Merged
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -13,3 +13,6 @@ nose2-junit.xml
spec.yml
coverage.xml
.coverage

test-python.csr
test-python.key
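Review bot: the two patterns cover the files `config/https/generate_csr` writes to the repository root, but the more sensitive artefact this PR produces, the plaintext `config/https/intermediate.key`, is not ignored and is committed in the same change; add it here so a re-run of the README's `openssl rsa -out intermediate.key` step cannot land the decrypted CA key in a commit.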
4 changes: 3 additions & 1 deletion .gitleaks.toml
Expand Up @@ -181,5 +181,7 @@ files = [
'''(.*?)(jpg|gif|doc|pdf|bin)$''',
'''(.*?)conjur.key$''',
'''.gitleaks.toml''',
'''ldap-server.key.pem'''
'''ldap-server.key.pem''',
'''(.*?)intermediate.key''',
'''(.*?)intermediate_encrypted.key'''
]
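Review bot: the new allowlist entries hide a plaintext CA private key from secret scanning. `'''(.*?)intermediate.key'''` matches `config/https/intermediate.key`, which this PR commits as an unencrypted `BEGIN RSA PRIVATE KEY`, and because the pattern is unanchored (and the `.` before `key` is unescaped) it also silences any future path ending in `intermediate?key` anywhere in the tree. Allowlist only the encrypted fixture, anchored to its path, e.g. `'''config/https/intermediate_encrypted\.key$'''`, and keep the plaintext key out of the repository rather than out of the scanner.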
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -34,3 +34,5 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
[cyberark/conjur-openapi-spec#75](https://github.com/cyberark/conjur-openapi-spec/issues/75)
- Endpoint to configure enabled Conjur authenticators via the API.
[cyberark/conjur-openapi-spec#66](https://github.com/cyberark/conjur-openapi-spec/issues/66)
- `/ca/` endpoint now included in the OpenAPI specification.
[cyberark/conjur-openapi-spec#63](https://github.com/cyberark/conjur-openapi-spec/issues/63)
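Review bot: the entry is vaguer than the change. The spec adds one operation, `POST /ca/{account}/{service_id}/sign`, and its own description flags it as an early, alpha-level endpoint that is still subject to breaking changes; say both here so a reader of the changelog knows what was added and that it may change.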
2 changes: 2 additions & 0 deletions bin/integration_tests
Expand Up @@ -15,6 +15,8 @@ bin/start_conjur

bin/get_conjur_admin_key

config/https/generate_csr

echo "Building and starting test env..."
docker-compose build test-python
docker-compose up -d test-python
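Review bot: `config/https/generate_csr` only works from the repository root: it reads `./config/https/openssl.conf` and writes `./test-python.key` and `./test-python.csr` relative to the caller's cwd, and because it is executed by path it also needs the executable bit set in git. `bin/start_conjur` and `bin/get_conjur_admin_key` already rely on that cwd, so either add a `cd "$(dirname "$0")/.."` at the top of this script or document the requirement. The generated key lands in the repo root, inside the `docker-compose build test-python` context; confirm the test image copies only what the test needs.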
13 changes: 13 additions & 0 deletions config/https/README.md
Expand Up @@ -28,3 +28,16 @@ Copy the following:
- `certificates/ca-chain.cert.pem` -> `ca.crt`
- `certificates/nodes/conjur-https.mycompany.local/conjur-https.mycompany.local.cert.pem` -> `conjur.crt`
- `certificates/nodes/conjur-https.mycompany.local/conjur-https.mycompany.local.key.pem` -> `conjur.key`
- `certificates/intermediate_1/certs/intermediate_1.cert.pem` -> `intermediate.cert`
- `certificates/intermediate_1/private/intermediate_1/key.pem` -> `intermediate_encrypted.key`

The Intermediate CA private key is used to test the OpenAPI spec's definition of Conjur's `/ca`
endpoint. This tool generates encrypted keys using PKCS#1 format, while the `/ca` endpoint requires
Intermediate CA keys be PKCS#8 encrypted.

Run the following to convert and update the intermediate CA certificate and private key:
```sh-session
$ openssl rsa -in intermediate_encrypted.key -passin pass:secret -out intermediate.key
$ rm -f intermediate_encrypted.key
$ openssl pkcs8 -topk8 -v2 aes256 -in intermediate.key -passout pass:secret -out intermediate_encrypted.key
```
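Review bot: the source path for the intermediate key looks wrong and the target names do not match the files this PR adds. `certificates/intermediate_1/private/intermediate_1/key.pem` has a slash where the sibling entries use a dot (`intermediate_1.key.pem`, cf. `conjur-https.mycompany.local.key.pem` two lines up), and the certificate is copied to `intermediate.cert` while the committed file is `config/https/intermediate.crt`. In the conversion steps, `openssl rsa ... -out intermediate.key` writes the decrypted key to disk and nothing removes it afterwards, which is how the plaintext key ended up in this PR; add `rm -f intermediate.key` after the `openssl pkcs8` step, and prefer `-passin file:intermediate_key_password.txt` / `-passout file:intermediate_key_password.txt` over `pass:secret` on the command line, since the password file is added in this same change. Also, only the key is converted, so "convert and update the intermediate CA certificate and private key" overstates what the commands do, and "requires Intermediate CA keys be PKCS#8 encrypted" should read "requires that Intermediate CA keys be PKCS#8-encrypted".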
14 changes: 14 additions & 0 deletions config/https/generate_csr
@@ -0,0 +1,14 @@
#!/bin/bash -e

echo "Generating Private Key and CSR for testing Conjur Certificate Authority..."

common_name="test-client"

rm -rf ./test-python.key ./test-python.csr
openssl genrsa -out ./test-python.key 2048
chmod 400 ./test-python.key
openssl req -config ./config/https/openssl.conf -new -sha256 \
-subj "/C=US/ST=./L=./O=./CN=${common_name}" \
-extensions v3_intermediate_ca \
-outform PEM \
-key ./test-python.key -out ./test-python.csr
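Review bot: the CSR asks for CA extensions and the subject contains literal dots. `-extensions v3_intermediate_ca` requests `basicConstraints = critical, CA:true, pathlen:0` and `keyCertSign` for what the script calls a test client; if Conjur's CA copies requested extensions into the issued certificate, the test would be handed a CA certificate, so the test should assert that the returned certificate has `CA:false` (or the script should request a leaf profile). Note also that for a request (no `-x509`) OpenSSL 1.1.x takes extensions from `-reqexts` / `req_extensions` and silently ignores `-extensions`, while 3.x treats the two as aliases, so what actually ends up in the CSR depends on the OpenSSL version in the test image. In `-subj`, `ST=.`, `L=.` and `O=.` are literal attribute values, not "leave blank" as in the interactive prompt; use `-subj "/C=US/CN=${common_name}"`. The CN is `test-client` while the policy defines the host as `signing-service/test-client`, and the spec's 403 text says the Host ID must match the CSR CN, so confirm which form Conjur compares before relying on this fixture. Finally, `openssl genrsa` creates the key file with the umask's default mode before `chmod 400` runs; put `umask 077` at the top of the script instead, and `rm -f` is sufficient for two files.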
33 changes: 33 additions & 0 deletions config/https/intermediate.crt
@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
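Review bot: the file is committed as `intermediate.crt`, but the README added in this PR tells the reader to copy the certificate to `intermediate.cert`; pick one name and use it in both places.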
51 changes: 51 additions & 0 deletions config/https/intermediate.key
@@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----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==
-----END RSA PRIVATE KEY-----
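Review bot: this is an unencrypted PKCS#1 RSA private key for the test intermediate CA, and nothing in the PR consumes it: the policy's `ca/private-key` variable is meant to hold the PKCS#8 `intermediate_encrypted.key`, and the README only produces this file as an intermediate step of the conversion. Delete it from the PR, add `config/https/intermediate.key` to `.gitignore`, and drop it from the gitleaks allowlist. Anyone holding this key can issue certificates that chain to `intermediate.crt`, so make sure that CA is trusted only inside the throwaway test environment and never reused elsewhere.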
54 changes: 54 additions & 0 deletions config/https/intermediate_encrypted.key
@@ -0,0 +1,54 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
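Review bot: the passphrase for this PKCS#8 blob (`secret`) is committed next to it in `intermediate_key_password.txt`, so the encryption satisfies the `/ca` endpoint's format requirement and provides no confidentiality; the README should say so explicitly so nobody mistakes these fixtures for reusable key material.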
1 change: 1 addition & 0 deletions config/https/intermediate_key_password.txt
@@ -0,0 +1 @@
secret
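Review bot: if this file is committed with a trailing newline and CI loads it into `conjur/signing-service/ca/private-key-password` by piping the file contents into the Conjur CLI, the newline becomes part of the passphrase and decrypting `intermediate_encrypted.key` fails at signing time. Either strip it when loading (`tr -d '\n'`) or write the file without one (`printf 'secret' > intermediate_key_password.txt`), and have the integration test fail loudly on a CA key-load error rather than on a later 500.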
25 changes: 25 additions & 0 deletions config/https/openssl.conf
@@ -0,0 +1,25 @@
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
C = US
ST = MA
L = Newton
O = CyberArk Software
OU = Conjur
CN = conjur.org

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
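Review bot: `[ req ]` sets no `req_extensions`, so with OpenSSL 1.1.x the `openssl req -new -extensions v3_intermediate_ca` call in `generate_csr` produces a CSR without any extensions, whereas 3.x honours `-extensions` for requests; decide which behaviour the test expects and make it explicit with `-reqexts` plus a `req_extensions` setting. `authorityKeyIdentifier = keyid:always,issuer` belongs in the issuer's signing profile, not in a request section: a CSR has no issuer certificate, so depending on version the directive either errors with "no issuer certificate" or is meaningless. The hard-coded DN (`CN = conjur.org`, `O = CyberArk Software`) is overridden by `-subj` in the script, and `[ v3_ca ]` is referenced by nothing in this PR, so either trim the file to the `v3_intermediate_ca` section or comment what the rest is for.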
98 changes: 98 additions & 0 deletions spec/cert-auth.yml
@@ -0,0 +1,98 @@
components:
schemas:
CertificateJson:
type: object
properties:
certificate:
type: string

CertificatePem:
type: string
format: base64

CsrBody:
type: object
properties:
csr:
type: string
ttl:
type: string
required:
- csr
- ttl

responses:
Certificate:
description: "The response body is the newly signed certificate"
content:
application/json:
schema:
$ref: '#/components/schemas/CertificateJson'
application/x-pem-file:
schema:
$ref: '#/components/schemas/CertificatePem'

paths:
Sign:
post:
tags:
- "certificate authority"
summary: "Gets a signed certificate from the configured Certificate Authority service."
description: "Gets a signed certificate from the configured Certificate Authority service.

The request must include a valid Certificate Signing Request, and a desired TTL in ISO 8601 format.

*** IMPORTANT ***
This endpoint is part of an early implementation of support for using Conjur as a certificate
authority, and is currently available at the Community (or early alpha) level.
This endpoint is still subject to breaking changes in the future.
"
operationId: "sign"
parameters:
- name: "account"
in: "path"
description: "Organization account name"
required: true
schema:
$ref: 'openapi.yml#/components/schemas/AccountName'
- name: "service_id"
in: "path"
description: "Name of the Certificate Authority service"
required: true
schema:
type: string
minLength: 1
example: "ca-service"
- name: "Accept"
in: "header"
description: "Setting the Accept header to `application/x-pem-file` allows Conjur to respond with a formatted certificate"
schema:
type: "string"
minLength: 1
example: "application/x-pem-file"
requestBody:
description: "Client Certificate Signing Request"
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/CsrBody'

responses:
"201":
$ref: '#/components/responses/Certificate'
"400":
$ref: 'openapi.yml#/components/responses/BadRequest'
"401":
$ref: 'openapi.yml#/components/responses/UnauthorizedError'
"403":
description: "Either:
The authenticated role is not a Host role,
The authenticated Host does not have `sign` privilege for the CA service, or
The authenticated Host ID does not match the of the CSR Common Name (CN).
"
"404":
description: "CA Service with the given ID does not exist"

security:
- conjurAuth: []
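Review bot: the `Accept` header parameter will be dropped by tooling: OpenAPI 3 states that a header parameter named `Accept`, `Content-Type` or `Authorization` SHALL be ignored, so generated clients will not expose it. The two entries under `responses.Certificate.content` (`application/json` and `application/x-pem-file`) already describe the negotiation; remove the parameter and move the sentence about `application/x-pem-file` into the operation description. `CertificatePem` uses `format: base64`, which is not an OpenAPI format (the base64 one is `byte`), and a PEM file is text with header lines, so make it a plain `string` with a PEM example. `ttl` is described as ISO 8601 but the schema gives no `example` (e.g. `PT1H`) and no response is listed for a TTL above the service's `ca/max_ttl` (the test policy sets `P1D`); document which status that returns. The `service_id` example `ca-service` does not explain how the ID maps to the test policy, whose webservice lives at `conjur/signing-service/ca`; say so in the parameter description. The 403 text has a typo: "does not match the of the CSR Common Name" should be "does not match the CSR Common Name".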
7 changes: 7 additions & 0 deletions spec/openapi.yml
Expand Up @@ -27,6 +27,8 @@ tags:
description: "Resources"
- name: "status"
description: "Server status"
- name: "certificate authority"
description: "Certificate authority"

components:
schemas:
Expand Down Expand Up @@ -286,6 +288,11 @@ paths:
'/public_keys/{account}/{kind}/{identifier}':
$ref: 'public-keys.yml#/components/paths/PublicKeys'

# ========== Certificate Authority ==========

'/ca/{account}/{service_id}/sign':
$ref: 'cert-auth.yml#/components/paths/Sign'

# TODO: Inject client cert
# TODO: Seed Service

33 changes: 33 additions & 0 deletions test/config/cert_auth_policy.yml
@@ -0,0 +1,33 @@
- !policy
id: conjur/signing-service/ca
body:
- !variable private-key
- !variable private-key-password
- !variable cert-chain

- !webservice
annotations:
ca/private-key: conjur/signing-service/ca/private-key
ca/private-key-password: conjur/signing-service/ca/private-key-password
ca/certificate-chain: conjur/signing-service/ca/cert-chain
ca/max_ttl: P1D

- !group clients

- !permit
role: !group clients
privilege: [ sign ]
resource: !webservice

- !policy
id: signing-service
body:
- !host test-client
- !host cn-test-client
- !host no-sign-client

- !grant
role: !group conjur/signing-service/ca/clients
members:
- !host signing-service/test-client
- !host signing-service/cn-test-client
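Review bot: the fixture covers the privilege and CN-mismatch branches but not the TTL cap or the non-host branch. `no-sign-client` (left out of `clients`) and `cn-test-client` give you two of the three 403 cases the spec lists, but no host requests a `ttl` above the webservice's `ca/max_ttl: P1D`, and no user role is granted `sign` to exercise "The authenticated role is not a Host role"; add both so the spec's responses reflect what Conjur actually returns. Also, `private-key-password` must hold exactly the passphrase used for `intermediate_encrypted.key`, so load it without a trailing newline.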