agent/connect: use proper keyusage fields for CA and leaf

This commit is contained in:
Mitchell Hashimoto 2018-03-24 08:32:42 -10:00
parent 73442ada5a
commit 0cbcb07d61
No known key found for this signature in database
GPG Key ID: 744E147AA52F5B0A
2 changed files with 27 additions and 24 deletions

View File

@ -6,7 +6,6 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/sha256"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
@ -67,12 +66,14 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
PermittedDNSDomainsCritical: true, PermittedDNSDomainsCritical: true,
PermittedDNSDomains: []string{uri.Hostname()}, PermittedDNSDomains: []string{uri.Hostname()},
BasicConstraintsValid: true, BasicConstraintsValid: true,
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, KeyUsage: x509.KeyUsageCertSign |
IsCA: true, x509.KeyUsageCRLSign |
NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour), x509.KeyUsageDigitalSignature,
NotBefore: time.Now(), IsCA: true,
AuthorityKeyId: testKeyID(t, signer.Public()), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
SubjectKeyId: testKeyID(t, signer.Public()), NotBefore: time.Now(),
AuthorityKeyId: testKeyID(t, signer.Public()),
SubjectKeyId: testKeyID(t, signer.Public()),
} }
bs, err := x509.CreateCertificate( bs, err := x509.CreateCertificate(
@ -100,7 +101,11 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
t.Fatalf("error parsing signing key: %s", err) t.Fatalf("error parsing signing key: %s", err)
} }
// Set the authority key to be the previous one // Set the authority key to be the previous one.
// NOTE(mitchellh): From Paul Banks: if we have to cross-sign a cert
// that came from outside (e.g. vault) we can't rely on them using the
// same KeyID hashing algo we do so we'd need to actually copy this
// from the xc cert's subjectKeyIdentifier extension.
template.AuthorityKeyId = testKeyID(t, xcsigner.Public()) template.AuthorityKeyId = testKeyID(t, xcsigner.Public())
// Create the new certificate where the parent is the previous // Create the new certificate where the parent is the previous
@ -161,7 +166,10 @@ func TestLeaf(t testing.T, service string, root *structs.CARoot) string {
URIs: []*url.URL{spiffeId.URI()}, URIs: []*url.URL{spiffeId.URI()},
SignatureAlgorithm: x509.ECDSAWithSHA256, SignatureAlgorithm: x509.ECDSAWithSHA256,
BasicConstraintsValid: true, BasicConstraintsValid: true,
KeyUsage: x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement, KeyUsage: x509.KeyUsageDataEncipherment |
x509.KeyUsageKeyAgreement |
x509.KeyUsageDigitalSignature |
x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{ ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageServerAuth,
@ -230,23 +238,15 @@ func TestCSR(t testing.T, id SpiffeID) (string, string) {
return csrBuf.String(), pkBuf.String() return csrBuf.String(), pkBuf.String()
} }
// testKeyID returns a KeyID from the given public key. The "raw" must be // testKeyID returns a KeyID from the given public key. This just calls
// an *ecdsa.PublicKey, but is an interface type to suppot crypto.Signer.Public // KeyId but handles errors for tests.
// values.
func testKeyID(t testing.T, raw interface{}) []byte { func testKeyID(t testing.T, raw interface{}) []byte {
pub, ok := raw.(*ecdsa.PublicKey) result, err := KeyId(raw)
if !ok { if err != nil {
t.Fatalf("raw is type %T, expected *ecdsa.PublicKey", raw) t.Fatalf("KeyId error: %s", err)
} }
// This is not standard; RFC allows any unique identifier as long as they return result
// match in subject/authority chains but suggests specific hashing of DER
// bytes of public key including DER tags. I can't be bothered to do esp.
// since ECDSA keys don't have a handy way to marshal the publick key alone.
h := sha256.New()
h.Write(pub.X.Bytes())
h.Write(pub.Y.Bytes())
return h.Sum([]byte{})
} }
// testMemoizePK is the private key that we memoize once we generate it // testMemoizePK is the private key that we memoize once we generate it

View File

@ -232,7 +232,10 @@ func (s *ConnectCA) Sign(
PublicKeyAlgorithm: csr.PublicKeyAlgorithm, PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
PublicKey: csr.PublicKey, PublicKey: csr.PublicKey,
BasicConstraintsValid: true, BasicConstraintsValid: true,
KeyUsage: x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement, KeyUsage: x509.KeyUsageDataEncipherment |
x509.KeyUsageKeyAgreement |
x509.KeyUsageDigitalSignature |
x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{ ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageServerAuth,