From c1c986922b1efa5daa27dd2d8ff83ad4cd8fe794 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 6 May 2021 18:09:40 -0700
Subject: [PATCH 01/11] Show Ed25519 in the public-key log field.
---
 api/api.go | 4 +++-
 api/api_test.go | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/api/api.go b/api/api.go
index 2ae6e6e8..6a0a7e8f 100644
--- a/api/api.go
+++ b/api/api.go
@@ -5,6 +5,7 @@ import (
 "crypto"
 "crypto/dsa" //nolint
 "crypto/ecdsa"
+ "crypto/ed25519"
 "crypto/rsa"
 "crypto/x509"
 "encoding/asn1"
@@ -437,7 +438,6 @@ func parseCursor(r *http.Request) (cursor string, limit int, err error) {
 return
 }
-// TODO: add support for Ed25519 once it's supported
 func fmtPublicKey(cert *x509.Certificate) string {
 var params string
 switch pk := cert.PublicKey.(type) {
@@ -445,6 +445,8 @@ func fmtPublicKey(cert *x509.Certificate) string {
 params = pk.Curve.Params().Name
 case *rsa.PublicKey:
 params = strconv.Itoa(pk.Size() * 8)
+ case ed25519.PublicKey:
+ return cert.PublicKeyAlgorithm.String()
 case *dsa.PublicKey:
 params = strconv.Itoa(pk.Q.BitLen() * 8)
 default:
diff --git a/api/api_test.go b/api/api_test.go
index 944927ff..62ef7740 100644
--- a/api/api_test.go
+++ b/api/api_test.go
@@ -6,6 +6,7 @@ import (
 "crypto"
 "crypto/dsa" //nolint
 "crypto/ecdsa"
+ "crypto/ed25519"
 "crypto/elliptic"
 "crypto/rand"
 "crypto/rsa"
@@ -1285,6 +1286,10 @@ func Test_fmtPublicKey(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
+ edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ t.Fatal(err)
+ }
 var dsa2048 dsa.PrivateKey
 if err := dsa.GenerateParameters(&dsa2048.Parameters, rand.Reader, dsa.L2048N256); err != nil {
 t.Fatal(err)
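Review bot: The new `case ed25519.PublicKey:` in fmtPublicKey is the only branch that returns before the formatting that follows the switch, and it takes its text from `cert.PublicKeyAlgorithm` rather than from the matched key, so the branch prints a name only when that field has been set (parsed certificates set it; the hand-built certificates in Test_fmtPublicKey set it explicitly). That is the same dependency the sibling cases have, so nothing to change, but the early return deserves a comment so it is not read as an oversight, for example `// Ed25519 has no curve or size parameter; the algorithm name is the whole field.` The tail of fmtPublicKey, where params is combined with the algorithm name, lies outside the hunk.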
@@ -1304,6 +1309,7 @@ func Test_fmtPublicKey(t *testing.T) {
 }{
 {"p256", args{p256.Public(), p256, nil}, "ECDSA P-256"},
 {"rsa1024", args{rsa1024.Public(), rsa1024, nil}, "RSA 1024"},
+ {"ed25519", args{edPub, edPriv, nil}, "Ed25519"},
 {"dsa2048", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.DSA, PublicKey: &dsa2048.PublicKey}}, "DSA 2048"},
 {"unknown", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.ECDSA, PublicKey: []byte("12345678")}}, "ECDSA unknown"},
 }
From 26e7cc6177f6a51176908bb376eaa6702af51f3b Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 6 May 2021 18:10:12 -0700
Subject: [PATCH 02/11] Allow to use the SDK with ed25519 keys.
---
 ca/tls.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/ca/tls.go b/ca/tls.go
index 2d9b8f92..e4f585fe 100644
--- a/ca/tls.go
+++ b/ca/tls.go
@@ -4,6 +4,7 @@ import (
 "context"
 "crypto"
 "crypto/ecdsa"
+ "crypto/ed25519"
 "crypto/rsa"
 "crypto/tls"
 "crypto/x509"
@@ -325,6 +326,13 @@ func getPEM(i interface{}) ([]byte, error) {
 if err != nil {
 return nil, errors.Wrap(err, "error marshaling private key")
 }
+ case ed25519.PrivateKey:
+ var err error
+ block.Type = "PRIVATE KEY"
+ block.Bytes, err = x509.MarshalPKCS8PrivateKey(i)
+ if err != nil {
+ return nil, errors.Wrap(err, "error marshaling private key")
+ }
 default:
 return nil, errors.Errorf("unsupported key type %T", i)
 }
From 9607691f9ce483c3599772dc4839b5d45a9f2cbb Mon Sep 17 00:00:00 2001
From: FibreFoX
Date: Sat, 8 May 2021 22:28:22 +0200
Subject: [PATCH 03/11] Added missing hints for running step-ca on Raspberry Pi
See #351, #344, #279
---
 docs/docker.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/docs/docker.md b/docs/docker.md
index 9202e300..1efcbb7b 100644
--- a/docs/docker.md
+++ b/docs/docker.md
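Review bot: The new `case ed25519.PrivateKey:` in getPEM matches only the value form of the key; `ed25519.GenerateKey` returns that form, but if any caller holds a `*ed25519.PrivateKey` it still lands in `default` with the `unsupported key type` error, so either dereference that form before the switch or state in a comment that only the value form is accepted. The choice of `block.Type = "PRIVATE KEY"` also merits a why-comment, since the RSA and EC cases above the hunk presumably use key-specific PEM types: `// Ed25519 has no key-specific PEM encoding; PKCS #8 is the only form.` The earlier cases of getPEM start above the hunk.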
@@ -101,6 +101,35 @@ HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
 It's working but curl complains because the certificate is not signed by an
 accepted certificate authority.
+### Notes for running on a Raspberry Pi
+
+When you run step-ca on a Raspberry Pi, you might get the following error in the
+logs of your docker container:
+
+```sh
+step-ca | badger 2021/05/08 20:13:12 INFO: All 0 tables opened in 0s
+step-ca | Error opening database of Type badger with source /home/step/db: error opening Badger database: Mmap value log file. Path=/home/step/db/000000.vlog. Error=cannot allocate memory
+```
+
+In that case you need to adjust the `db` configuration in the file `/home/step/config/ca.json`,
+you need to adjust `badgerFileLoadingMode` from being `""` to the value `FileIO`.
+
+```sh
+docker run -it -v step:/home/step smallstep/step-ca sh
+
+~ $ vi config/ca.json
+```
+
+You will end up with something similar like this:
+```json
+ "db": {
+ "type": "badger",
+ "dataSource": "/root/.step/db",
+ "badgerFileLoadingMode": "FileIO",
+ },
+```
+
+
 ## Dev environment bootstrap
 To initialize the development environment we need to grab the Root fingerprint
From 8e1343224cce34b3c95480253d8a6c2f45e9c65f Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 10 May 2021 09:59:33 -0700
Subject: [PATCH 04/11] Add arm6 to goreleaser
---
 .goreleaser.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index e475e61d..83a3adcd 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -20,6 +20,7 @@ builds:
 - arm64
 - 386
 goarm:
+ - 6
 - 7
 ignore:
 - goos: windows
From 6f0f023d2c30179df6f94ba538dd23f2dba59946 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 10 May 2021 14:43:05 -0700
Subject: [PATCH 05/11] Small docs cleanup
---
 docs/docker.md | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/docs/docker.md b/docs/docker.md
index 1efcbb7b..6ec885f6 100644
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -1,4 +1,7 @@
-# Getting started with docker
+# Getting started with Docker
+
+## NOTE: This guide is deprecated.
+## Please see [smallstep/step-ca](https://hub.docker.com/r/smallstep/step-ca) on Docker Hub for instructions.
 This guide shows how to set up [step certificates](https://github.com/smallstep/certificates) using docker.
@@ -103,16 +106,16 @@ accepted certificate authority.
 ### Notes for running on a Raspberry Pi
-When you run step-ca on a Raspberry Pi, you might get the following error in the
-logs of your docker container:
+When you run step-ca on a Raspberry Pi, you might get the following error in
+your continaer logs:
 ```sh
 step-ca | badger 2021/05/08 20:13:12 INFO: All 0 tables opened in 0s
 step-ca | Error opening database of Type badger with source /home/step/db: error opening Badger database: Mmap value log file. Path=/home/step/db/000000.vlog. Error=cannot allocate memory
 ```
-In that case you need to adjust the `db` configuration in the file `/home/step/config/ca.json`,
-you need to adjust `badgerFileLoadingMode` from being `""` to the value `FileIO`.
+To fix it, adjust the `db` configuration in the file `config/ca.json`.
+Change the value of `badgerFileLoadingMode` from `""` to `"FileIO"`.
 ```sh
 docker run -it -v step:/home/step smallstep/step-ca sh
@@ -120,16 +123,16 @@ docker run -it -v step:/home/step smallstep/step-ca sh
 ~ $ vi config/ca.json
 ```
-You will end up with something similar like this:
+You will end up with this:
+
 ```json
 "db": {
 "type": "badger",
 "dataSource": "/root/.step/db",
- "badgerFileLoadingMode": "FileIO",
+ "badgerFileLoadingMode": "FileIO"
 },
 ```
-
 ## Dev environment bootstrap
 To initialize the development environment we need to grab the Root fingerprint
From e3059404488ffe7447958ea34d141c422ab559f2 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 10 May 2021 15:14:29 -0700
Subject: [PATCH 06/11] Small docs cleanup
---
 docs/docker.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docs/docker.md b/docs/docker.md
index 6ec885f6..dee879c9 100644
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -1,7 +1,6 @@
 # Getting started with Docker
-## NOTE: This guide is deprecated.
-## Please see [smallstep/step-ca](https://hub.docker.com/r/smallstep/step-ca) on Docker Hub for instructions.
+## NOTE: This guide is deprecated. Please see [smallstep/step-ca](https://hub.docker.com/r/smallstep/step-ca) on Docker Hub for instructions.
 This guide shows how to set up [step certificates](https://github.com/smallstep/certificates) using docker.
From 2a70ac2d0ef87f2f92481749eebc0c28a8c79c1f Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 10 May 2021 16:36:02 -0700
Subject: [PATCH 07/11] Take 2 on arm6
---
 .goreleaser.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 83a3adcd..e1b3a994 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -25,6 +25,10 @@ builds:
 ignore:
 - goos: windows
 goarch: 386
+ - goos: windows
+ goarm: 6
+ - goos: windows
+ goarm: 7
 flags:
 - -trimpath
 main: ./cmd/step-ca/main.go
@@ -45,10 +49,15 @@ builds:
 - arm64
 - 386
 goarm:
+ - 6
 - 7
 ignore:
 - goos: windows
 goarch: 386
+ - goos: windows
+ goarm: 6
+ - goos: windows
+ goarm: 7
 flags:
 - -trimpath
 main: ./cmd/step-cloudkms-init/main.go
@@ -69,10 +78,15 @@ builds:
 - arm64
 - 386
 goarm:
+ - 6
 - 7
 ignore:
 - goos: windows
 goarch: 386
+ - goos: windows
+ goarm: 6
+ - goos: windows
+ goarm: 7
 flags:
 - -trimpath
 main: ./cmd/step-awskms-init/main.go
From fc31df34cfb89be4122d9986ef5d38c6f091bda0 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 10 May 2021 16:58:20 -0700
Subject: [PATCH 08/11] Zip the windows release
---
 .goreleaser.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index e1b3a994..7a7e20d3 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -99,6 +99,9 @@ archives:
 # Most common use case is to archive as zip on Windows.
 # Default is empty.
 name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+ format_overrides:
+ - goos: windows
+ format: zip
 wrap_in_directory: "{{ .ProjectName }}_{{ .Version }}"
 files:
 - README.md
From 07cf037d6eb530255142ce2b3352c356da6ee450 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 11 May 2021 07:54:36 -0700
Subject: [PATCH 09/11] Remove binary-* recipes from Makefile
---
 Makefile | 29 -----------------------------
 1 file changed, 29 deletions(-)
diff --git a/Makefile b/Makefile
index 1a3e7023..882a0122 100644
--- a/Makefile
+++ b/Makefile
@@ -231,35 +231,6 @@ distclean: clean
 .PHONY: changelog debian distclean
-#################################################
-# Build statically compiled step binary for various operating systems
-#################################################
-
-BINARY_OUTPUT=$(OUTPUT_ROOT)binary/
-RELEASE=./.releases
-
-define BUNDLE_MAKE
- # $(1) -- Go Operating System (e.g. linux, darwin, windows, etc.)
- # $(2) -- Go Architecture (e.g. amd64, arm, arm64, etc.)
- # $(3) -- Go ARM architectural family (e.g. 7, 8, etc.)
- # $(4) -- Parent directory for executables generated by 'make'.
- $(q) GOOS_OVERRIDE='GOOS=$(1) GOARCH=$(2) GOARM=$(3)' PREFIX=$(4) make $(4)bin/$(BINNAME) $(4)bin/$(CLOUDKMS_BINNAME) $(4)bin/$(AWSKMS_BINNAME)
-endef
-
-binary-linux:
- $(call BUNDLE_MAKE,linux,amd64,,$(BINARY_OUTPUT)linux/)
-
-binary-linux-arm64:
- $(call BUNDLE_MAKE,linux,arm64,,$(BINARY_OUTPUT)linux.arm64/)
-
-binary-linux-armv7:
- $(call BUNDLE_MAKE,linux,arm,7,$(BINARY_OUTPUT)linux.armv7/)
-
-binary-darwin:
- $(call BUNDLE_MAKE,darwin,amd64,,$(BINARY_OUTPUT)darwin/)
-
-.PHONY: binary-linux binary-linux-arm64 binary-linux-armv7 binary-darwin
-
 #################################################
 # Targets for creating step artifacts
 #################################################
From b205f504121ec9e09955fcf4007320213e5a9c39 Mon Sep 17 00:00:00 2001
From: max furman
Date: Thu, 13 May 2021 12:14:11 -0700
Subject: [PATCH 10/11] bump crypto to 0.8.3 and go mod tidy
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index fbc27c5e..6cbd17e1 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 github.com/smallstep/nosql v0.3.6
 github.com/urfave/cli v1.22.4
 go.step.sm/cli-utils v0.2.0
- go.step.sm/crypto v0.8.0
+ go.step.sm/crypto v0.8.3
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777
 google.golang.org/api v0.33.0
diff --git a/go.sum b/go.sum
index 37e51dd6..3fd8341d 100644
--- a/go.sum
+++ b/go.sum
@@ -322,8 +322,8 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.step.sm/cli-utils v0.2.0 h1:hpVu9+6dpv/7/Bd8nGJFc3V+gQ+TciSJRTu9TavDUQ4=
 go.step.sm/cli-utils v0.2.0/go.mod h1:+t4qCp5NO+080DdGkJxEh3xL5S4TcYC2JTPLMM72b6Y=
 go.step.sm/crypto v0.6.1/go.mod h1:AKS4yMZVZD4EGjpSkY4eibuMenrvKCscb+BpWMet8c0=
-go.step.sm/crypto v0.8.0 h1:S4qBPyy3hR7KWLybSkHB0H14pwFfYkom4RZ96JzmXig=
-go.step.sm/crypto v0.8.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
+go.step.sm/crypto v0.8.3 h1:TO/OPlaUrYXhs8srGEFNyL6OWVQvRmEPCUONNnQUuEM=
+go.step.sm/crypto v0.8.3/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
From f84c8f846ac2fed379afab82477dc6db17c7a65d Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Tue, 18 May 2021 19:15:48 -0700
Subject: [PATCH 11/11] Upgrade x/crypto
Although this does not affects us the old version had the vulnerability CVE-2020-29652
---
 go.mod | 4 ++--
 go.sum | 7 ++++---
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 6cbd17e1..65b395bb 100644
--- a/go.mod
+++ b/go.mod
@@ -22,8 +22,8 @@ require (
 github.com/urfave/cli v1.22.4
 go.step.sm/cli-utils v0.2.0
 go.step.sm/crypto v0.8.3
- golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897
- golang.org/x/net v0.0.0-20210119194325-5f4716e94777
+ golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
+ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
 google.golang.org/api v0.33.0
 google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154
 google.golang.org/grpc v1.32.0
diff --git a/go.sum b/go.sum
index 3fd8341d..9529a1a3 100644
--- a/go.sum
+++ b/go.sum
@@ -332,8 +332,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897 h1:pLI5jrR7OSLijeIDcmRxNmw2api+jEfxLoykJVice/E=
-golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -396,8 +396,9 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=