Merge pull request #2491 from smallstep/mariano/update

Improve validation in authorization path

Author: maraino

acme/challenge.go

@@ -792,6 +792,9 @@ type attestationObject struct {
 
 // TODO(bweeks): move attestation verification to a shared package.
 func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
+	// Update challenge with the payload
+	ch.Payload = payload
+
 	// Load authorization to store the key fingerprint.
 	az, err := db.GetAuthorization(ctx, ch.AuthorizationID)
 	if err != nil {
@@ -946,7 +949,6 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 	ch.Status = StatusValid
 	ch.Error = nil
 	ch.ValidatedAt = clock.Now().Format(time.RFC3339)
-	ch.Payload = payload
 	ch.PayloadFormat = format
 
 	// Store the fingerprint in the authorization.

acme/challenge_test.go

@@ -878,7 +878,7 @@ MCowBQYDK2VwAyEA5c+4NKZSNQcR1T8qN6SjwgdPZQ0Ge12Ylx/YeGAJ35k=
 						assert.Equal(t, StatusInvalid, updch.Status)
 						assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 						assert.Equal(t, "12345678", updch.Value)
-						assert.Nil(t, updch.Payload)
+						assert.Equal(t, payload, updch.Payload)
 						assert.Empty(t, updch.PayloadFormat)
 
 						err := NewError(ErrorRejectedIdentifierType, "payload contained error: an error")
@@ -4077,7 +4077,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, errorPayload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewError(ErrorRejectedIdentifierType, "payload contained error: an error")
@@ -4117,7 +4117,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, errorBase64Payload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "failed base64 decoding attObj %q", "?!")
@@ -4157,7 +4157,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, emptyPayload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "attObj must not be empty")
@@ -4197,7 +4197,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, emptyObjectPayload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "attObj must not be empty")
@@ -4237,7 +4237,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, errorNonWellformedCBORPayload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "attObj is not well formed CBOR: unexpected EOF")
@@ -4279,7 +4279,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, errorUnsupportedFormat, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "unsupported attestation object format %q", "unsupported-format")
@@ -4326,7 +4326,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, payload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewError(ErrorBadAttestationStatementType, "attestation format %q is not enabled", "step")
@@ -4383,7 +4383,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, payload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")
@@ -4432,7 +4432,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "serial-number", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, payload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "challenge token does not match")
@@ -4480,7 +4480,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "non-matching-value", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, payload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							subproblem := NewSubproblemWithIdentifier(
@@ -4560,7 +4560,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, payload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "x5c not present")
@@ -4616,7 +4616,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, payload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, "permanent identifier does not match").
@@ -4713,7 +4713,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "12345678", updch.Value)
-							assert.Nil(t, updch.Payload)
+							assert.Equal(t, payload, updch.Payload)
 							assert.Empty(t, updch.PayloadFormat)
 
 							err := NewDetailedError(ErrorBadAttestationStatementType, `unsupported attestation object format "bogus-format"`)

api/renew.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority"
+	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
 )
 
@@ -60,7 +61,7 @@ func getPeerCertificate(r *http.Request) (*x509.Certificate, string, error) {
 	}
 	if s := r.Header.Get(authorizationHeader); s != "" {
 		if parts := strings.SplitN(s, bearerScheme+" ", 2); len(parts) == 2 {
-			ctx := r.Context()
+			ctx := provisioner.NewContextWithMethod(r.Context(), provisioner.RenewMethod)
 			peer, err := mustAuthority(ctx).AuthorizeRenewToken(ctx, parts[1])
 			return peer, parts[1], err
 		}

api/revoke.go

@@ -94,8 +94,9 @@ func Revoke(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		opts.Crt = r.TLS.PeerCertificates[0]
-		if opts.Crt.SerialNumber.String() != opts.Serial {
-			render.Error(w, r, errs.BadRequest("serial number in client certificate different than body"))
+		if serialNumber := opts.Crt.SerialNumber.String(); opts.Serial != serialNumber {
+			render.Error(w, r, errs.Forbidden(
+				"request serial number %q and certificate serial number %q do not match", opts.Serial, serialNumber))
 			return
 		}
 		// TODO: should probably be checking if the certificate was revoked here.

api/sshRevoke.go

@@ -70,14 +70,13 @@ func SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	ctx := provisioner.NewContextWithMethod(r.Context(), provisioner.SSHRevokeMethod)
 	a := mustAuthority(ctx)
 
-	// A token indicates that we are using the api via a provisioner token,
-	// otherwise it is assumed that the certificate is revoking itself over mTLS.
 	logOtt(w, body.OTT)
 
 	if _, err := a.Authorize(ctx, body.OTT); err != nil {
 		render.Error(w, r, errs.UnauthorizedErr(err))
 		return
 	}
+
 	opts.OTT = body.OTT
 
 	if err := a.Revoke(ctx, opts); err != nil {

authority/authority_test.go

@@ -80,6 +80,10 @@ func testAuthority(t *testing.T, opts ...Option) *Authority {
 				EnableSSHCA: &enableSSHCA,
 			},
 		},
+		&provisioner.ACME{
+			Name: "acme",
+			Type: "ACME",
+		},
 		&provisioner.JWK{
 			Name: "uninitialized",
 			Type: "JWK",

authority/authorize.go

@@ -93,7 +93,7 @@ func (a *Authority) authorizeToken(ctx context.Context, token string) (provision
 	// Store the token to protect against reuse unless it's skipped.
 	// If we cannot get a token id from the provisioner, just hash the token.
 	if !SkipTokenReuseFromContext(ctx) {
-		if err := a.UseToken(token, p); err != nil {
+		if err := a.UseToken(ctx, token, p); err != nil {
 			return nil, err
 		}
 	}
@@ -138,7 +138,7 @@ func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedc
 	}
 
 	// Check that the token has not been used.
-	if err := a.UseToken(token, prov); err != nil {
+	if err := a.UseToken(r.Context(), token, prov); err != nil {
 		return nil, admin.WrapError(admin.ErrorUnauthorizedType, err, "adminHandler.authorizeToken; error with reuse token")
 	}
 
@@ -193,22 +193,35 @@ func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedc
 
 // UseToken stores the token to protect against reuse.
 //
-// This method currently ignores any error coming from the GetTokenID, but it
-// should specifically ignore the error provisioner.ErrAllowTokenReuse.
-func (a *Authority) UseToken(token string, prov provisioner.Interface) error {
-	if reuseKey, err := prov.GetTokenID(token); err == nil {
-		if reuseKey == "" {
-			sum := sha256.Sum256([]byte(token))
-			reuseKey = strings.ToLower(hex.EncodeToString(sum[:]))
-		}
-		ok, err := a.db.UseToken(reuseKey, token)
-		if err != nil {
-			return errs.Wrap(http.StatusInternalServerError, err, "failed when attempting to store token")
-		}
-		if !ok {
-			return errs.Unauthorized("token already used")
+// This method currently ignores most errors coming from the GetTokenID because
+// the token is already validated. But it should specifically ignore the errors
+// provisioner.ErrAllowTokenReuse, provisioner.ErrNotImplemented, and
+// provisioner.ErrTokenFlowNotSupported unless this latter one used in a renewal
+// flow without mTLS.
+func (a *Authority) UseToken(ctx context.Context, token string, prov provisioner.Interface) error {
+	reuseKey, err := prov.GetTokenID(token)
+	if err != nil {
+		// Fail on ErrTokenFlowNotSupported but allow x5cInsecure renew token
+		if errors.Is(err, provisioner.ErrTokenFlowNotSupported) && provisioner.RenewMethod != provisioner.MethodFromContext(ctx) {
+			return errs.BadRequest("token flow is not supported")
 		}
+
+		return nil
+	}
+
+	if reuseKey == "" {
+		sum := sha256.Sum256([]byte(token))
+		reuseKey = strings.ToLower(hex.EncodeToString(sum[:]))
 	}
+
+	ok, err := a.db.UseToken(reuseKey, token)
+	if err != nil {
+		return errs.Wrap(http.StatusInternalServerError, err, "failed when attempting to store token")
+	}
+	if !ok {
+		return errs.Unauthorized("token already used")
+	}
+
 	return nil
 }
 
@@ -398,7 +411,7 @@ func (a *Authority) authorizeSSHRevoke(ctx context.Context, token string) error
 
 // AuthorizeRenewToken validates the renew token and returns the leaf
 // certificate in the x5cInsecure header.
-func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Certificate, error) {
+func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error) {
 	var claims jose.Claims
 	jwt, chain, err := jose.ParseX5cInsecure(ott, a.rootX509Certs)
 	if err != nil {
@@ -413,7 +426,7 @@ func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Ce
 	if err != nil {
 		return nil, errs.Unauthorized("error validating renew token: cannot get provisioner from certificate")
 	}
-	if err := a.UseToken(ott, p); err != nil {
+	if err := a.UseToken(ctx, ott, p); err != nil {
 		return nil, err
 	}
 

authority/authorize_test.go

@@ -193,6 +193,25 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				code:  http.StatusUnauthorized,
 			}
 		},
+		"fail/token-flow-not-supported": func(t *testing.T) *authorizeTest {
+			cl := jose.Claims{
+				Subject:   "test.smallstep.com",
+				Issuer:    validIssuer,
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
+				IssuedAt:  jose.NewNumericDate(now),
+				Audience:  []string{"acme/acme"},
+				ID:        "45",
+			}
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
+			assert.FatalError(t, err)
+			return &authorizeTest{
+				auth:  a,
+				token: raw,
+				err:   errors.New("token flow is not supported"),
+				code:  http.StatusBadRequest,
+			}
+		},
 		"ok/simpledb": func(t *testing.T) *authorizeTest {
 			cl := jose.Claims{
 				Subject:   "test.smallstep.com",

authority/provisioner/acme.go

@@ -138,9 +138,10 @@ func (p *ACME) GetIDForToken() string {
 	return "acme/" + p.Name
 }
 
-// GetTokenID returns the identifier of the token.
+// GetTokenID returns the identifier of the token. This provisioner will always
+// return [ErrTokenFlowNotSupported].
 func (p *ACME) GetTokenID(string) (string, error) {
-	return "", errors.New("acme provisioner does not implement GetTokenID")
+	return "", ErrTokenFlowNotSupported
 }
 
 // GetName returns the name of the provisioner.

authority/provisioner/acme_test.go

@@ -82,6 +82,9 @@ func TestACME_Getters(t *testing.T) {
 		t.Errorf("ACME.GetEncryptedKey() = (%v, %v, %v), want (%v, %v, %v)",
 			kid, key, ok, "", "", false)
 	}
+	tokenID, err := p.GetTokenID("token")
+	assert.Empty(t, tokenID)
+	assert.Equal(t, ErrTokenFlowNotSupported, err)
 }
 
 func TestACME_Init(t *testing.T) {