Cfssl backend

README.md

@@ -215,6 +215,110 @@ Output render options are:
     certonly If set to true the x509 format will return only the certificate
     keyonly  If set to true the x509 format will return only the private key
 
+### cfssl
+
+This format will use [CFSSL](https://github.com/cloudflare/cfssl) to generate certificates and then sign it via remote CFSSL API server, for example:
+
+`trocla set testcert cfssl '{"CN" : "test.example.com","hosts":["test.example.com"],"names":[{"O":"Testorg","OU":"testcert"}],}'`
+
+Format for options is same config as CFSSL uses. That means all names must be in `hosts` key including CN. Plaintext pass is not used.
+
+Key type is set to RSA 2048 if not set in trocla call. `names` list can be set as default in trocla config or passed to trocla call to override default
+
+Required configuration:
+
+* cfssl installed in /usr/bin/cfssl (that's where Debian packages install it) or anywhere in PATH that trocla sees.
+* cfssl CA configuration (example of it is in`lib/trocla/ca-config.json`
+* cfssl config keys showing server URL and CA configuration
+
+Trocla config minimum setup:
+
+```yaml
+formats:
+  cfssl:
+    server_url: https://certserver.example.com:8443
+    cfssl_config_path: /etc/trocla/trocla-ca-config.json
+```
+
+#### Basic usage
+
+call trocla with hash describing cert to sign:
+```json
+{
+  "CN": "*.example.com",
+  "hosts": [
+    "*.example.com",
+    "example.com",
+    "10.0.0.1"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "AB",
+      "L": "Nowherecity",
+      "O": "Someorg",
+      "OU": "IT dept",
+      "ST": "nowhere",
+      "emailAddress": "[email protected]"
+    }
+  ]
+}
+```
+and it will be signed using `server` cfssl profile
+
+`names` can be skipped if `default_names` key is specified in trocla config. `key` defaults to RSA 2048 and can be set globally via `default_key` key
+
+#### Additional generation options
+
+all other parameters are passed directly to cfssl
+
+##### profile
+
+Changes CFSSL profile. Defaults to 'server'
+
+##### selfsigned
+
+When set to true switches mode to generate selfsigned certs. Example:
+
+`trocla set testcerts cfssl '{"ca":{"expiry":"96h"},"selfsigned":true,"CN" : "test.example.com","hosts":["test.example.com"],"names":[{"O":"Testorg","OU":"testcert"}],}'`
+
+will generate selfsigned cert with lifetime 96 hours
+
+#### Additional trocla config options
+
+##### default_names
+
+Array to use if no `names` key is provided when requesting the certificate. For example:
+
+```yaml
+default_names:
+  - C: AB
+    L: Nowherecity
+    O: Someorg
+    OU: IT dept
+    ST: nowhere
+    emailAddress: [email protected]
+
+```
+####  intermediates
+
+Intermediates to add to the cert hash. Are **not** checked in any way
+
+#### Output
+
+Resulting hash will have  those keys, in PEM format: 
+
+* `cert` - cert itself
+* `key` - key to the cert
+* `csr` - CSR of the key
+* `intermediates` - intermediates needed for cert to work
+* `not_before` - stringified start date of cert (  2019-02-28 13:31:00 UTC )
+* `not_after` - stringified end date of cert (  2019-04-28 13:31:00 UTC )
+
+
 ## Installation
 
 * Debian has trocla within its sid-release: `apt-get install trocla`

lib/trocla/ca-config.json

@@ -0,0 +1,46 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "12h"
+    },
+    "profiles": {
+      "server": {
+        "expiry": "87600h",
+        "usages": [
+          "signing",
+          "key encipherment",
+          "server auth"
+        ]
+      },
+      "client": {
+        "expiry": "87600h",
+        "usages": [
+          "signing",
+          "key encipherment",
+          "client auth"
+        ]
+      },
+      "client-server": {
+        "expiry": "87600h",
+        "usages": [
+          "signing",
+          "key encipherment",
+          "server auth",
+          "client auth"
+        ]
+      },
+      "ca": {
+        "expiry": "87600h",
+        "ca_constraint": {
+          "is_ca": true,
+          "max_path_len": 0,
+          "max_path_len_zero": true
+        },
+        "usages": [
+          "cert sign",
+          "crl sign"
+        ]
+      }
+    }
+  }
+}

lib/trocla/default_config.yaml

@@ -44,4 +44,12 @@ profiles:
     days: 2
     # 1 day
     expires: 86400
-
+formats:
+  cfssl:
+    server_url: http://localhost:8888
+    #cfssl_config_path: ./ca-config.json
+    # intermediates: |
+    #    -----BEGIN CERTIFICATE-----
+    #    ...
+    #    -----END CERTIFICATE-----
+    #

lib/trocla/formats/cfssl.rb

@@ -0,0 +1,72 @@
+class Trocla::Formats::Cfssl < Trocla::Formats::Base
+  require 'json'
+  require 'open3'
+  def format(plain_password,options={})
+    #no dig method on jruby 1.9 used by puppet ;/
+    if @trocla.config['formats'] && @trocla.config['formats']['cfssl']
+      @cfssl_config = @trocla.config['formats']['cfssl']
+    else
+      raise "cfssl format needs server parameters in formats -> cfssl config in the config file"
+    end
+    if !options.is_a?(Hash)
+      options = YAML.load(options)
+    end
+    selfsigned = false
+    if options['selfsigned']
+      selfsigned = true
+      options.delete('selfsigned')
+    end
+    options['names'] ||= @cfssl_config['default_names']
+    options['key'] ||= @cfssl_config['default_key'] || { 'algo' => 'rsa', 'size' => 2048 }
+    if selfsigned
+      options['profile'] ||= 'ca'
+    else
+      options['profile'] ||= 'server'
+    end
+
+
+    if plain_password.is_a?(Hash) && plain_password['cert'] && plain_password['key']
+      # just an import, don't generate any new keys
+      # if cert does not have expiry info, add them (for certs imported manually)
+      if !plain_password['not_before']
+        cert = OpenSSL::X509::Certificate.new plain_password['cert']
+        plain_password['not_before'] = cert.not_before
+        plain_password['not_after'] = cert.not_after
+      end
+      return plain_password
+    end
+    @cfssl_config['cfssl_config_path'] ||= File.expand_path(File.join(File.dirname(__FILE__),'..','ca-config.json'))
+    if !options['CN'] || !options['names']
+      raise "options passed should contain CN and names (if names are not defined in default config)"
+    end
+    # CA certs and client certs do not need to have list of hosts
+    if !options.key?('hosts') && !selfsigned
+      raise "options passed should contain hosts key with list of domains/IPs to sign. If you you really do not want hosts (client certs etc), pass hosts => false"
+    end
+    if options.key?('hosts') && !options['hosts']
+      options.delete('hosts')
+    end
+    json_csr = JSON.dump(options)
+    if selfsigned
+      cfssl_cmd = ['cfssl','gencert','-initca=true','-config',@cfssl_config['cfssl_config_path'],'-profile', options['profile'], '-']
+    else
+      cfssl_cmd = ['cfssl','gencert','-config',@cfssl_config['cfssl_config_path'],'-profile', options['profile'], '-remote',@cfssl_config['server_url'],'-']
+    end
+    cfssl_stdout,cfssl_stderr = Open3.capture3(
+        *cfssl_cmd,
+        :stdin_data=>json_csr
+    )
+    certdata = JSON.load(cfssl_stdout)
+    if !certdata.is_a?(Hash) || !certdata['cert']
+      raise "cfssl: did not get cert data from server: stdin: #{json_csr} -> stdout: #{cfssl_stdout}, stderr #{cfssl_stderr}, config:#{@cfssl_config['cfssl_config_path']}"
+    end
+    if @cfssl_config['intermediates'] || options['intermediates']
+      certdata['intermediate'] ||= options['intermediates'] || @cfssl_config['intermediates']
+    end
+    # parse cert and extract validity date
+    cert = OpenSSL::X509::Certificate.new certdata['cert']
+    certdata['not_before'] = cert.not_before
+    certdata['not_after'] = cert.not_after
+    return certdata
+  end
+end