Add --ca-kms flag to step certificate create

CHANGELOG.md

@@ -37,10 +37,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Detect OIDC tokens issued by Kubernetes (smallstep/cli#953).
 - Add support for Smallstep Managed Endpoint X509 extension
   (smallstep/cli#989).
+- Support signing a certificate for a private key that can only be used for encryption with the `--skip-csr-signature` flag in `step certificate create`. Some KMSs restrict key usage to a single type of cryptographic operation. This blocks RSA decryption keys from being used to sign a CSR for their public key. Using the `--skip-csr-signature` flag, the public key is used directly with a certificate template, removing the need for the CSR signature.
 
 ### Changed
 
 - Increase PBKDF2 iterations to 600k (smallstep/cli#949).
+- `--kms` flag is no longer used for the CA (signing) key for `step certificate create`. It was replaced by the `--ca-kms` flag (smallstep/cli#942).
 
 ### Fixed
 

command/certificate/create.go

@@ -44,11 +44,11 @@
 [**--kms**=<uri>] [**--csr**] [**--profile**=<profile>]
 [**--template**=<file>] [**--set**=<key=value>] [**--set-file**=<file>]
 [**--not-before**=<duration>] [**--not-after**=<duration>]
-[**--password-file**=<file>] [**--ca**=<issuer-cert>]
+[**--password-file**=<file>] [**--ca**=<issuer-cert>] 
 [**--ca-key**=<issuer-key>] [**--ca-password-file**=<file>]
-[**--san**=<SAN>] [**--bundle**] [**--key**=<file>]
+[**--ca-kms**=<uri>] [**--san**=<SAN>] [**--bundle**] [**--key**=<file>]
 [**--kty**=<type>] [**--curve**=<curve>] [**--size**=<size>]
-[**--no-password**] [**--insecure**]`,
+[**--skip-csr-signature**] [**--no-password**] [**--insecure**]`,
 		Description: `**step certificate create** generates a certificate or a
 certificate signing request (CSR) that can be signed later using 'step
 certificate sign' (or some other tool) to produce a certificate.
@@ -350,6 +350,28 @@
   --key 'pkcs11:id=4001' \
   'My KMS Intermediate' intermediate_ca.crt
 '''
+
+Create an intermediate certificate for an RSA decryption key in Google Cloud KMS, signed by a root stored on disk, using <step-kms-plugin>:
+'''
+$ step certificate create \
+  --profile intermediate-ca \ 
+  --kms cloudkms: \ 
+  --ca root_ca.crt --ca-key root_ca_key \  
+  --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
+  --skip-csr-signature \
+  'My RSA Intermediate' intermediate_rsa_ca.crt 
+'''
+
+Create an intermediate certificate for an RSA signing key in Google Cloud KMS, signed by a root stored in an HSM, using <step-kms-plugin>:
+'''
+$ step certificate create \
+  --profile intermediate-ca \ 
+  --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
+  --kms cloudkms: \ 
+  --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
+  --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
+  'My RSA Intermediate' intermediate_rsa_ca.crt 
+'''
 `,
 		Flags: []cli.Flag{
 			flags.KMSUri,
@@ -446,6 +468,14 @@
 				Name:   "insecure",
 				Hidden: true,
 			},
+			cli.StringFlag{
+				Name:  "ca-kms",
+				Usage: "The <uri> to configure the KMS used for signing the certificate",
+			},
+			cli.BoolFlag{
+				Name:  "skip-csr-signature",
+				Usage: "Skip creating and signing a CSR",
+			},
 		},
 	}
 }
@@ -485,17 +515,22 @@
 	}
 
 	var (
-		sans         = ctx.StringSlice("san")
-		profile      = ctx.String("profile")
-		templateFile = ctx.String("template")
-		bundle       = ctx.Bool("bundle")
-		subtle       = ctx.Bool("subtle")
+		sans             = ctx.StringSlice("san")
+		profile          = ctx.String("profile")
+		templateFile     = ctx.String("template")
+		bundle           = ctx.Bool("bundle")
+		subtle           = ctx.Bool("subtle")
+		skipCSRSignature = ctx.Bool("skip-csr-signature")
 	)
 
 	if ctx.IsSet("profile") && templateFile != "" {
 		return errs.IncompatibleFlagWithFlag(ctx, "profile", "template")
 	}
 
+	if ctx.Bool("csr") && skipCSRSignature {
+		return errs.IncompatibleFlagWithFlag(ctx, "csr", "skip-csr-signature")
+	}
+
 	// Read template if passed
 	var template string
 	if templateFile != "" {
@@ -631,20 +666,31 @@
 		defaultValidity = defaultTemplatevalidity
 	}
 
-	// Create X.509 certificate used as base for the certificate
-	cr, err := x509util.CreateCertificateRequest(subject, sans, signer)
-	if err != nil {
-		return err
-	}
-
 	// Create X.509 certificate
 	templateData := x509util.CreateTemplateData(subject, sans)
 	templateData.SetUserData(userData)
-	certificate, err := x509util.NewCertificate(cr, x509util.WithTemplate(template, templateData))
-	if err != nil {
-		return err
+
+	var certTemplate = &x509.Certificate{}
+	if skipCSRSignature {
+		certTemplate.PublicKey = pub
+		certificate, err := x509util.NewCertificateFromX509(certTemplate, x509util.WithTemplate(template, templateData))
+		if err != nil {
+			return err
+		}
+		certTemplate = certificate.GetCertificate()
+	} else {
+		// Create X.509 certificate used as base for the certificate
+		cr, err := x509util.CreateCertificateRequest(subject, sans, priv)
+		if err != nil {
+			return err
+		}
+		certificate, err := x509util.NewCertificate(cr, x509util.WithTemplate(template, templateData))
+		if err != nil {
+			return err
+		}
+		certTemplate = certificate.GetCertificate()
 	}
-	certTemplate := certificate.GetCertificate()
+
 	if parent == nil {
 		parent = certTemplate
 	}
@@ -766,9 +812,9 @@
 	var (
 		caCert   = ctx.String("ca")
 		caKey    = ctx.String("ca-key")
+		caKMS    = ctx.String("ca-kms")
 		profile  = ctx.String("profile")
 		template = ctx.String("template")
-		kms      = ctx.String("kms")
 	)
 
 	// Check required flags when profile is used.
@@ -819,7 +865,7 @@
 		opts = append(opts, pemutil.WithPasswordFile(passFile))
 	}
 
-	signer, err := cryptoutil.CreateSigner(kms, caKey, opts...)
+	signer, err := cryptoutil.CreateSigner(caKMS, caKey, opts...)
 	if err != nil {
 		return nil, nil, err
 	}

internal/cryptoutil/cryptoutil.go

@@ -138,9 +138,13 @@ func IsKMSSigner(signer crypto.Signer) (ok bool) {
 }
 
 // IsX509Signer returns true if the given signer is supported by Go's
-// crypto/x509 package to sign sign X509 certificates. This methods returns true
+// crypto/x509 package to sign X509 certificates. This methods returns true
 // for ECDSA, RSA and Ed25519 keys, but if the kms is `sshagentkms:` it will
 // only return true for Ed25519 keys.
+// TODO(hs): introspect the KMS key to verify that it can actually be
+// used for signing? E.g. for Google Cloud KMS RSA keys can be used for
+// signing or decryption, but only one of those at a time. Trying to use
+// a signing key to decrypt data will result in an error from Cloud KMS.
 func IsX509Signer(signer crypto.Signer) bool {
 	pub := signer.Public()
 	if ks, ok := signer.(*kmsSigner); ok {