smallstep · maraino · Mar 29, 2022 · Mar 29, 2022 · Mar 29, 2022
diff --git a/authority/options.go b/authority/options.go
@@ -163,6 +163,22 @@ func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
 	}
 }
 
+// WithX509SignerFunc defines the function used to get the chain of certificates
+// and signer used when we sign X.509 certificates.
+func WithX509SignerFunc(fn func() ([]*x509.Certificate, crypto.Signer, error)) Option {
+	return func(a *Authority) error {
+		srv, err := cas.New(context.Background(), casapi.Options{
+			Type:              casapi.SoftCAS,
+			CertificateSigner: fn,
+		})
+		if err != nil {
+			return err
+		}
+		a.x509CAService = srv
+		return nil
+	}
+}
+
 // WithSSHUserSigner defines the signer used to sign SSH user certificates.
 func WithSSHUserSigner(s crypto.Signer) Option {
 	return func(a *Authority) error {

diff --git a/cas/apiv1/options.go b/cas/apiv1/options.go
@@ -31,13 +31,18 @@ type Options struct {
 	// https://cloud.google.com/docs/authentication.
 	CredentialsFile string `json:"credentialsFile,omitempty"`
 
-	// Certificate and signer are the issuer certificate, along with any other
-	// bundled certificates to be returned in the chain for consumers, and
+	// CertificateChain and Signer are the issuer certificate, along with any
+	// other bundled certificates to be returned in the chain for consumers, and
 	// signer used in SoftCAS. They are configured in ca.json crt and key
 	// properties.
 	CertificateChain []*x509.Certificate `json:"-"`
 	Signer           crypto.Signer       `json:"-"`
 
+	// CertificateSigner combines CertificateChain and Signer in a callback that
+	// returns the chain of certificate and signer used to sign X.509
+	// certificates in SoftCAS.
+	CertificateSigner func() ([]*x509.Certificate, crypto.Signer, error) `json:"-"`
+
 	// IsCreator is set to true when we're creating a certificate authority. It
 	// is used to skip some validations when initializing a
 	// CertificateAuthority. This option is used on SoftCAS and CloudCAS.

diff --git a/cas/softcas/softcas.go b/cas/softcas/softcas.go
@@ -24,26 +24,28 @@ var now = time.Now
 // SoftCAS implements a Certificate Authority Service using Golang or KMS
 // crypto. This is the default CAS used in step-ca.
 type SoftCAS struct {
-	CertificateChain []*x509.Certificate
-	Signer           crypto.Signer
-	KeyManager       kms.KeyManager
+	CertificateChain  []*x509.Certificate
+	Signer            crypto.Signer
+	CertificateSigner func() ([]*x509.Certificate, crypto.Signer, error)
+	KeyManager        kms.KeyManager
 }
 
 // New creates a new CertificateAuthorityService implementation using Golang or KMS
 // crypto.
 func New(ctx context.Context, opts apiv1.Options) (*SoftCAS, error) {
 	if !opts.IsCreator {
 		switch {
-		case len(opts.CertificateChain) == 0:
+		case len(opts.CertificateChain) == 0 && opts.CertificateSigner == nil:
 			return nil, errors.New("softCAS 'CertificateChain' cannot be nil")
-		case opts.Signer == nil:
+		case opts.Signer == nil && opts.CertificateSigner == nil:
 			return nil, errors.New("softCAS 'signer' cannot be nil")
 		}
 	}
 	return &SoftCAS{
-		CertificateChain: opts.CertificateChain,
-		Signer:           opts.Signer,
-		KeyManager:       opts.KeyManager,
+		CertificateChain:  opts.CertificateChain,
+		Signer:            opts.Signer,
+		CertificateSigner: opts.CertificateSigner,
+		KeyManager:        opts.KeyManager,
 	}, nil
 }
 
@@ -57,23 +59,29 @@ func (c *SoftCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1
 	}
 
 	t := now()
+
 	// Provisioners can also set specific values.
 	if req.Template.NotBefore.IsZero() {
 		req.Template.NotBefore = t.Add(-1 * req.Backdate)
 	}
 	if req.Template.NotAfter.IsZero() {
 		req.Template.NotAfter = t.Add(req.Lifetime)
 	}
-	req.Template.Issuer = c.CertificateChain[0].Subject
 
-	cert, err := createCertificate(req.Template, c.CertificateChain[0], req.Template.PublicKey, c.Signer)
+	chain, signer, err := c.getCertSigner()
+	if err != nil {
+		return nil, err
+	}
+	req.Template.Issuer = chain[0].Subject
+
+	cert, err := createCertificate(req.Template, chain[0], req.Template.PublicKey, signer)
 	if err != nil {
 		return nil, err
 	}
 
 	return &apiv1.CreateCertificateResponse{
 		Certificate:      cert,
-		CertificateChain: c.CertificateChain,
+		CertificateChain: chain,
 	}, nil
 }
 
@@ -89,26 +97,35 @@ func (c *SoftCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.R
 	t := now()
 	req.Template.NotBefore = t.Add(-1 * req.Backdate)
 	req.Template.NotAfter = t.Add(req.Lifetime)
-	req.Template.Issuer = c.CertificateChain[0].Subject
 
-	cert, err := createCertificate(req.Template, c.CertificateChain[0], req.Template.PublicKey, c.Signer)
+	chain, signer, err := c.getCertSigner()
+	if err != nil {
+		return nil, err
+	}
+	req.Template.Issuer = chain[0].Subject
+
+	cert, err := createCertificate(req.Template, chain[0], req.Template.PublicKey, signer)
 	if err != nil {
 		return nil, err
 	}
 
 	return &apiv1.RenewCertificateResponse{
 		Certificate:      cert,
-		CertificateChain: c.CertificateChain,
+		CertificateChain: chain,
 	}, nil
 }
 
 // RevokeCertificate revokes the given certificate in step-ca. In SoftCAS this
 // operation is a no-op as the actual revoke will happen when we store the entry
 // in the db.
 func (c *SoftCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) {
+	chain, _, err := c.getCertSigner()
+	if err != nil {
+		return nil, err
+	}
 	return &apiv1.RevokeCertificateResponse{
 		Certificate:      req.Certificate,
-		CertificateChain: c.CertificateChain,
+		CertificateChain: chain,
 	}, nil
 }
 
@@ -179,7 +196,7 @@ func (c *SoftCAS) CreateCertificateAuthority(req *apiv1.CreateCertificateAuthori
 	}, nil
 }
 
-// initializeKeyManager initiazes the default key manager if was not given.
+// initializeKeyManager initializes the default key manager if was not given.
 func (c *SoftCAS) initializeKeyManager() (err error) {
 	if c.KeyManager == nil {
 		c.KeyManager, err = kms.New(context.Background(), kmsapi.Options{
@@ -189,6 +206,15 @@ func (c *SoftCAS) initializeKeyManager() (err error) {
 	return
 }
 
+// getCertSigner returns the certificate chain and signer to use.
+func (c *SoftCAS) getCertSigner() ([]*x509.Certificate, crypto.Signer, error) {
+	if c.CertificateSigner != nil {
+		return c.CertificateSigner()
+	}
+	return c.CertificateChain, c.Signer, nil
+
+}
+
 // createKey uses the configured kms to create a key.
 func (c *SoftCAS) createKey(req *kmsapi.CreateKeyRequest) (*kmsapi.CreateKeyResponse, error) {
 	if err := c.initializeKeyManager(); err != nil {