Merge branch 'smallstep:master' into master

Author: mishaslavin

CHANGELOG.md

@@ -25,11 +25,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ---
 
+## [unreleased] - aaaa-bb-cc
+
+### Added
+
+- Add support for using key usage, extended key usage, and basic constraints
+  from certificate requests in certificate templates (smallstep/crypto#767)
+
 ## [0.28.3] - 2025-03-17
 
 - dependabot updates
 
-
 ## [0.28.2] - 2025-02-20
 
 ### Added

api/api.go

@@ -552,6 +552,7 @@ func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 			"serial":      cert.SerialNumber.String(),
 			"subject":     cert.Subject.CommonName,
 			"issuer":      cert.Issuer.CommonName,
+			"sans":        fmtSans(cert),
 			"valid-from":  cert.NotBefore.Format(time.RFC3339),
 			"valid-to":    cert.NotAfter.Format(time.RFC3339),
 			"public-key":  fmtPublicKey(cert),
@@ -625,6 +626,31 @@ func ParseCursor(r *http.Request) (cursor string, limit int, err error) {
 	return
 }
 
+func fmtSans(cert *x509.Certificate) map[string][]string {
+	sans := make(map[string][]string)
+	if len(cert.DNSNames) > 0 {
+		sans["dns"] = cert.DNSNames
+	}
+	if len(cert.EmailAddresses) > 0 {
+		sans["email"] = cert.EmailAddresses
+	}
+	if size := len(cert.IPAddresses); size > 0 {
+		ips := make([]string, size)
+		for i, ip := range cert.IPAddresses {
+			ips[i] = ip.String()
+		}
+		sans["ip"] = ips
+	}
+	if size := len(cert.URIs); size > 0 {
+		uris := make([]string, size)
+		for i, u := range cert.URIs {
+			uris[i] = u.String()
+		}
+		sans["uri"] = uris
+	}
+	return sans
+}
+
 func fmtPublicKey(cert *x509.Certificate) string {
 	var params string
 	switch pk := cert.PublicKey.(type) {

authority/meter.go

@@ -2,24 +2,26 @@ package authority
 
 import (
 	"crypto"
+	"crypto/x509"
 	"io"
 
 	"go.step.sm/crypto/kms"
 	kmsapi "go.step.sm/crypto/kms/apiv1"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/smallstep/certificates/authority/provisioner"
 )
 
 // Meter wraps the set of defined callbacks for metrics gatherers.
 type Meter interface {
 	// X509Signed is called whenever an X509 certificate is signed.
-	X509Signed(provisioner.Interface, error)
+	X509Signed([]*x509.Certificate, provisioner.Interface, error)
 
 	// X509Renewed is called whenever an X509 certificate is renewed.
-	X509Renewed(provisioner.Interface, error)
+	X509Renewed([]*x509.Certificate, provisioner.Interface, error)
 
 	// X509Rekeyed is called whenever an X509 certificate is rekeyed.
-	X509Rekeyed(provisioner.Interface, error)
+	X509Rekeyed([]*x509.Certificate, provisioner.Interface, error)
 
 	// X509WebhookAuthorized is called whenever an X509 authoring webhook is called.
 	X509WebhookAuthorized(provisioner.Interface, error)
@@ -28,13 +30,13 @@ type Meter interface {
 	X509WebhookEnriched(provisioner.Interface, error)
 
 	// SSHSigned is called whenever an SSH certificate is signed.
-	SSHSigned(provisioner.Interface, error)
+	SSHSigned(*ssh.Certificate, provisioner.Interface, error)
 
 	// SSHRenewed is called whenever an SSH certificate is renewed.
-	SSHRenewed(provisioner.Interface, error)
+	SSHRenewed(*ssh.Certificate, provisioner.Interface, error)
 
 	// SSHRekeyed is called whenever an SSH certificate is rekeyed.
-	SSHRekeyed(provisioner.Interface, error)
+	SSHRekeyed(*ssh.Certificate, provisioner.Interface, error)
 
 	// SSHWebhookAuthorized is called whenever an SSH authoring webhook is called.
 	SSHWebhookAuthorized(provisioner.Interface, error)
@@ -49,17 +51,17 @@ type Meter interface {
 // noopMeter implements a noop [Meter].
 type noopMeter struct{}
 
-func (noopMeter) SSHRekeyed(provisioner.Interface, error)            {}
-func (noopMeter) SSHRenewed(provisioner.Interface, error)            {}
-func (noopMeter) SSHSigned(provisioner.Interface, error)             {}
-func (noopMeter) SSHWebhookAuthorized(provisioner.Interface, error)  {}
-func (noopMeter) SSHWebhookEnriched(provisioner.Interface, error)    {}
-func (noopMeter) X509Rekeyed(provisioner.Interface, error)           {}
-func (noopMeter) X509Renewed(provisioner.Interface, error)           {}
-func (noopMeter) X509Signed(provisioner.Interface, error)            {}
-func (noopMeter) X509WebhookAuthorized(provisioner.Interface, error) {}
-func (noopMeter) X509WebhookEnriched(provisioner.Interface, error)   {}
-func (noopMeter) KMSSigned(error)                                    {}
+func (noopMeter) SSHRekeyed(*ssh.Certificate, provisioner.Interface, error)     {}
+func (noopMeter) SSHRenewed(*ssh.Certificate, provisioner.Interface, error)     {}
+func (noopMeter) SSHSigned(*ssh.Certificate, provisioner.Interface, error)      {}
+func (noopMeter) SSHWebhookAuthorized(provisioner.Interface, error)             {}
+func (noopMeter) SSHWebhookEnriched(provisioner.Interface, error)               {}
+func (noopMeter) X509Rekeyed([]*x509.Certificate, provisioner.Interface, error) {}
+func (noopMeter) X509Renewed([]*x509.Certificate, provisioner.Interface, error) {}
+func (noopMeter) X509Signed([]*x509.Certificate, provisioner.Interface, error)  {}
+func (noopMeter) X509WebhookAuthorized(provisioner.Interface, error)            {}
+func (noopMeter) X509WebhookEnriched(provisioner.Interface, error)              {}
+func (noopMeter) KMSSigned(error)                                               {}
 
 type instrumentedKeyManager struct {
 	kms.KeyManager

authority/provisioner/options_test.go

@@ -189,7 +189,7 @@ func TestTemplateOptions(t *testing.T) {
 
 func TestCustomTemplateOptions(t *testing.T) {
 	csr := parseCertificateRequest(t, "testdata/certs/ecdsa.csr")
-	csrCertificate := `{"version":0,"subject":{"commonName":"foo"},"rawSubject":"MA4xDDAKBgNVBAMTA2Zvbw==","dnsNames":["foo"],"emailAddresses":null,"ipAddresses":null,"uris":null,"sans":null,"extensions":[{"id":"2.5.29.17","critical":false,"value":"MAWCA2Zvbw=="}],"signatureAlgorithm":""}`
+	csrCertificate := `{"version":0,"subject":{"commonName":"foo"},"rawSubject":"MA4xDDAKBgNVBAMTA2Zvbw==","dnsNames":["foo"],"emailAddresses":null,"ipAddresses":null,"uris":null,"sans":null,"extensions":[{"id":"2.5.29.17","critical":false,"value":"MAWCA2Zvbw=="}],"keyUsage":null,"extKeyUsage":[],"unknownExtKeyUsage":null,"basicConstraints":null,"signatureAlgorithm":""}`
 	data := x509util.TemplateData{
 		x509util.SubjectKey: x509util.Subject{
 			CommonName: "foobar",

authority/ssh.go

@@ -149,7 +149,7 @@ func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (*
 // SignSSH creates a signed SSH certificate with the given public key and options.
 func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) {
 	cert, prov, err := a.signSSH(ctx, key, opts, signOpts...)
-	a.meter.SSHSigned(prov, err)
+	a.meter.SSHSigned(cert, prov, err)
 	return cert, err
 }
 
