate

	sync.RWMutex
	// contains filtered or unexported fields
}

func NewConsulProvider

func NewConsulProvider(delegate ConsulProviderStateDelegate, logger hclog.Logger) *ConsulProvider

NewConsulProvider returns a new ConsulProvider that is ready to be used.

func TestConsulProvider added in v1.7.0

func TestConsulProvider(t testing.T, d ConsulProviderStateDelegate) *ConsulProvider

TestConsulProvider creates a new ConsulProvider, taking care to stub out it's Logger so that logging calls don't panic. If logging output is important

func (*ConsulProvider) ActiveIntermediate

func (c *ConsulProvider) ActiveIntermediate() (string, error)

We aren't maintaining separate root/intermediate CAs for the builtin provider, so just return the root.

func (*ConsulProvider) ActiveRoot

func (c *ConsulProvider) ActiveRoot() (string, error)

ActiveRoot returns the active root CA certificate.

func (*ConsulProvider) Cleanup

func (c *ConsulProvider) Cleanup(_ bool, _ map[string]interface{}) error

Remove the state store entry for this provider instance.

func (*ConsulProvider) Configure added in v1.3.0

func (c *ConsulProvider) Configure(cfg ProviderConfig) error

Configure sets up the provider using the given configuration.

func (*ConsulProvider) CrossSignCA

func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error)

CrossSignCA returns the given CA cert signed by the current active root.

func (*ConsulProvider) GenerateIntermediate

func (c *ConsulProvider) GenerateIntermediate() (string, error)

We aren't maintaining separate root/intermediate CAs for the builtin provider, so just return the root.

func (*ConsulProvider) GenerateIntermediateCSR added in v1.3.0

func (c *ConsulProvider) GenerateIntermediateCSR() (string, error)

GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign.

func (*ConsulProvider) GenerateRoot added in v1.3.0

func (c *ConsulProvider) GenerateRoot() error

GenerateRoot initializes a new root certificate and private key if needed.

func (*ConsulProvider) SetIntermediate added in v1.3.0

func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM string) error

SetIntermediate validates that the given intermediate is for the right private key and writes the given intermediate and root certificates to the state.

func (*ConsulProvider) Sign

Sign returns a new certificate valid for the given SpiffeIDService using the current CA.

func (*ConsulProvider) SignIntermediate added in v1.3.0

func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate will validate the CSR to ensure the trust domain in the URI SAN matches the local one and that basic constraints for a CA certificate are met. It should return a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.

func (*ConsulProvider) State added in v1.7.0

func (c *ConsulProvider) State() (map[string]string, error)

State implements Provider. Consul actually does store all it's state in raft but it manages it independently through a separate table already so this is a no-op. This method just passes through testState which allows tests to verify state handling behavior without needing to plumb a full test mock provider right through Consul server code.

func (*ConsulProvider) SupportsCrossSigning added in v1.7.0

func (c *ConsulProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

type ConsulProviderStateDelegate

type ConsulProviderStateDelegate interface {
	State() *state.Store
	ApplyCARequest(*structs.CARequest) (interface{}, error)
}

type MockProvider added in v1.4.1

type MockProvider struct {
	mock.Mock
}

MockProvider is an autogenerated mock type for the Provider type

func (*MockProvider) ActiveIntermediate added in v1.4.1

func (_m *MockProvider) ActiveIntermediate() (string, error)

ActiveIntermediate provides a mock function with given fields:

func (*MockProvider) ActiveRoot added in v1.4.1

func (_m *MockProvider) ActiveRoot() (string, error)

ActiveRoot provides a mock function with given fields:

func (*MockProvider) Cleanup added in v1.4.1

func (_m *MockProvider) Cleanup(providerTypeChange bool, config map[string]interface{}) error

Cleanup provides a mock function with given fields: providerTypeChange, config

func (*MockProvider) Configure added in v1.4.1

func (_m *MockProvider) Configure(cfg ProviderConfig) error

Configure provides a mock function with given fields: cfg

func (*MockProvider) CrossSignCA added in v1.4.1

func (_m *MockProvider) CrossSignCA(_a0 *x509.Certificate) (string, error)

