treewide: introduce osbase package and move things around
All except localregistry moved from metropolis/pkg to osbase,
localregistry moved to metropolis/test as its only used there anyway.
Change-Id: If1a4bf377364bef0ac23169e1b90379c71b06d72
Reviewed-on: https://review.monogon.dev/c/monogon/+/3079
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/osbase/pki/BUILD.bazel b/osbase/pki/BUILD.bazel
new file mode 100644
index 0000000..c7087d1
--- /dev/null
+++ b/osbase/pki/BUILD.bazel
@@ -0,0 +1,34 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+ name = "pki",
+ srcs = [
+ "ca.go",
+ "certificate.go",
+ "crl.go",
+ "x509.go",
+ ],
+ importpath = "source.monogon.dev/osbase/pki",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//osbase/event",
+ "//osbase/event/etcd",
+ "//osbase/fileargs",
+ "@io_etcd_go_etcd_client_v3//:client",
+ ],
+)
+
+go_test(
+ name = "pki_test",
+ srcs = [
+ "certificate_test.go",
+ "crl_test.go",
+ ],
+ embed = [":pki"],
+ deps = [
+ "//osbase/logtree",
+ "@io_etcd_go_etcd_client_pkg_v3//testutil",
+ "@io_etcd_go_etcd_tests_v3//integration",
+ "@org_uber_go_zap//:zap",
+ ],
+)
diff --git a/osbase/pki/ca.go b/osbase/pki/ca.go
new file mode 100644
index 0000000..b8c2aed
--- /dev/null
+++ b/osbase/pki/ca.go
@@ -0,0 +1,133 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pki
+
+import (
+ "context"
+ "crypto/ed25519"
+ "crypto/rand"
+ "crypto/x509"
+ "fmt"
+ "math/big"
+ "time"
+
+ clientv3 "go.etcd.io/etcd/client/v3"
+)
+
+// Issuer is an entity that can issue certificates. This interface is
+// implemented by SelfSigned, which is an issuer that emits self-signed
+// certificates, and any other Certificate that has been created with CA(),
+// which makes this Certificate act as a CA and issue (sign) ceritficates.
+type Issuer interface {
+ // CACertificate returns the DER-encoded x509 certificate of the CA that
+ // will sign certificates when Issue is called, or nil if this is
+ // self-signing issuer.
+ CACertificate(ctx context.Context, kv clientv3.KV) ([]byte, error)
+ // Issue will generate a certificate signed by the Issuer. The returned
+ // certificate is x509 DER-encoded.
+ Issue(ctx context.Context, req *Certificate, kv clientv3.KV) (cert []byte, err error)
+}
+
+// issueCertificate is a generic low level certificate-and-key issuance
+// function. If ca is null, the certificate will be self-signed. The returned
+// certificate is DER-encoded
+func issueCertificate(req *Certificate, ca *x509.Certificate, caKey ed25519.PrivateKey) (cert []byte, err error) {
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ if err != nil {
+ err = fmt.Errorf("failed to generate serial number: %w", err)
+ return
+ }
+
+ skid, err := calculateSKID(req.PublicKey)
+ if err != nil {
+ return nil, err
+ }
+
+ req.Template.SerialNumber = serialNumber
+ req.Template.NotBefore = time.Now()
+ req.Template.NotAfter = UnknownNotAfter
+ req.Template.BasicConstraintsValid = true
+ req.Template.SubjectKeyId = skid
+
+ // Set the AuthorityKeyID to the SKID of the signing certificate (or self,
+ // if self-signing).
+ if ca != nil {
+ req.Template.AuthorityKeyId = ca.SubjectKeyId
+ } else {
+ req.Template.AuthorityKeyId = req.Template.SubjectKeyId
+ ca = &req.Template
+ }
+
+ return x509.CreateCertificate(rand.Reader, &req.Template, ca, req.PublicKey, caKey)
+}
+
+type selfSigned struct{}
+
+var (
+ // SelfSigned is an Issuer that generates self-signed certificates.
+ SelfSigned = &selfSigned{}
+)
+
+// Issue will generate a key and certificate that is self-signed.
+func (s *selfSigned) Issue(ctx context.Context, req *Certificate, kv clientv3.KV) (cert []byte, err error) {
+ if err := req.ensureKey(ctx, kv); err != nil {
+ return nil, err
+ }
+ if req.PrivateKey == nil {
+ return nil, fmt.Errorf("cannot issue self-signed certificate without a private key")
+ }
+ return issueCertificate(req, nil, req.PrivateKey)
+}
+
+// CACertificate returns nil for self-signed issuers.
+func (s *selfSigned) CACertificate(ctx context.Context, kv clientv3.KV) ([]byte, error) {
+ return nil, nil
+}
+
+// Issue will generate a key and certificate that is signed by this
+// Certificate, if the Certificate is a CA.
+func (c *Certificate) Issue(ctx context.Context, req *Certificate, kv clientv3.KV) (cert []byte, err error) {
+ if err := c.ensureKey(ctx, kv); err != nil {
+ return nil, fmt.Errorf("could not ensure CA %q key exists: %w", c.Name, err)
+ }
+ if err := req.ensureKey(ctx, kv); err != nil {
+ return nil, fmt.Errorf("could not subject %q key exists: %w", req.Name, err)
+ }
+ if c.PrivateKey == nil {
+ return nil, fmt.Errorf("cannot use certificate without private key as CA")
+ }
+
+ caCert, err := c.ensure(ctx, kv)
+ if err != nil {
+ return nil, fmt.Errorf("could not ensure CA %q certificate exists: %w", c.Name, err)
+ }
+
+ ca, err := x509.ParseCertificate(caCert)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse CA certificate: %w", err)
+ }
+ // Ensure only one level of CAs exist, and that they are created explicitly.
+ req.Template.IsCA = false
+ return issueCertificate(req, ca, c.PrivateKey)
+}
+
+// CACertificate returns the DER encoded x509 form of this Certificate that
+// will be the used to issue child certificates.
+func (c *Certificate) CACertificate(ctx context.Context, kv clientv3.KV) ([]byte, error) {
+ return c.ensure(ctx, kv)
+}
diff --git a/osbase/pki/certificate.go b/osbase/pki/certificate.go
new file mode 100644
index 0000000..b925958
--- /dev/null
+++ b/osbase/pki/certificate.go
@@ -0,0 +1,413 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// package pki implements an x509 PKI (Public Key Infrastructure) system backed
+// on etcd.
+package pki
+
+import (
+ "bytes"
+ "context"
+ "crypto/ed25519"
+ "crypto/rand"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "fmt"
+ "net"
+
+ clientv3 "go.etcd.io/etcd/client/v3"
+
+ "source.monogon.dev/osbase/fileargs"
+)
+
+// Namespace represents some path in etcd where certificate/CA data will be
+// stored. Creating a namespace via Namespaced then permits the consumer of
+// this library to start creating certificates within this namespace.
+type Namespace struct {
+ prefix string
+}
+
+// Namespaced creates a namespace for storing certificate data in etcd at a
+// given 'path' prefix.
+func Namespaced(prefix string) Namespace {
+ return Namespace{
+ prefix: prefix,
+ }
+}
+
+type CertificateMode int
+
+const (
+ // CertificateManaged is a certificate whose key material is fully managed by
+ // the Certificate code. When set, PublicKey and PrivateKey must not be set by
+ // the user, and instead will be populated by the Ensure call. Name must be set,
+ // and will be used to store this Certificate and its keys within etcd. After
+ // the initial generation during Ensure, other Certificates with the same Name
+ // will be retrieved (including key material) from etcd.
+ CertificateManaged CertificateMode = iota
+
+ // CertificateExternal is a certificate whose key material is not managed by
+ // Certificate or stored in etcd, but the X509 certificate itself is. PublicKey
+ // must be set while PrivateKey must not be set. Name must be set, and will be
+ // used to store the emitted X509 certificate in etcd on Ensure. After the
+ // initial generation during Ensure, other Certificates with the same Name will
+ // be retrieved (without key material) from etcd.
+ CertificateExternal
+
+ // CertificateEphemeral is a certificate whose data (X509 certificate and
+ // possibly key material) is generated on demand each time Ensure is called.
+ // Nothing is stored in etcd or loaded from etcd. PrivateKey or PublicKey can be
+ // set, if both are nil then a new keypair will be generated. Name is ignored.
+ CertificateEphemeral
+)
+
+// Certificate is the promise of a Certificate being available to the caller.
+// In this case, Certificate refers to a pair of x509 certificate and
+// corresponding private key. Certificates can be stored in etcd, and their
+// issuers might also be store on etcd. As such, this type's methods contain
+// references to an etcd KV client.
+type Certificate struct {
+ Namespace *Namespace
+
+ // Issuer is the Issuer that will generate this certificate if one doesn't
+ // yet exist or etcd, or the requested certificate is ephemeral (not to be
+ // stored on etcd).
+ Issuer Issuer
+ // Name is a unique key for storing the certificate in etcd (if the requested
+ // certificate is not ephemeral).
+ Name string
+ // Template is an x509 certificate definition that will be used to generate
+ // the certificate when issuing it.
+ Template x509.Certificate
+
+ // Mode in which this Certificate will operate. This influences the behaviour of
+ // the Ensure call.
+ Mode CertificateMode
+
+ // PrivateKey is the private key for this Certificate. It should never be set by
+ // the user, and instead will be populated by the Ensure call for Managed
+ // Certificates.
+ PrivateKey ed25519.PrivateKey
+
+ // PublicKey is the public key for this Certificate. It should only be set by
+ // the user for External or Ephemeral certificates, and will be populated by the
+ // next Ensure call if missing.
+ PublicKey ed25519.PublicKey
+}
+
+func (n *Namespace) etcdPath(f string, args ...interface{}) string {
+ return n.prefix + fmt.Sprintf(f, args...)
+}
+
+// Client makes a Kubernetes PKI-compatible client certificate template.
+// Directly derived from Kubernetes PKI requirements documented at
+// https://kubernetes.io/docs/setup/best-practices/certificates/#configure-certificates-manually
+func Client(identity string, groups []string) x509.Certificate {
+ return x509.Certificate{
+ Subject: pkix.Name{
+ CommonName: identity,
+ Organization: groups,
+ },
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+ }
+}
+
+// Server makes a Kubernetes PKI-compatible server certificate template.
+func Server(dnsNames []string, ips []net.IP) x509.Certificate {
+ return x509.Certificate{
+ Subject: pkix.Name{},
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ DNSNames: dnsNames,
+ IPAddresses: ips,
+ }
+}
+
+// CA makes a Certificate that can sign other certificates.
+func CA(cn string) x509.Certificate {
+ return x509.Certificate{
+ Subject: pkix.Name{
+ CommonName: cn,
+ },
+ IsCA: true,
+ KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning},
+ }
+}
+
+// ensure returns a DER-encoded x509 certificate and internally encoded bare
+// ed25519 key for a given Certificate, in memory (if ephemeral), loading it
+// from etcd, or creating and saving it on etcd if needed.
+// This function is safe to call in parallel from multiple etcd clients
+// (including across machines), but it will error in case a concurrent
+// certificate generation happens. These errors are, however, safe to retry -
+// as long as all the certificate creators (ie., Metropolis nodes) run the same
+// version of this code.
+func (c *Certificate) ensure(ctx context.Context, kv clientv3.KV) (cert []byte, err error) {
+ // Ensure key is available.
+ if err := c.ensureKey(ctx, kv); err != nil {
+ return nil, err
+ }
+
+ switch c.Mode {
+ case CertificateEphemeral:
+ // TODO(q3k): cache internally?
+ cert, err = c.Issuer.Issue(ctx, c, kv)
+ if err != nil {
+ return nil, fmt.Errorf("failed to issue: %w", err)
+ }
+ return cert, nil
+ case CertificateManaged, CertificateExternal:
+ default:
+ return nil, fmt.Errorf("invalid certificate mode %v", c.Mode)
+ }
+
+ if c.Name == "" {
+ if c.Mode == CertificateExternal {
+ return nil, fmt.Errorf("external certificate must have name set")
+ } else {
+ return nil, fmt.Errorf("managed certificate must have name set")
+ }
+ }
+
+ certPath := c.Namespace.etcdPath("issued/%s-cert.der", c.Name)
+
+ // Try loading certificate from etcd.
+ certRes, err := kv.Get(ctx, certPath)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get certificate from etcd: %w", err)
+ }
+
+ if len(certRes.Kvs) == 1 {
+ certBytes := certRes.Kvs[0].Value
+ cert, err := x509.ParseCertificate(certBytes)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse certificate retrieved from etcd: %w", err)
+ }
+ pk, ok := cert.PublicKey.(ed25519.PublicKey)
+ if !ok {
+ return nil, fmt.Errorf("unexpected non-ed25519 certificate found in etcd")
+ }
+ if !bytes.Equal(pk, c.PublicKey) {
+ return nil, fmt.Errorf("certificate stored in etcd emitted for different public key")
+ }
+ // TODO(q3k): ensure issuer and template haven't changed
+ return certBytes, nil
+ }
+
+ // No certificate found - issue one and save to etcd.
+ cert, err = c.Issuer.Issue(ctx, c, kv)
+ if err != nil {
+ return nil, fmt.Errorf("failed to issue: %w", err)
+ }
+
+ res, err := kv.Txn(ctx).
+ If(
+ clientv3.Compare(clientv3.CreateRevision(certPath), "=", 0),
+ ).
+ Then(
+ clientv3.OpPut(certPath, string(cert)),
+ ).Commit()
+ if err != nil {
+ err = fmt.Errorf("failed to write newly issued certificate: %w", err)
+ } else if !res.Succeeded {
+ err = fmt.Errorf("certificate issuance transaction failed: concurrent write")
+ }
+
+ return
+}
+
+// ensureKey retrieves or creates PublicKey as needed based on the Certificate
+// Mode. For Managed Certificates and Ephemeral Certificates with no PrivateKey
+// it will also populate PrivateKay.
+func (c *Certificate) ensureKey(ctx context.Context, kv clientv3.KV) error {
+ // If we have a public key then we're all set.
+ if c.PublicKey != nil {
+ return nil
+ }
+
+ // For ephemeral keys, we just generate them.
+ // For external keys, we can't do anything - not having the keys set means
+ // a programming error.
+
+ switch c.Mode {
+ case CertificateEphemeral:
+ pub, priv, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ return fmt.Errorf("when generating ephemeral key: %w", err)
+ }
+ c.PublicKey = pub
+ c.PrivateKey = priv
+ return nil
+ case CertificateExternal:
+ if c.PrivateKey != nil {
+ // We prohibit having PrivateKey set in External Certificates to simplify the
+ // different logic paths this library implements. Being able to assume External
+ // == PublicKey only makes things easier elsewhere.
+ return fmt.Errorf("external certificate must not have PrivateKey set")
+ }
+ return fmt.Errorf("external certificate must have PublicKey set")
+ case CertificateManaged:
+ default:
+ return fmt.Errorf("invalid certificate mode %v", c.Mode)
+ }
+
+ // For managed keys, synchronize with etcd.
+ if c.Name == "" {
+ return fmt.Errorf("managed certificate must have Name set")
+ }
+
+ // First, try loading.
+ privPath := c.Namespace.etcdPath("keys/%s-privkey.bin", c.Name)
+ privRes, err := kv.Get(ctx, privPath)
+ if err != nil {
+ return fmt.Errorf("failed to get private key from etcd: %w", err)
+ }
+ if len(privRes.Kvs) == 1 {
+ privBytes := privRes.Kvs[0].Value
+ if len(privBytes) != ed25519.PrivateKeySize {
+ return fmt.Errorf("stored private key has invalid size")
+ }
+ c.PrivateKey = privBytes
+ c.PublicKey = c.PrivateKey.Public().(ed25519.PublicKey)
+ return nil
+ }
+
+ // No key in etcd? Generate and save.
+ pub, priv, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ return fmt.Errorf("while generating keypair: %w", err)
+ }
+
+ res, err := kv.Txn(ctx).
+ If(
+ clientv3.Compare(clientv3.CreateRevision(privPath), "=", 0),
+ ).
+ Then(
+ clientv3.OpPut(privPath, string(priv)),
+ ).Commit()
+ if err != nil {
+ return fmt.Errorf("failed to write newly generated keypair: %w", err)
+ } else if !res.Succeeded {
+ return fmt.Errorf("key generation transaction failed: concurrent write")
+ }
+
+ crlPath := c.crlPath()
+ emptyCRL, err := c.makeCRL(ctx, kv, nil)
+ if err != nil {
+ return fmt.Errorf("failed to generate empty CRL: %w", err)
+ }
+
+ // Also attempt to emit an empty CRL if one doesn't exist yet.
+ _, err = kv.Txn(ctx).
+ If(
+ clientv3.Compare(clientv3.CreateRevision(crlPath), "=", 0),
+ ).
+ Then(
+ clientv3.OpPut(crlPath, string(emptyCRL)),
+ ).Commit()
+ if err != nil {
+ return fmt.Errorf("failed to upsert empty CRL")
+ }
+
+ c.PrivateKey = priv
+ c.PublicKey = pub
+ return nil
+}
+
+// Ensure returns an x509 DER-encoded (but not PEM-encoded) certificate for a
+// given Certificate.
+//
+// If the Certificate is ephemeral, each call to Ensure will cause a new
+// certificate to be generated. Otherwise, it will be retrieved from etcd, or
+// generated and stored there if needed.
+func (c *Certificate) Ensure(ctx context.Context, kv clientv3.KV) (cert []byte, err error) {
+ return c.ensure(ctx, kv)
+}
+
+func (c *Certificate) PrivateKeyX509() ([]byte, error) {
+ if c.PrivateKey == nil {
+ return nil, fmt.Errorf("certificate has no private key")
+ }
+ key, err := x509.MarshalPKCS8PrivateKey(c.PrivateKey)
+ if err != nil {
+ return nil, fmt.Errorf("could not marshal private key (data corruption?): %w", err)
+ }
+ return key, nil
+}
+
+// FilesystemCertificate is a fileargs.FileArgs wrapper which will contain PEM
+// encoded certificate material when Mounted. This construct is useful when
+// dealing with services that want to access etcd-backed certificates as files
+// available locally.
+// Paths to the available files are considered opaque and should not be leaked
+// outside of the struct. Further restrictions on access to these files might
+// be imposed in the future.
+type FilesystemCertificate struct {
+ *fileargs.FileArgs
+ // CACertPath is the full path at which the CA certificate is available.
+ // Read only.
+ CACertPath string
+ // CertPath is the full path at which the certificate is available. Read
+ // only.
+ CertPath string
+ // KeyPath is the full path at which the private key is available, or an empty
+ // string if the Certificate was created without a private key. Read only.
+ KeyPath string
+}
+
+// Mount returns a locally mounted FilesystemCertificate for this Certificate,
+// which allows services to access this Certificate via local filesystem
+// access.
+// The embeded fileargs.FileArgs can also be used to add additional file-backed
+// data under the same mount by calling ArgPath.
+// The returned FilesystemCertificate must be Closed in order to prevent a
+// system mount leak.
+func (c *Certificate) Mount(ctx context.Context, kv clientv3.KV) (*FilesystemCertificate, error) {
+ fa, err := fileargs.New()
+ if err != nil {
+ return nil, fmt.Errorf("when creating fileargs mount: %w", err)
+ }
+ fs := &FilesystemCertificate{FileArgs: fa}
+
+ cert, err := c.Ensure(ctx, kv)
+ if err != nil {
+ return nil, fmt.Errorf("when issuing certificate: %w", err)
+ }
+
+ cacert, err := c.Issuer.CACertificate(ctx, kv)
+ if err != nil {
+ return nil, fmt.Errorf("when getting issuer CA: %w", err)
+ }
+ // cacert will be null if this is a self-signed certificate.
+ if cacert == nil {
+ cacert = cert
+ }
+
+ fs.CACertPath = fs.ArgPath("ca.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cacert}))
+ fs.CertPath = fs.ArgPath("tls.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert}))
+ if c.PrivateKey != nil {
+ key, err := c.PrivateKeyX509()
+ if err != nil {
+ return nil, err
+ }
+ fs.KeyPath = fs.ArgPath("tls.key", pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: key}))
+ }
+
+ return fs, nil
+}
diff --git a/osbase/pki/certificate_test.go b/osbase/pki/certificate_test.go
new file mode 100644
index 0000000..e751c54
--- /dev/null
+++ b/osbase/pki/certificate_test.go
@@ -0,0 +1,192 @@
+package pki
+
+import (
+ "bytes"
+ "context"
+ "crypto/ed25519"
+ "crypto/rand"
+ "crypto/x509"
+ "testing"
+
+ "go.etcd.io/etcd/client/pkg/v3/testutil"
+ "go.etcd.io/etcd/tests/v3/integration"
+ "go.uber.org/zap"
+
+ "source.monogon.dev/osbase/logtree"
+)
+
+// TestManaged ensures Managed Certificates work, including re-ensuring
+// certificates with the same data and issuing subordinate certificates.
+func TestManaged(t *testing.T) {
+ lt := logtree.New()
+ logtree.PipeAllToTest(t, lt)
+ tb, cancel := testutil.NewTestingTBProthesis("pki-managed")
+ defer cancel()
+ cluster := integration.NewClusterV3(tb, &integration.ClusterConfig{
+ Size: 1,
+ LoggerBuilder: func(memberName string) *zap.Logger {
+ dn := logtree.DN("etcd." + memberName)
+ return logtree.Zapify(lt.MustLeveledFor(dn), zap.WarnLevel)
+ },
+ })
+ cl := cluster.Client(0)
+ defer cluster.Terminate(tb)
+ ctx, ctxC := context.WithCancel(context.Background())
+ defer ctxC()
+ ns := Namespaced("/test-managed/")
+
+ // Test CA certificate issuance.
+ ca := &Certificate{
+ Namespace: &ns,
+ Issuer: SelfSigned,
+ Name: "ca",
+ Template: CA("Test CA"),
+ }
+ caBytes, err := ca.Ensure(ctx, cl)
+ if err != nil {
+ t.Fatalf("Failed to Ensure CA: %v", err)
+ }
+ caCert, err := x509.ParseCertificate(caBytes)
+ if err != nil {
+ t.Fatalf("Failed to parse newly emited CA cert: %v", err)
+ }
+ if !caCert.IsCA {
+ t.Errorf("Newly emitted CA cert is not CA")
+ }
+ if ca.PublicKey == nil {
+ t.Errorf("Newly emitted CA cert has no public key")
+ }
+ if ca.PrivateKey == nil {
+ t.Errorf("Newly emitted CA cert has no public key")
+ }
+
+ // Re-emitting CA certificate with same parameters should return exact same
+ // data.
+ ca2 := &Certificate{
+ Namespace: &ns,
+ Issuer: SelfSigned,
+ Name: "ca",
+ Template: CA("Test CA"),
+ }
+ caBytes2, err := ca2.Ensure(ctx, cl)
+ if err != nil {
+ t.Fatalf("Failed to re-Ensure CA: %v", err)
+ }
+ if !bytes.Equal(caBytes, caBytes2) {
+ t.Errorf("New CA has different x509 certificate")
+ }
+ if !bytes.Equal(ca.PublicKey, ca2.PublicKey) {
+ t.Errorf("New CA has different public key")
+ }
+ if !bytes.Equal(ca.PrivateKey, ca2.PrivateKey) {
+ t.Errorf("New CA has different private key")
+ }
+
+ // Emitting a subordinate certificate should work.
+ client := &Certificate{
+ Namespace: &ns,
+ Issuer: ca2,
+ Name: "client",
+ Template: Client("foo", nil),
+ }
+ clientBytes, err := client.Ensure(ctx, cl)
+ if err != nil {
+ t.Fatalf("Failed to ensure client certificate: %v", err)
+ }
+ clientCert, err := x509.ParseCertificate(clientBytes)
+ if err != nil {
+ t.Fatalf("Failed to parse newly emitted client certificate: %v", err)
+ }
+ if clientCert.IsCA {
+ t.Errorf("New client cert is CA")
+ }
+ if want, got := "foo", clientCert.Subject.CommonName; want != got {
+ t.Errorf("New client CN should be %q, got %q", want, got)
+ }
+ if want, got := caCert.Subject.String(), clientCert.Issuer.String(); want != got {
+ t.Errorf("New client issuer should be %q, got %q", want, got)
+ }
+}
+
+// TestExternal ensures External certificates work correctly, including
+// re-Ensuring certificates with the same public key, and attempting to re-issue
+// the same certificate with a different public key (which should fail).
+func TestExternal(t *testing.T) {
+ lt := logtree.New()
+ logtree.PipeAllToTest(t, lt)
+ tb, cancel := testutil.NewTestingTBProthesis("pki-managed")
+ defer cancel()
+ cluster := integration.NewClusterV3(tb, &integration.ClusterConfig{
+ Size: 1,
+ LoggerBuilder: func(memberName string) *zap.Logger {
+ dn := logtree.DN("etcd." + memberName)
+ return logtree.Zapify(lt.MustLeveledFor(dn), zap.WarnLevel)
+ },
+ })
+ cl := cluster.Client(0)
+ defer cluster.Terminate(tb)
+ ctx, ctxC := context.WithCancel(context.Background())
+ defer ctxC()
+ ns := Namespaced("/test-external/")
+
+ ca := &Certificate{
+ Namespace: &ns,
+ Issuer: SelfSigned,
+ Name: "ca",
+ Template: CA("Test CA"),
+ }
+
+ // Issuing an external certificate should work.
+ pk, _, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ t.Fatalf("GenerateKey: %v", err)
+ }
+ server := &Certificate{
+ Namespace: &ns,
+ Issuer: ca,
+ Name: "server",
+ Template: Server([]string{"server"}, nil),
+ Mode: CertificateExternal,
+ PublicKey: pk,
+ }
+ serverBytes, err := server.Ensure(ctx, cl)
+ if err != nil {
+ t.Fatalf("Failed to Ensure server certificate: %v", err)
+ }
+
+ // Issuing an external certificate with the same name but different public key
+ // should fail.
+ pk2, _, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ t.Fatalf("GenerateKey: %v", err)
+ }
+ server2 := &Certificate{
+ Namespace: &ns,
+ Issuer: ca,
+ Name: "server",
+ Template: Server([]string{"server"}, nil),
+ Mode: CertificateExternal,
+ PublicKey: pk2,
+ }
+ if _, err := server2.Ensure(ctx, cl); err == nil {
+ t.Fatalf("Issuing server certificate with different public key should have failed")
+ }
+
+ // Issuing the external certificate with the same name and same public key
+ // should work and yield the same x509 bytes.
+ server3 := &Certificate{
+ Namespace: &ns,
+ Issuer: ca,
+ Name: "server",
+ Template: Server([]string{"server"}, nil),
+ Mode: CertificateExternal,
+ PublicKey: pk,
+ }
+ serverBytes3, err := server3.Ensure(ctx, cl)
+ if err != nil {
+ t.Fatalf("Failed to re-Ensure server certificate: %v", err)
+ }
+ if !bytes.Equal(serverBytes, serverBytes3) {
+ t.Errorf("New server certificate has different x509 certificate")
+ }
+}
diff --git a/osbase/pki/crl.go b/osbase/pki/crl.go
new file mode 100644
index 0000000..40118aa
--- /dev/null
+++ b/osbase/pki/crl.go
@@ -0,0 +1,164 @@
+package pki
+
+import (
+ "context"
+ "crypto/rand"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "fmt"
+ "math/big"
+ "time"
+
+ clientv3 "go.etcd.io/etcd/client/v3"
+
+ "source.monogon.dev/osbase/event"
+ "source.monogon.dev/osbase/event/etcd"
+)
+
+// crlPath returns the etcd path under which the marshaled X.509 Certificate
+// Revocation List is stored.
+//
+// TODO(q3k): use etcd keyspace API from
+func (c *Certificate) crlPath() string {
+ return c.Namespace.etcdPath("%s-crl.der", c.Name)
+}
+
+// Revoke performs a CRL-based revocation of a given certificate by this CA,
+// looking it up by DNS name. The revocation is immediately written to the
+// backing etcd store and will be available to consumers through the WatchCRL
+// API.
+//
+// An error is returned if the CRL could not be emitted (eg. due to an etcd
+// communication error, a conflicting CRL write) or if the given hostname
+// matches no emitted certificate.
+//
+// Only Managed and External certificates can be revoked.
+func (c Certificate) Revoke(ctx context.Context, kv clientv3.KV, hostname string) error {
+ crlPath := c.crlPath()
+ issuedCerts := c.Namespace.etcdPath("issued/")
+
+ res, err := kv.Txn(ctx).Then(
+ clientv3.OpGet(crlPath),
+ clientv3.OpGet(issuedCerts, clientv3.WithPrefix())).Commit()
+ if err != nil {
+ return fmt.Errorf("failed to retrieve certificates and CRL from etcd: %w", err)
+ }
+
+ // Parse certs, CRL and CRL revision from state.
+ var certs []*x509.Certificate
+ var crlRevision int64
+ var crl *pkix.CertificateList
+ for _, el := range res.Responses {
+ for _, kv := range el.GetResponseRange().GetKvs() {
+ if string(kv.Key) == crlPath {
+ crl, err = x509.ParseCRL(kv.Value)
+ if err != nil {
+ return fmt.Errorf("could not parse CRL from etcd: %w", err)
+ }
+ crlRevision = kv.CreateRevision
+ } else {
+ cert, err := x509.ParseCertificate(kv.Value)
+ if err != nil {
+ return fmt.Errorf("could not parse certificate %q from etcd: %w", string(kv.Key), err)
+ }
+ certs = append(certs, cert)
+ }
+ }
+ }
+ if crl == nil {
+ return fmt.Errorf("could not find CRL in etcd")
+ }
+ revoked := crl.TBSCertList.RevokedCertificates
+
+ // Find requested hostname in issued certificates.