@@ -337,7 +337,7 @@ func (a *Authority) isAllowedToSignSSHCertificate(cert *ssh.Certificate) error {
 // RenewSSH creates a signed SSH certificate using the old SSH certificate as a template.
 func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ssh.Certificate, error) {
 	cert, prov, err := a.renewSSH(ctx, oldCert)
-	a.meter.SSHRenewed(prov, err)
+	a.meter.SSHRenewed(cert, prov, err)
 	return cert, err
 }
 
@@ -408,7 +408,7 @@ func (a *Authority) renewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ss
 // RekeySSH creates a signed SSH certificate using the old SSH certificate as a template.
 func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub ssh.PublicKey, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) {
 	cert, prov, err := a.rekeySSH(ctx, oldCert, pub, signOpts...)
-	a.meter.SSHRekeyed(prov, err)
+	a.meter.SSHRekeyed(cert, prov, err)
 	return cert, err
 }
 

authority/tls.go

@@ -118,7 +118,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 // request, taking the provided context.Context.
 func (a *Authority) SignWithContext(ctx context.Context, csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 	chain, prov, err := a.signX509(ctx, csr, signOpts, extraOpts...)
-	a.meter.X509Signed(prov, err)
+	a.meter.X509Signed(chain, prov, err)
 	return chain, err
 }
 
@@ -372,9 +372,9 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
 func (a *Authority) RenewContext(ctx context.Context, oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x509.Certificate, error) {
 	chain, prov, err := a.renewContext(ctx, oldCert, pk)
 	if pk == nil {
-		a.meter.X509Renewed(prov, err)
+		a.meter.X509Renewed(chain, prov, err)
 	} else {
-		a.meter.X509Rekeyed(prov, err)
+		a.meter.X509Rekeyed(chain, prov, err)
 	}
 	return chain, err
 }

go.mod

@@ -17,10 +17,10 @@ require (
 	github.com/google/go-tpm v0.9.5
 	github.com/google/uuid v1.6.0
 	github.com/googleapis/gax-go/v2 v2.14.2
-	github.com/hashicorp/vault/api v1.16.0
-	github.com/hashicorp/vault/api/auth/approle v0.9.0
-	github.com/hashicorp/vault/api/auth/aws v0.9.0
-	github.com/hashicorp/vault/api/auth/kubernetes v0.9.0
+	github.com/hashicorp/vault/api v1.20.0
+	github.com/hashicorp/vault/api/auth/approle v0.10.0
+	github.com/hashicorp/vault/api/auth/aws v0.10.0
+	github.com/hashicorp/vault/api/auth/kubernetes v0.10.0
 	github.com/newrelic/go-agent/v3 v3.39.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.22.0
@@ -29,35 +29,35 @@ require (
 	github.com/slackhq/nebula v1.9.5
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/cli-utils v0.12.1
-	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935
+	github.com/smallstep/go-attestation v0.4.4-0.20241119153605-2306d5b464ca
 	github.com/smallstep/linkedca v0.23.0
 	github.com/smallstep/nosql v0.7.0
 	github.com/smallstep/pkcs7 v0.2.1
 	github.com/smallstep/scep v0.0.0-20240926084937-8cf1ca453101
 	github.com/stretchr/testify v1.10.0
 	github.com/urfave/cli v1.22.16
-	go.step.sm/crypto v0.63.0
+	go.step.sm/crypto v0.66.0
 	go.uber.org/mock v0.5.2
 	golang.org/x/crypto v0.38.0
-	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394
+	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
 	golang.org/x/net v0.40.0
-	google.golang.org/api v0.233.0
-	google.golang.org/grpc v1.72.1
+	google.golang.org/api v0.236.0
+	google.golang.org/grpc v1.73.0
 	google.golang.org/protobuf v1.36.6
 )
 
 require (
 	cloud.google.com/go v0.120.0 // indirect
 	cloud.google.com/go/auth v0.16.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
-	cloud.google.com/go/kms v1.21.2 // indirect
+	cloud.google.com/go/kms v1.22.0 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
@@ -118,7 +118,7 @@ require (
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/go-uuid v1.0.2 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
@@ -164,10 +164,10 @@ require (
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.31.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )