Allow custom SCEP key manager

This commit allows to inject a custom key manger for SCEP.
smallstep · Apr 10, 2024 · 06a9d2e · 06a9d2e
1 parent 976bf0c
commit 06a9d2e
Show file tree

Hide file tree

Showing 8 changed files with 435 additions and 127 deletions.
diff --git a/authority/authority.go b/authority/authority.go
@@ -62,9 +62,10 @@ type Authority struct {
  x509Enforcers []provisioner.CertificateEnforcer
 
  // SCEP CA
- scepOptions *scep.Options
- validateSCEP bool
- scepAuthority *scep.Authority
+ scepOptions *scep.Options
+ validateSCEP bool
+ scepAuthority *scep.Authority
+ scepKeyManager provisioner.SCEPKeyManager
 
  // SSH CA
  sshHostPassword []byte

diff --git a/authority/options.go b/authority/options.go
@@ -226,6 +226,16 @@ func WithFullSCEPOptions(options *scep.Options) Option {
  }
 }
 
+// WithSCEPKeyManager defines the key manager used on SCEP provisioners.
+//
+// This feature is EXPERIMENTAL and might change at any time.
+func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option {
+ return func(a *Authority) error {
+ a.scepKeyManager = skm
+ return nil
+ }
+}
+
 // WithSSHUserSigner defines the signer used to sign SSH user certificates.
 func WithSSHUserSigner(s crypto.Signer) Option {
  return func(a *Authority) error {

diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go
@@ -10,6 +10,7 @@ import (
  "strings"
 
  "github.com/pkg/errors"
+ kmsapi "go.step.sm/crypto/kms/apiv1"
  "golang.org/x/crypto/ssh"
 
  "github.com/smallstep/certificates/errs"
@@ -231,6 +232,13 @@ type SSHKeys struct {
  HostKeys []ssh.PublicKey
 }
 
+// SCEPKeyManager is a KMS interface that combines a KeyManager with a
+// Decrypter.
+type SCEPKeyManager interface {
+ kmsapi.KeyManager
+ kmsapi.Decrypter
+}
+
 // Config defines the default parameters used in the initialization of
 // provisioners.
 type Config struct {
@@ -251,6 +259,8 @@ type Config struct {
  AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc
  // WebhookClient is an http client to use in webhook request
  WebhookClient *http.Client
+ // SCEPKeyManager, if defined, is the interface used by SCEP provisioners.
+ SCEPKeyManager SCEPKeyManager
 }
 
 type provisioner struct {

diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
@@ -15,7 +15,6 @@ import (
 
  "go.step.sm/crypto/kms"
  kmsapi "go.step.sm/crypto/kms/apiv1"
- "go.step.sm/crypto/kms/uri"
  "go.step.sm/linkedca"
 
  "github.com/smallstep/certificates/webhook"
@@ -59,7 +58,7 @@ type SCEP struct {
  encryptionAlgorithm int
  challengeValidationController *challengeValidationController
  notificationController *notificationController
- keyManager kmsapi.KeyManager
+ keyManager SCEPKeyManager
  decrypter crypto.Decrypter
  decrypterCertificate *x509.Certificate
  signer crypto.Signer
@@ -269,76 +268,83 @@ func (s *SCEP) Init(config Config) (err error) {
  )
 
  // parse the decrypter key PEM contents if available
- if decryptionKeyPEM := s.DecrypterKeyPEM; len(decryptionKeyPEM) > 0 {
+ if len(s.DecrypterKeyPEM) > 0 {
  // try reading the PEM for validation
- block, rest := pem.Decode(decryptionKeyPEM)
+ block, rest := pem.Decode(s.DecrypterKeyPEM)
  if len(rest) > 0 {
  return errors.New("failed parsing decrypter key: trailing data")
  }
  if block == nil {
  return errors.New("failed parsing decrypter key: no PEM block found")
  }
+
  opts := kms.Options{
  Type: kmsapi.SoftKMS,
  }
- if s.keyManager, err = kms.New(context.Background(), opts); err != nil {
+ km, err := kms.New(context.Background(), opts)
+ if err != nil {
  return fmt.Errorf("failed initializing kms: %w", err)
  }
- kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter)
+ scepKeyManager, ok := km.(SCEPKeyManager)
  if !ok {
  return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
  }
- if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
- DecryptionKeyPEM: decryptionKeyPEM,
+ s.keyManager = scepKeyManager
+
+ if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+ DecryptionKeyPEM: s.DecrypterKeyPEM,
  Password: []byte(s.DecrypterKeyPassword),
  PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
  }); err != nil {
  return fmt.Errorf("failed creating decrypter: %w", err)
  }
  if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
- SigningKeyPEM: decryptionKeyPEM, // TODO(hs): support distinct signer key in the future?
+ SigningKeyPEM: s.DecrypterKeyPEM, // TODO(hs): support distinct signer key in the future?
  Password: []byte(s.DecrypterKeyPassword),
  PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
  }); err != nil {
  return fmt.Errorf("failed creating signer: %w", err)
  }
  }
 
- if decryptionKeyURI := s.DecrypterKeyURI; decryptionKeyURI != "" {
- u, err := uri.Parse(s.DecrypterKeyURI)
+ if s.DecrypterKeyURI != "" {
+ kmsType, err := kmsapi.TypeOf(s.DecrypterKeyURI)
  if err != nil {
  return fmt.Errorf("failed parsing decrypter key: %w", err)
  }
- var kmsType kmsapi.Type
- switch {
- case u.Scheme != "":
- kmsType = kms.Type(u.Scheme)
- default:
- kmsType = kmsapi.SoftKMS
- }
- opts := kms.Options{
- Type: kmsType,
- URI: s.DecrypterKeyURI,
- }
- if s.keyManager, err = kms.New(context.Background(), opts); err != nil {
- return fmt.Errorf("failed initializing kms: %w", err)
- }
- kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter)
- if !ok {
- return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
- }
- if kmsType != "softkms" { // TODO(hs): this should likely become more transparent?
- decryptionKeyURI = u.Opaque
- }
- if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
- DecryptionKey: decryptionKeyURI,
+
+ if config.SCEPKeyManager != nil {
+ s.keyManager = config.SCEPKeyManager
+ } else {
+ if kmsType == kmsapi.DefaultKMS {
+ kmsType = kmsapi.SoftKMS
+ }
+ opts := kms.Options{
+ Type: kmsType,
+ URI: s.DecrypterKeyURI,
+ }
+ km, err := kms.New(context.Background(), opts)
+ if err != nil {
+ return fmt.Errorf("failed initializing kms: %w", err)
+ }
+ scepKeyManager, ok := km.(SCEPKeyManager)
+ if !ok {
+ return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
+ }
+ s.keyManager = scepKeyManager
+ }
+
+ // Create decrypter and signer with the same key:
+ // TODO(hs): support distinct signer key in the future?
+ if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+ DecryptionKey: s.DecrypterKeyURI,
  Password: []byte(s.DecrypterKeyPassword),
  PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
  }); err != nil {
  return fmt.Errorf("failed creating decrypter: %w", err)
  }
  if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
- SigningKey: decryptionKeyURI, // TODO(hs): support distinct signer key in the future?
+ SigningKey: s.DecrypterKeyURI,
  Password: []byte(s.DecrypterKeyPassword),
  PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
  }); err != nil {