Remove SSH cfn support and use x5rt#S256 property

maraino · maraino · commit 3eb25647ba26 · 2024-07-23T18:56:17.000-07:00
diff --git a/command/ca/token.go b/command/ca/token.go
@@ -30,7 +30,7 @@ func tokenCommand() cli.Command {
 [**--output-file**=<file>] [**--kms**=uri] [**--key**=<file>] [**--san**=<SAN>] [**--offline**]
 [**--revoke**] [**--x5c-cert**=<file>] [**--x5c-key**=<file>] [**--x5c-insecure**]
 [**--sshpop-cert**=<file>] [**--sshpop-key**=<file>]
-[**--cnf-file**=<file>] [**--cnf-kid**=<fingerprint>]
+[**--cnf**=<fingerprint>] [**--cnf-file**=<file>]
 [**--ssh**] [**--host**] [**--principal**=<name>] [**--k8ssa-token-path**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
 		Description: `**step ca token** command generates a one-time token granting access to the
@@ -86,6 +86,13 @@ Get a new token that becomes valid in 30 minutes and expires 5 minutes after tha
 $ step ca token --not-before 30m --not-after 35m internal.example.com
 '''
 
+Get a new token with a confirmation claim to enforce a given CSR fingerprint:
+'''
+$ step certificate fingerprint --format base64-url-raw internal.csr
+PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw
+$ step ca token --cnf PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw internal.smallstep.com
+'''
+
 Get a new token with a confirmation claim to enforce the use of a given CSR:
 '''
 step ca token --cnf-file internal.csr internal.smallstep.com
@@ -200,8 +207,8 @@ multiple principals.`,
 			flags.SSHPOPKey,
 			flags.NebulaCert,
 			flags.NebulaKey,
+			flags.Confirmation,
 			flags.ConfirmationFile,
-			flags.ConfirmationKid,
 			cli.StringFlag{
 				Name: "key",
 				Usage: `The private key <file> used to sign the JWT. This is usually downloaded from
@@ -258,7 +265,7 @@ func tokenAction(ctx *cli.Context) error {
 	principals := ctx.StringSlice("principal")
 	// confirmation claims
 	cnfFile := ctx.String("cnf-file")
-	cnfKid := ctx.String("cnf-kid")
+	cnf := ctx.String("cnf")
 
 	switch {
 	case isSSH && len(sans) > 0:
@@ -271,8 +278,8 @@ func tokenAction(ctx *cli.Context) error {
 		return errs.RequiredWithFlag(ctx, "host", "ssh")
 	case !isSSH && len(principals) > 0:
 		return errs.RequiredWithFlag(ctx, "principal", "ssh")
-	case cnfFile != "" && cnfKid != "":
-		return errs.IncompatibleFlagWithFlag(ctx, "cnf-file", "cnf-kid")
+	case cnfFile != "" && cnf != "":
+		return errs.IncompatibleFlagWithFlag(ctx, "cnf-file", "cnf")
 	}
 
 	// Default token type is always a 'Sign' token.
@@ -337,8 +344,8 @@ func tokenAction(ctx *cli.Context) error {
 			}
 			tokenOpts = append(tokenOpts, cautils.WithCertificateRequest(csr))
 		}
-	} else if cnfKid != "" {
-		tokenOpts = append(tokenOpts, cautils.WithConfirmationKid(cnfKid))
+	} else if cnf != "" {
+		tokenOpts = append(tokenOpts, cautils.WithConfirmationFingerprint(cnf))
 	}
 
 	// --san and --type revoke are incompatible. Revocation tokens do not support SANs.
diff --git a/command/certificate/fingerprint.go b/command/certificate/fingerprint.go
@@ -57,7 +57,7 @@ e2c4f12edfc1816cc610755d32e6f45d5678ba21ecda1693bb5b246e3c48c03d
 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
 '''
 
-Get the fingerprint for a CSR using base64-url without padding encoding:
+Get the fingerprint for a CSR using base64-url encoding without padding:
 '''
 $ step certificate fingerprint --format base64-url-raw hello.csr
 PJLNhtQoBE1yGN_ZKzr4Y2U5pyqIGiyyszkoz2raDOw
diff --git a/flags/flags.go b/flags/flags.go
@@ -379,19 +379,17 @@ be stored in the 'sshpop' header.`,
 be stored in the 'nebula' header.`,
 	}
 
+	// Confirmation is a cli.Flag used to add a confirmation claim in the token.
+	Confirmation = cli.StringFlag{
+		Name:  "cnf",
+		Usage: `The <fingerprint> of the CSR to restrict this token for.`,
+	}
+
 	// ConfirmationFile is a cli.Flag used to add a confirmation claim in the
-	// tokens. It will add a confirmation kid with the fingerprint of the CSR or
-	// an SSH public key.
+	// tokens. It will add a confirmation kid with the fingerprint of the CSR.
 	ConfirmationFile = cli.StringFlag{
 		Name:  "cnf-file",
-		Usage: `The CSR or SSH public key <file> to restrict this token for.`,
-	}
-
-	// ConfirmationKid is a cli.Flag used to add a confirmation claim in the
-	// token.
-	ConfirmationKid = cli.StringFlag{
-		Name:  "cnf-kid",
-		Usage: `The <fingerprint> of the CSR or SSH public key to restrict this token for.`,
+		Usage: `The CSR <file> to restrict this token for.`,
 	}
 
 	// Team is a cli.Flag used to pass the team ID.
diff --git a/token/options.go b/token/options.go
@@ -20,7 +20,6 @@ import (
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x25519"
-	"golang.org/x/crypto/ssh"
 )
 
