TLS Certificate Enpoints (#241)

Co-authored-by: Niklas Empt <[email protected]>
Co-authored-by: Niklas Empt <[email protected]>

Author: 3 people

docs/api/_index.md

@@ -199,6 +199,8 @@ Replace the TLS certificate and key on the fly. Reload is optional.
 
 The certificates need to be base64 encoded as in the following example.
 
+When updating the TLS certificate with a new certificate obtained by requesting a Certificate Signing Request (CSR) from the CSR Endpoint, the keydata field must be omitted. The certificate will only be updated if the public key associated with the new certificate matches the public key generated by the CSR Endpoint.
+
 Example:
 
 ```bash
@@ -229,6 +231,7 @@ https://127.0.0.1:8443/api/v1/admin/csr
 ```
 
 Returns PEM encoded csr
+When NewKey:true is specified, a new private key will be generated and stored in a temporary file. This temporary file will be retained until you upload the signed certificate to the /api/v1/admin/certs/replace endpoint, at which point the new private key will be saved in the keyfile specified in the configuration
 
 ### /api/v1/admin/updates/install
 

pkg/snclient/listen_web_admin.go

@@ -54,6 +54,12 @@ type csrRequestJSON struct {
 	KeyLength          int    `json:"KeyLength"`
 }
 
+type replaceCertData struct {
+	CertData string `json:"CertData"`
+	KeyData  string `json:"KeyData"`
+	Reload   bool   `json:"Reload"`
+}
+
 // ensure we fully implement the RequestHandlerHTTP type
 var _ RequestHandlerHTTP = &HandlerAdmin{}
 
@@ -148,11 +154,9 @@ func (l *HandlerWebAdmin) serveCertsCSR(res http.ResponseWriter, req *http.Reque
 	if !l.requirePostMethod(res, req) {
 		return
 	}
-
 	// extract json payload
 	decoder := json.NewDecoder(req.Body)
 	decoder.DisallowUnknownFields()
-
 	data := csrRequestJSON{}
 	err := decoder.Decode(&data)
 	if err != nil {
@@ -165,7 +169,6 @@ func (l *HandlerWebAdmin) serveCertsCSR(res http.ResponseWriter, req *http.Reque
 
 		return
 	}
-
 	if data.HostName == "" {
 		res.Header().Set("Content-Type", "application/json")
 		res.WriteHeader(http.StatusBadRequest)
@@ -184,7 +187,12 @@ func (l *HandlerWebAdmin) serveCertsCSR(res http.ResponseWriter, req *http.Reque
 		}
 		privateKey, err = rsa.GenerateKey(rand.Reader, data.KeyLength)
 	} else {
-		privateKey, err = l.readPrivateKey()
+		defaultSection := l.Handler.snc.config.Section("/settings/default")
+		keyFile, ok := defaultSection.GetString("certificate key")
+		if !ok {
+			l.sendError(res, fmt.Errorf("could not read certificate location from config"))
+		}
+		privateKey, err = l.readPrivateKey(keyFile)
 	}
 	if err != nil {
 		l.sendError(res, err)
@@ -203,8 +211,10 @@ func (l *HandlerWebAdmin) serveCertsCSR(res http.ResponseWriter, req *http.Reque
 		defSection := l.Handler.snc.config.Section("/settings/default")
 
 		keyFile, _ := defSection.GetString("certificate key")
+		keyFileTemp := keyFile + ".tmp"
+
 		privateKeyBytes := x509.MarshalPKCS1PrivateKey(privateKey)
-		if err = os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: privateKeyBytes}), 0o600); err != nil {
+		if err = os.WriteFile(keyFileTemp, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: privateKeyBytes}), 0o600); err != nil {
 			l.sendError(res, fmt.Errorf("failed to write certificate key file %s: %s", keyFile, err.Error()))
 
 			return
@@ -247,13 +257,8 @@ func (l *HandlerWebAdmin) createCSR(data *csrRequestJSON, privateKey *rsa.Privat
 	return csrPEM, nil
 }
 
-func (l *HandlerWebAdmin) readPrivateKey() (*rsa.PrivateKey, error) {
+func (l *HandlerWebAdmin) readPrivateKey(keyFile string) (*rsa.PrivateKey, error) {
 	// read private key
-	defSection := l.Handler.snc.config.Section("/settings/default")
-	keyFile, ok := defSection.GetString("certificate key")
-	if !ok {
-		return nil, fmt.Errorf("could not read certificate location from config")
-	}
 	pemData, err := os.ReadFile(keyFile)
 	if err != nil {
 		return nil, fmt.Errorf("could not read file: %s", err.Error())
@@ -288,12 +293,7 @@ func (l *HandlerWebAdmin) serveCertsReplace(res http.ResponseWriter, req *http.R
 	// extract json payload
 	decoder := json.NewDecoder(req.Body)
 	decoder.DisallowUnknownFields()
-	type postData struct {
-		CertData string `json:"CertData"`
-		KeyData  string `json:"KeyData"`
-		Reload   bool   `json:"Reload"`
-	}
-	data := postData{}
+	data := replaceCertData{}
 	err := decoder.Decode(&data)
 	if err != nil {
 		res.Header().Set("Content-Type", "application/json")
@@ -306,29 +306,31 @@ func (l *HandlerWebAdmin) serveCertsReplace(res http.ResponseWriter, req *http.R
 		return
 	}
 
