1
// Copyright Istio Authors
3
// Licensed under the Apache License, Version 2.0 (the "License");
4
// you may not use this file except in compliance with the License.
5
// You may obtain a copy of the License at
7
// http://www.apache.org/licenses/LICENSE-2.0
9
// Unless required by applicable law or agreed to in writing, software
10
// distributed under the License is distributed on an "AS IS" BASIS,
11
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
// See the License for the specific language governing permissions and
13
// limitations under the License.
25
"google.golang.org/grpc"
26
"google.golang.org/grpc/codes"
27
ghc "google.golang.org/grpc/health/grpc_health_v1"
28
"google.golang.org/grpc/status"
30
pb "istio.io/api/security/v1alpha1"
31
"istio.io/istio/pkg/log"
32
"istio.io/istio/pkg/security"
33
"istio.io/istio/pkg/spiffe"
34
caerror "istio.io/istio/security/pkg/pki/error"
35
"istio.io/istio/security/pkg/pki/util"
38
var caServerLog = log.RegisterScope("ca", "CA service debugging")
40
// CAServer is a mock CA server.
42
pb.UnimplementedIstioCertificateServiceServer
44
GRPCServer *grpc.Server
45
Authenticators []security.Authenticator
49
KeyCertBundle *util.KeyCertBundle
50
certLifetime time.Duration
54
faultInjectLock *sync.Mutex
57
func NewCAServerWithKeyCert(port int, key, cert []byte, opts ...grpc.ServerOption) (*CAServer, error) {
58
keyCertBundle, err := util.NewVerifiedKeyCertBundleFromPem(cert, key, nil, cert)
60
caServerLog.Errorf("failed to create CA KeyCertBundle: %+v", err)
67
certLifetime: 24 * time.Hour,
68
KeyCertBundle: keyCertBundle,
69
GRPCServer: grpc.NewServer(opts...),
70
faultInjectLock: &sync.Mutex{},
72
// Register CA service at gRPC server.
73
pb.RegisterIstioCertificateServiceServer(server.GRPCServer, server)
74
ghc.RegisterHealthServer(server.GRPCServer, server)
75
return server, server.start(port)
78
// NewCAServer creates a new CA server that listens on port.
79
func NewCAServer(port int, opts ...grpc.ServerOption) (*CAServer, error) {
80
// Create root cert and private key.
81
options := util.CertOptions{
82
TTL: 3650 * 24 * time.Hour,
83
Org: spiffe.GetTrustDomain(),
89
cert, key, err := util.GenCertKeyFromOptions(options)
91
caServerLog.Errorf("cannot create CA cert and private key: %+v", err)
94
return NewCAServerWithKeyCert(port, key, cert, opts...)
97
func (s *CAServer) start(port int) error {
98
listener, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
100
caServerLog.Errorf("cannot listen on port %d (error: %v)", port, err)
104
// If passed in port is 0, get the actual chosen port.
105
port = listener.Addr().(*net.TCPAddr).Port
106
s.URL = fmt.Sprintf("localhost:%d", port)
108
caServerLog.Infof("start CA server on %s", s.URL)
109
if err := s.GRPCServer.Serve(listener); err != nil && (err != grpc.ErrServerStopped) {
110
caServerLog.Errorf("CA Server failed to serve in %q: %v", s.URL, err)
116
// RejectCSR specifies whether to send error response to CSR.
117
func (s *CAServer) RejectCSR(reject bool) {
118
s.faultInjectLock.Lock()
120
s.faultInjectLock.Unlock()
122
caServerLog.Info("force CA server to return error to CSR")
126
func (s *CAServer) shouldReject() bool {
128
s.faultInjectLock.Lock()
130
s.faultInjectLock.Unlock()
134
// SendEmptyCert force CA server send empty cert chain.
135
func (s *CAServer) SendEmptyCert() {
136
s.faultInjectLock.Lock()
138
s.faultInjectLock.Unlock()
139
caServerLog.Info("force CA server to send empty cert chain")
142
func (s *CAServer) sendEmpty() bool {
144
s.faultInjectLock.Lock()
146
s.faultInjectLock.Unlock()
150
// CreateCertificate handles CSR.
151
func (s *CAServer) CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest) (
152
*pb.IstioCertificateResponse, error,
154
caServerLog.Infof("received CSR request")
155
if s.shouldReject() {
156
caServerLog.Info("force rejecting CSR request")
157
return nil, status.Error(codes.Unavailable, "CA server is not available")
160
caServerLog.Info("force sending empty cert chain in CSR response")
161
response := &pb.IstioCertificateResponse{
162
CertChain: []string{},
166
id := []string{"client-identity"}
167
if len(s.Authenticators) > 0 {
168
caller, err := security.Authenticate(ctx, s.Authenticators)
169
if caller == nil || err != nil {
170
return nil, status.Error(codes.Unauthenticated, "request authenticate failure")
172
id = caller.Identities
174
cert, err := s.sign([]byte(request.Csr), id, time.Duration(request.ValidityDuration)*time.Second, false)
176
caServerLog.Errorf("failed to sign CSR: %+v", err)
177
return nil, status.Errorf(err.(*caerror.Error).HTTPErrorCode(), "CSR signing error: %+v", err.(*caerror.Error))
179
respCertChain := []string{string(cert)}
180
respCertChain = append(respCertChain, string(s.certPem))
181
response := &pb.IstioCertificateResponse{
182
CertChain: respCertChain,
184
caServerLog.Info("send back CSR success response")
188
func (s *CAServer) sign(csrPEM []byte, subjectIDs []string, _ time.Duration, forCA bool) ([]byte, error) {
189
csr, err := util.ParsePemEncodedCSR(csrPEM)
191
caServerLog.Errorf("failed to parse CSR: %+v", err)
192
return nil, caerror.NewError(caerror.CSRError, err)
194
signingCert, signingKey, _, _ := s.KeyCertBundle.GetAll()
195
certBytes, err := util.GenCertFromCSR(csr, signingCert, csr.PublicKey, *signingKey, subjectIDs, s.certLifetime, forCA)
197
caServerLog.Errorf("failed to generate cert from CSR: %+v", err)
198
return nil, caerror.NewError(caerror.CertGenError, err)
204
cert := pem.EncodeToMemory(block)
209
// Check handles health check requests.
210
func (s *CAServer) Check(ctx context.Context, in *ghc.HealthCheckRequest) (*ghc.HealthCheckResponse, error) {
211
return &ghc.HealthCheckResponse{
212
Status: ghc.HealthCheckResponse_SERVING,
216
// Watch handles health check streams.
217
func (s *CAServer) Watch(_ *ghc.HealthCheckRequest, _ ghc.Health_WatchServer) error {