oxidecomputer / dice-util

utilities for cert template generation and manufacturing / certifying DeviceIds
Mozilla Public License 2.0

Permslip signing backend #197

Closed plotnick closed 5 months ago

plotnick commented 5 months ago

NOTE: Depends on permslip#165; if you test locally, be sure to build permslip from that branch.

Reverts a few aspects of 26dae63f2c2bc6c026a505b1c938c3077daa8007, in particular the shell expansion and key-value encoding of arguments. Instead, we use a clap Subcommand for signing, which can be either openssl or permslip:

$ dice-mfg sign-cert --help
Turn a CSR into a cert. This is a thin wrapper around either the `openssl ca` command (whose behavior will depend on the openssl.cnf provided by the caller), or `permslip sign` (whose behavior will be governed by a previously set key context and batch of approvals)

Usage: dice-mfg sign-cert [OPTIONS] --cert-out <CERT_OUT> <CSR_IN> <COMMAND>

Commands:
  openssl   
  permslip  
  help      Print this message or the help of the given subcommand(s)

Arguments:
  <CSR_IN>  Path to input CSR file [env: CSR_IN=]

Options:
      --cert-out <CERT_OUT>  Destination path for Cert [env: CERT_OUT=]
      --auth-id <AUTH_ID>    Auth ID used w/r YubiHSM [env: DICE_MFG_AUTH_ID=] [default: 2]
  -h, --help                 Print help
$ dice-mfg sign-cert openssl --help
Usage: dice-mfg sign-cert --cert-out <CERT_OUT> <CSR_IN> openssl [OPTIONS] --ca-root <CA_ROOT>

Options:
      --config <CONFIG>
          Path to openssl config file (typically openssl.cnf) used for signing operation [env: CONFIG=]
      --ca-section <CA_SECTION>
          CA section from openssl.cnf [env: CA_SECTION=]
      --v3-section <V3_SECTION>
          x509 v3 extension section from openssl.cnf [env: V3_SECTION=]
      --engine-section <ENGINE_SECTION>
          Engine section from openssl.cnf [env: ENGINE_SECTION=]
      --ca-root <CA_ROOT>
          Root directory for CA state. If provided the tool will chdir to this directory before executing openssl commands. This is intended to support openssl.cnf files that use relative paths [env: CA_ROOT=]
  -h, --help
          Print help
$ dice-mfg sign-cert permslip --help
Usage: dice-mfg sign-cert --cert-out <CERT_OUT> <CSR_IN> permslip <KEY_NAME>

Arguments:
  <KEY_NAME>  The name of the signing key

Options:
  -h, --help  Print help

Example with permslip batch approval:

$ dice-mfg sign-cert \
    --cert-out=platform-id-request.crt.pem \
    platform-id-request.csr.pem \
    permslip 'Platform Identity TEST ONLY foo'
Error: Server responded: authorization failed, try `approve -- <request>`
$ permslip approve-batch \
    --single-use \
    --constraints='C=US,O=Oxide Computer Company,CN=PDV2:PPP-PPPPPPP:RRR:SSSSSSSSSSS' \
    -- sign 'Platform Identity TEST ONLY foo'
24905cc703492f8911e225fb66cd0f431e5397dc36b3c1be3b80b7bd499a97e802a355a972eaabddcbf3373d17ea2484cd3412daa1dd866366703476e59b0104
$ dice-mfg sign-cert \
    --cert-out=platform-id-request.crt.pem \
    platform-id-request.csr.pem \
    permslip 'Platform Identity TEST ONLY foo'
Wrote to platform-id-request.crt.pem
$ openssl x509 -text -noout -in platform-id-request.crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7d:99:c4:ad:e3:69:21:07:a0:8d:0d:4c:fa:cb:6c:5e:7e:3d:13:ff
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN = Platform Identity TEST ONLY foo
        Validity
            Not Before: Mar 20 20:56:44 2024 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: C = US, O = Oxide Computer Company, CN = PDV2:PPP-PPPPPPP:RRR:SSSSSSSSSSS
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    fa:f4:68:05:f9:96:9c:34:c1:ae:be:d1:02:61:41:
                    6a:9e:d8:29:7a:e7:2d:88:a0:33:fe:41:f8:70:db:
                    b7:24
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                57:44:C4:72:60:8C:E0:71:79:4E:43:8A:B4:EB:E1:94:2C:3F:49:94
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Certificate Policies: critical
                Policy: 1.3.6.1.4.1.57551.1.3
                Policy: 2.23.133.5.4.100.6
                Policy: 2.23.133.5.4.100.8
                Policy: 2.23.133.5.4.100.12
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:83:33:de:0c:45:39:91:29:a0:aa:aa:70:04:
        27:7b:02:0d:07:4c:5b:1b:90:21:07:89:68:17:ed:52:b0:cd:
        9a:c4:ef:d0:54:72:2d:89:c8:e6:67:70:d6:69:70:57:ba:02:
        30:30:39:06:4b:d8:34:7d:d5:1a:32:f7:d2:90:85:bc:dd:c4:
        63:1c:e8:e2:63:4d:40:44:91:2c:d8:f4:a0:05:7e:e2:b9:da:
        a2:c3:8b:8a:e5:82:d7:dd:45:1b:a1:8d:9d
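A post-signing check, added here as an example and not part of dice-util or permslip: given the text form of the issued certificate (as produced by `openssl x509 -text -noout`), it confirms that the Subject matches the DN string that was approved through `--constraints`, that the Issuer CN is the key name that was passed to `permslip`, and that the certificate carries the CA:TRUE basic constraint and the Certificate Sign key usage seen in the dump above. The function names and the embedded sample text are constructed for this example; the sample copies the relevant lines of the dump in the description, and the DN normalization assumes openssl's default `-text` spacing (`C = US, O = ...`).

```shell
#!/bin/sh
# Example post-signing check (not dice-util or permslip code).
# Verifies that whichever backend signed the CSR produced a cert whose
# subject is exactly the DN that was approved, whose issuer is the expected
# signing key, and which carries the CA/key-usage bits a platform-id CA needs.

# Constructed sample: the relevant lines of an `openssl x509 -text -noout` dump.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = Platform Identity TEST ONLY foo
        Subject: C = US, O = Oxide Computer Company, CN = PDV2:PPP-PPPPPPP:RRR:SSSSSSSSSSS
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign'

# normalize_dn DN: turn openssl -text spacing ("C = US, O = Foo") into the
# compact form used on the permslip --constraints line ("C=US,O=Foo").
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/ = /=/g' -e 's/, /,/g'
}

# cert_field TEXT NAME: first "NAME: value" line of the dump, value only.
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: //p" | head -n 1
}

# check_signed_cert TEXT CONSTRAINT [ISSUER_CN]
# Returns 0 when the subject equals CONSTRAINT (after normalization), the
# issuer is CN=ISSUER_CN (if given), and CA:TRUE plus Certificate Sign are
# present; otherwise prints the first failing check to stderr and returns 1.
check_signed_cert() {
    text=$1
    want_subject=$2
    want_issuer_cn=$3

    got_subject=$(normalize_dn "$(cert_field "$text" Subject)")
    [ "$got_subject" = "$want_subject" ] || {
        echo "subject mismatch: got '$got_subject', want '$want_subject'" >&2
        return 1
    }

    if [ -n "$want_issuer_cn" ]; then
        got_issuer=$(normalize_dn "$(cert_field "$text" Issuer)")
        [ "$got_issuer" = "CN=$want_issuer_cn" ] || {
            echo "issuer mismatch: got '$got_issuer', want 'CN=$want_issuer_cn'" >&2
            return 1
        }
    fi

    printf '%s\n' "$text" | grep -q '^ *CA:TRUE$' || {
        echo "missing Basic Constraints CA:TRUE" >&2
        return 1
    }
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || {
        echo "missing Certificate Sign key usage" >&2
        return 1
    }
    return 0
}

# Typical use after `dice-mfg sign-cert ... --cert-out=platform-id-request.crt.pem`:
#   check_signed_cert "$(openssl x509 -text -noout -in platform-id-request.crt.pem)" \
#       'C=US,O=Oxide Computer Company,CN=PDV2:PPP-PPPPPPP:RRR:SSSSSSSSSSS' \
#       'Platform Identity TEST ONLY foo' && echo "cert matches approval"
```

The normalization step is what makes the comparison meaningful: openssl's `-text` output inserts spaces around `=` and after `,`, while the `--constraints` value on the `approve-batch` line does not, so a naive string compare would always fail. Checking the issuer CN against the key name catches the case where the wrong key context was used for the approval.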
plotnick commented 5 months ago

I think my preference is to wait for an explicit :+1: on openssl still working to merge this. Pretty confident about the permslip pieces, but couldn't test openssl so want to make sure I didn't break the existing workflow.

flihp commented 5 months ago

Works great. Merging now ...