Allow a few global defaults to be pulled from the CA

- min-encryption-password-length
- provisioner

Enforce min-encryption-password-length, if set, in the 'step ssh
certificate' command.

Author: dopey

command/ssh/certificate.go

@@ -44,7 +44,8 @@ func certificateCommand() cli.Command {
 [**--console**] [**--no-password**] [**--insecure**] [**--force**] [**--x5c-cert**=<file>]
 [**--x5c-key**=<file>] [**--k8ssa-token-path**=<file>] [**--no-agent**]
 [**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>]
-[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
+[**--min-encryption-password-length**=<length>] [**--ca-url**=<uri>]
+[**--root**=<file>] [**--context**=<name>]`,
 
 		Description: `**step ssh certificate** command generates an SSH key pair and creates a
 certificate using [step certificates](https://github.com/smallstep/certificates).
@@ -202,6 +203,11 @@ $  step ssh certificate --kty OKP --curve Ed25519 mariano@work id_ed25519
 				Name:  "no-agent",
 				Usage: "Do not add the generated certificate and associated private key to the SSH agent.",
 			},
+			cli.IntFlag{
+				Name:  "min-encryption-password-length",
+				Usage: "Set minimum required length for password used to encrypt private key. The default value is '0'. Values <=0 are interpreted as if no minimum value is set.",
+				Value: 0,
+			},
 			flags.CaConfig,
 			flags.CaURL,
 			flags.Root,
@@ -240,6 +246,7 @@ func certificateAction(ctx *cli.Context) error {
 	noPassword := ctx.Bool("no-password")
 	insecure := ctx.Bool("insecure")
 	sshPrivKeyFile := ctx.String("private-key")
+	minPasswordLength := ctx.Int("min-encryption-password-length")
 	validAfter, validBefore, err := flags.ParseTimeDuration(ctx)
 	if err != nil {
 		return err
@@ -258,6 +265,8 @@ func certificateAction(ctx *cli.Context) error {
 	switch {
 	case noPassword && !insecure:
 		return errs.RequiredInsecureFlag(ctx, "no-password")
+	case noPassword && minPasswordLength > 0:
+		return errs.IncompatibleFlagWithFlag(ctx, "noPassword", "minPasswordLen")
 	case noPassword && passwordFile != "":
 		return errs.IncompatibleFlagWithFlag(ctx, "no-password", "password-file")
 	case token != "" && provisionerPasswordFile != "":
@@ -456,42 +465,43 @@ func certificateAction(ctx *cli.Context) error {
 		// Private key (with password unless --no-password --insecure)
 		opts := []pemutil.Options{
 			pemutil.WithOpenSSH(true),
-			pemutil.ToFile(keyFile, 0600),
+			pemutil.ToFile(keyFile, 0o600),
 		}
 		switch {
 		case noPassword && insecure:
 		case passwordFile != "":
-			opts = append(opts, pemutil.WithPasswordFile(passwordFile))
+			opts = append(opts, pemutil.WithMinLengthPasswordFile(passwordFile, minPasswordLength))
 		default:
 			opts = append(opts, pemutil.WithPasswordPrompt("Please enter the password to encrypt the private key", func(s string) ([]byte, error) {
-				return ui.PromptPassword(s, ui.WithValidateNotEmpty())
+				return ui.PromptPassword(s, ui.WithValidateNotEmpty(), ui.WithValidateMinLength(minPasswordLength))
 			}))
 		}
+
 		_, err = pemutil.Serialize(priv, opts...)
 		if err != nil {
 			return err
 		}
 
-		if err := utils.WriteFile(pubFile, marshalPublicKey(sshPub, subject), 0644); err != nil {
+		if err := utils.WriteFile(pubFile, marshalPublicKey(sshPub, subject), 0o644); err != nil {
 			return err
 		}
 	}
 
 	// Write certificate
-	if err := utils.WriteFile(crtFile, marshalPublicKey(resp.Certificate, subject), 0644); err != nil {
+	if err := utils.WriteFile(crtFile, marshalPublicKey(resp.Certificate, subject), 0o644); err != nil {
 		return err
 	}
 
