From f8a3fcaec117ea43549734a015bb814c256ca797 Mon Sep 17 00:00:00 2001 From: Naomi Kirby Date: Thu, 13 Jun 2024 12:32:09 -0700 Subject: [PATCH] Add certificate fingerprints and validity dates too --- docs/endpoints.md | 11 ++++++++++- signer/signer.go | 44 +++++++++++++++++++++++++++++++---------- signer/signer_test.go | 46 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 11 deletions(-) diff --git a/docs/endpoints.md b/docs/endpoints.md index 03cecd15f..f92fb8415 100644 --- a/docs/endpoints.md +++ b/docs/endpoints.md @@ -385,7 +385,7 @@ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="som ### Request -Get the public configuration of a configured signer. For example: +Get the sanitized configuration of a signer. For example: ```bash GET /config/dummyrsa @@ -410,3 +410,12 @@ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="som "hash": "sha256" } ``` + +The returned configuration should be a subset of the internal configuration with the following differences: + - Public values, such as the `id`, `publickey` and `certificate` are copied verbatim. + - Private keys are hashed, and return only the SHA256 checksum of the secret value. + - The `certificate`, if present is parsed and the following additional fields are added: + + `cert_sha1`: Contains the SHA1 fingerprint of the DER certificate. + + `cert_sha256`: Contains the SHA256 fingerprint of the DER certificate. + + `cert_start`: Contains the certificate `NotBefore` time in RFC 3339 format. + + `cert_end`: Contains the certificate `NotAfter` time in RFC 3339 format. diff --git a/signer/signer.go b/signer/signer.go index 7fd6863e4..1f45eecb5 100644 --- a/signer/signer.go +++ b/signer/signer.go @@ -12,11 +12,13 @@ import ( "crypto/elliptic" "crypto/rand" "crypto/rsa" + "crypto/sha1" "crypto/sha256" "crypto/x509" "encoding/base64" "encoding/pem" "fmt" + "hash" "io" "regexp" "strings" @@ -186,24 +188,26 @@ type SanitizedConfig struct { PrivateKey string `json:"privatekey,omitempty" yaml:"privatekey,omitempty"` IssuerPrivKey string `json:"issuerprivkey,omitempty" yaml:"issuerprivkey,omitempty"` - // TODO: To fully replace the config-sanitizer tool, we should also include - // fingerprints and expiration times of the certificate (if present). + // If a certificate is present, add fingerprints and expiration dates. + CertFingerprintSha1 string `json:"cert_sha1,omitempty" yaml:"cert_sha1,omitempty"` + CertFingerprintSha256 string `json:"cert_sha256,omitempty" yaml:"cert_sha256,omitempty"` + CertDateStart string `json:"cert_date_start,omitempty" yaml:"cert_date_start,omitempty"` + CertDateEnd string `json:"cert_date_end,omitempty" yaml:"cert_date_end,omitempty"` } -func hashSecretString(secret string) string { +func hashFingerprint(secret []byte, algorithm hash.Hash) string { // Empty strings should stay empty - if secret == "" { + if len(secret) == 0 { return "" } - h := sha256.New() - h.Write([]byte(secret)) - return fmt.Sprintf("%x", h.Sum(nil)) + algorithm.Write(secret) + return fmt.Sprintf("%x", algorithm.Sum(nil)) } // Sanitize configuration to make it suitable for public export func (cfg *Configuration) Sanitize() *SanitizedConfig { - return &SanitizedConfig{ + result := &SanitizedConfig{ // Copy public values verbatim. ID: cfg.ID, Type: cfg.Type, @@ -222,9 +226,29 @@ func (cfg *Configuration) Sanitize() *SanitizedConfig { SaltLength: cfg.SaltLength, // Hash private keys, if present. - PrivateKey: hashSecretString(cfg.PrivateKey), - IssuerPrivKey: hashSecretString(cfg.IssuerPrivKey), + PrivateKey: hashFingerprint([]byte(cfg.PrivateKey), sha256.New()), + IssuerPrivKey: hashFingerprint([]byte(cfg.IssuerPrivKey), sha256.New()), + } + + // If a certificate exists - parse it. + certDER, _ := pem.Decode([]byte(cfg.Certificate)) + if certDER != nil && certDER.Type == "CERTIFICATE" { + certX509, err := x509.ParseCertificate(certDER.Bytes) + if err == nil { + result.CertFingerprintSha1 = hashFingerprint(certDER.Bytes, sha1.New()) + result.CertFingerprintSha256 = hashFingerprint(certDER.Bytes, sha256.New()) + start, err := certX509.NotBefore.MarshalText() + if err == nil { + result.CertDateStart = string(start) + } + end, err := certX509.NotAfter.MarshalText() + if err == nil { + result.CertDateEnd = string(end) + } + } } + + return result } // InitHSM indicates that an HSM has been initialized diff --git a/signer/signer_test.go b/signer/signer_test.go index 74fdac791..6c66af06d 100644 --- a/signer/signer_test.go +++ b/signer/signer_test.go @@ -373,4 +373,50 @@ var sanitizerTestCases = []struct { // echo -n "Lorem Ipsum" | sha256sum IssuerPrivKey: "030dc1f936c3415aff3f3357163515190d347a28e758e1f717d17bae453541c9", }}, + // Certificates should parse out the fingerprint and validity dates. + {cfg: Configuration{ + ID: "cert-extra-data", + Certificate: ` +-----BEGIN CERTIFICATE----- +MIICXDCCAeKgAwIBAgIIFYW6xg9HrnAwCgYIKoZIzj0EAwMwXzELMAkGA1UEBhMC +VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRAwDgYDVQQK +EwdNb3ppbGxhMRkwFwYDVQQDExBjc3Jvb3QxNTUwODUxMDA2MB4XDTE4MTIyMTE1 +NTY0NloXDTI5MDIyMjE1NTY0NlowYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB +MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRAwDgYDVQQKEwdNb3ppbGxhMRowGAYD +VQQDExFjc2ludGVyMTU1MDg1MTAwNjB2MBAGByqGSM49AgEGBSuBBAAiA2IABAwF +9wOPiv/1oBdxSyOO6fe8KkFJCiyRx2KIXhsT4BwWY8AGHoCfBNm/Swdg+OSi+TdH +dF+5eUrKiqG4PvdWoGGS4rtHqY3ayeF9GRaaLpLMdZkhc/MVJygJoecmsXM2O6Nq +MGgwDgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA8GA1UdEwEB +/wQFMAMBAf8wMAYDVR0eAQH/BCYwJKAiMCCCHi5jb250ZW50LXNpZ25hdHVyZS5t +b3ppbGxhLm9yZzAKBggqhkjOPQQDAwNoADBlAjBss+GLdMdLT2Y/g73OE9x0WyUG +vqzO7klt20yytmhaYMIPT/zRnWsHZbqEijHMzGsCMQDEoKetuWkyBkzAytS6l+ss +mYigBlwySY+gTqsjuIrydWlKaOv1GU+PXbwX0cQuaN8= +-----END CERTIFICATE-----`, + }, + result: SanitizedConfig{ + ID: "cert-extra-data", + Certificate: ` +-----BEGIN CERTIFICATE----- +MIICXDCCAeKgAwIBAgIIFYW6xg9HrnAwCgYIKoZIzj0EAwMwXzELMAkGA1UEBhMC +VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRAwDgYDVQQK +EwdNb3ppbGxhMRkwFwYDVQQDExBjc3Jvb3QxNTUwODUxMDA2MB4XDTE4MTIyMTE1 +NTY0NloXDTI5MDIyMjE1NTY0NlowYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB +MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRAwDgYDVQQKEwdNb3ppbGxhMRowGAYD +VQQDExFjc2ludGVyMTU1MDg1MTAwNjB2MBAGByqGSM49AgEGBSuBBAAiA2IABAwF +9wOPiv/1oBdxSyOO6fe8KkFJCiyRx2KIXhsT4BwWY8AGHoCfBNm/Swdg+OSi+TdH +dF+5eUrKiqG4PvdWoGGS4rtHqY3ayeF9GRaaLpLMdZkhc/MVJygJoecmsXM2O6Nq +MGgwDgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA8GA1UdEwEB +/wQFMAMBAf8wMAYDVR0eAQH/BCYwJKAiMCCCHi5jb250ZW50LXNpZ25hdHVyZS5t +b3ppbGxhLm9yZzAKBggqhkjOPQQDAwNoADBlAjBss+GLdMdLT2Y/g73OE9x0WyUG +vqzO7klt20yytmhaYMIPT/zRnWsHZbqEijHMzGsCMQDEoKetuWkyBkzAytS6l+ss +mYigBlwySY+gTqsjuIrydWlKaOv1GU+PXbwX0cQuaN8= +-----END CERTIFICATE-----`, + // openssl x509 -outform DER | shasum + CertFingerprintSha1: "793a92cb335c3846ffed7f8c112137cd8a75e7c7", + // openssl x509 -outform DER | sha256sum + CertFingerprintSha256: "61bd2500b732d2889a1b17c24365741550534fb715cd4f7c463a23a35bd931ee", + // openssl x509 -noout -text + CertDateStart: "2018-12-21T15:56:46Z", + CertDateEnd: "2029-02-22T15:56:46Z", + }}, }