+ var serial *big.Int
+ for _, cert := range certs {
+ for _, dnsName := range cert.DNSNames {
+ if dnsName == hostname {
+ serial = cert.SerialNumber
+ break
+ }
+ }
+ if serial != nil {
+ break
+ }
+ }
+ if serial == nil {
+ return fmt.Errorf("could not find requested hostname")
+ }
+
+ // Check if certificate has already been revoked.
+ for _, revokedCert := range revoked {
+ if revokedCert.SerialNumber.Cmp(serial) == 0 {
+ return nil // Already revoked
+ }
+ }
+
+ // Otherwise, revoke and save new CRL.
+ revoked = append(revoked, pkix.RevokedCertificate{
+ SerialNumber: serial,
+ RevocationTime: time.Now(),
+ })
+
+ crlRaw, err := c.makeCRL(ctx, kv, revoked)
+ if err != nil {
+ return fmt.Errorf("when generating new CRL for revocation: %w", err)
+ }
+
+ res, err = kv.Txn(ctx).If(
+ clientv3.Compare(clientv3.CreateRevision(crlPath), "=", crlRevision),
+ ).Then(
+ clientv3.OpPut(crlPath, string(crlRaw)),
+ ).Commit()
+ if err != nil {
+ return fmt.Errorf("when saving new CRL: %w", err)
+ }
+ if !res.Succeeded {
+ return fmt.Errorf("CRL save transaction failed, retry possible")
+ }
+
+ return nil
+}
+
+// makeCRL returns a valid CRL for a given list of certificates to be revoked.
+// The given etcd client is used to ensure this CA certificate exists in etcd,
+// but is not used to write any CRL to etcd.
+func (c *Certificate) makeCRL(ctx context.Context, kv clientv3.KV, revoked []pkix.RevokedCertificate) ([]byte, error) {
+ if c.Mode != CertificateManaged {
+ return nil, fmt.Errorf("only managed certificates can issue CRLs")
+ }
+ certBytes, err := c.ensure(ctx, kv)
+ if err != nil {
+ return nil, fmt.Errorf("when ensuring certificate: %w", err)
+ }
+ cert, err := x509.ParseCertificate(certBytes)
+ if err != nil {
+ return nil, fmt.Errorf("when parsing issuing certificate: %w", err)
+ }
+ crl, err := cert.CreateCRL(rand.Reader, c.PrivateKey, revoked, time.Now(), UnknownNotAfter)
+ if err != nil {
+ return nil, fmt.Errorf("failed to generate CRL: %w", err)
+ }
+ return crl, nil
+}
+
+// WatchCRL returns and Event Value compatible CRLWatcher which can be used to
+// retrieve and watch for the newest CRL available from this CA certificate.
+func (c *Certificate) WatchCRL(cl etcd.ThinClient) event.Watcher[*CRL] {
+ value := etcd.NewValue(cl, c.crlPath(), func(_, data []byte) (*CRL, error) {
+ crl, err := x509.ParseCRL(data)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse CRL from etcd: %w", err)
+ }
+ return &CRL{
+ Raw: data,
+ List: crl,
+ }, nil
+ })
+ return value.Watch()
+}
+
+type CRL struct {
+ Raw []byte
+ List *pkix.CertificateList
+}
diff --git a/osbase/pki/crl_test.go b/osbase/pki/crl_test.go
new file mode 100644
index 0000000..e47eab9
--- /dev/null
+++ b/osbase/pki/crl_test.go
@@ -0,0 +1,140 @@
+package pki
+
+import (
+ "context"
+ "crypto/x509"
+ "testing"
+
+ "go.etcd.io/etcd/client/pkg/v3/testutil"
+ "go.etcd.io/etcd/tests/v3/integration"
+)
+
+// TestRevoke exercises the CRL revocation and watching functionality of a CA
+// certificate.
+func TestRevoke(t *testing.T) {
+ tb, cancel := testutil.NewTestingTBProthesis("pki-revoke")
+ defer cancel()
+ cluster := integration.NewClusterV3(tb, &integration.ClusterConfig{
+ Size: 1,
+ })
+ cl := cluster.Client(0)
+ defer cluster.Terminate(tb)
+ ctx, ctxC := context.WithCancel(context.Background())
+ defer ctxC()
+ ns := Namespaced("/test-managed/")
+
+ ca := &Certificate{
+ Namespace: &ns,
+ Issuer: SelfSigned,
+ Name: "ca",
+ Template: CA("Test CA"),
+ }
+ sub := &Certificate{
+ Namespace: &ns,
+ Issuer: ca,
+ Name: "sub",
+ Template: Server([]string{"server"}, nil),
+ }
+
+ caCertBytes, err := ca.Ensure(ctx, cl)
+ if err != nil {
+ t.Fatalf("Ensuring ca certificate failed: %v", err)
+ }
+ caCert, err := x509.ParseCertificate(caCertBytes)
+ if err != nil {
+ t.Fatalf("Loading newly emitted CA certificate failed: %v", err)
+ }
+
+ subCertBytes, err := sub.Ensure(ctx, cl)
+ if err != nil {
+ t.Fatalf("Ensuring sub certificate failed: %v", err)
+ }
+ subCert, err := x509.ParseCertificate(subCertBytes)
+ if err != nil {
+ t.Fatalf("Loading newly emitted sub certificate failed: %v", err)
+ }
+
+ // Ensure CRL is correctly signed and that subCert is not yet on it.
+ crlW := ca.WatchCRL(cl)
+ crl, err := crlW.Get(ctx)
+ if err != nil {
+ t.Fatalf("Retrieving initial CRL failed: %v", err)
+ }
+ if err := caCert.CheckCRLSignature(crl.List); err != nil {
+ t.Fatalf("Initial CRL not signed by CA: %v", err)
+ }
+ for _, el := range crl.List.TBSCertList.RevokedCertificates {
+ if el.SerialNumber.Cmp(subCert.SerialNumber) == 0 {
+ t.Fatalf("Newly emitted certificate is already on CRL.")
+ }
+ }
+
+ // Emit yet another certificate. Also shouldn't be on CRL.
+ bad := &Certificate{
+ Namespace: &ns,
+ Issuer: ca,
+ Name: "bad",
+ Template: Server([]string{"badserver"}, nil),
+ }
+ badCertBytes, err := bad.Ensure(ctx, cl)
+ if err != nil {
+ t.Fatalf("Ensuring bad certificate failed: %v", err)
+ }
+ badCert, err := x509.ParseCertificate(badCertBytes)
+ if err != nil {
+ t.Fatalf("Loading newly emitted bad certificate failed: %v", err)
+ }
+ for _, el := range crl.List.TBSCertList.RevokedCertificates {
+ if el.SerialNumber.Cmp(badCert.SerialNumber) == 0 {
+ t.Fatalf("Newly emitted bad certificate is already on CRL.")
+ }
+ }
+
+ // Revoke bad certificate. Should now be present in CRL.
+ if err := ca.Revoke(ctx, cl, "badserver"); err != nil {
+ t.Fatalf("Revoke failed: %v", err)
+ }
+ // Get in a loop until found.
+ for {
+ crl, err = crlW.Get(ctx)
+ if err != nil {
+ t.Fatalf("Get failed: %v", err)
+ }
+ found := false
+ for _, el := range crl.List.TBSCertList.RevokedCertificates {
+ if el.SerialNumber.Cmp(badCert.SerialNumber) == 0 {
+ found = true
+ }
+ if el.SerialNumber.Cmp(subCert.SerialNumber) == 0 {
+ t.Errorf("Found non-revoked cert in CRL")
+ }
+ }
+ if found {
+ break
+ }
+ }
+ // Now revoke first certificate. Both should be now present in CRL.
+ if err := ca.Revoke(ctx, cl, "server"); err != nil {
+ t.Fatalf("Revoke failed: %v", err)
+ }
+ // Get in a loop until found.
+ for {
+ crl, err = crlW.Get(ctx)
+ if err != nil {
+ t.Fatalf("Get failed: %v", err)
+ }
+ foundSub := false
+ foundBad := false
+ for _, el := range crl.List.TBSCertList.RevokedCertificates {
+ if el.SerialNumber.Cmp(badCert.SerialNumber) == 0 {
+ foundBad = true
+ }
+ if el.SerialNumber.Cmp(subCert.SerialNumber) == 0 {
+ foundSub = true
+ }
+ }
+ if foundBad && foundSub {
+ break
+ }
+ }
+}
diff --git a/osbase/pki/x509.go b/osbase/pki/x509.go
new file mode 100644
index 0000000..40e7a08
--- /dev/null
+++ b/osbase/pki/x509.go
@@ -0,0 +1,57 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pki
+
+import (
+ "crypto"
+ "crypto/sha1"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "time"
+)
+
+var (
+ // From RFC 5280 Section 4.1.2.5
+ UnknownNotAfter = time.Unix(253402300799, 0)
+)
+
+// Workaround for https://github.com/golang/go/issues/26676 in Go's
+// crypto/x509. Specifically Go violates Section 4.2.1.2 of RFC 5280 without
+// this. Fixed for 1.15 in https://go-review.googlesource.com/c/go/+/227098/.
+//
+// Taken from https://github.com/FiloSottile/mkcert/blob/master/cert.go#L295
+// Written by one of Go's crypto engineers
+//
+// TODO(lorenz): remove this once we migrate to Go 1.15.
+func calculateSKID(pubKey crypto.PublicKey) ([]byte, error) {
+ spkiASN1, err := x509.MarshalPKIXPublicKey(pubKey)
+ if err != nil {
+ return nil, err
+ }
+
+ var spki struct {
+ Algorithm pkix.AlgorithmIdentifier
+ SubjectPublicKey asn1.BitString
+ }
+ _, err = asn1.Unmarshal(spkiASN1, &spki)
+ if err != nil {
+ return nil, err
+ }
+ skid := sha1.Sum(spki.SubjectPublicKey.Bytes)
+ return skid[:], nil
+}