Added KRL

Author: mlgupta

app/admin/hosts.py

@@ -231,6 +231,8 @@ def update_host(hostname):
                 if ("keyid" in sshPublicCert):
                     # Delete a cert
                     sshPublicCerts = list(filter(lambda key: key['keyid'] != sshPublicCert['keyid'], sshPublicCerts))
+                    if (sshca.add_to_krl(key=sshPublicCert['cert'])):
+                        app.logger.debug("Host Cert revoked: " + str(sshPublicCert['keyid']))
                 else: 
                     # Create a cert  
                     sshPublicCert['keyid'] = keyid

app/admin/users.py

@@ -226,6 +226,7 @@ def update_user(username):
         con = operations.open_ldap_connection()
 
         if ("sshPublicKeys" in req)  or ("sshPublicCerts" in req) or ("accountLocked" in req):
+            sshca = SSHCA()
             user = {}
             user = search_users(con,'(&(' + LDAP_ATTR_OBJECTCLASS + '=*)(' + LDAP_ATTR_CN + '=' + username + '))').pop()
 
@@ -251,16 +252,20 @@ def update_user(username):
                     if ("keyid" in sshPublicKey):
                         # Delete key
                         sshPublicKeys = list(filter(lambda key: key['keyid'] != sshPublicKey['keyid'], sshPublicKeys))
+                        if (sshca.add_to_krl(key=sshPublicKey['key'])):
+                            app.logger.debug("Key revoked: " + str(sshPublicKey['keyid']))
                     else:
                         # Create a new key
                         hostGroups = list(map(lambda hostGroup: hostGroup.lower(), sshPublicKey.get("hostGroups")))
                         if (set(hostGroups).issubset(set(memberOfs))):
-                            sshPublicKey['keyid'] = key_id
-                            sshPublicKey['keytype'] = keytype
-                            sshPublicKey['dateExpire'] = date_expire
-                            key_id += 1
-    #                    sshPublicKeys.append(json.dumps(sshPublicKey).encode())
-                            sshPublicKeys.append(sshPublicKey)
+                            if not (sshca.is_key_revoked(sshPublicKey["key"])):
+                                sshPublicKey['keyid'] = key_id
+                                sshPublicKey['keytype'] = keytype
+                                sshPublicKey['dateExpire'] = date_expire
+                                key_id += 1
+                                sshPublicKeys.append(sshPublicKey)
+                            else:
+                                raise KeyperError(errors["SSHPublicKeyRevokedError"].get("msg"), errors["SSHPublicKeyRevokedError"].get("status"))
                         else:
                             raise KeyperError(errors["UnauthorizedAccessError"].get("msg"), errors["UnauthorizedAccessError"].get("status"))
 
@@ -276,7 +281,6 @@ def update_user(username):
                     app.logger.debug("key_id: " + str(key_id))
 
             if ("sshPublicCerts" in req):
-                sshca = SSHCA()
                 principal_list = user.get("principal")
                 principal  = ','.join(principal_list)
 
@@ -285,6 +289,8 @@ def update_user(username):
                         # Delete Cert
                         sshPublicCerts = list(filter(lambda key: key["keyid"] != sshPublicCert["keyid"], sshPublicCerts))
                         app.logger.debug("Remaining certs: " + json.dumps(sshPublicCerts))
+                        if (sshca.add_to_krl(key=sshPublicCert['cert'])):
+                            app.logger.debug("User Cert revoked: " + str(sshPublicCert['keyid']))
                     else:
                         hostGroups = list(map(lambda hostGroup: hostGroup.lower(), sshPublicCert.get("hostGroups")))  
                         if (set(hostGroups).issubset(set(memberOfs))):

app/public/authkeys.py

@@ -14,14 +14,15 @@
 import sys
 import json
 import ldap
-from flask import request, Response
+from flask import request, Response, send_from_directory
 from flask import current_app as app
 from marshmallow import fields, Schema
 from marshmallow.validate import Length
 from datetime import datetime
 from . import public
 from ..resources.errors import KeyperError, errors
 from ..utils import operations
+from ..utils.sshca import SSHCA
 from ..admin.users import search_users, cn_from_dn
 from ..admin.hosts import searchHosts
 from ldapDefn import *
@@ -45,12 +46,22 @@ def get_authkeys():
     username = request.values.get('username')
     host = request.values.get('host')
     fingerprint = request.values.get('fingerprint')
+    key = request.values.get('key')
 
     app.logger.debug("username/host: " + username + "/" + host)
 
+    sshca = SSHCA()
+
     sshPublicKeys = []
     result = ""
 