CrossSignCA provides a mock function with given fields: _a0

func (*MockProvider) GenerateIntermediate added in v1.4.1

func (_m *MockProvider) GenerateIntermediate() (string, error)

GenerateIntermediate provides a mock function with given fields:

func (*MockProvider) GenerateIntermediateCSR added in v1.4.1

func (_m *MockProvider) GenerateIntermediateCSR() (string, error)

GenerateIntermediateCSR provides a mock function with given fields:

func (*MockProvider) GenerateRoot added in v1.4.1

func (_m *MockProvider) GenerateRoot() error

GenerateRoot provides a mock function with given fields:

func (*MockProvider) SetIntermediate added in v1.4.1

func (_m *MockProvider) SetIntermediate(intermediatePEM string, rootPEM string) error

SetIntermediate provides a mock function with given fields: intermediatePEM, rootPEM

func (*MockProvider) Sign added in v1.4.1

func (_m *MockProvider) Sign(_a0 *x509.CertificateRequest) (string, error)

Sign provides a mock function with given fields: _a0

func (*MockProvider) SignIntermediate added in v1.4.1

func (_m *MockProvider) SignIntermediate(_a0 *x509.CertificateRequest) (string, error)

SignIntermediate provides a mock function with given fields: _a0

func (*MockProvider) State added in v1.7.0

func (_m *MockProvider) State() (map[string]string, error)

State provides a mock function with given fields:

func (*MockProvider) SupportsCrossSigning added in v1.7.0

func (_m *MockProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning provides a mock function with given fields:

type NeedsStop added in v1.8.5

type NeedsStop interface {
	Stop()
}

NeedsStop is an optional interface that allows a CA to define a function to be called when the CA instance is no longer in use. This is different from Cleanup(), as only the local provider instance is being shut down such as in the case of a leader change.

type PrimaryUsesIntermediate added in v1.9.14

type PrimaryUsesIntermediate interface {
	PrimaryUsesIntermediate()
}

PrimaryUsesIntermediate is an optional interface that CA providers may implement to indicate that they use an intermediate cert in the primary datacenter as well as the secondary. This is used when determining whether to run the intermediate renewal routine in the primary.

type Provider

type Provider interface {
	// Configure initializes the provider based on the given cluster ID, root
	// status and configuration values. rawConfig contains the user-provided
	// Config. State contains a the State the same provider last persisted on a
	// restart or reconfiguration. The provider must not modify `rawConfig` or
	// `state` maps directly as it may be being read from other goroutines.
	Configure(cfg ProviderConfig) error

	// State returns the current provider state. If the provider doesn't need to
	// store anything other than what the user configured this can return nil. It
	// is called after any config change before the new active config is stored in
	// the state store and the most recent value returned by the provider is given
	// in subsequent `Configure` calls provided that the current provider is the
	// same type as the new provider instance being configured. This provides a
	// simple way for providers to persist information like UUIDs of resources
	// they manage. This state is visible to anyone with operator:read via the API
	// so it's not intended for storing secrets like root private keys. Only
	// strings are permitted since this has to pass through msgpack and so
	// interface values will end up mangled in many cases which is ugly for all
	// provider code to have to remember to reason about.
	//
	// Note that the map returned will be accessed (read-only) in other goroutines
	// - for example passed to Configure in the Connect CA Config RPC endpoint -
	// so it must not just be a pointer to a map that may internally be modified.
	// If the Provider only writes to it during Configure it's safe to return
	// as-is, but otherwise it's assumed the map returned is a copy of the state
	// in the Provider struct so it won't change after being returned.
	State() (map[string]string, error)

	// GenerateRoot causes the creation of a new root certificate for this provider.
	// This can also be a no-op if a root certificate already exists for the given
	// config. If IsPrimary is false, calling this method is an error.
	GenerateRoot() error

	// ActiveRoot returns the currently active root CA for this
	// provider. This should be a parent of the certificate returned by
	// ActiveIntermediate()
	ActiveRoot() (string, error)