 	// Write Add User keys and certs
 	if isAddUser && resp.AddUserCertificate != nil {
 		id := provisioner.SanitizeSSHUserPrincipal(subject) + "-provisioner"
-		if _, err := pemutil.Serialize(auPriv, pemutil.WithOpenSSH(true), pemutil.ToFile(baseName+"-provisioner", 0600)); err != nil {
+		if _, err := pemutil.Serialize(auPriv, pemutil.WithOpenSSH(true), pemutil.ToFile(baseName+"-provisioner", 0o600)); err != nil {
 			return err
 		}
-		if err := utils.WriteFile(baseName+"-provisioner.pub", marshalPublicKey(sshAuPub, id), 0644); err != nil {
+		if err := utils.WriteFile(baseName+"-provisioner.pub", marshalPublicKey(sshAuPub, id), 0o644); err != nil {
 			return err
 		}
-		if err := utils.WriteFile(baseName+"-provisioner-cert.pub", marshalPublicKey(resp.AddUserCertificate, id), 0644); err != nil {
+		if err := utils.WriteFile(baseName+"-provisioner-cert.pub", marshalPublicKey(resp.AddUserCertificate, id), 0o644); err != nil {
 			return err
 		}
 	}

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/certificates v0.28.2
 	github.com/smallstep/certinfo v1.13.0
-	github.com/smallstep/cli-utils v0.11.0
+	github.com/smallstep/cli-utils v0.12.0
 	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935
 	github.com/smallstep/linkedca v0.23.0
 	github.com/smallstep/truststore v0.13.0
@@ -28,7 +28,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/urfave/cli v1.22.16
 	go.mozilla.org/pkcs7 v0.9.0
-	go.step.sm/crypto v0.58.0
+	go.step.sm/crypto v0.59.0
 	golang.org/x/crypto v0.35.0
 	golang.org/x/sys v0.30.0
 	golang.org/x/term v0.29.0
@@ -131,12 +131,15 @@ require (
 	go.opentelemetry.io/otel v1.34.0 // indirect
 	go.opentelemetry.io/otel/metric v1.34.0 // indirect
 	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 // indirect
+	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/oauth2 v0.26.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/time v0.10.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
 	google.golang.org/api v0.221.0 // indirect
 	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect

go.sum

@@ -302,6 +302,8 @@ github.com/smallstep/certinfo v1.13.0 h1:iv/Fc1c8vke1asJZI7s3XoH7Wo/MY7znK0TlDUs
 github.com/smallstep/certinfo v1.13.0/go.mod h1:2pGT3T7r0s5f3BpJRi/j5K5akgvL3RfYXts5rDICkEA=
 github.com/smallstep/cli-utils v0.11.0 h1:XBKOEYFxbx3dal6P9mE58xXxBrdKNAp8J/CRMb7C9AI=
 github.com/smallstep/cli-utils v0.11.0/go.mod h1:VIQX+rhIUd4d8OBpIqpkQtBDq/lUlzqaGpCNbFeUuNM=
+github.com/smallstep/cli-utils v0.12.0 h1:EX3WBTpoCJGqIddiJnhYWYx+CGo8xH1o29tu5I+giss=
+github.com/smallstep/cli-utils v0.12.0/go.mod h1:skV2Neg8qjiKPu2fphM89H9bIxNpKiiRTnX9Q6Lc+20=
 github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935 h1:kjYvkvS/Wdy0PVRDUAA0gGJIVSEZYhiAJtfwYgOYoGA=
 github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935/go.mod h1:vNAduivU014fubg6ewygkAvQC0IQVXqdc8vaGl/0er4=
 github.com/smallstep/linkedca v0.23.0 h1:5W/7EudlK1HcCIdZM68dJlZ7orqCCCyv6bm2l/0JmLU=
@@ -377,6 +379,10 @@ go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC
 go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
 go.step.sm/crypto v0.58.0 h1:PrrtM9fP8Y7A7193WnZDu2bqEZu7jc7M8+CCkDarMtw=
 go.step.sm/crypto v0.58.0/go.mod h1:yluOL5OqY7mXGGQ7JUmAv/6h8T8Ge3yXdlEESWHOqDQ=
+go.step.sm/crypto v0.58.1 h1:2PpEYTbytA3el9dW0gh9uJEe/CR/J6wS+x2vWYLG83M=
+go.step.sm/crypto v0.58.1/go.mod h1:yluOL5OqY7mXGGQ7JUmAv/6h8T8Ge3yXdlEESWHOqDQ=
+go.step.sm/crypto v0.59.0 h1:BDEbdyYJpp0yOSx7dmT+9git2/BXfkCsCzJKOj3v9RI=
+go.step.sm/crypto v0.59.0/go.mod h1:wz5S8Q0NI/x22TIWQxdGD+ioHa+ge2FbkcPmbXUzNao=
 go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
 go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -398,6 +404,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
+golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -472,6 +480,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
+golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.221.0 h1:qzaJfLhDsbMeFee8zBRdt/Nc+xmOuafD/dbdgGfutOU=
 google.golang.org/api v0.221.0/go.mod h1:7sOU2+TL4TxUTdbi0gWgAIg7tH5qBXxoyhtL+9x3biQ=

