Force Rotation: local authority scaffolding and implements X.509 auth…

…ority endpoints (spiffe#4020)

* Create local authority scaffolding, and implements X.509 local authority service

Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Neniel <[email protected]>

cmd/spire-server/cli/bundle/bundle_test.go

@@ -37,7 +37,8 @@ func TestShow(t *testing.T) {
   "trust_domain": "spiffe://example.test",
   "x509_authorities": [
     {
-      "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U="
+      "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=",
+      "tainted": false
     }
   ],
   "jwt_authorities": [],
@@ -532,12 +533,14 @@ func TestList(t *testing.T) {
       "trust_domain": "spiffe://domain1.test",
       "x509_authorities": [
         {
-          "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U="
+          "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=",
+	  "tainted": false
         }
       ],
       "jwt_authorities": [
         {
           "public_key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfK+wKTnKL7KFLM27lqq5DC+bxrVaH6rDV+IcCSEOeL7Cr6DdNBbFiVXnVMI8fTfTJexHG+6MPiFRRohCteTgog==",
+	  "tainted": false,
           "key_id": "KID",
           "expires_at": "0"
         }
@@ -549,7 +552,8 @@ func TestList(t *testing.T) {
       "trust_domain": "spiffe://domain2.test",
       "x509_authorities": [
         {
-          "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8VbmlJ8YIuN9RuQ94PYanmkIRG7MkGV5mmrO6rFAv3SFd/uVlwYNkXrh0219eHUSD4o+4RGXoiMFJKysw5GK6jODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMi50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIQDMKwYtq+2ZoNyl4udPj7IMYIGX8yuCNRmh7m3d9tvoDgIgbS26wSwDjngGqdiHHL8fTcggdiIqWtxAqBLFrx8zNS4="
+          "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8VbmlJ8YIuN9RuQ94PYanmkIRG7MkGV5mmrO6rFAv3SFd/uVlwYNkXrh0219eHUSD4o+4RGXoiMFJKysw5GK6jODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMi50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIQDMKwYtq+2ZoNyl4udPj7IMYIGX8yuCNRmh7m3d9tvoDgIgbS26wSwDjngGqdiHHL8fTcggdiIqWtxAqBLFrx8zNS4=",
+	  "tainted": false
         }
       ],
       "jwt_authorities": [],
@@ -563,7 +567,8 @@ func TestList(t *testing.T) {
   "trust_domain": "spiffe://domain2.test",
   "x509_authorities": [
     {
-      "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8VbmlJ8YIuN9RuQ94PYanmkIRG7MkGV5mmrO6rFAv3SFd/uVlwYNkXrh0219eHUSD4o+4RGXoiMFJKysw5GK6jODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMi50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIQDMKwYtq+2ZoNyl4udPj7IMYIGX8yuCNRmh7m3d9tvoDgIgbS26wSwDjngGqdiHHL8fTcggdiIqWtxAqBLFrx8zNS4="
+      "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8VbmlJ8YIuN9RuQ94PYanmkIRG7MkGV5mmrO6rFAv3SFd/uVlwYNkXrh0219eHUSD4o+4RGXoiMFJKysw5GK6jODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMi50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIQDMKwYtq+2ZoNyl4udPj7IMYIGX8yuCNRmh7m3d9tvoDgIgbS26wSwDjngGqdiHHL8fTcggdiIqWtxAqBLFrx8zNS4=",
+       "tainted": false
     }
   ],
   "jwt_authorities": [],

cmd/spire-server/cli/federation/create_test.go

@@ -267,7 +267,8 @@ Endpoint SPIFFE ID        : spiffe://td-3.org/bundle
           "trust_domain": "td-3.org",
           "x509_authorities": [
             {
-              "asn1": "%s"
+              "asn1": "%s",
+	      "tainted": false
             }
           ],
           "jwt_authorities": [],
@@ -427,7 +428,8 @@ Endpoint SPIFFE ID        : spiffe://td-3.org/bundle
           "trust_domain": "td-3.org",
           "x509_authorities": [
             {
-              "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U="
+              "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=",
+	      "tainted": false
             }
           ],
           "jwt_authorities": [],

cmd/spire-server/cli/federation/update_test.go

@@ -267,7 +267,8 @@ Endpoint SPIFFE ID        : spiffe://td-3.org/bundle
           "trust_domain": "td-3.org",
           "x509_authorities": [
             {
-              "asn1": "%s"
+              "asn1": "%s",
+	      "tainted": false
             }
           ],
           "jwt_authorities": [],
@@ -427,7 +428,8 @@ Endpoint SPIFFE ID        : spiffe://td-3.org/bundle
           "trust_domain": "td-3.org",
           "x509_authorities": [
             {
-              "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U="
+              "asn1": "MIIBKjCB0aADAgECAgEBMAoGCCqGSM49BAMCMAAwIhgPMDAwMTAxMDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHyvsCk5yi+yhSzNu5aquQwvm8a1Wh+qw1fiHAkhDni+wq+g3TQWxYlV51TCPH030yXsRxvujD4hUUaIQrXk4KKjODA2MA8GA1UdEwEB/wQFMAMBAf8wIwYDVR0RAQH/BBkwF4YVc3BpZmZlOi8vZG9tYWluMS50ZXN0MAoGCCqGSM49BAMCA0gAMEUCIA2dO09Xmakw2ekuHKWC4hBhCkpr5qY4bI8YUcXfxg/1AiEA67kMyH7bQnr7OVLUrL+b9ylAdZglS5kKnYigmwDh+/U=",
+	      "tainted": false
             }
           ],
           "jwt_authorities": [],

