smallstep · maraino · Sep 13, 2022 · Aug 30, 2022 · Aug 31, 2022 · Aug 31, 2022
diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,10 @@
 *.so
 *.dylib
 
+# Go Workspaces
+go.work
+go.work.sum
+
 # Test binary, build with `go test -c`
 *.test
 

diff --git a/command/ca/certificate.go b/command/ca/certificate.go
@@ -167,6 +167,7 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 			flags.Size,
 			flags.NotAfter,
 			flags.NotBefore,
+			flags.Attest,
 			flags.Force,
 			flags.Offline,
 			flags.PasswordFile,
@@ -186,10 +187,15 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 }
 
 func certificateAction(ctx *cli.Context) error {
-	if err := errs.NumberOfArguments(ctx, 3); err != nil {
+	if err := errs.MinMaxNumberOfArguments(ctx, 2, 3); err != nil {
 		return err
 	}
 
+	// Allow two arguments with the attestation uri.
+	if ctx.NArg() == 2 && ctx.String("attest") == "" {
+		return errs.TooFewArguments(ctx)
+	}
+
 	args := ctx.Args()
 	subject := args.Get(0)
 	crtFile, keyFile := args.Get(1), args.Get(2)

diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
@@ -815,7 +815,7 @@ func acmeChallengeToLinkedca(challenges []string) []linkedca.ACMEProvisioner_Cha
 		case "dns-01":
 			ret = append(ret, linkedca.ACMEProvisioner_DNS_01)
 		case "tls-alpn-01":
-			ret = append(ret, linkedca.ACMEProvisioner_TLS_ALPN_O1)
+			ret = append(ret, linkedca.ACMEProvisioner_TLS_ALPN_01)
 		case "device-attest-01":
 			ret = append(ret, linkedca.ACMEProvisioner_DEVICE_ATTEST_01)
 		}

diff --git a/flags/flags.go b/flags/flags.go
@@ -398,6 +398,11 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 		Name:  "kms",
 		Usage: "The <uri> to configure a Cloud KMS or an HSM.",
 	}
+
+	Attest = cli.StringFlag{
+		Name:  "attest",
+		Usage: "The KMS <uri> used for attestation.",
+	}
 )
 
 // ParseTimeOrDuration is a helper that returns the time or the current time

diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.18
 require (
 	github.com/Microsoft/go-winio v0.4.14
 	github.com/ThomasRooney/gexpect v0.0.0-20161231170123-5482f0350944
+	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/google/uuid v1.3.0
 	github.com/icrowley/fake v0.0.0-20180203215853-4178557ae428
 	github.com/manifoldco/promptui v0.9.0
@@ -14,8 +15,8 @@ require (
 	github.com/shurcooL/sanitized_anchor_name v1.0.0
 	github.com/slackhq/nebula v1.5.2
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
-	github.com/smallstep/certificates v0.22.2-0.20220908202628-b2119e9f2c68
-	github.com/smallstep/certinfo v1.7.0
+	github.com/smallstep/certificates v0.22.2-0.20220912233041-df975122a0da
+	github.com/smallstep/certinfo v1.8.1
 	github.com/smallstep/truststore v0.12.0
 	github.com/smallstep/zcrypto v0.0.0-20210924233136-66c2600f6e71
 	github.com/smallstep/zlint v0.0.0-20180727184541-d84eaafe274f
@@ -24,8 +25,8 @@ require (
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.5
 	go.step.sm/crypto v0.19.0
-	go.step.sm/linkedca v0.18.1-0.20220908140115-147cf75c525d
-	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29
+	go.step.sm/linkedca v0.19.0-rc.1
+	golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d
 	golang.org/x/net v0.0.0-20220607020251-c690dde0001d
 	golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
@@ -81,7 +82,6 @@ require (
 	github.com/envoyproxy/protoc-gen-validate v0.3.0-java // indirect
 	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
 	github.com/fullstorydev/grpcurl v1.8.2 // indirect
-	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-kit/kit v0.10.0 // indirect
 	github.com/go-logfmt/logfmt v0.5.0 // indirect
@@ -195,9 +195,3 @@ require (
 	howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
-
-// replace github.com/smallstep/certificates => ../certificates
-// replace github.com/smallstep/certinfo => ../certinfo
-// replace go.step.sm/linkedca => ../linkedca
-// replace go.step.sm/cli-utils => ../cli-utils
-// replace go.step.sm/crypto => ../crypto
diff --git a/go.sum b/go.sum
@@ -891,10 +891,10 @@ github.com/slackhq/nebula v1.5.2/go.mod h1:xaCM6wqbFk/NRmmUe1bv88fWBm3a1UioXJVIp
 github.com/smallstep/assert v0.0.0-20180720014142-de77670473b5/go.mod h1:TC9A4+RjIOS+HyTH7wG17/gSqVv95uDw2J64dQZx7RE=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
-github.com/smallstep/certificates v0.22.2-0.20220908202628-b2119e9f2c68 h1:s5S1IZJM4hgK78d/QQov2Vx3Re5GBbb+r4mIaCo7iJk=
-github.com/smallstep/certificates v0.22.2-0.20220908202628-b2119e9f2c68/go.mod h1:rGaw/vJYWunycyCMNu2Pq2XHVjtRNMdNO3U1gOSOfcQ=
-github.com/smallstep/certinfo v1.7.0 h1:1VzGgeSFLdXO242mRUkJu02epXV6E9uawjhPH0H2LzA=
-github.com/smallstep/certinfo v1.7.0/go.mod h1:QRjP6s+cuishA6cdB//RX357ysYGz/QxlpWGyWjnfII=
+github.com/smallstep/certificates v0.22.2-0.20220912233041-df975122a0da h1:Y0iP/MZpdl1bpt7D2WYnwa8te8+k0vDcyYQ5tRKLjbI=
+github.com/smallstep/certificates v0.22.2-0.20220912233041-df975122a0da/go.mod h1:e5p/JQ4oT3IArpw1WA5BB86TBE6s6IaIiqnTx7JwRrk=
+github.com/smallstep/certinfo v1.8.1 h1:M6z2uUtK6MVva0E7ZIzev9I/3mZl6Sfvvk4DiNob/s0=
+github.com/smallstep/certinfo v1.8.1/go.mod h1:rRIcDFvXO8nrxnmqhrLrhOwiFtJ4iMRa9naNnZXcNU8=
 github.com/smallstep/nosql v0.4.0 h1:Go3WYwttUuvwqMtFiiU4g7kBIlY+hR0bIZAqVdakQ3M=
 github.com/smallstep/nosql v0.4.0/go.mod h1:yKZT5h7cdIVm6wEKM9+jN5dgK80Hljpuy8HNsnI7Gzo=
 github.com/smallstep/truststore v0.12.0 h1:973Aa6fA7Ob/GCxqziosDzkQq6tV0Le6IUe4sikyW+U=
@@ -1075,8 +1075,8 @@ go.step.sm/cli-utils v0.7.5/go.mod h1:taSsY8haLmXoXM3ZkywIyRmVij/4Aj0fQbNTlJvv71
 go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
 go.step.sm/crypto v0.19.0 h1:WxjUDeTDpuPZ1IR3v6c4jc6WdlQlS5IYYQBhfnG5uW0=
 go.step.sm/crypto v0.19.0/go.mod h1:qZ+pNU1nV+THwP7TPTNCRMRr9xrRURhETTAK7U5psfw=
-go.step.sm/linkedca v0.18.1-0.20220908140115-147cf75c525d h1:grL/lXVzdUc51Aa2exEsRJl+Q9eaUwHc31heb/ims58=
-go.step.sm/linkedca v0.18.1-0.20220908140115-147cf75c525d/go.mod h1:qSuYlIIhvPmA2+DSSS03E2IXhbXWTLW61Xh9zDQJ3VM=
+go.step.sm/linkedca v0.19.0-rc.1 h1:8XcQvanelK1g0ijl5/itmmAIsqD2QSMHGqcWzJwwJCU=
+go.step.sm/linkedca v0.19.0-rc.1/go.mod h1:G35baT7Qnh6VsRCjzSfi5xsYw0ERrU+I1aIuZswMBeA=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -1123,8 +1123,9 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 h1:tkVvjkPTB7pnW3jnid7kNyAMPVWllTNOf/qKDze4p9o=
 golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d h1:3qF+Z8Hkrw9sOhrFHti9TlB1Hkac1x+DNRkv0XQiFjo=
+golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

diff --git a/internal/cryptoutil/cryptoutil.go b/internal/cryptoutil/cryptoutil.go
@@ -16,6 +16,13 @@ import (
 	"go.step.sm/crypto/pemutil"
 )
 
