Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add handling of cnf claim #1092

Merged
merged 6 commits into from
Jul 24, 2024
Merged

Add handling of cnf claim #1092

merged 6 commits into from
Jul 24, 2024

Conversation

maraino
Copy link
Collaborator

@maraino maraino commented Dec 29, 2023

Allow to add confirmation claims to tokens

This commit allows passing confirmation claims to tokens to tie the
tokens with a provided CSR or SSH public key.

Fixes smallstep/certificates#1637

Related PR:

@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Dec 29, 2023
This commit allows to generate fingerprints for CSR files to the
`step certificate fingerprint` command.
This commit allows passing confirmation claims to tokens to tie the
tokens with a provided CSR or SSH public key.

The confirmation claim is implemented in the token command as well as
the com commands that uses a given CSR or ssh public key. Those are:

  - step ca token
  - step ca sign
  - step ssh certificate --sign

Fixes smallstep/certificates#1637
@maraino maraino marked this pull request as ready for review January 12, 2024 00:53
@maraino maraino requested a review from hslatman January 12, 2024 00:53
@hslatman hslatman modified the milestones: v0.26.0, v0.26.1 Mar 26, 2024
command/certificate/fingerprint.go Outdated Show resolved Hide resolved
token/options.go Outdated Show resolved Hide resolved
command/ca/token.go Outdated Show resolved Hide resolved
flags/flags.go Outdated Show resolved Hide resolved
token/options.go Outdated Show resolved Hide resolved
@hslatman hslatman changed the title Fix 1637 Add handling of cnf claim Apr 2, 2024
@hslatman hslatman modified the milestones: v0.26.1, v0.26.2 Apr 25, 2024
@hslatman hslatman modified the milestones: v0.26.2, v0.26.3 Jun 17, 2024
@hslatman hslatman modified the milestones: v0.27.0, v0.27.2 Jul 15, 2024
@hslatman hslatman modified the milestones: v0.27.2, v0.27.3 Jul 23, 2024
@maraino maraino requested a review from hslatman July 24, 2024 01:58
utils/cautils/certificate_flow.go Show resolved Hide resolved
token/options.go Outdated Show resolved Hide resolved
token/options.go Show resolved Hide resolved
Comment on lines +382 to +394
// Confirmation is a cli.Flag used to add a confirmation claim in the token.
Confirmation = cli.StringFlag{
Name: "cnf",
Usage: `The <fingerprint> of the CSR to restrict this token for.`,
}

// ConfirmationFile is a cli.Flag used to add a confirmation claim in the
// tokens. It will add a confirmation kid with the fingerprint of the CSR.
ConfirmationFile = cli.StringFlag{
Name: "cnf-file",
Usage: `The CSR <file> to restrict this token for.`,
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these include something about the SSH public key, or want to keep it simple?

Copy link
Collaborator Author

@maraino maraino Jul 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They used to include it, but due to a comment in the certificates PR that suggested removing the cnf for SSH, I've removed it from here. Although I kept the SSH public key in the context.

command/certificate/fingerprint.go Outdated Show resolved Hide resolved
Comment on lines +334 to +345
if isSSH {
sshPub, _, _, _, err := ssh.ParseAuthorizedKey(in)
if err != nil {
return errors.Wrap(err, "error parsing ssh public key")
}
tokenOpts = append(tokenOpts, cautils.WithSSHPublicKey(sshPub))
} else {
csr, err := pemutil.ParseCertificateRequest(in)
if err != nil {
return errors.Wrap(err, "error parsing certificate request")
}
tokenOpts = append(tokenOpts, cautils.WithCertificateRequest(csr))
Copy link
Member

@hslatman hslatman Jul 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of passing the CSR or SSH public key, the claim itself could be calculated here, and just pass it as the fingerprint directly? Or is there some flow in which to defer calculation of the fingerprint is necessary? step ca sign, maybe?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

step ca sign use cautils.WithCertificateRequest(csr) and step ssh certificate use cautils.WithSSHPublicKey(sshPub), although the SSH one is currently totally ignored. These fields go to the shared context of the cautils package and end up in the token package, which takes care of calculating the fingerprint and adding the proper attribute to the final token. Right now, only the CSR gets into the token package, but sending the type allows us to specify the right attribute now that we don't share just kid.

@maraino maraino requested a review from hslatman July 24, 2024 18:52
Copy link
Member

@hslatman hslatman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks OK now. Not sure what's up with the test? It seems to want the old kid claim still?

@maraino maraino merged commit 797ae59 into master Jul 24, 2024
12 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs triage Waiting for discussion / prioritization by team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Option to bind JWK provisioner tokens with CSR
2 participants