-
Notifications
You must be signed in to change notification settings - Fork 268
/
Copy pathoptions.go
357 lines (327 loc) · 10.1 KB
/
options.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
package token
import (
"bytes"
"crypto"
"crypto/ecdh"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/sha256"
"crypto/x509"
"encoding/hex"
"encoding/pem"
"fmt"
"os"
"time"
"github.com/pkg/errors"
nebula "github.com/slackhq/nebula/cert"
"golang.org/x/crypto/ssh"
"go.step.sm/crypto/fingerprint"
"go.step.sm/crypto/jose"
"go.step.sm/crypto/pemutil"
"go.step.sm/crypto/x25519"
)
// Options is a function that set claims.
type Options func(c *Claims) error
// WithClaim is an Options function that adds a custom claim to the JWT.
func WithClaim(name string, value interface{}) Options {
return func(c *Claims) error {
if name == "" {
return errors.New("name cannot be empty")
}
c.Set(name, value)
return nil
}
}
// WithRootCA returns an Options function that calculates the SHA256 of the
// given root certificate to be used in the token claims. If this method it's
// not used the default root certificate in the $STEPPATH secrets directory will
// be used.
func WithRootCA(path string) Options {
return func(c *Claims) error {
cert, err := pemutil.ReadCertificate(path)
if err != nil {
return err
}
sum := sha256.Sum256(cert.Raw)
c.Set(RootSHAClaim, hex.EncodeToString(sum[:]))
return nil
}
}
// WithSHA returns an Options function that sets the SHA claim to the given
// value.
func WithSHA(sum string) Options {
return func(c *Claims) error {
c.Set(RootSHAClaim, sum)
return nil
}
}
// WithSANS returns an Options function that sets the list of required SANs
// in the token claims.
func WithSANS(sans []string) Options {
return func(c *Claims) error {
c.Set(SANSClaim, sans)
return nil
}
}
// WithStep returns an Options function that sets the step claim in the payload.
func WithStep(v interface{}) Options {
return func(c *Claims) error {
c.Set(StepClaim, v)
return nil
}
}
// WithUserData returns an Option function that merges the provided map with the
// existing user claim in the payload.
func WithUserData(v map[string]interface{}) Options {
return func(c *Claims) error {
if _, ok := c.ExtraClaims[UserClaim]; !ok {
c.Set(UserClaim, make(map[string]interface{}))
}
s := c.ExtraClaims[UserClaim]
sm, ok := s.(map[string]interface{})
if !ok {
return fmt.Errorf("%q claim is %T, not map[string]interface{}", UserClaim, s)
}
for k, val := range v {
sm[k] = val
}
return nil
}
}
// WithSSH returns an Options function that sets the step claim with the ssh
// property in the value.
func WithSSH(v interface{}) Options {
return WithStep(map[string]interface{}{
"ssh": v,
})
}
// WithConfirmationFingerprint returns an Options function that sets the cnf
// claim with the given CSR fingerprint.
func WithConfirmationFingerprint(fp string) Options {
return func(c *Claims) error {
c.Set(ConfirmationClaim, map[string]string{
"x5rt#S256": fp,
})
return nil
}
}
// WithFingerprint returns an Options function that the cnf claims with
// "x5rt#S256" representing the fingerprint of the CSR
func WithFingerprint(v any) Options {
return func(c *Claims) error {
var data []byte
switch vv := v.(type) {
case *x509.CertificateRequest:
data = vv.Raw
case ssh.PublicKey:
data = vv.Marshal()
default:
return fmt.Errorf("unsupported fingerprint for %T", v)
}
fp, err := fingerprint.New(data, crypto.SHA256, fingerprint.Base64RawURLFingerprint)
if err != nil {
return err
}
c.Set(ConfirmationClaim, map[string]string{
"x5rt#S256": fp,
})
return nil
}
}
// WithValidity validates boundary inputs and sets the 'nbf' (NotBefore) and
// 'exp' (expiration) options.
func WithValidity(notBefore, expiration time.Time) Options {
return func(c *Claims) error {
now := time.Now().UTC()
if expiration.Before(notBefore) {
return errors.Errorf("nbf < exp: nbf=%v, exp=%v", notBefore, expiration)
}
requestedDelay := notBefore.Sub(now)
if requestedDelay > MaxValidityDelay {
return errors.Errorf("requested validity delay is too long: 'requested validity delay'=%v, 'max validity delay'=%v", requestedDelay, MaxValidityDelay)
}
requestedValidity := expiration.Sub(notBefore)
if requestedValidity < MinValidity {
return errors.Errorf("requested token validity is too short: 'requested token validity'=%v, 'minimum token validity'=%v", requestedValidity, MinValidity)
} else if requestedValidity > MaxValidity {
return errors.Errorf("requested token validity is too long: 'requested token validity'=%v, 'maximum token validity'=%v", requestedValidity, MaxValidity)
}
c.NotBefore = jose.NewNumericDate(notBefore)
c.Expiry = jose.NewNumericDate(expiration)
return nil
}
}
// WithIssuer returns an Options function that sets the issuer to use in the
// token claims. If Issuer is not used the default issuer will be used.
func WithIssuer(s string) Options {
return func(c *Claims) error {
if s == "" {
return errors.New("issuer cannot be empty")
}
c.Issuer = s
return nil
}
}
// WithSubject returns an Options that sets the subject to use in the token
// claims.
func WithSubject(s string) Options {
return func(c *Claims) error {
if s == "" {
return errors.New("subject cannot be empty")
}
c.Subject = s
return nil
}
}
// WithAudience returns a Options that sets the audience to use in the token
// claims. If Audience is not used the default audience will be used.
func WithAudience(s string) Options {
return func(c *Claims) error {
if s == "" {
return errors.New("audience cannot be empty")
}
c.Audience = append(jose.Audience{}, s)
return nil
}
}
// WithJWTID returns a Options that sets the jwtID to use in the token
// claims. If WithJWTID is not used a random identifier will be used.
func WithJWTID(s string) Options {
return func(c *Claims) error {
if s == "" {
return errors.New("jwtID cannot be empty")
}
c.ID = s
return nil
}
}
// WithKid returns a Options that sets the header kid claims.
// If WithKid is not used a thumbprint using SHA256 will be used.
func WithKid(s string) Options {
return func(c *Claims) error {
if s == "" {
return errors.New("kid cannot be empty")
}
c.SetHeader("kid", s)
return nil
}
}
// WithX5CFile returns a Options that sets the header x5c claims.
func WithX5CFile(certFile string, key interface{}) Options {
return func(c *Claims) error {
certs, err := pemutil.ReadCertificateBundle(certFile)
if err != nil {
return err
}
certStrs, err := jose.ValidateX5C(certs, key)
if err != nil {
return errors.Wrap(err, "error validating x5c certificate chain and key for use in x5c header")
}
c.SetHeader("x5c", certStrs)
return nil
}
}
// WithX5CCerts returns a Options that sets the header x5c claims from a cert in memory
func WithX5CCerts(certs []*x509.Certificate, key interface{}) Options {
return func(c *Claims) error {
certStrs, err := jose.ValidateX5C(certs, key)
if err != nil {
return errors.Wrap(err, "error validating x5c certificate chain and key for use in x5c header")
}
c.SetHeader("x5c", certStrs)
return nil
}
}
var pemCertPrefix = []byte("-----BEGIN")
// WithNebulaCert returns a Options that sets the nebula header.
func WithNebulaCert(certFile string, anyKey any) Options {
return func(c *Claims) error {
b, err := os.ReadFile(certFile)
if err != nil {
return errors.Wrapf(err, "error reading %s", certFile)
}
if bytes.HasPrefix(b, pemCertPrefix) {
block, _ := pem.Decode(b)
if block == nil || block.Type != nebula.CertBanner {
return errors.Errorf("error reading %s: not a proper nebula certificate", certFile)
}
b = block.Bytes
}
crt, err := nebula.UnmarshalNebulaCertificate(b)
if err != nil {
return errors.Wrapf(err, "error reading %s", certFile)
}
var key []byte
var curve nebula.Curve
switch k := anyKey.(type) {
case x25519.PrivateKey:
key = []byte(k)
curve = nebula.Curve_CURVE25519
case ed25519.PrivateKey:
key = []byte(k)
curve = nebula.Curve_CURVE25519
case []byte:
key = k
curve = nebula.Curve_CURVE25519
case *ecdsa.PrivateKey:
pk, err := k.ECDH()
if err != nil {
return fmt.Errorf("failed transforming to ECDH key: %w", err)
}
key = pk.Bytes()
curve = nebula.Curve_P256
case *ecdh.PrivateKey:
key = k.Bytes()
curve = nebula.Curve_P256
default:
return errors.Errorf("key content is not a valid nebula key; got type %T", anyKey)
}
if err := crt.VerifyPrivateKey(curve, key); err != nil {
return errors.Wrapf(err, "error validating %s", certFile)
}
c.SetHeader("nebula", b)
return nil
}
}
// WithX5CInsecureFile returns a Options that sets the header x5cAllowInvalid claims.
// The `x5c` claims can only be accessed by running a method on the jose Token
// which validates the certificate chain before returning it. This option serves
// a use case where the user would prefer not to validate the certificate chain
// before returning it. Presumably the user would then perform their own validation.
// NOTE: here be dragons. Use WithX5CFile unless you know what you are doing.
func WithX5CInsecureFile(certFile string, key interface{}) Options {
return func(c *Claims) error {
certs, err := pemutil.ReadCertificateBundle(certFile)
if err != nil {
return err
}
certStrs, err := jose.ValidateX5C(certs, key)
if err != nil {
return errors.Wrap(err, "error validating x5c certificate chain and key for use in x5c header")
}
c.SetHeader(jose.X5cInsecureKey, certStrs)
return nil
}
}
// WithX5CInsecureCerts returns a Options that sets the header x5cAllowInvalid claims using the cert in memory
func WithX5CInsecureCerts(certs []*x509.Certificate, key interface{}) Options {
return func(c *Claims) error {
certStrs, err := jose.ValidateX5C(certs, key)
if err != nil {
return errors.Wrap(err, "error validating x5c certificate chain and key for use in x5c header")
}
c.SetHeader(jose.X5cInsecureKey, certStrs)
return nil
}
}
// WithSSHPOPFile returns a Options that sets the header sshpop claims.
func WithSSHPOPFile(certFile string, key interface{}) Options {
return func(c *Claims) error {
certStrs, err := jose.ValidateSSHPOP(certFile, key)
if err != nil {
return errors.Wrap(err, "error validating SSH certificate and key for use in sshpop header")
}
c.SetHeader("sshpop", certStrs)
return nil
}
}