Merge branch 'master' into herman/fix-go-tpm-v0.9.0

smallstep · Sep 19, 2023 · 0b28b9d · 0b28b9d
2 parents 9aed784 + b2edfa2
commit 0b28b9d
Show file tree

Hide file tree

Showing 16 changed files with 198 additions and 66 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,6 +28,44 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Added
+
+- Add support for provisioner claim `disableSmallstepExtensions`
+  (smallstep/cli#986).
+- Add support for PowerShell plugins on Windows (smallstep/certificates#992).
+- Create API token using team slug (smallstep/cli#980).
+- Detect OIDC tokens issued by Kubernetes (smallstep/cli#953).
+- Add support for Smallstep Managed Endpoint X509 extension
+  (smallstep/cli#989).
+- Support signing a certificate for a private key that can only be used for 
+  encryption with the `--skip-csr-signature` flag in `step certificate create`. 
+  Some KMSs restrict key usage to a single type of cryptographic operation. 
+  This blocks RSA decryption keys from being used to sign a CSR for their public 
+  key. Using the `--skip-csr-signature` flag, the public key is used directly 
+  with a certificate template, removing the need for the CSR signature.
+- Add all AWS identity document certificates (smallstep/certificates#1510)
+
+### Changed
+
+- Increase PBKDF2 iterations to 600k (smallstep/cli#949).
+- `--kms` flag is no longer used for the CA (signing) key for `step certificate create`. It was replaced by the `--ca-kms` flag (smallstep/cli#942).
+
+### Fixed
+
+- Look for Windows plugins with executable extensions
+  (smallstep/certificates#976)
+- Fix empty ca.json with invalid template data (smallstep/certificates#1501).
+- Fix interactive prompt on docker builds (smallstep/cli#963).
+- `step certificate fingerprint` correctly parse PEM files with non-PEM header
+  (smallstep/crypto#311)
+- `step certificate format` correctly parse PEM files with non-PEM header
+  (smallstep/cli#1006)
+
+### Remove
+
+- Remove automatic creation of the step path (smallstep/certificates#991)
+
+
 ## [v0.24.4] - 2023-05-11
 
 ### Added

diff --git a/cmd/step/main.go b/cmd/step/main.go
@@ -3,7 +3,6 @@ package main
 import (
 	"errors"
 	"fmt"
-	"math/rand"
 	"os"
 	"reflect"
 	"regexp"
@@ -54,11 +53,17 @@ var BuildTime = "N/A"
 func init() {
 	step.Set("Smallstep CLI", Version, BuildTime)
 	ca.UserAgent = step.Version()
-	rand.Seed(time.Now().UnixNano())
 }
 
 func main() {
+	// initialize step environment.
+	if err := step.Init(); err != nil {
+		fmt.Fprintln(os.Stderr, err.Error())
+		os.Exit(1)
+	}
+
 	defer panicHandler()
+
 	// Override global framework components
 	cli.VersionPrinter = func(c *cli.Context) {
 		version.Command(c)

diff --git a/command/ca/bootstrap.go b/command/ca/bootstrap.go
@@ -65,7 +65,7 @@ $ step ca bootstrap --team superteam --team-url https://config.example.com/<>
 			fingerprintFlag,
 			cli.BoolFlag{
 				Name:  "install",
-				Usage: "Install the root certificate into the system truststore.",
+				Usage: "Install the root certificate into the system's default trust store.",
 			},
 			flags.Team,
 			flags.TeamAuthority,

diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
@@ -167,6 +167,7 @@ SCEP
 			sshHostDefaultDurFlag,
 			disableRenewalFlag,
 			allowRenewalAfterExpiryFlag,
+			disableSmallstepExtensionsFlag,
 			//enableX509Flag,
 			enableSSHFlag,
 
@@ -360,8 +361,9 @@ func addAction(ctx *cli.Context) (err error) {
 			HostDurations: &linkedca.Durations{},
 			Enabled:       !(ctx.IsSet("ssh") && !ctx.Bool("ssh")),
 		},
-		DisableRenewal:          ctx.Bool("disable-renewal"),
-		AllowRenewalAfterExpiry: ctx.Bool("allow-renewal-after-expiry"),
+		DisableRenewal:             ctx.Bool("disable-renewal"),
+		AllowRenewalAfterExpiry:    ctx.Bool("allow-renewal-after-expiry"),
+		DisableSmallstepExtensions: ctx.Bool("disable-smallstep-extensions"),
 	}
 
 	if ctx.IsSet("x509-min-dur") {

diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
@@ -248,6 +248,10 @@ unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
 		Name:  "allow-renewal-after-expiry",
 		Usage: `Allow renewals for expired certificates generated by this provisioner.`,
 	}
+	disableSmallstepExtensionsFlag = cli.BoolFlag{
+		Name:  "disable-smallstep-extensions",
+		Usage: `Disable the Smallstep extension for all certificates generated by this provisioner.`,
+	}
 	//enableX509Flag = cli.BoolFlag{
 	//	Name:  "x509",
 	//	Usage: `Enable provisioning of x509 certificates.`,

diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
@@ -166,6 +166,7 @@ SCEP
 			sshHostDefaultDurFlag,
 			disableRenewalFlag,
 			allowRenewalAfterExpiryFlag,
+			disableSmallstepExtensionsFlag,
 			//enableX509Flag,
 			enableSSHFlag,
 