	// GenerateIntermediateCSR generates a CSR for an intermediate CA
	// certificate, to be signed by the root of another datacenter. If IsPrimary was
	// set to true with Configure(), calling this is an error.
	GenerateIntermediateCSR() (string, error)

	// SetIntermediate sets the provider to use the given intermediate certificate
	// as well as the root it was signed by. This completes the initialization for
	// a provider where IsPrimary was set to false in Configure().
	SetIntermediate(intermediatePEM, rootPEM string) error

	// ActiveIntermediate returns the current signing cert used by this provider
	// for generating SPIFFE leaf certs. Note that this must not change except
	// when Consul requests the change via GenerateIntermediate. Changing the
	// signing cert will break Consul's assumptions about which validation paths
	// are active.
	ActiveIntermediate() (string, error)

	// GenerateIntermediate returns a new intermediate signing cert and sets it to
	// the active intermediate. If multiple intermediates are needed to complete
	// the chain from the signing certificate back to the active root, they should
	// all by bundled here.
	GenerateIntermediate() (string, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
	// returned should include only the leaf certificate as all Intermediates
	// needed to validate it will be added by Consul based on the active
	// intemediate and any cross-signed intermediates managed by Consul. Note that
	// providers should return ErrRateLimited if they are unable to complete the
	// operation due to upstream rate limiting so that clients can intelligently
	// backoff.
	Sign(*x509.CertificateRequest) (string, error)

	// SignIntermediate will validate the CSR to ensure the trust domain in the
	// URI SAN matches the local one and that basic constraints for a CA
	// certificate are met. It should return a signed CA certificate with a path
	// length constraint of 0 to ensure that the certificate cannot be used to
	// generate further CA certs. Note that providers should return ErrRateLimited
	// if they are unable to complete the operation due to upstream rate limiting
	// so that clients can intelligently backoff.
	SignIntermediate(*x509.CertificateRequest) (string, error)

	// CrossSignCA must accept a CA certificate from another CA provider and cross
	// sign it exactly as it is such that it forms a chain back the the
	// CAProvider's current root. Specifically, the Distinguished Name, Subject
	// Alternative Name, SubjectKeyID and other relevant extensions must be kept.
	// The resulting certificate must have a distinct Serial Number and the
	// AuthorityKeyID set to the CAProvider's current signing key as well as the
	// Issuer related fields changed as necessary. The resulting certificate is
	// returned as a PEM formatted string.
	//
	// If the CA provider does not support this operation, it may return an error
	// provided `SupportsCrossSigning` also returns false. Note that
	// providers should return ErrRateLimited if they are unable to complete the
	// operation due to upstream rate limiting so that clients can intelligently
	// backoff.
	CrossSignCA(*x509.Certificate) (string, error)

	// SupportsCrossSigning should indicate whether the CA provider supports
	// cross-signing an external root to provide a seamless rotation. If the CA
	// does not support this, the user will have to force an upgrade when that CA
	// provider is the current CA as the upgrade may cause interruptions to
	// connectivity during the rollout.
	SupportsCrossSigning() (bool, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA. Whether the CA provider type is changing
	// and the other providers raw configuration is passed along so that the provider
	// instance can determine which cleanup steps to perform. For example, when the
	// Vault provider is in use and there is no type change occuring, the Vault
	// provider should check if the intermediate PKI path is changing. If it is not
	// changing then the provider should not remove that path from Vault.
	Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
}

Provider is the interface for Consul to interact with an external CA that provides leaf certificate signing for given SpiffeIDServices.

type ProviderConfig added in v1.7.0

type ProviderConfig struct {
	// ClusterID is the current Consul cluster ID.
	ClusterID string

	// Datacenter is the current Consul datacenter.
	Datacenter string

	// IsPrimary is true when the CA instance is in the primary DC typically it
	// may choose to act as a root in this case while secondaries are typically
	// intermediate CAs. In some case the primary DC in Consul is an intermediate
	// signed by some external CA along with that CA's public cert so the old name
	// of `IsRoot` was misleading.
	IsPrimary bool

	// RawConfig is the user configuration for the provider and is
	// provider-specific to be interpreted as the provider wishes.
	RawConfig map[string]interface{}

	// State contains the State the same provider last persisted. It is provided
	// after a restart or reconfiguration, or on a leader election on a new server
	// to maintain operation. It MUST NOT be used for secret storage since it is
	// visible in the API to operators. It's intended use is to store small bits
	// of state like UUIDs of external resources that the provider has created and
	// needs to continue to manage.
	State map[string]string
}

ProviderConfig encapsulates all the data Consul passes to `Configure` on a new provider instance. The provider must treat this as read-only and make copies of any map or slice if it might modify them internally.

type TestVaultServer added in v1.7.13

type TestVaultServer struct {
	RootToken string
	Addr      string
	// contains filtered or unexported fields
}

func NewTestVaultServer added in v1.7.13

func NewTestVaultServer(t testing.T) *TestVaultServer

func (*TestVaultServer) Client added in v1.7.13

func (v *TestVaultServer) Client() *vaultapi.Client

func (*TestVaultServer) Stop added in v1.7.13

func (v *TestVaultServer) Stop() error

func (*TestVaultServer) WaitUntilReady added in v1.7.13

func (v *TestVaultServer) WaitUntilReady(t testing.T)

type VaultProvider

type VaultProvider struct {
	// contains filtered or unexported fields
}

func NewVaultProvider

func NewVaultProvider(logger hclog.Logger) *VaultProvider

func (*VaultProvider) ActiveIntermediate

func (v *VaultProvider) ActiveIntermediate() (string, error)

ActiveIntermediate returns the current intermediate certificate.

func (*VaultProvider) ActiveRoot

func (v *VaultProvider) ActiveRoot() (string, error)

ActiveRoot returns the active root CA certificate.

func (*VaultProvider) Cleanup

func (v *VaultProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

Cleanup unmounts the configured intermediate PKI backend. It's fine to tear this down and recreate it on small config changes because the intermediate certs get bundled with the leaf certs, so there's no cost to the CA changing.

func (*VaultProvider) Configure added in v1.3.0

func (v *VaultProvider) Configure(cfg ProviderConfig) error

Configure sets up the provider using the given configuration.

func (*VaultProvider) CrossSignCA

func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error)

CrossSignCA takes a CA certificate and cross-signs it to form a trust chain back to our active root.

func (*VaultProvider) GenerateIntermediate

func (v *VaultProvider) GenerateIntermediate() (string, error)

GenerateIntermediate mounts the configured intermediate PKI backend if necessary, then generates and signs a new CA CSR using the root PKI backend and updates the intermediate backend to use that new certificate.

func (*VaultProvider) GenerateIntermediateCSR added in v1.3.0

func (v *VaultProvider) GenerateIntermediateCSR() (string, error)

GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign, overwriting the intermediate backend in the process.

func (*VaultProvider) GenerateRoot added in v1.3.0

func (v *VaultProvider) GenerateRoot() error

GenerateRoot mounts and initializes a new root PKI backend if needed.

func (*VaultProvider) PrimaryUsesIntermediate added in v1.9.14

func (v *VaultProvider) PrimaryUsesIntermediate()

func (*VaultProvider) SetIntermediate added in v1.3.0

func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error

SetIntermediate writes the incoming intermediate and root certificates to the intermediate backend (as a chain).

func (*VaultProvider) Sign

Sign calls the configured role in the intermediate PKI backend to issue a new leaf certificate based on the provided CSR, with the issuing intermediate CA cert attached.

func (*VaultProvider) SignIntermediate added in v1.3.0

func (v *VaultProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate returns a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.

func (*VaultProvider) State added in v1.7.0

func (v *VaultProvider) State() (map[string]string, error)

State implements Provider. Vault provider needs no state other than the user-provided config currently.

func (*VaultProvider) Stop added in v1.8.5

func (v *VaultProvider) Stop()

Stop shuts down the token renew goroutine.

func (*VaultProvider) SupportsCrossSigning added in v1.7.0

func (v *VaultProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL