Merge pull request #1684 from venkyg-sec/allow_external_x509_ca_servi…

…ce_intf Allow x509 Service CA implementation to be injected through ca and authority options
smallstep · Feb 14, 2024 · 073fcb7 · 073fcb7
2 parents 5d865b2 + ac773ff
commit 073fcb7
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 1 deletion.
diff --git a/authority/options.go b/authority/options.go
@@ -167,6 +167,15 @@ func WithKeyManager(k kms.KeyManager) Option {
 	}
 }
 
+// WithX509CAService allows the consumer to provide an externally implemented
+// API implementation of apiv1.CertificateAuthorityService
+func WithX509CAService(svc casapi.CertificateAuthorityService) Option {
+	return func(a *Authority) error {
+		a.x509CAService = svc
+		return nil
+	}
+}
+
 // WithX509Signer defines the signer used to sign X509 certificates.
 func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
 	return WithX509SignerChain([]*x509.Certificate{crt}, s)

diff --git a/ca/ca.go b/ca/ca.go
@@ -26,6 +26,7 @@ import (
 	"github.com/smallstep/certificates/authority/admin"
 	adminAPI "github.com/smallstep/certificates/authority/admin/api"
 	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/cas/apiv1"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/internal/metrix"
 	"github.com/smallstep/certificates/logging"
@@ -47,6 +48,7 @@ type options struct {
 	sshHostPassword []byte
 	sshUserPassword []byte
 	database        db.AuthDB
+	x509CAService   apiv1.CertificateAuthorityService
 }
 
 func (o *options) apply(opts []Option) {
@@ -66,6 +68,13 @@ func WithConfigFile(name string) Option {
 	}
 }
 
+// WithX509CAService provides the x509CAService to be used for signing x509 requests
+func WithX509CAService(svc apiv1.CertificateAuthorityService) Option {
+	return func(o *options) {
+		o.x509CAService = svc
+	}
+}
+
 // WithPassword sets the given password as the configured password in the CA
 // options.
 func WithPassword(password []byte) Option {
@@ -165,10 +174,13 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 		opts = append(opts, authority.WithQuietInit())
 	}
 
+	if ca.opts.x509CAService != nil {
+		opts = append(opts, authority.WithX509CAService(ca.opts.x509CAService))
+	}
+
 	var meter *metrix.Meter
 	if ca.config.MetricsAddress != "" {
 		meter = metrix.New()
-
 		opts = append(opts, authority.WithMeter(meter))
 	}
 

diff --git a/cas/apiv1/services.go b/cas/apiv1/services.go
@@ -53,6 +53,8 @@ const (
 	StepCAS = "stepcas"
 	// VaultCAS is a CertificateAuthorityService using Hasicorp Vault PKI.
 	VaultCAS = "vaultcas"
+	// ExternalCAS is a CertificateAuthorityService using an external injected CA implementation
+	ExternalCAS = "externalcas"
 )
 
 // String returns a string from the type. It will always return the lower case

diff --git a/cas/apiv1/services_test.go b/cas/apiv1/services_test.go
@@ -13,6 +13,7 @@ func TestType_String(t *testing.T) {
 		{"default", "", "softcas"},
 		{"SoftCAS", SoftCAS, "softcas"},
 		{"CloudCAS", CloudCAS, "cloudcas"},
+		{"ExternalCAS", ExternalCAS, "externalcas"},
 		{"UnknownCAS", "UnknownCAS", "unknowncas"},
 	}
 	for _, tt := range tests {