+// Attestor is the interface implemented by step-kms-plugin using the key, sign
-// Attestor is the interface implemented by step-kms-plugin using the key, sign
+// Attestor is the interface implemented by step-kms-plugin using the key, sign,
-// Attestor is the interface implemented by step-kms-plugin using the key, sign
+// Attestor is the interface implemented by step-kms-plugin using the key, sign,
+// and attest commands.
+type Attestor interface {
+	crypto.Signer
+	Attest() ([]byte, error)
+}
+
 // CreateSigner reads a key from a file with a given name or creates a signer
 // with the given kms and name uri.
 func CreateSigner(kms, name string, opts ...pemutil.Options) (crypto.Signer, error) {
@@ -33,6 +40,12 @@ func CreateSigner(kms, name string, opts ...pemutil.Options) (crypto.Signer, err
 	return newKMSSigner(kms, name)
 }
 
+// CreateAttestor creates an attestor that will use `step-kms-plugin` with the
+// given kms and name.
+func CreateAttestor(kms, name string) (Attestor, error) {
+	return newKMSSigner(kms, name)
+}
+
 // IsKMSSigner returns true if the given signer uses the step-kms-plugin signer.
 func IsKMSSigner(signer crypto.Signer) (ok bool) {
 	_, ok = signer.(*kmsSigner)
@@ -76,7 +89,7 @@ func exitError(cmd *exec.Cmd, err error) error {
 }
 
 // newKMSSigner creates a signer using `step-kms-plugin` as the signer.
-func newKMSSigner(kms, key string) (crypto.Signer, error) {
+func newKMSSigner(kms, key string) (*kmsSigner, error) {
 	name, err := plugin.LookPath("kms")
 	if err != nil {
 		return nil, err
@@ -152,3 +165,21 @@ func (s *kmsSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts)
 	}
 	return base64.StdEncoding.DecodeString(string(out))
 }
+
+// Attest returns an attestation certificate using the `step-kms-plugin attest`
+// command.
+func (s *kmsSigner) Attest() ([]byte, error) {
+	args := []string{"attest"}
+	if s.kms != "" {
+		args = append(args, "--kms", s.kms)
+	}
+	args = append(args, s.key)
+
+	//nolint:gosec // arguments controlled by step.
+	cmd := exec.Command(s.name, args...)
+	out, err := cmd.Output()
+	if err != nil {
+		return nil, exitError(cmd, err)
+	}
+	return out, nil
+}
diff --git a/utils/cautils/acme_flow.go b/utils/cautils/acme_flow.go
@@ -29,11 +29,16 @@ func ACMECreateCertFlow(ctx *cli.Context, provisionerName string) error {
 	}
 	ui.PrintSelected("Certificate", certFile)
 
-	_, err = pemutil.Serialize(af.priv, pemutil.ToFile(keyFile, 0600))
-	if err != nil {
-		return errors.WithStack(err)
+	// We won't have a private key with attestation certificates
+	if af.priv != nil {
+		_, err = pemutil.Serialize(af.priv, pemutil.ToFile(keyFile, 0600))
+		if err != nil {
+			return errors.WithStack(err)
+		}
+		ui.PrintSelected("Private Key", keyFile)
+	} else if v := ctx.String("attest"); v != "" {
+		ui.PrintSelected("Private Key", v)
 	}
-	ui.PrintSelected("Private Key", keyFile)
 	return nil
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,10 @@ @@
     *.so
     *.dylib
+    # Go Workspaces
+    go.work
+    go.work.sum
     # Test binary, build with `go test -c`
     *.test
@@ Expand Down @@