pki: Implement API endpoints for certs and caddy trust (#4443)

* admin: Implement /pki/certificates/<id> API * pki: Lower "skip_install_trust" log level to INFO See https://github.com/caddyserver/caddy/issues/4058#issuecomment-976132935 It's not necessary to warn about this, because this was an option explicitly configured by the user. Still useful to log, but we don't need to be so loud about it. * cmd: Export functions needed for PKI app, return API response to caller * pki: Rewrite `caddy trust` command to use new admin endpoint instead * pki: Rewrite `caddy untrust` command to support using admin endpoint * Refactor cmd and pki packages for determining admin API endpoint
2025-10-19 15:53:17 +00:00 · 2022-03-02 13:08:36 -05:00 · 2022-03-02 13:08:36 -05:00 · bbad6931e3
commit bbad6931e3
parent 5bd96a6ac2
9 changed files with 485 additions and 111 deletions
--- a/modules/caddypki/command.go
+++ b/modules/caddypki/command.go
@ -15,11 +15,13 @@
 package caddypki

 import (
-	"context"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
 	"flag"
 	"fmt"
+	"net/http"
 	"os"
-	"path/filepath"

 	"github.com/caddyserver/caddy/v2"
 	caddycmd "github.com/caddyserver/caddy/v2/cmd"
@ -30,69 +32,110 @@ func init() {
 	caddycmd.RegisterCommand(caddycmd.Command{
 		Name:  "trust",
 		Func:  cmdTrust,
+		Usage: "[--ca <id>] [--address <listen>] [--config <path> [--adapter <name>]]",
 		Short: "Installs a CA certificate into local trust stores",
 		Long: `
-Adds a root certificate into the local trust stores. Intended for
-development environments only.
+Adds a root certificate into the local trust stores.

-Since Caddy will install its root certificates into the local trust
-stores automatically when they are first generated, this command is
-only necessary if you need to pre-install the certificates before
-using them; for example, if you have elevated privileges at one
-point but not later, you will want to use this command so that a
-password prompt is not required later.
+Caddy will attempt to install its root certificates into the local
+trust stores automatically when they are first generated, but it
+might fail if Caddy doesn't have the appropriate permissions to
+write to the trust store. This command is necessary to pre-install
+the certificates before using them, if the server process runs as an
+unprivileged user (such as via systemd).

-This command installs the root certificate only for Caddy's
-default CA.`,
+By default, this command installs the root certificate for Caddy's
+default CA (i.e. 'local'). You may specify the ID of another CA
+with the --ca flag.
+
+Also, this command will attempt to connect to the Caddy's admin API
+running at '` + caddy.DefaultAdminListen + `' to fetch the root certificate. You may
+explicitly specify the --address, or use the --config flag to load
+the admin address from your config, if not using the default.`,
+		Flags: func() *flag.FlagSet {
+			fs := flag.NewFlagSet("trust", flag.ExitOnError)
+			fs.String("ca", "", "The ID of the CA to trust (defaults to 'local')")
+			fs.String("address", "", "Address of the administration API listener (if --config is not used)")
+			fs.String("config", "", "Configuration file (if --address is not used)")
+			fs.String("adapter", "", "Name of config adapter to apply (if --config is used)")
+			return fs
+		}(),
 	})

 	caddycmd.RegisterCommand(caddycmd.Command{
 		Name:  "untrust",
 		Func:  cmdUntrust,
-		Usage: "[--ca <id> | --cert <path>]",
+		Usage: "[--cert <path>] | [[--ca <id>] [--address <listen>] [--config <path> [--adapter <name>]]]",
 		Short: "Untrusts a locally-trusted CA certificate",
 		Long: `
-Untrusts a root certificate from the local trust store(s). Intended
-for development environments only.
+Untrusts a root certificate from the local trust store(s).

 This command uninstalls trust; it does not necessarily delete the
 root certificate from trust stores entirely. Thus, repeatedly
 trusting and untrusting new certificates can fill up trust databases.

-This command does not delete or modify certificate files.
+This command does not delete or modify certificate files from Caddy's
+configured storage.

-Specify which certificate to untrust either by the ID of its CA with
-the --ca flag, or the direct path to the certificate file with the
--cert flag. If the --ca flag is used, only the default storage paths
-are assumed (i.e. using --ca flag with custom storage backends or file
-paths will not work).
+This command can be used in one of two ways. Either by specifying
+which certificate to untrust by a direct path to the certificate
+file with the --cert flag, or by fetching the root certificate for
+the CA from the admin API (default behaviour).

-If no flags are specified, --ca=local is assumed.`,
+If the admin API is used, then the CA defaults to 'local'. You may
+specify the ID of another CA with the --ca flag. By default, this
+will attempt to connect to the Caddy's admin API running at
+'` + caddy.DefaultAdminListen + `' to fetch the root certificate.
+You may explicitly specify the --address, or use the --config flag
+to load the admin address from your config, if not using the default.`,
 		Flags: func() *flag.FlagSet {
 			fs := flag.NewFlagSet("untrust", flag.ExitOnError)
-			fs.String("ca", "", "The ID of the CA to untrust")
 			fs.String("cert", "", "The path to the CA certificate to untrust")
+			fs.String("ca", "", "The ID of the CA to untrust (defaults to 'local')")
+			fs.String("address", "", "Address of the administration API listener (if --config is not used)")
+			fs.String("config", "", "Configuration file (if --address is not used)")
+			fs.String("adapter", "", "Name of config adapter to apply (if --config is used)")
 			return fs
 		}(),
 	})
 }