@@ -404,8 +405,11 @@ func updateClaims(ctx *cli.Context, p *linkedca.Provisioner) {
 	if ctx.IsSet("allow-renewal-after-expiry") {
 		p.Claims.AllowRenewalAfterExpiry = ctx.Bool("allow-renewal-after-expiry")
 	}
-	claims := p.Claims
+	if ctx.IsSet("disable-smallstep-extensions") {
+		p.Claims.DisableSmallstepExtensions = ctx.Bool("disable-smallstep-extensions")
+	}
 
+	claims := p.Claims
 	if claims.X509 == nil {
 		claims.X509 = &linkedca.X509Claims{}
 	}

diff --git a/command/ca/sign.go b/command/ca/sign.go
@@ -20,7 +20,7 @@ func signCertificateCommand() cli.Command {
 	return cli.Command{
 		Name:   "sign",
 		Action: command.ActionFunc(signCertificateAction),
-		Usage:  "generate a new certificate signing a certificate request",
+		Usage:  "generate a new certificate from signing a certificate request",
 		UsageText: `**step ca sign** <csr-file> <crt-file>
 [**--token**=<token>] [**--issuer**=<name>] [**--provisioner-password-file=<file>]
 [**--not-before**=<time|duration>] [**--not-after**=<time|duration>]

diff --git a/command/certificate/certificate.go b/command/certificate/certificate.go
@@ -70,12 +70,12 @@ Extract the public key from a PEM encoded certificate:
 $ step certificate key foo.crt
 '''
 
-Install a root certificate in the system truststore:
+Install a root certificate in the system's default trust store:
 '''
 $ step certificate install root-ca.crt
 '''
 
-Uninstall a root certificate from the system truststore:
+Uninstall a root certificate from the system's default trust store:
 '''
 $ step certificate uninstall root-ca.crt
 '''`,

diff --git a/command/certificate/create.go b/command/certificate/create.go
@@ -44,11 +44,11 @@ func createCommand() cli.Command {
 [**--kms**=<uri>] [**--csr**] [**--profile**=<profile>]
 [**--template**=<file>] [**--set**=<key=value>] [**--set-file**=<file>]
 [**--not-before**=<duration>] [**--not-after**=<duration>]
-[**--password-file**=<file>] [**--ca**=<issuer-cert>]
+[**--password-file**=<file>] [**--ca**=<issuer-cert>] 
 [**--ca-key**=<issuer-key>] [**--ca-password-file**=<file>]
-[**--san**=<SAN>] [**--bundle**] [**--key**=<file>]
+[**--ca-kms**=<uri>] [**--san**=<SAN>] [**--bundle**] [**--key**=<file>]
 [**--kty**=<type>] [**--curve**=<curve>] [**--size**=<size>]
-[**--no-password**] [**--insecure**]`,
+[**--skip-csr-signature**] [**--no-password**] [**--insecure**]`,
 		Description: `**step certificate create** generates a certificate or a
 certificate signing request (CSR) that can be signed later using 'step
 certificate sign' (or some other tool) to produce a certificate.
@@ -345,11 +345,34 @@ $ step kms create \
   'pkcs11:id=4001;object=intermediate-key'
 $ step certificate create \
   --profile intermediate-ca \
-  --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
+  --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password'
   --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
+  --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \ 
   --key 'pkcs11:id=4001' \
   'My KMS Intermediate' intermediate_ca.crt
 '''
+
+Create an intermediate certificate for an RSA decryption key in Google Cloud KMS, signed by a root stored on disk, using <step-kms-plugin>:
+'''
+$ step certificate create \
+  --profile intermediate-ca \ 
+  --ca root_ca.crt --ca-key root_ca_key \ 
+  --kms cloudkms: \ 
+  --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
+  --skip-csr-signature \
+  'My RSA Intermediate' intermediate_rsa_ca.crt 
+'''
+
+Create an intermediate certificate for an RSA signing key in Google Cloud KMS, signed by a root stored in an HSM, using <step-kms-plugin>:
+'''
+$ step certificate create \
+  --profile intermediate-ca \ 
+  --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
+  --ca root_ca.crt --ca-key 'pkcs11:id=4000' \ 
+  --kms cloudkms: \ 
+  --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
+  'My RSA Intermediate' intermediate_rsa_ca.crt 
+'''
 `,
 		Flags: []cli.Flag{
 			flags.KMSUri,
@@ -446,6 +469,14 @@ the **--ca** flag.`,
 				Name:   "insecure",
 				Hidden: true,
 			},
+			cli.StringFlag{
+				Name:  "ca-kms",
+				Usage: "The <uri> to configure the KMS used for signing the certificate",
+			},
+			cli.BoolFlag{
+				Name:  "skip-csr-signature",
+				Usage: "Skip creating and signing a CSR",
+			},
 		},
 	}
 }
@@ -485,17 +516,22 @@ func createAction(ctx *cli.Context) error {
 	}
 