go.mod

@@ -61,7 +61,7 @@ require (
 	github.com/sigstore/sigstore v1.7.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spiffe/go-spiffe/v2 v2.1.6
-	github.com/spiffe/spire-api-sdk v1.2.5-0.20230413135745-699e242b965d
+	github.com/spiffe/spire-api-sdk v1.2.5-0.20230629125323-08049dbe95e6
 	github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230224144655-648f8c740f73
 	github.com/stretchr/testify v1.8.4
 	github.com/uber-go/tally/v4 v4.1.7

go.sum

@@ -1803,8 +1803,8 @@ github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc=
 github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
 github.com/spiffe/go-spiffe/v2 v2.1.6 h1:4SdizuQieFyL9eNU+SPiCArH4kynzaKOOj0VvM8R7Xo=
 github.com/spiffe/go-spiffe/v2 v2.1.6/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk=
-github.com/spiffe/spire-api-sdk v1.2.5-0.20230413135745-699e242b965d h1:0etgpf2R3yE+dwCM+leo1OcayEXfBdv0nZ3I7k/iRmk=
-github.com/spiffe/spire-api-sdk v1.2.5-0.20230413135745-699e242b965d/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
+github.com/spiffe/spire-api-sdk v1.2.5-0.20230629125323-08049dbe95e6 h1:viHj64Ur7/br8+UzaFm8DL7CUsMPM5DY+XBvA2eJ6OE=
+github.com/spiffe/spire-api-sdk v1.2.5-0.20230629125323-08049dbe95e6/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
 github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230224144655-648f8c740f73 h1:uGW6T41jGq1ZTxqpc8Y4b/LIPDtSYDaVql2gYdJYUfM=
 github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230224144655-648f8c740f73/go.mod h1:4KW5J6abGIAyUS8IL7Fi0NOfoWR6jA5LufKPnIdm9FE=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=

pkg/common/protoutil/masks_test.go

@@ -44,10 +44,11 @@ func TestAllTrueMasks(t *testing.T) {
 	}, protoutil.AllTrueEntryMask)
 
 	spiretest.AssertProtoEqual(t, &common.BundleMask{
-		RootCas:        true,
-		JwtSigningKeys: true,
-		RefreshHint:    true,
-		SequenceNumber: true,
+		RootCas:         true,
+		JwtSigningKeys:  true,
+		RefreshHint:     true,
+		SequenceNumber:  true,
+		X509TaintedKeys: true,
 	}, protoutil.AllTrueCommonBundleMask)
 
 	spiretest.AssertProtoEqual(t, &common.AttestedNodeMask{

pkg/common/telemetry/names.go

@@ -354,6 +354,9 @@ const (
 	// Kid tags some key ID
 	Kid = "kid"
 
+	// LocalAuthorityID tags a local authority ID
+	LocalAuthorityID = "local_authority_id"
+
 	// Mode tags a bundle deletion mode
 	Mode = "mode"
 

pkg/common/telemetry/server/datastore/wrapper.go

@@ -204,28 +204,28 @@ func (w metricsWrapper) SetBundle(ctx context.Context, bundle *common.Bundle) (_
 	return w.ds.SetBundle(ctx, bundle)
 }
 
-func (w metricsWrapper) TaintX509CA(ctx context.Context, trustDomainID string, publicKey crypto.PublicKey) (err error) {
+func (w metricsWrapper) TaintX509CA(ctx context.Context, trustDomainID string, publicKeyToTaint crypto.PublicKey) (err error) {
 	callCounter := StartTaintX509CAByKeyCall(w.m)
 	defer callCounter.Done(&err)
-	return w.ds.TaintX509CA(ctx, trustDomainID, publicKey)
+	return w.ds.TaintX509CA(ctx, trustDomainID, publicKeyToTaint)
 }
 
-func (w metricsWrapper) RevokeX509CA(ctx context.Context, trustDomainID string, publicKey crypto.PublicKey) (err error) {
+func (w metricsWrapper) RevokeX509CA(ctx context.Context, trustDomainID string, publicKeyToRevoke crypto.PublicKey) (err error) {
 	callCounter := StartRevokeX509CACall(w.m)
 	defer callCounter.Done(&err)
-	return w.ds.RevokeX509CA(ctx, trustDomainID, publicKey)
+	return w.ds.RevokeX509CA(ctx, trustDomainID, publicKeyToRevoke)
 }
 
-func (w metricsWrapper) TaintJWTKey(ctx context.Context, trustDomainID string, keyID string) (_ *common.PublicKey, err error) {
+func (w metricsWrapper) TaintJWTKey(ctx context.Context, trustDomainID string, authorityID string) (_ *common.PublicKey, err error) {
 	callCounter := StartTaintJWTKeyCall(w.m)
 	defer callCounter.Done(&err)
-	return w.ds.TaintJWTKey(ctx, trustDomainID, keyID)
+	return w.ds.TaintJWTKey(ctx, trustDomainID, authorityID)
 }
 
-func (w metricsWrapper) RevokeJWTKey(ctx context.Context, trustDomainID string, keyID string) (_ *common.PublicKey, err error) {
+func (w metricsWrapper) RevokeJWTKey(ctx context.Context, trustDomainID string, authorityID string) (_ *common.PublicKey, err error) {
 	callCounter := StartRevokeJWTKeyCall(w.m)
 	defer callCounter.Done(&err)
-	return w.ds.RevokeJWTKey(ctx, trustDomainID, keyID)
+	return w.ds.RevokeJWTKey(ctx, trustDomainID, authorityID)
 }
 
 func (w metricsWrapper) SetNodeSelectors(ctx context.Context, spiffeID string, selectors []*common.Selector) (err error) {

pkg/common/x509util/keyid.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"fmt"
 )
 
 // GetSubjectKeyID calculates a subject key identifier by doing a SHA-1 hash
@@ -27,3 +28,15 @@ func GetSubjectKeyID(pubKey interface{}) ([]byte, error) {
 	keyID := sha1.Sum(subjectKeyInfo.SubjectPublicKey.Bytes) //nolint: gosec // usage of SHA1 is according to specification
 	return keyID[:], nil
 }
+
+// SubjectKeyIDToString parse Subject Key ID into string
+func SubjectKeyIDToString(ski []byte) string {
+	serialHex := fmt.Sprintf("%x", ski)
+	if len(serialHex)%2 == 1 {
+		// Append leading 0 in cases where hexadecimal representation is odd number of characters
+		// in order to be more consistent with other tooling that displays certificate serial numbers.
+		serialHex = "0" + serialHex
+	}
+
+	return serialHex
+}

pkg/common/x509util/keyid_test.go

@@ -0,0 +1,38 @@
+package x509util_test
+
+import (
+	"testing"
+
+	"github.com/spiffe/spire/pkg/common/x509util"
+	"github.com/spiffe/spire/test/testkey"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	privateKey = testkey.MustEC256()
+)
+
+func TestSubjectKeyIDToString(t *testing.T) {
+	t.Run("empty ski", func(t *testing.T) {
+		str := x509util.SubjectKeyIDToString([]byte{})
+		require.Empty(t, str)
+	})
+
+	t.Run("small byte", func(t *testing.T) {
+		str := x509util.SubjectKeyIDToString([]byte("foo"))
+		require.Equal(t, "666f6f", str)
+	})
+
+	t.Run("no odd number", func(t *testing.T) {
+		str := x509util.SubjectKeyIDToString([]byte{1})
+		require.Equal(t, "01", str)
+	})
+
+	realSKI, err := x509util.GetSubjectKeyID(privateKey.Public())
+	require.NoError(t, err)
+
+	t.Run("real parsed ski", func(t *testing.T) {
+		str := x509util.SubjectKeyIDToString(realSKI)
+		require.Equal(t, "42c702d94031c6bc849ec99fa361802a877bdade", str)
+	})
+}

pkg/server/api/agent/v1/service.go

@@ -439,6 +439,11 @@ func (s *Service) RenewAgent(ctx context.Context, req *agentv1.RenewAgentRequest
 	}, nil
 }
 
+// PostStatus post agent status
+func (s *Service) PostStatus(context.Context, *agentv1.PostStatusRequest) (*agentv1.PostStatusResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "unimplemented")
+}
+
 // CreateJoinToken returns a new JoinToken for an agent.
 func (s *Service) CreateJoinToken(ctx context.Context, req *agentv1.CreateJoinTokenRequest) (*types.JoinToken, error) {
 	log := rpccontext.Logger(ctx)

pkg/server/api/agent/v1/service_test.go

@@ -2019,6 +2019,14 @@ func TestRenewAgent(t *testing.T) {
 	}
 }
 
+func TestPostStatus(t *testing.T) {
+	test := setupServiceTest(t, 0)
+
+	resp, err := test.client.PostStatus(context.Background(), &agentv1.PostStatusRequest{})
+	require.Nil(t, resp)
+	spiretest.RequireGRPCStatus(t, err, codes.Unimplemented, "unimplemented")
+}
+
 func TestCreateJoinToken(t *testing.T) {
 	for _, tt := range []struct {
 		name          string