smallstep · maraino · Sep 13, 2022 · Aug 30, 2022 · Aug 31, 2022 · Aug 31, 2022
diff --git a/.gitignore b/.gitignore
@@ -6,6 +6,10 @@
 *.so
 *.dylib
 
+# Go Workspaces
+go.work
+go.work.sum
+
 # Test binary, build with `go test -c`
 *.test
 

diff --git a/command/ca/certificate.go b/command/ca/certificate.go
@@ -167,6 +167,7 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 			flags.Size,
 			flags.NotAfter,
 			flags.NotBefore,
+			flags.Attest,
 			flags.Force,
 			flags.Offline,
 			flags.PasswordFile,
@@ -186,10 +187,15 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 }
 
 func certificateAction(ctx *cli.Context) error {
-	if err := errs.NumberOfArguments(ctx, 3); err != nil {
+	if err := errs.MinMaxNumberOfArguments(ctx, 2, 3); err != nil {
 		return err
 	}
 
+	// Allow two arguments with the attestation uri.
+	if ctx.NArg() == 2 && ctx.String("attest") == "" {
+		return errs.TooFewArguments(ctx)
+	}
+
 	args := ctx.Args()
 	subject := args.Get(0)
 	crtFile, keyFile := args.Get(1), args.Get(2)

diff --git a/flags/flags.go b/flags/flags.go
@@ -398,6 +398,11 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 		Name:  "kms",
 		Usage: "The <uri> to configure a Cloud KMS or an HSM.",
 	}
+
+	Attest = cli.StringFlag{
+		Name:  "attest",
+		Usage: "The KMS <uri> used for attestation.",
+	}
 )
 