 	var (
-		sans         = ctx.StringSlice("san")
-		profile      = ctx.String("profile")
-		templateFile = ctx.String("template")
-		bundle       = ctx.Bool("bundle")
-		subtle       = ctx.Bool("subtle")
+		sans             = ctx.StringSlice("san")
+		profile          = ctx.String("profile")
+		templateFile     = ctx.String("template")
+		bundle           = ctx.Bool("bundle")
+		subtle           = ctx.Bool("subtle")
+		skipCSRSignature = ctx.Bool("skip-csr-signature")
 	)
 
 	if ctx.IsSet("profile") && templateFile != "" {
 		return errs.IncompatibleFlagWithFlag(ctx, "profile", "template")
 	}
 
+	if ctx.Bool("csr") && skipCSRSignature {
+		return errs.IncompatibleFlagWithFlag(ctx, "csr", "skip-csr-signature")
+	}
+
 	// Read template if passed
 	var template string
 	if templateFile != "" {
@@ -631,20 +667,31 @@ func createAction(ctx *cli.Context) error {
 		defaultValidity = defaultTemplatevalidity
 	}
 
-	// Create X.509 certificate used as base for the certificate
-	cr, err := x509util.CreateCertificateRequest(subject, sans, signer)
-	if err != nil {
-		return err
-	}
-
 	// Create X.509 certificate
 	templateData := x509util.CreateTemplateData(subject, sans)
 	templateData.SetUserData(userData)
-	certificate, err := x509util.NewCertificate(cr, x509util.WithTemplate(template, templateData))
-	if err != nil {
-		return err
+
+	var certTemplate = &x509.Certificate{}
+	if skipCSRSignature {
+		certTemplate.PublicKey = pub
+		certificate, err := x509util.NewCertificateFromX509(certTemplate, x509util.WithTemplate(template, templateData))
+		if err != nil {
+			return err
+		}
+		certTemplate = certificate.GetCertificate()
+	} else {
+		// Create X.509 certificate used as base for the certificate
+		cr, err := x509util.CreateCertificateRequest(subject, sans, priv)
+		if err != nil {
+			return err
+		}
+		certificate, err := x509util.NewCertificate(cr, x509util.WithTemplate(template, templateData))
+		if err != nil {
+			return err
+		}
+		certTemplate = certificate.GetCertificate()
 	}
-	certTemplate := certificate.GetCertificate()
+
 	if parent == nil {
 		parent = certTemplate
 	}
@@ -766,9 +813,9 @@ func parseSigner(ctx *cli.Context, defaultSigner crypto.Signer) (*x509.Certifica
 	var (
 		caCert   = ctx.String("ca")
 		caKey    = ctx.String("ca-key")
+		caKMS    = ctx.String("ca-kms")
 		profile  = ctx.String("profile")
 		template = ctx.String("template")
-		kms      = ctx.String("kms")
 	)
 
 	// Check required flags when profile is used.
@@ -819,7 +866,7 @@ func parseSigner(ctx *cli.Context, defaultSigner crypto.Signer) (*x509.Certifica
 		opts = append(opts, pemutil.WithPasswordFile(passFile))
 	}
 
-	signer, err := cryptoutil.CreateSigner(kms, caKey, opts...)
+	signer, err := cryptoutil.CreateSigner(caKMS, caKey, opts...)
 	if err != nil {
 		return nil, nil, err
 	}

diff --git a/command/certificate/fingerprint.go b/command/certificate/fingerprint.go
@@ -21,7 +21,7 @@ func fingerprintCommand() cli.Command {
 		Action: cli.ActionFunc(fingerprintAction),
 		Usage:  "print the fingerprint of a certificate",
 		UsageText: `**step certificate fingerprint** <crt-file>
-[**--bundle**] [**--roots**=<root-bundle>] [**--servername**=<servername>] 
+[**--bundle**] [**--roots**=<root-bundle>] [**--servername**=<servername>]
 [**--format**=<format>] [**--sha1**] [**--insecure**]`,
 		Description: `**step certificate fingerprint** reads a certificate and prints to STDOUT the
 certificate SHA256 of the raw certificate.

diff --git a/command/certificate/format.go b/command/certificate/format.go
@@ -85,7 +85,7 @@ func formatAction(ctx *cli.Context) error {
 	}
 
 	switch {
-	case bytes.HasPrefix(crtBytes, []byte("-----BEGIN ")): // PEM format
+	case bytes.Contains(crtBytes, []byte("-----BEGIN ")): // PEM format
 		ob, err = decodeCertificatePem(crtBytes)
 		if err != nil {
 			return err