 // Options is a function that set claims.
@@ -87,38 +86,35 @@ func WithSSH(v interface{}) Options {
 	})
 }
 
-// WithConfirmationKid returns an Options function that sets the cnf claim with
-// the given kid.
-func WithConfirmationKid(kid string) Options {
+// WithConfirmationFingerprint returns an Options function that sets the cnf
+// claim with the given CSR fingerprint.
+func WithConfirmationFingerprint(fp string) Options {
 	return func(c *Claims) error {
 		c.Set(ConfirmationClaim, map[string]string{
-			"kid": kid,
+			"x5rt#S256": fp,
 		})
 		return nil
 	}
 }
 
-// WithFingerprint returns an Options function that the cnf claims with the kid
-// representing the fingerprint of the certificate request or the ssh public
-// key.
+// WithFingerprint returns an Options function that the cnf claims with
+// "x5rt#S256" representing the fingerprint of the CSR
 func WithFingerprint(v interface{}) Options {
 	return func(c *Claims) error {
 		var data []byte
 		switch vv := v.(type) {
 		case *x509.CertificateRequest:
 			data = vv.Raw
-		case ssh.PublicKey:
-			data = vv.Marshal()
 		default:
-			return fmt.Errorf("unsupported fingerprint for %T", vv)
+			return fmt.Errorf("unsupported fingerprint for %T", v)
 		}
 
 		kid, err := fingerprint.New(data, crypto.SHA256, fingerprint.Base64RawURLFingerprint)
 		if err != nil {
 			return err
 		}
 		c.Set(ConfirmationClaim, map[string]string{
-			"kid": kid,
+			"x5rt#S256": kid,
 		})
 		return nil
 	}
diff --git a/token/options_test.go b/token/options_test.go
@@ -86,7 +86,7 @@ func TestOptions(t *testing.T) {
 		{"WithNebulaCurve25519Cert empty file fail", WithNebulaCert(emptyFile.Name(), nil), empty, true},
 		{"WithNebulaCurve25519Cert invalid content fail", WithNebulaCert(c25519CertFilename, nil), empty, true},
 		{"WithNebulaCurve25519Cert mismatching key fail", WithNebulaCert(c25519CertFilename, p256Signer), empty, true},
-		{"WithConfirmationKid ok", WithConfirmationKid("my-kid"), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"kid": "my-kid"}}}, false},
+		{"WithConfirmationFingerprint ok", WithConfirmationFingerprint("my-kid"), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"kid": "my-kid"}}}, false},
 		{"WithFingerprint csr ok", WithFingerprint(testCSR), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"kid": "ak6j6CwuZbd_mOQ-pNOUwhpmtSN0mY0xrLvaQL4J5l8"}}}, false},
 		{"WithFingerprint ssh ok", WithFingerprint(testSSH), &Claims{ExtraClaims: map[string]any{"cnf": map[string]string{"kid": "hpTQOoB7fIRxTp-FhXCIm94mGBv7_dzr_5SxLn1Pnwk"}}}, false},
 		{"WithFingerprint fail", WithFingerprint("unexpected type"), empty, true},
diff --git a/utils/cautils/certificate_flow.go b/utils/cautils/certificate_flow.go
@@ -37,10 +37,10 @@ type CertificateFlow struct {
 }
 
 type flowContext struct {
-	DisableCustomSANs  bool
-	SSHPublicKey       ssh.PublicKey
-	CertificateRequest *x509.CertificateRequest
-	ConfirmationKid    string
+	DisableCustomSANs       bool
+	SSHPublicKey            ssh.PublicKey
+	CertificateRequest      *x509.CertificateRequest
+	ConfirmationFingerprint string
 }
 
 // sharedContext is used to share information between commands.
@@ -78,10 +78,11 @@ func WithCertificateRequest(cr *x509.CertificateRequest) Option {
 	})
 }
 
-// WithConfirmationKid sets the confirmation kid used in the request.
-func WithConfirmationKid(kid string) Option {
+// WithConfirmationFingerprint sets the confirmation fingerprint used in the
+// request.
+func WithConfirmationFingerprint(fp string) Option {
 	return newFuncFlowOption(func(fo *flowContext) {
-		fo.ConfirmationKid = kid
+		fo.ConfirmationFingerprint = fp
 	})
 }
 
diff --git a/utils/cautils/token_generator.go b/utils/cautils/token_generator.go
@@ -102,8 +102,8 @@ func (t *TokenGenerator) SignToken(sub string, sans []string, opts ...token.Opti
 	// Tie certificate request to the token used in the JWK and X5C provisioners
 	if sharedContext.CertificateRequest != nil {
 		opts = append(opts, token.WithFingerprint(sharedContext.CertificateRequest))
-	} else if sharedContext.ConfirmationKid != "" {
-		opts = append(opts, token.WithConfirmationKid(sharedContext.ConfirmationKid))
+	} else if sharedContext.ConfirmationFingerprint != "" {
+		opts = append(opts, token.WithConfirmationFingerprint(sharedContext.ConfirmationFingerprint))
 	}
 
 	return t.Token(sub, opts...)
@@ -124,13 +124,6 @@ func (t *TokenGenerator) SignSSHToken(sub, certType string, principals []string,
 		ValidBefore: notAfter,
 	})}, opts...)
 
-	// Tie SSH public key to the token used in the JWK and X5C provisioners
-	if sharedContext.SSHPublicKey != nil {
-		opts = append(opts, token.WithFingerprint(sharedContext.SSHPublicKey))
-	} else if sharedContext.ConfirmationKid != "" {
-		opts = append(opts, token.WithConfirmationKid(sharedContext.ConfirmationKid))
-	}
-
 	return t.Token(sub, opts...)
 }
 
