consul/tlsutil/generate.go

package tlsutil

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"

	"net/url"

	"github.com/hashicorp/consul/agent/connect"
)

// GenerateSerialNumber returns random bigint generated with crypto/rand
func GenerateSerialNumber() (*big.Int, error) {
	l := new(big.Int).Lsh(big.NewInt(1), 128)
	s, err := rand.Int(rand.Reader, l)
	if err != nil {
		return nil, err
	}
	return s, nil
}

// GeneratePrivateKey generates a new ecdsa private key
func GeneratePrivateKey() (crypto.Signer, string, error) {
	return connect.GeneratePrivateKey()
}

type CAOpts struct {
	Signer              crypto.Signer
	Serial              *big.Int
	ClusterID           string
	Days                int
	PermittedDNSDomains []string
	Domain              string
	Name                string
}

type CertOpts struct {
	Signer      crypto.Signer
	CA          string
	Serial      *big.Int
	Name        string
	Days        int
	DNSNames    []string
	IPAddresses []net.IP
	ExtKeyUsage []x509.ExtKeyUsage
	IsCA        bool
}

// GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)
func GenerateCA(opts CAOpts) (string, string, error) {
	signer := opts.Signer
	var pk string
	if signer == nil {
		var err error
		signer, pk, err = GeneratePrivateKey()
		if err != nil {
			return "", "", err
		}
	}

	id, err := keyID(signer.Public())
	if err != nil {
		return "", "", err
	}

	sn := opts.Serial
	if sn == nil {
		var err error
		sn, err = GenerateSerialNumber()
		if err != nil {
			return "", "", err
		}
	}
	name := opts.Name
	if name == "" {
		name = fmt.Sprintf("Consul Agent CA %d", sn)
	}

	days := opts.Days
	if opts.Days == 0 {
		days = 365
	}

	var uris []*url.URL
	if opts.ClusterID != "" {
		spiffeID := connect.SpiffeIDSigning{ClusterID: opts.ClusterID, Domain: opts.Domain}
		uris = []*url.URL{spiffeID.URI()}
	}

	// Create the CA cert
	template := x509.Certificate{
		SerialNumber: sn,
		URIs:         uris,
		Subject: pkix.Name{
			Country:       []string{"US"},
			PostalCode:    []string{"94105"},
			Province:      []string{"CA"},
			Locality:      []string{"San Francisco"},
			StreetAddress: []string{"101 Second Street"},
			Organization:  []string{"HashiCorp Inc."},
			CommonName:    name,
		},
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
		IsCA:                  true,
		NotAfter:              time.Now().AddDate(0, 0, days),
		NotBefore:             time.Now(),
		AuthorityKeyId:        id,
		SubjectKeyId:          id,
	}

	if len(opts.PermittedDNSDomains) > 0 {
		template.PermittedDNSDomainsCritical = true
		template.PermittedDNSDomains = opts.PermittedDNSDomains
	}
	bs, err := x509.CreateCertificate(
		rand.Reader, &template, &template, signer.Public(), signer)
	if err != nil {
		return "", "", fmt.Errorf("error generating CA certificate: %s", err)
	}

	var buf bytes.Buffer
	err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
	if err != nil {
		return "", "", fmt.Errorf("error encoding private key: %s", err)
	}

	return buf.String(), pk, nil
}

// GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)
func GenerateCert(opts CertOpts) (string, string, error) {
	parent, err := parseCert(opts.CA)
	if err != nil {
		return "", "", fmt.Errorf("failed to parse CA: %w", err)
	}

	signee, pk, err := GeneratePrivateKey()
	if err != nil {
		return "", "", fmt.Errorf("failed to generate private key: %w", err)
	}

	id, err := keyID(signee.Public())
	if err != nil {
		return "", "", fmt.Errorf("failed to get keyID from public key: %w", err)
	}

	sn := opts.Serial
	if sn == nil {
		var err error
		sn, err = GenerateSerialNumber()
		if err != nil {
			return "", "", err
		}
	}

	template := x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: opts.Name},
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           opts.ExtKeyUsage,
		IsCA:                  false,
		NotAfter:              time.Now().AddDate(0, 0, opts.Days),
		NotBefore:             time.Now(),
		SubjectKeyId:          id,
		DNSNames:              opts.DNSNames,
		IPAddresses:           opts.IPAddresses,
	}
	if opts.IsCA {
		template.IsCA = true
		template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature
	}

	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)
	if err != nil {
		return "", "", fmt.Errorf("failed to create certificate: %w", err)
	}

	var buf bytes.Buffer
	err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
	if err != nil {
		return "", "", fmt.Errorf("error encoding private key: %s", err)
	}

	return buf.String(), pk, nil
}

// KeyId returns a x509 KeyId from the given signing key.
func keyID(raw interface{}) ([]byte, error) {
	switch raw.(type) {
	case *ecdsa.PublicKey:
	case *rsa.PublicKey:
	default:
		return nil, fmt.Errorf("invalid key type: %T", raw)
	}

	// This is not standard; RFC allows any unique identifier as long as they
	// match in subject/authority chains but suggests specific hashing of DER
	// bytes of public key including DER tags.
	bs, err := x509.MarshalPKIXPublicKey(raw)
	if err != nil {
		return nil, err
	}

	// String formatted
	kID := sha256.Sum256(bs)
	return kID[:], nil
}

func parseCert(pemValue string) (*x509.Certificate, error) {
	// The _ result below is not an error but the remaining PEM bytes.
	block, _ := pem.Decode([]byte(pemValue))
	if block == nil {
		return nil, fmt.Errorf("no PEM-encoded data found")
	}

	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("first PEM-block should be CERTIFICATE type")
	}

	return x509.ParseCertificate(block.Bytes)
}

// ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key
// is expected to be the first block in the PEM value.
func ParseSigner(pemValue string) (crypto.Signer, error) {
	return connect.ParseSigner(pemValue)
}

func Verify(caString, certString, dns string) error {
	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(caString))
	if !ok {
		return fmt.Errorf("failed to parse root certificate")
	}

	cert, err := parseCert(certString)
	if err != nil {
		return fmt.Errorf("failed to parse certificate")
	}

	opts := x509.VerifyOptions{
		DNSName: fmt.Sprint(dns),
		Roots:   roots,
	}

	_, err = cert.Verify(opts)
	return err
}
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 5 years ago			`package tlsutil`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago
			`import (`
			`"bytes"`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/rand"`
Reuse Connect.parseSigner.Adds change from #8898 Co-authored-by: Aliaksandr Mianzhynski <amenzhinsky@gmail.com> 4 years ago			`"crypto/rsa"`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`"crypto/sha256"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"fmt"`
			`"math/big"`
			`"net"`
			`"time"`
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492) The fields in the certs are meant to hold the original binary representation of this data, not some ascii-encoded version. The only time we should be colon-hex-encoding fields is for display purposes or marshaling through non-TLS mediums (like RPC). 5 years ago
Add flags to support CA generation for Connect (#9585) 4 years ago			`"net/url"`
connect/ca: cease including the common name field in generated certs (#10424) As part of this change, we ensure that the SAN extensions are marked as critical when the subject is empty so that AWS PCA tolerates the loss of common names well and continues to function as a Connect CA provider. Parts of this currently hack around a bug in crypto/x509 and can be removed after https://go-review.googlesource.com/c/go/+/329129 lands in a Go release. Note: the AWS PCA tests do not run automatically, but the following passed locally for me: ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS 3 years ago
			`"github.com/hashicorp/consul/agent/connect"`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`)`

			`// GenerateSerialNumber returns random bigint generated with crypto/rand`
			`func GenerateSerialNumber() (*big.Int, error) {`
			`l := new(big.Int).Lsh(big.NewInt(1), 128)`
			`s, err := rand.Int(rand.Reader, l)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return s, nil`
			`}`

			`// GeneratePrivateKey generates a new ecdsa private key`
			`func GeneratePrivateKey() (crypto.Signer, string, error) {`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`return connect.GeneratePrivateKey()`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

Add flags to support CA generation for Connect (#9585) 4 years ago			`type CAOpts struct {`
			`Signer crypto.Signer`
			`Serial *big.Int`
			`ClusterID string`
			`Days int`
			`PermittedDNSDomains []string`
			`Domain string`
			`Name string`
			`}`

introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`type CertOpts struct {`
			`Signer crypto.Signer`
			`CA string`
			`Serial *big.Int`
			`Name string`
			`Days int`
			`DNSNames []string`
			`IPAddresses []net.IP`
			`ExtKeyUsage []x509.ExtKeyUsage`
tls: consider presented intermediates during server connection tls handshake. (#10964) * use intermediates when verifying * extract connection state * remove useless import * add changelog entry * golint * better error * wording * collect errors * use SAN.DNSName instead of CommonName * Add test for unknown intermediate * improve changelog entry 3 years ago			`IsCA bool`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`}`

Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`// GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)`
Add flags to support CA generation for Connect (#9585) 4 years ago			`func GenerateCA(opts CAOpts) (string, string, error) {`
			`signer := opts.Signer`
			`var pk string`
			`if signer == nil {`
			`var err error`
			`signer, pk, err = GeneratePrivateKey()`
			`if err != nil {`
			`return "", "", err`
			`}`
			`}`

Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`id, err := keyID(signer.Public())`
			`if err != nil {`
Add flags to support CA generation for Connect (#9585) 4 years ago			`return "", "", err`
			`}`

			`sn := opts.Serial`
			`if sn == nil {`
			`var err error`
			`sn, err = GenerateSerialNumber()`
			`if err != nil {`
			`return "", "", err`
			`}`
			`}`
			`name := opts.Name`
			`if name == "" {`
			`name = fmt.Sprintf("Consul Agent CA %d", sn)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

Add flags to support CA generation for Connect (#9585) 4 years ago			`days := opts.Days`
			`if opts.Days == 0 {`
			`days = 365`
			`}`

			`var uris []*url.URL`
			`if opts.ClusterID != "" {`
			`spiffeID := connect.SpiffeIDSigning{ClusterID: opts.ClusterID, Domain: opts.Domain}`
			`uris = []*url.URL{spiffeID.URI()}`
			`}`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago
			`// Create the CA cert`
			`template := x509.Certificate{`
			`SerialNumber: sn,`
Add flags to support CA generation for Connect (#9585) 4 years ago			`URIs: uris,`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`Subject: pkix.Name{`
			`Country: []string{"US"},`
			`PostalCode: []string{"94105"},`
			`Province: []string{"CA"},`
			`Locality: []string{"San Francisco"},`
			`StreetAddress: []string{"101 Second Street"},`
			`Organization: []string{"HashiCorp Inc."},`
			`CommonName: name,`
			`},`
			`BasicConstraintsValid: true,`
			`KeyUsage: x509.KeyUsageCertSign \| x509.KeyUsageCRLSign \| x509.KeyUsageDigitalSignature,`
			`IsCA: true,`
			`NotAfter: time.Now().AddDate(0, 0, days),`
			`NotBefore: time.Now(),`
			`AuthorityKeyId: id,`
			`SubjectKeyId: id,`
			`}`

Add flags to support CA generation for Connect (#9585) 4 years ago			`if len(opts.PermittedDNSDomains) > 0 {`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`template.PermittedDNSDomainsCritical = true`
Add flags to support CA generation for Connect (#9585) 4 years ago			`template.PermittedDNSDomains = opts.PermittedDNSDomains`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`
			`bs, err := x509.CreateCertificate(`
			`rand.Reader, &template, &template, signer.Public(), signer)`
			`if err != nil {`
Add flags to support CA generation for Connect (#9585) 4 years ago			`return "", "", fmt.Errorf("error generating CA certificate: %s", err)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

			`var buf bytes.Buffer`
			`err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})`
			`if err != nil {`
Add flags to support CA generation for Connect (#9585) 4 years ago			`return "", "", fmt.Errorf("error encoding private key: %s", err)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

Add flags to support CA generation for Connect (#9585) 4 years ago			`return buf.String(), pk, nil`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

			`// GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`func GenerateCert(opts CertOpts) (string, string, error) {`
			`parent, err := parseCert(opts.CA)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`if err != nil {`
tlsutil: only AuthorizerServerConn when VerifyIncomingRPC is true See github.com/hashicorp/consul/issues/11207 When VerifyIncomingRPC is false the TLS conn will not have the required certificates. 3 years ago			`return "", "", fmt.Errorf("failed to parse CA: %w", err)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

			`signee, pk, err := GeneratePrivateKey()`
			`if err != nil {`
tlsutil: only AuthorizerServerConn when VerifyIncomingRPC is true See github.com/hashicorp/consul/issues/11207 When VerifyIncomingRPC is false the TLS conn will not have the required certificates. 3 years ago			`return "", "", fmt.Errorf("failed to generate private key: %w", err)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

			`id, err := keyID(signee.Public())`
			`if err != nil {`
tlsutil: only AuthorizerServerConn when VerifyIncomingRPC is true See github.com/hashicorp/consul/issues/11207 When VerifyIncomingRPC is false the TLS conn will not have the required certificates. 3 years ago			`return "", "", fmt.Errorf("failed to get keyID from public key: %w", err)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`sn := opts.Serial`
			`if sn == nil {`
			`var err error`
			`sn, err = GenerateSerialNumber()`
			`if err != nil {`
			`return "", "", err`
			`}`
			`}`

Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`template := x509.Certificate{`
			`SerialNumber: sn,`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`Subject: pkix.Name{CommonName: opts.Name},`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`BasicConstraintsValid: true,`
			`KeyUsage: x509.KeyUsageDigitalSignature \| x509.KeyUsageKeyEncipherment,`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`ExtKeyUsage: opts.ExtKeyUsage,`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`IsCA: false,`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`NotAfter: time.Now().AddDate(0, 0, opts.Days),`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`NotBefore: time.Now(),`
			`SubjectKeyId: id,`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`DNSNames: opts.DNSNames,`
			`IPAddresses: opts.IPAddresses,`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`
tls: consider presented intermediates during server connection tls handshake. (#10964) * use intermediates when verifying * extract connection state * remove useless import * add changelog entry * golint * better error * wording * collect errors * use SAN.DNSName instead of CommonName * Add test for unknown intermediate * improve changelog entry 3 years ago			`if opts.IsCA {`
			`template.IsCA = true`
			`template.KeyUsage = x509.KeyUsageCertSign \| x509.KeyUsageCRLSign \| x509.KeyUsageDigitalSignature`
			`}`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 4 years ago			`bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`if err != nil {`
tlsutil: only AuthorizerServerConn when VerifyIncomingRPC is true See github.com/hashicorp/consul/issues/11207 When VerifyIncomingRPC is false the TLS conn will not have the required certificates. 3 years ago			`return "", "", fmt.Errorf("failed to create certificate: %w", err)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

			`var buf bytes.Buffer`
			`err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})`
			`if err != nil {`
			`return "", "", fmt.Errorf("error encoding private key: %s", err)`
			`}`

			`return buf.String(), pk, nil`
			`}`

			`// KeyId returns a x509 KeyId from the given signing key.`
			`func keyID(raw interface{}) ([]byte, error) {`
			`switch raw.(type) {`
			`case *ecdsa.PublicKey:`
Add RSA Support to KeyID 5 years ago			`case *rsa.PublicKey:`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`default:`
			`return nil, fmt.Errorf("invalid key type: %T", raw)`
			`}`

			`// This is not standard; RFC allows any unique identifier as long as they`
			`// match in subject/authority chains but suggests specific hashing of DER`
			`// bytes of public key including DER tags.`
			`bs, err := x509.MarshalPKIXPublicKey(raw)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// String formatted`
			`kID := sha256.Sum256(bs)`
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492) The fields in the certs are meant to hold the original binary representation of this data, not some ascii-encoded version. The only time we should be colon-hex-encoding fields is for display purposes or marshaling through non-TLS mediums (like RPC). 5 years ago			`return kID[:], nil`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

			`func parseCert(pemValue string) (*x509.Certificate, error) {`
			`// The _ result below is not an error but the remaining PEM bytes.`
			`block, _ := pem.Decode([]byte(pemValue))`
			`if block == nil {`
			`return nil, fmt.Errorf("no PEM-encoded data found")`
			`}`

			`if block.Type != "CERTIFICATE" {`
			`return nil, fmt.Errorf("first PEM-block should be CERTIFICATE type")`
			`}`

			`return x509.ParseCertificate(block.Bytes)`
			`}`

			`// ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key`
			`// is expected to be the first block in the PEM value.`
			`func ParseSigner(pemValue string) (crypto.Signer, error) {`
Add RSA Test case for generating CA Cert 4 years ago			`return connect.ParseSigner(pemValue)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`}`

			`func Verify(caString, certString, dns string) error {`
			`roots := x509.NewCertPool()`
			`ok := roots.AppendCertsFromPEM([]byte(caString))`
			`if !ok {`
			`return fmt.Errorf("failed to parse root certificate")`
			`}`

			`cert, err := parseCert(certString)`
			`if err != nil {`
			`return fmt.Errorf("failed to parse certificate")`
			`}`

			`opts := x509.VerifyOptions{`
ci: Add staticcheck and fix most errors Three of the checks are temporarily disabled to limit the size of the diff, and allow us to enable all the other checks in CI. In a follow up we can fix the issues reported by the other checks one at a time, and enable them. 5 years ago			`DNSName: fmt.Sprint(dns),`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 6 years ago			`Roots: roots,`
			`}`

			`_, err = cert.Verify(opts)`
			`return err`
			`}`