Merge branch 'master' into max/cert-mgr-crud

.github/workflows/labeler.yml

@@ -11,4 +11,4 @@ jobs:
     - uses: actions/labeler@v3
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
-        configuration-path: .github/needs-triage-labeler.yml
+        configuration-path: .github/labeler.yml

Makefile

@@ -15,6 +15,7 @@ PREFIX?=
 SRC=$(shell find . -type f -name '*.go' -not -path "./vendor/*")
 GOOS_OVERRIDE ?=
 OUTPUT_ROOT=output/
+RELEASE=./.releases
 
 all: lint test build
 

api/api.go

@@ -418,7 +418,7 @@ func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 				if len(val.CredentialID) > 0 {
 					m["provisioner"] = fmt.Sprintf("%s (%s)", val.Name, val.CredentialID)
 				} else {
-					m["provisioner"] = string(val.Name)
+					m["provisioner"] = val.Name
 				}
 				break
 			}

authority/authority.go

@@ -395,6 +395,13 @@ func (a *Authority) init() error {
 		}
 	}
 
+	// Check if a KMS with decryption capability is required and available
+	if a.requiresDecrypter() {
+		if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
+			return errors.New("keymanager doesn't provide crypto.Decrypter")
+		}
+	}
+
 	// TODO: decide if this is a good approach for providing the SCEP functionality
 	// It currently mirrors the logic for the x509CAService
 	if a.requiresSCEPService() && a.scepService == nil {

authority/provisioner/scep.go

@@ -27,17 +27,17 @@ type SCEP struct {
 	secretChallengePassword string
 }
 
-// GetID returns the provisioner unique identifier. The name and credential id
-// should uniquely identify any JWK provisioner.
+// GetID returns the provisioner unique identifier.
 func (s *SCEP) GetID() string {
 	if s.ID != "" {
 		return s.ID
 	}
 	return s.GetIDForToken()
 }
 
-// GetIDForToken returns the provisioner unique identifier.
-func (s SCEP) GetIDForToken() string {
+// GetIDForToken returns an identifier that will be used to load the provisioner
+// from a token.
+func (s *SCEP) GetIDForToken() string {
 	return "scep/" + s.Name
 }
 

ca/ca.go

@@ -229,6 +229,7 @@ func (ca *CA) Init(config *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = m.Middleware(handler)
+		insecureHandler = m.Middleware(insecureHandler)
 	}
 
 	// Add logger if configured
@@ -238,6 +239,7 @@ func (ca *CA) Init(config *config.Config) (*CA, error) {
 			return nil, err
 		}
 		handler = logger.Middleware(handler)
+		insecureHandler = logger.Middleware(insecureHandler)
 	}
 
 	ca.srv = server.New(config.Address, handler, tlsConfig)
@@ -288,7 +290,17 @@ func (ca *CA) Stop() error {
 	if err := ca.auth.Shutdown(); err != nil {
 		log.Printf("error stopping ca.Authority: %+v\n", err)
 	}
-	return ca.srv.Shutdown()
+	var insecureShutdownErr error
+	if ca.insecureSrv != nil {
+		insecureShutdownErr = ca.insecureSrv.Shutdown()
+	}
+
+	secureErr := ca.srv.Shutdown()
+
+	if insecureShutdownErr != nil {
+		return insecureShutdownErr
+	}
+	return secureErr
 }
 
 // Reload reloads the configuration of the CA and calls to the server Reload
@@ -322,6 +334,13 @@ func (ca *CA) Reload() error {
 		return errors.Wrap(err, "error reloading ca")
 	}
 
+	if ca.insecureSrv != nil {
+		if err = ca.insecureSrv.Reload(newCA.insecureSrv); err != nil {
+			logContinue("Reload failed because insecure server could not be replaced.")
+			return errors.Wrap(err, "error reloading insecure server")
+		}
+	}
+
 	if err = ca.srv.Reload(newCA.srv); err != nil {
 		logContinue("Reload failed because server could not be replaced.")
 		return errors.Wrap(err, "error reloading server")

cas/apiv1/options.go

@@ -45,10 +45,15 @@ type Options struct {
 	// KeyManager is the KMS used to generate keys in SoftCAS.
 	KeyManager kms.KeyManager `json:"-"`
 
-	// Project and Location are parameters used in CloudCAS to create a new
-	// certificate authority.
-	Project  string `json:"-"`
-	Location string `json:"-"`
+	// Project, Location, CaPool and GCSBucket are parameters used in CloudCAS
+	// to create a new certificate authority. If a CaPool does not exist it will
+	// be created. GCSBucket is optional, if not provided GCloud will create a
+	// managed bucket.
+	Project    string `json:"-"`
+	Location   string `json:"-"`
+	CaPool     string `json:"-"`
+	CaPoolTier string `json:"-"`
+	GCSBucket  string `json:"-"`
 }
 