utils/cautils/bootstrap.go

@@ -25,9 +25,11 @@ import (
 )
 
 type bootstrapAPIResponse struct {
-	CaURL       string `json:"url"`
-	Fingerprint string `json:"fingerprint"`
-	RedirectURL string `json:"redirect-url"`
+	CaURL                       string `json:"url"`
+	Fingerprint                 string `json:"fingerprint"`
+	RedirectURL                 string `json:"redirect-url"`
+	Provisioner                 string `json:"provisioner"`
+	MinEncryptionPasswordLength int    `json:"min-encryption-password-length"`
 }
 
 // UseContext returns true if contexts should be used, false otherwise.
@@ -53,8 +55,22 @@ func WarnContext() {
 type bootstrapOption func(bc *bootstrapContext)
 
 type bootstrapContext struct {
-	defaultContextName string
-	redirectURL        string
+	defaultContextName          string
+	redirectURL                 string
+	provisioner                 string
+	minEncryptionPasswordLength int
+}
+
+func withProvisioner(provisioner string) bootstrapOption {
+	return func(bc *bootstrapContext) {
+		bc.provisioner = provisioner
+	}
+}
+
+func withMinEncryptionPasswordLength(minLength int) bootstrapOption {
+	return func(bc *bootstrapContext) {
+		bc.minEncryptionPasswordLength = minLength
+	}
 }
 
 func withDefaultContextValues(context string) bootstrapOption {
@@ -70,10 +86,12 @@ func withRedirectURL(r string) bootstrapOption {
 }
 
 type bootstrapConfig struct {
-	CA          string `json:"ca-url"`
-	Fingerprint string `json:"fingerprint"`
-	Root        string `json:"root"`
-	Redirect    string `json:"redirect-url"`
+	CA                          string `json:"ca-url"`
+	Fingerprint                 string `json:"fingerprint"`
+	Root                        string `json:"root"`
+	Redirect                    string `json:"redirect-url"`
+	Provisioner                 string `json:"provisioner"`
+	MinEncryptionPasswordLength int    `json:"min-encryption-password-length"`
 }
 
 func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOption) error {
@@ -126,16 +144,16 @@ func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOpt
 	rootFile := pki.GetRootCAPath()
 	configFile := step.DefaultsFile()
 
-	if err = os.MkdirAll(filepath.Dir(rootFile), 0700); err != nil {
+	if err = os.MkdirAll(filepath.Dir(rootFile), 0o700); err != nil {
 		return errs.FileError(err, rootFile)
 	}
 
-	if err = os.MkdirAll(filepath.Dir(configFile), 0700); err != nil {
+	if err = os.MkdirAll(filepath.Dir(configFile), 0o700); err != nil {
 		return errs.FileError(err, configFile)
 	}
 
 	// Serialize root
-	_, err = pemutil.Serialize(resp.RootPEM.Certificate, pemutil.ToFile(rootFile, 0600))
+	_, err = pemutil.Serialize(resp.RootPEM.Certificate, pemutil.ToFile(rootFile, 0o600))
 	if err != nil {
 		return err
 	}
@@ -148,12 +166,19 @@ func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOpt
 	}
 
 	// Serialize defaults.json
-	b, err := json.MarshalIndent(bootstrapConfig{
+	bootConf := bootstrapConfig{
 		CA:          caURL,
 		Fingerprint: fingerprint,
 		Root:        pki.GetRootCAPath(),
 		Redirect:    bc.redirectURL,
-	}, "", "  ")
+	}
+	if bc.minEncryptionPasswordLength > 0 {
+		bootConf.MinEncryptionPasswordLength = bc.minEncryptionPasswordLength
+	}
+	if bc.provisioner != "" {
+		bootConf.Provisioner = bc.provisioner
+	}
+	b, err := json.MarshalIndent(bootConf, "", "  ")
 	if err != nil {
 		return errors.Wrap(err, "error marshaling defaults.json")
 	}
@@ -162,7 +187,7 @@ func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOpt
 	ctx.Set("fingerprint", fingerprint)
 	ctx.Set("root", rootFile)
 
-	if err := utils.WriteFile(configFile, b, 0644); err != nil {
+	if err := utils.WriteFile(configFile, b, 0o644); err != nil {
 		return err
 	}
 
@@ -171,12 +196,12 @@ func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOpt
 	if step.Contexts().Enabled() {
 		profileDefaultsFile := step.ProfileDefaultsFile()
 
-		if err := os.MkdirAll(filepath.Dir(profileDefaultsFile), 0700); err != nil {
+		if err := os.MkdirAll(filepath.Dir(profileDefaultsFile), 0o700); err != nil {
 			return errs.FileError(err, profileDefaultsFile)
 		}
 
 		if _, err := os.Stat(profileDefaultsFile); os.IsNotExist(err) {
-			if err := os.WriteFile(profileDefaultsFile, []byte("{}"), 0600); err != nil {
+			if err := os.WriteFile(profileDefaultsFile, []byte("{}"), 0o600); err != nil {
 				return errs.FileError(err, profileDefaultsFile)
 			}
 			ui.Printf("The profile configuration has been saved in %s.\n", profileDefaultsFile)
@@ -254,9 +279,17 @@ func BootstrapTeamAuthority(ctx *cli.Context, team, teamAuthority string) error
 		r.RedirectURL = "https://smallstep.com/app/teams/sso/success"
 	}
 
-	return bootstrap(ctx, r.CaURL, r.Fingerprint,
-		withDefaultContextValues(teamAuthority+"."+team),
-		withRedirectURL(r.RedirectURL))
+	bootOpts := []bootstrapOption{
+		withDefaultContextValues(teamAuthority + "." + team),
+		withRedirectURL(r.RedirectURL),
+	}
+	if r.Provisioner != "" {
+		bootOpts = append(bootOpts, withProvisioner(r.Provisioner))
+	}
+	if r.MinEncryptionPasswordLength > 0 {
+		bootOpts = append(bootOpts, withMinEncryptionPasswordLength(r.MinEncryptionPasswordLength))
+	}
+	return bootstrap(ctx, r.CaURL, r.Fingerprint, bootOpts...)
 }
 
 // BootstrapAuthority bootstraps an authority using only the caURL and fingerprint.
@@ -268,7 +301,7 @@ func BootstrapAuthority(ctx *cli.Context, caURL, fingerprint string) (err error)
 		}
 	}
 
-	var opts = []bootstrapOption{
+	opts := []bootstrapOption{
 		withDefaultContextValues(caHostname),
 	}