 // ParseTimeOrDuration is a helper that returns the time or the current time

diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.18
 require (
 	github.com/Microsoft/go-winio v0.4.14
 	github.com/ThomasRooney/gexpect v0.0.0-20161231170123-5482f0350944
+	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/google/uuid v1.3.0
 	github.com/icrowley/fake v0.0.0-20180203215853-4178557ae428
 	github.com/manifoldco/promptui v0.9.0
@@ -14,18 +15,18 @@ require (
 	github.com/shurcooL/sanitized_anchor_name v1.0.0
 	github.com/slackhq/nebula v1.5.2
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
-	github.com/smallstep/certificates v0.22.0
-	github.com/smallstep/certinfo v1.7.0
+	github.com/smallstep/certificates v0.22.2-0.20220908202628-b2119e9f2c68
+	github.com/smallstep/certinfo v1.8.1
 	github.com/smallstep/truststore v0.11.0
 	github.com/smallstep/zcrypto v0.0.0-20210924233136-66c2600f6e71
 	github.com/smallstep/zlint v0.0.0-20180727184541-d84eaafe274f
 	github.com/stretchr/testify v1.7.1
 	github.com/urfave/cli v1.22.5
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.4
-	go.step.sm/crypto v0.18.0
-	go.step.sm/linkedca v0.18.1-0.20220824000236-47827c8eb300
-	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29
+	go.step.sm/crypto v0.19.0
+	go.step.sm/linkedca v0.18.1-0.20220908140115-147cf75c525d
+	golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d
 	golang.org/x/net v0.0.0-20220607020251-c690dde0001d
 	golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
@@ -149,6 +150,7 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
 	github.com/weppos/publicsuffix-go v0.4.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.0 // indirect
@@ -193,9 +195,3 @@ require (
 	howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
-
-// replace github.com/smallstep/certificates => ../certificates
-// replace github.com/smallstep/certinfo => ../certinfo
-// replace go.step.sm/linkedca => ../linkedca
-// replace go.step.sm/cli-utils => ../cli-utils
-// replace go.step.sm/crypto => ../crypto
diff --git a/go.sum b/go.sum
@@ -329,6 +329,8 @@ github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZU
 github.com/fullstorydev/grpcurl v1.8.1/go.mod h1:3BWhvHZwNO7iLXaQlojdg5NA6SxUDePli4ecpK1N7gw=
 github.com/fullstorydev/grpcurl v1.8.2 h1:2II5e++aFnctnPJir3GL6cPSwF69Ord1u/9O+fv1vrI=
 github.com/fullstorydev/grpcurl v1.8.2/go.mod h1:YvWNT3xRp2KIRuvCphFodG0fKkMXwaxA9CJgKCcyzUQ=
+github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
+github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/getsentry/raven-go v0.2.0 h1:no+xWJRb5ZI7eE8TWgIq1jLulQiIoLG0IfYxv5JYMGs=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -889,10 +891,10 @@ github.com/slackhq/nebula v1.5.2/go.mod h1:xaCM6wqbFk/NRmmUe1bv88fWBm3a1UioXJVIp
 github.com/smallstep/assert v0.0.0-20180720014142-de77670473b5/go.mod h1:TC9A4+RjIOS+HyTH7wG17/gSqVv95uDw2J64dQZx7RE=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
-github.com/smallstep/certificates v0.22.0 h1:Xrj3ZPw/+V9j4sBu21GEK0WfVriHG4LQODmLr/K2B64=
-github.com/smallstep/certificates v0.22.0/go.mod h1:3R1PxdLOEqbNaWp88WiUByQAHGL+b9NefaQ5q6oTIZo=
-github.com/smallstep/certinfo v1.7.0 h1:1VzGgeSFLdXO242mRUkJu02epXV6E9uawjhPH0H2LzA=
-github.com/smallstep/certinfo v1.7.0/go.mod h1:QRjP6s+cuishA6cdB//RX357ysYGz/QxlpWGyWjnfII=
+github.com/smallstep/certificates v0.22.2-0.20220908202628-b2119e9f2c68 h1:s5S1IZJM4hgK78d/QQov2Vx3Re5GBbb+r4mIaCo7iJk=
+github.com/smallstep/certificates v0.22.2-0.20220908202628-b2119e9f2c68/go.mod h1:rGaw/vJYWunycyCMNu2Pq2XHVjtRNMdNO3U1gOSOfcQ=
+github.com/smallstep/certinfo v1.8.1 h1:M6z2uUtK6MVva0E7ZIzev9I/3mZl6Sfvvk4DiNob/s0=
+github.com/smallstep/certinfo v1.8.1/go.mod h1:rRIcDFvXO8nrxnmqhrLrhOwiFtJ4iMRa9naNnZXcNU8=
 github.com/smallstep/nosql v0.4.0 h1:Go3WYwttUuvwqMtFiiU4g7kBIlY+hR0bIZAqVdakQ3M=
 github.com/smallstep/nosql v0.4.0/go.mod h1:yKZT5h7cdIVm6wEKM9+jN5dgK80Hljpuy8HNsnI7Gzo=
 github.com/smallstep/truststore v0.11.0 h1:JUTkQ4oHr40jHTS/A2t0usEhteMWG+45CDD2iJA/dIk=
@@ -974,6 +976,8 @@ github.com/urfave/cli v1.22.5 h1:lNq9sAHXK2qfdI8W+GRItjCEkI+2oR4d+MEHy1CKXoU=
 github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/weppos/publicsuffix-go v0.4.0 h1:YSnfg3V65LcCFKtIGKGoBhkyKolEd0hlipcXaOjdnQw=
 github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
@@ -1069,10 +1073,10 @@ go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqe
 go.step.sm/cli-utils v0.7.4 h1:oI7PStZqlvjPZ0u2EB4lN7yZ4R3ShTotdGL/L84Oorg=
 go.step.sm/cli-utils v0.7.4/go.mod h1:taSsY8haLmXoXM3ZkywIyRmVij/4Aj0fQbNTlJvv71I=
 go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
-go.step.sm/crypto v0.18.0 h1:saD/tMG7uKJmUIPyOyudidVTHPnozTU02CDd+oqwKn0=
-go.step.sm/crypto v0.18.0/go.mod h1:qZ+pNU1nV+THwP7TPTNCRMRr9xrRURhETTAK7U5psfw=
-go.step.sm/linkedca v0.18.1-0.20220824000236-47827c8eb300 h1:kDqCHUh4jqqqf+m5IXjFjlwsTXuIXpf5ciGKigqJH14=
-go.step.sm/linkedca v0.18.1-0.20220824000236-47827c8eb300/go.mod h1:qSuYlIIhvPmA2+DSSS03E2IXhbXWTLW61Xh9zDQJ3VM=
+go.step.sm/crypto v0.19.0 h1:WxjUDeTDpuPZ1IR3v6c4jc6WdlQlS5IYYQBhfnG5uW0=
+go.step.sm/crypto v0.19.0/go.mod h1:qZ+pNU1nV+THwP7TPTNCRMRr9xrRURhETTAK7U5psfw=
+go.step.sm/linkedca v0.18.1-0.20220908140115-147cf75c525d h1:grL/lXVzdUc51Aa2exEsRJl+Q9eaUwHc31heb/ims58=
+go.step.sm/linkedca v0.18.1-0.20220908140115-147cf75c525d/go.mod h1:qSuYlIIhvPmA2+DSSS03E2IXhbXWTLW61Xh9zDQJ3VM=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -1119,8 +1123,9 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 h1:tkVvjkPTB7pnW3jnid7kNyAMPVWllTNOf/qKDze4p9o=
 golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d h1:3qF+Z8Hkrw9sOhrFHti9TlB1Hkac1x+DNRkv0XQiFjo=
+golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

diff --git a/internal/cryptoutil/cryptoutil.go b/internal/cryptoutil/cryptoutil.go
@@ -16,6 +16,11 @@ import (
 	"go.step.sm/crypto/pemutil"
 )
 
+type Attestor interface {
+	crypto.Signer
+	Attest() ([]byte, error)
+}
+
 // CreateSigner reads a key from a file with a given name or creates a signer
 // with the given kms and name uri.
 func CreateSigner(kms, name string, opts ...pemutil.Options) (crypto.Signer, error) {
@@ -33,6 +38,12 @@ func CreateSigner(kms, name string, opts ...pemutil.Options) (crypto.Signer, err
 	return newKMSSigner(kms, name)
 }
 
+// CreateAttestor creates an attestor that will use `step-kms-plugin` with the
+// given kms and uri.
+func CreateAttestor(kms, name string) (Attestor, error) {
+	return newKMSSigner(kms, name)
+}
+
 // IsKMSSigner returns true if the given signer uses the step-kms-plugin signer.
 func IsKMSSigner(signer crypto.Signer) (ok bool) {
 	_, ok = signer.(*kmsSigner)
@@ -76,7 +87,7 @@ func exitError(cmd *exec.Cmd, err error) error {
 }
 
 // newKMSSigner creates a signer using `step-kms-plugin` as the signer.
-func newKMSSigner(kms, key string) (crypto.Signer, error) {
+func newKMSSigner(kms, key string) (*kmsSigner, error) {
 	name, err := plugin.LookPath("kms")
 	if err != nil {
 		return nil, err
@@ -152,3 +163,21 @@ func (s *kmsSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts)
 	}
 	return base64.StdEncoding.DecodeString(string(out))
 }
+
+// Attest returns an attestation certificate using the `step-kms-plugin attest`
+// command.
+func (s *kmsSigner) Attest() ([]byte, error) {
+	args := []string{"attest"}
+	if s.kms != "" {
+		args = append(args, "--kms", s.kms)
+	}
+	args = append(args, s.key)
+
+	//nolint:gosec // arguments controlled by step.
+	cmd := exec.Command(s.name, args...)
+	out, err := cmd.Output()
+	if err != nil {
+		return nil, exitError(cmd, err)
+	}
+	return out, nil
+}
diff --git a/utils/cautils/acme_flow.go b/utils/cautils/acme_flow.go
@@ -29,11 +29,14 @@ func ACMECreateCertFlow(ctx *cli.Context, provisionerName string) error {
 	}
 	ui.PrintSelected("Certificate", certFile)
 
-	_, err = pemutil.Serialize(af.priv, pemutil.ToFile(keyFile, 0600))
-	if err != nil {
-		return errors.WithStack(err)
+	// We won't have a private key with attestation certificates
+	if af.priv != nil {
+		_, err = pemutil.Serialize(af.priv, pemutil.ToFile(keyFile, 0600))
+		if err != nil {
+			return errors.WithStack(err)
+		}
+		ui.PrintSelected("Private Key", keyFile)
 	}
-	ui.PrintSelected("Private Key", keyFile)
 	return nil
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,10 @@ @@
     *.so
     *.dylib
+    # Go Workspaces
+    go.work
+    go.work.sum
     # Test binary, build with `go test -c`
     *.test
@@ Expand Down @@