 // CertificateIssuer contains the properties used to use the StepCAS certificate

cas/cloudcas/certificate.go

@@ -12,8 +12,7 @@ import (
 
 	"github.com/pkg/errors"
 	kmsapi "github.com/smallstep/certificates/kms/apiv1"
-	pb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1beta1"
-	wrapperspb "google.golang.org/protobuf/types/known/wrapperspb"
+	pb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1"
 )
 
 var (
@@ -67,11 +66,10 @@ func createCertificateConfig(tpl *x509.Certificate) (*pb.Certificate_Config, err
 	config := &pb.CertificateConfig{
 		SubjectConfig: &pb.CertificateConfig_SubjectConfig{
 			Subject:        createSubject(tpl),
-			CommonName:     tpl.Subject.CommonName,
 			SubjectAltName: createSubjectAlternativeNames(tpl),
 		},
-		ReusableConfig: createReusableConfig(tpl),
-		PublicKey:      pk,
+		X509Config: createX509Parameters(tpl),
+		PublicKey:  pk,
 	}
 	return &pb.Certificate_Config{
 		Config: config,
@@ -86,15 +84,15 @@ func createPublicKey(key crypto.PublicKey) (*pb.PublicKey, error) {
 			return nil, errors.Wrap(err, "error marshaling public key")
 		}
 		return &pb.PublicKey{
-			Type: pb.PublicKey_PEM_EC_KEY,
+			Format: pb.PublicKey_PEM,
 			Key: pem.EncodeToMemory(&pem.Block{
 				Type:  "PUBLIC KEY",
 				Bytes: asn1Bytes,
 			}),
 		}, nil
 	case *rsa.PublicKey:
 		return &pb.PublicKey{
-			Type: pb.PublicKey_PEM_RSA_KEY,
+			Format: pb.PublicKey_PEM,
 			Key: pem.EncodeToMemory(&pem.Block{
 				Type:  "RSA PUBLIC KEY",
 				Bytes: x509.MarshalPKCS1PublicKey(key),
@@ -107,7 +105,9 @@ func createPublicKey(key crypto.PublicKey) (*pb.PublicKey, error) {
 
 func createSubject(cert *x509.Certificate) *pb.Subject {
 	sub := cert.Subject
-	ret := new(pb.Subject)
+	ret := &pb.Subject{
+		CommonName: sub.CommonName,
+	}
 	if len(sub.Country) > 0 {
 		ret.CountryCode = sub.Country[0]
 	}
@@ -196,7 +196,7 @@ func createSubjectAlternativeNames(cert *x509.Certificate) *pb.SubjectAltNames {
 	return ret
 }
 
-func createReusableConfig(cert *x509.Certificate) *pb.ReusableConfigWrapper {
+func createX509Parameters(cert *x509.Certificate) *pb.X509Parameters {
 	var unknownEKUs []*pb.ObjectId
 	var ekuOptions = &pb.KeyUsage_ExtendedKeyUsageOptions{}
 	for _, eku := range cert.ExtKeyUsage {
@@ -241,22 +241,19 @@ func createReusableConfig(cert *x509.Certificate) *pb.ReusableConfigWrapper {
 		policyIDs = append(policyIDs, createObjectID(oid))
 	}
 
-	var caOptions *pb.ReusableConfigValues_CaOptions
+	var caOptions *pb.X509Parameters_CaOptions
 	if cert.BasicConstraintsValid {
-		var maxPathLength *wrapperspb.Int32Value
+		caOptions = new(pb.X509Parameters_CaOptions)
+		var maxPathLength int32
 		switch {
 		case cert.MaxPathLenZero:
-			maxPathLength = wrapperspb.Int32(0)
+			maxPathLength = 0
+			caOptions.MaxIssuerPathLength = &maxPathLength
 		case cert.MaxPathLen > 0:
-			maxPathLength = wrapperspb.Int32(int32(cert.MaxPathLen))
-		default:
-			maxPathLength = nil
-		}
-
-		caOptions = &pb.ReusableConfigValues_CaOptions{
-			IsCa:                wrapperspb.Bool(cert.IsCA),
-			MaxIssuerPathLength: maxPathLength,
+			maxPathLength = int32(cert.MaxPathLen)
+			caOptions.MaxIssuerPathLength = &maxPathLength
 		}
+		caOptions.IsCa = &cert.IsCA
 	}
 
 	var extraExtensions []*pb.X509Extension
@@ -270,7 +267,7 @@ func createReusableConfig(cert *x509.Certificate) *pb.ReusableConfigWrapper {
 		}
 	}
 
-	values := &pb.ReusableConfigValues{
+	return &pb.X509Parameters{
 		KeyUsage: &pb.KeyUsage{
 			BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
 				DigitalSignature:  cert.KeyUsage&x509.KeyUsageDigitalSignature > 0,
@@ -291,12 +288,6 @@ func createReusableConfig(cert *x509.Certificate) *pb.ReusableConfigWrapper {
 		AiaOcspServers:       cert.OCSPServer,
 		AdditionalExtensions: extraExtensions,
 	}
-
-	return &pb.ReusableConfigWrapper{
-		ConfigValues: &pb.ReusableConfigWrapper_ReusableConfigValues{
-			ReusableConfigValues: values,
-		},
-	}
 }
 
 // isExtraExtension returns true if the extension oid is not managed in a