+    if (key is None):
+        app.logger.debug("Key is None")
+    else:
+        if (sshca.is_key_revoked(key.replace('#',' ',1))):
+            app.logger.info("Key in KRL")
+            return Response(result, mimetype='text/plain')
+
     con = operations.open_ldap_connection()
 
     users = []
@@ -66,8 +77,6 @@ def get_authkeys():
         else:
             app.logger.debug("User not allowed to access host: " + user[LDAP_ATTR_CN] + "/" + host)
 
-#    for sshPublicKey in sshPublicKeys:
-#        result = sshPublicKey + "\n"
     result = '\n'.join(sshPublicKeys)
 
     operations.close_ldap_connection(con)
@@ -92,12 +101,22 @@ def get_authprinc():
     username = request.values.get('username')
     host = request.values.get('host')
     fingerprint = request.values.get('fingerprint')
+    cert = request.values.get('cert')
 
     app.logger.debug("username/host/fingerprint: " + username + "/" + host + "/" + fingerprint)
 
     sshPublicCerts = []
     result = ""
 
+    sshca = SSHCA()
+
+    if (cert is None):
+        app.logger.debug("Cert is None")
+    else:
+        if (sshca.is_key_revoked(cert.replace('#',' ',1))):
+            app.logger.info("Cert in KRL")
+            return Response(result, mimetype='text/plain')
+
     con = operations.open_ldap_connection()
 
     users = []
@@ -232,6 +251,17 @@ def get_userca():
     app.logger.debug("Exit")
     return Response(ca_key, mimetype='text/plain')
 
+@public.route('/cakrl', methods=['GET', 'POST'])
+def get_cakrl():
+    ''' Get KRL File '''
+    app.logger.debug("Enter")
+
+    try:
+        return send_from_directory(directory=app.config["SSH_CA_DIR"], filename=app.config["SSH_CA_KRL_FILE"], as_attachment=True)
+    except FileNotFoundError:
+        app.logger.error("KRL FIle Not Found Exception")
+        raise KeyperError("KRL File Not Found Exception",404)
+
 @public.route('/usercert', methods=['GET'])
 def get_usercert():
     ''' Get Cert for a user '''
@@ -397,17 +427,19 @@ class AuthKeySchema(Schema):
     username = fields.Str(required=True, validate=Length(max=100))
     host = fields.Str(required=True, validate=Length(max=100))
     fingerprint = fields.Str(required=False, validate=Length(max=100))
+    key = fields.Str(required=False, validate=Length(max=5000))
 
     class Meta:
-        fields = ("username", "host", "fingerprint")
+        fields = ("username", "host", "fingerprint", "key")
 
 class AuthPrincSchema(Schema):
     username = fields.Str(required=True, validate=Length(max=100))
     host = fields.Str(required=True, validate=Length(max=100))
     fingerprint = fields.Str(required=True, validate=Length(max=100))
+    cert = fields.Str(required=False, validate=Length(max=5000))
 
     class Meta:
-        fields = ("username", "host", "fingerprint")
+        fields = ("username", "host", "fingerprint", "cert")
 
 class HostCertSchema(Schema):
     hostname = fields.Str(required=True, validate=Length(max=100))

app/resources/errors.py

@@ -71,26 +71,30 @@ def to_dict(self):
      },
      "SSHPublicKeyError": {
          "msg": "SSH Public Key Error",
-         "status": 401
+         "status": 403
      },
      "SSHPublicKeyParseError": {
          "msg": "SSH Public Key Parse Error",
-         "status": 401
+         "status": 403
      },
      "SSHPublicKeyInvalidError": {
          "msg": "SSH Public Key Invalid",
-         "status": 401
+         "status": 403
+     },
+     "SSHPublicKeyRevokedError": {
+         "msg": "SSH Public Key in Key Revocation List (KRL).",
+         "status": 403
      },
      "OSError": {
          "msg": "OS Error",
-         "status": 401
+         "status": 403
      },
      "SSHPublicCertError": {
          "msg": "SSH Public Cert Error",
-         "status": 401
+         "status": 403
      },
      "SSHPublicCertNotExistError": {
          "msg": "SSH Public Cert does not exist",
-         "status": 401
+         "status": 403
      }
 }

app/utils/sshca.py

@@ -26,6 +26,7 @@ class SSHCA(object):
     ''' SSHCA Class '''
     ca_host_key = ''
     ca_user_key = ''
+    ca_krl_file = ''
     ca_tmp_work_dir = ''
     ca_tmp_work_delete_flag = True
 
@@ -34,6 +35,7 @@ def __init__(self):
         self.ca_dir = app.config["SSH_CA_DIR"]
         self.ca_host_key = self.ca_dir + "/" + app.config["SSH_CA_HOST_KEY"]
         self.ca_user_key = self.ca_dir + "/" + app.config["SSH_CA_USER_KEY"]
+        self.ca_krl_file = self.ca_dir + "/" + app.config["SSH_CA_KRL_FILE"]
         self.ca_tmp_work_dir = self.ca_dir + "/" + app.config["SSH_CA_TMP_WORK_DIR"]
         self.ca_tmp_work_delete_flag = app.config["SSH_CA_TMP_DELETE_FLAG"]
         app.logger.debug("Exit")
@@ -42,7 +44,7 @@ def sign_user_key(self, userkey, duration, owner, principal_list):
         ''' Sign User Key using User CA Key '''
         app.logger.debug("Enter")
 
-        serial = random.getrandbits(64)
+        serial = datetime.utcnow().strftime("%Y%m%d%H%M%S") + str(random.getrandbits(16))
         signed_key = ''
         cert_file_full_path = ''
 
@@ -89,7 +91,7 @@ def sign_host_key(self, hostkey, duration, hostname, principal_list):
         ''' Sign Host Key using Host CA Key '''
         app.logger.debug("Enter")
 
-        serial = random.getrandbits(64)
+        serial = datetime.utcnow().strftime("%Y%m%d%H%M%S") + str(random.getrandbits(16))
         signed_key = ''
         cert_file_full_path = ''
 
@@ -133,3 +135,73 @@ def sign_host_key(self, hostkey, duration, hostname, principal_list):
         app.logger.debug("Exit")
         return signed_key
 
+    def add_to_krl(self, key):
+        ''' Adds Key/Certificate to the Key Revocation List (KRL) '''
+        app.logger.debug("Enter")
+
+        try:
+            with NamedTemporaryFile(mode='w+t',  dir=self.ca_tmp_work_dir, delete=self.ca_tmp_work_delete_flag, suffix='.pub') as key_file:
+                app.logger.debug("Key: " + key)
+                key_file.write(key)
+                key_file.flush()
+
+                key_file_full_path = key_file.name
+                app.logger.debug("Key File: " + key_file_full_path)
+
+                subprocess.call([
+                    'ssh-keygen',
+                    '-k',
+                    '-u',
+                    '-f', '{}'.format(self.ca_krl_file),
+                    '-q',
+                    key_file_full_path])
+                
+                key_file.close()
+
+        except subprocess.SubprocessError as e:
+            app.logger.error("ssh-keygen error: " + str(e))
+            raise KeyperError(errors["SSHPublicKeyError"].get("msg"), errors["SSHPublicKeyError"].get("status"))
+        except OSError as e:
+            app.logger.error("OS error: " + str(e))
+            raise KeyperError(errors["OSError"].get("msg"), errors["OSError"].get("status"))
+
+        app.logger.debug("Exit")
+        return True
+
+    def is_key_revoked(self, key):
+        ''' Checks if key in KRL '''
+        app.logger.debug("Enter")
+
+        rc = True
+
+        try:
+            with NamedTemporaryFile(mode='w+t',  dir=self.ca_tmp_work_dir, delete=self.ca_tmp_work_delete_flag, suffix='.pub') as key_file:
+                app.logger.debug("Key: " + key)
+                key_file.write(key)
+                key_file.flush()
+
+                key_file_full_path = key_file.name
+                app.logger.debug("Key File: " + key_file_full_path)
+
+                result = subprocess.run([
+                    'ssh-keygen',
+                    '-Q',
+                    '-f', '{}'.format(self.ca_krl_file),
+                    key_file_full_path], capture_output=True, text=True)
+                
+                if ("REVOKED" in result.stdout):
+                    rc = True
+                else:
+                    rc = False
+                
+                key_file.close()
+
+        except subprocess.SubprocessError as e:
+            app.logger.error("ssh-keygen error: " + str(e))
+            raise KeyperError(errors["SSHPublicKeyError"].get("msg"), errors["SSHPublicKeyError"].get("status"))
+        except OSError as e:
+            app.logger.error("OS error: " + str(e))
+            raise KeyperError(errors["OSError"].get("msg"), errors["OSError"].get("status"))
+
+        app.logger.debug("Exit")
+        return rc

config.py

@@ -45,6 +45,7 @@ class Config(object):
     SSH_CA_DIR = environ.get("SSH_CA_DIR", "/etc/sshca")
     SSH_CA_HOST_KEY = environ.get("SSH_CA_HOST_KEY", "ca_host_key")
     SSH_CA_USER_KEY = environ.get("SSH_CA_USER_KEY", "ca_user_key")
+    SSH_CA_KRL_FILE = environ.get("SSH_CA_KRL_FILE", "ca_krl")
     SSH_CA_TMP_WORK_DIR = environ.get("SSH_CA_TMP_WORK_DIR", "tmp")
     SSH_CA_TMP_DELETE_FLAG = True