-	certBytes := []byte{}
-	keyBytes := []byte{}
-	if data.CertData != "" {
-		certBytes, err = base64.StdEncoding.DecodeString(data.CertData)
-		if err != nil {
-			l.sendError(res, fmt.Errorf("failed to base64 decode certdata: %s", err.Error()))
-
-			return
-		}
-	}
-
-	if data.KeyData != "" {
-		keyBytes, err = base64.StdEncoding.DecodeString(data.KeyData)
-		if err != nil {
-			l.sendError(res, fmt.Errorf("failed to base64 decode keydata: %s", err.Error()))
-
-			return
-		}
+	certBytes, keyBytes, err := l.getBytesFromRaplacementStructData(res, data)
+	if err != nil {
+		return
 	}
 
 	defSection := l.Handler.snc.config.Section("/settings/default")
 	certFile, _ := defSection.GetString("certificate")
 	keyFile, _ := defSection.GetString("certificate key")
+	keyFileBak := keyFile + ".tmp"
+	if data.KeyData == "" && data.CertData != "" {
+		pubKey, certPublicKey := l.getRelevantPublicKeys(res, keyFileBak, certBytes)
+		newPrivateKey, err := l.readPrivateKey(keyFileBak)
+		if err != nil {
+			l.sendError(res, err)
+		}
+		if pubKey.Equal(certPublicKey) {
+			privateKeyBytes := x509.MarshalPKCS1PrivateKey(newPrivateKey)
+			if err = os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: privateKeyBytes}), 0o600); err != nil {
+				l.sendError(res, fmt.Errorf("failed to write certificate key file %s: %s", keyFile, err.Error()))
+
+				return
+			}
+			os.Remove(keyFileBak)
+		}
+	}
 
 	if data.CertData != "" {
 		if err := os.WriteFile(certFile, certBytes, 0o600); err != nil {
@@ -357,6 +359,52 @@ func (l *HandlerWebAdmin) serveCertsReplace(res http.ResponseWriter, req *http.R
 	}
 }
 
+func (l *HandlerWebAdmin) getBytesFromRaplacementStructData(res http.ResponseWriter, data replaceCertData) (certBytes, keyBytes []byte, err error) {
+	if data.CertData != "" {
+		certBytes, err = base64.StdEncoding.DecodeString(data.CertData)
+		if err != nil {
+			l.sendError(res, fmt.Errorf("failed to base64 decode certdata: %s", err.Error()))
+
+			return
+		}
+	}
+
+	if data.KeyData != "" {
+		keyBytes, err = base64.StdEncoding.DecodeString(data.KeyData)
+		if err != nil {
+			l.sendError(res, fmt.Errorf("failed to base64 decode keydata: %s", err.Error()))
+
+			return
+		}
+	}
+
+	return
+}
+
+func (l *HandlerWebAdmin) getRelevantPublicKeys(res http.ResponseWriter, tempKeyFile string, certBytes []byte) (privateKeyPubclicPart, certPublicKey *rsa.PublicKey) {
+	newPrivateKey, err := l.readPrivateKey(tempKeyFile)
+
+	if err != nil {
+		l.sendError(res, err)
+	}
+	newPubKey := newPrivateKey.Public()
+	rsaNewPublicKey, ok := newPubKey.(*rsa.PublicKey)
+	if !ok {
+		l.sendError(res, fmt.Errorf("rsa public key in wrong format"))
+	}
+	block, _ := pem.Decode(certBytes)
+	newCert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		l.sendError(res, err)
+	}
+	newCertPublicKey, ok := newCert.PublicKey.(*rsa.PublicKey)
+	if !ok {
+		l.sendError(res, fmt.Errorf("rsa public key from csr in wrong format"))
+	}
+
+	return rsaNewPublicKey, newCertPublicKey
+}
+
 func (l *HandlerWebAdmin) serveUpdate(res http.ResponseWriter, req *http.Request) {
 	if !l.requirePostMethod(res, req) {
 		return

t/02_daemon_linux_test.go

@@ -1,10 +1,13 @@
 package main
 
 import (
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"os"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -30,3 +33,82 @@ func TestDaemonRequestsLinux(t *testing.T) {
 	os.Remove("test.crt")
 	os.Remove("test.key")
 }
+
+func TestErrorBetweenSavingAndSigning(t *testing.T) {
+	_, baseURL, _, cleanUp := daemonInit(t, "")
+	defer os.Remove("test.crt")
+	defer os.Remove("test.key")
+	defer os.Remove("test.csr")
+
+	postData, err := json.Marshal(map[string]any{
+		"Country":            "DE",
+		"State":              "Bavaria",
+		"Locality":           "Earth",
+		"Organization":       "snclient",
+		"OrganizationalUnit": "IT",
+		"HostName":           "Root CA SNClient",
+		"NewKey":             true,
+		"KeyLength":          1024,
+	})
+	require.NoErrorf(t, err, "post data json encoded")
+
+	// Create  Temp Server Certs
+	runCmd(t, &cmd{
+		Cmd:     "make",
+		Args:    []string{"testca"},
+		ErrLike: []string{"Certificate request self-signature ok"},
+	})
+	defer runCmd(t, &cmd{
+		Cmd:  "make",
+		Args: []string{"clean-testca"},
+		Like: []string{"dist"},
+	})
+
+	commandResult := runCmd(t, &cmd{
+		Cmd:  "curl",
+		Args: []string{"-s", "-u", "user:" + localDaemonAdminPassword, "-k", "-s", "-d", string(postData), baseURL + "/api/v1/admin/csr"},
+		Dir:  ".",
+		Like: []string{"CERTIFICATE REQUEST"},
+	})
+	err = os.WriteFile("test.csr", []byte(commandResult.Stdout), 0o600)
+	if err != nil {
+		t.Fatalf("could not save certificate signing requests")
+	}
+
+	runCmd(t, &cmd{
+		Cmd:     "openssl",
+		Args:    []string{"x509", "-req", "-in=test.csr", "-CA=dist/cacert.pem", "-CAkey=dist/ca.key", "-out=server.crt", "-days=365"},
+		ErrLike: []string{"Certificate request self-signature ok"},
+	})
+	defer os.Remove("server.crt")
+
+	keyBak, _ := os.ReadFile("test.key.tmp")
+	newCert, _ := os.ReadFile("server.crt")
+
+	// restart client
+	cleanUp()
+	_, baseURL, _, cleanUp = daemonInit(t, "")
+	defer cleanUp()
+
+	postData, err = json.Marshal(map[string]interface{}{
+		"Reload":   true,
+		"CertData": base64.StdEncoding.EncodeToString(newCert),
+		"KeyData":  "",
+	})
+	require.NoErrorf(t, err, "post data json encoded")
+
+	runCmd(t, &cmd{
+		Cmd:  "curl",
+		Args: []string{"-s", "-u", "user:" + localDaemonAdminPassword, "-k", "-s", "-d", string(postData), baseURL + "/api/v1/admin/certs/replace"},
+		Like: []string{`{"success":true}`},
+	})
+
+	// Check if new private Key matches the on we got from the csr Endpoint
+	key, _ := os.ReadFile("test.key")
+	assert.Equalf(t, string(keyBak), string(key), "private keys do not match")
+
+	_, err = os.ReadFile("test.key.tmp")
+	if err == nil {
+		t.Fatalf("tempory key file was not removed")
+	}
+}

t/02_daemon_test.go

@@ -215,7 +215,7 @@ func TestDaemonAdminCSR(t *testing.T) {
 	_, baseURL, _, cleanUp := daemonInit(t, "")
 	defer cleanUp()
 
-	postData, err := json.Marshal(map[string]interface{}{
+	postData, err := json.Marshal(map[string]any{
 		"Country":            "DE",
 		"State":              "Bavaria",
 		"Locality":           "Earth",

t/Makefile

@@ -23,3 +23,13 @@ clean:
 	fi
 
 
+testca:
+	mkdir -p ./dist
+	openssl genrsa -out dist/ca.key 4096
+	openssl req -key dist/ca.key -new -x509 -days 20000 -sha256 -extensions v3_ca -out dist/cacert.pem -subj "/C=DE/ST=Bavaria/L=Earth/O=snclient/OU=IT/CN=Root CA SNClient"
+	openssl req -newkey rsa:2048 -nodes -keyout dist/server.key -out dist/server.csr -subj "/CN=snclient" -reqexts SAN -extensions SAN -config <(echo -e "[req]\ndistinguished_name=req\n[SAN]\nsubjectAltName=DNS:snclient")
+	openssl x509 -req -CAcreateserial -CA dist/cacert.pem -CAkey dist/ca.key -days 20000 -in dist/server.csr -out dist/server.crt
+	rm -f dist/server.csr dist/cacert.srl
+
+clean-testca:
+	rm -rf dist