-func cmdTrust(fs caddycmd.Flags) (int, error) {
-	// we have to create a sort of dummy context so that
-	// the CA can provision itself...
-	ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
-	defer cancel()
+func cmdTrust(fl caddycmd.Flags) (int, error) {
+	caID := fl.String("ca")
+	addrFlag := fl.String("address")
+	configFlag := fl.String("config")
+	configAdapterFlag := fl.String("adapter")

-	// provision the CA, which generates and stores a root
-	// certificate if one doesn't already exist in storage
-	ca := CA{
-		storage: caddy.DefaultStorage,
+	// Prepare the URI to the admin endpoint
+	if caID == "" {
+		caID = DefaultCAID
 	}
-	err := ca.Provision(ctx, DefaultCAID, caddy.Log())
+
+	// Determine where we're sending the request to get the CA info
+	adminAddr, err := caddycmd.DetermineAdminAPIAddress(addrFlag, configFlag, configAdapterFlag)
+	if err != nil {
+		return caddy.ExitCodeFailedStartup, fmt.Errorf("couldn't determine admin API address: %v", err)
+	}
+
+	// Fetch the root cert from the admin API
+	rootCert, err := rootCertFromAdmin(adminAddr, caID)
 	if err != nil {
 		return caddy.ExitCodeFailedStartup, err
 	}

+	// Set up the CA struct; we only need to fill in the root
+	// because we're only using it to make use of the installRoot()
+	// function. Also needs a logger for warnings, and a "cert path"
+	// for the root cert; since we're loading from the API and we
+	// don't know the actual storage path via this flow, we'll just
+	// pass through the admin API address instead.
+	ca := CA{
+		log:          caddy.Log(),
+		root:         rootCert,
+		rootCertPath: adminAddr + adminPKICertificatesEndpoint + caID,
+	}
+
+	// Install the cert!
 	err = ca.installRoot()
 	if err != nil {
 		return caddy.ExitCodeFailedStartup, err
@ -101,33 +144,93 @@ func cmdTrust(fs caddycmd.Flags) (int, error) {
 	return caddy.ExitCodeSuccess, nil
 }

-func cmdUntrust(fs caddycmd.Flags) (int, error) {
-	ca := fs.String("ca")
-	cert := fs.String("cert")
+func cmdUntrust(fl caddycmd.Flags) (int, error) {
+	certFile := fl.String("cert")
+	caID := fl.String("ca")
+	addrFlag := fl.String("address")
+	configFlag := fl.String("config")
+	configAdapterFlag := fl.String("adapter")

-	if ca != "" && cert != "" {
-		return caddy.ExitCodeFailedStartup, fmt.Errorf("conflicting command line arguments")
-	}
-	if ca == "" && cert == "" {
-		ca = DefaultCAID
-	}
-	if ca != "" {
-		cert = filepath.Join(caddy.AppDataDir(), "pki", "authorities", ca, "root.crt")
+	if certFile != "" && (caID != "" || addrFlag != "" || configFlag != "") {
+		return caddy.ExitCodeFailedStartup, fmt.Errorf("conflicting command line arguments, cannot use --cert with other flags")
 	}

-	// sanity check, make sure cert file exists first
-	_, err := os.Stat(cert)
+	// If a file was specified, try to uninstall the cert matching that file
+	if certFile != "" {
+		// Sanity check, make sure cert file exists first
+		_, err := os.Stat(certFile)
+		if err != nil {
+			return caddy.ExitCodeFailedStartup, fmt.Errorf("accessing certificate file: %v", err)
+		}
+
+		// Uninstall the file!
+		err = truststore.UninstallFile(certFile,
+			truststore.WithDebug(),
+			truststore.WithFirefox(),
+			truststore.WithJava())
+		if err != nil {
+			return caddy.ExitCodeFailedStartup, fmt.Errorf("failed to uninstall certificate file: %v", err)
+		}
+
+		return caddy.ExitCodeSuccess, nil
+	}
+
+	// Prepare the URI to the admin endpoint
+	if caID == "" {
+		caID = DefaultCAID
+	}
+
+	// Determine where we're sending the request to get the CA info
+	adminAddr, err := caddycmd.DetermineAdminAPIAddress(addrFlag, configFlag, configAdapterFlag)
 	if err != nil {
-		return caddy.ExitCodeFailedStartup, fmt.Errorf("accessing certificate file: %v", err)
+		return caddy.ExitCodeFailedStartup, fmt.Errorf("couldn't determine admin API address: %v", err)
 	}

-	err = truststore.UninstallFile(cert,
-		truststore.WithDebug(),
-		truststore.WithFirefox(),
-		truststore.WithJava())
+	// Fetch the root cert from the admin API
+	rootCert, err := rootCertFromAdmin(adminAddr, caID)
 	if err != nil {
 		return caddy.ExitCodeFailedStartup, err
 	}

+	// Uninstall the cert!
+	err = truststore.Uninstall(rootCert,
+		truststore.WithDebug(),
+		truststore.WithFirefox(),
+		truststore.WithJava())
+	if err != nil {
+		return caddy.ExitCodeFailedStartup, fmt.Errorf("failed to uninstall certificate file: %v", err)
+	}
+
 	return caddy.ExitCodeSuccess, nil
 }
+
+// rootCertFromAdmin makes the API request to fetch the
+func rootCertFromAdmin(adminAddr string, caID string) (*x509.Certificate, error) {
+	uri := adminPKICertificatesEndpoint + caID
+
+	// Make the request to fetch the CA info
+	resp, err := caddycmd.AdminAPIRequest(adminAddr, http.MethodGet, uri, make(http.Header), nil)
+	if err != nil {
+		return nil, fmt.Errorf("requesting CA info: %v", err)
+	}
+	defer resp.Body.Close()
+
+	// Decode the resposne
+	caInfo := new(CAInfo)
+	err = json.NewDecoder(resp.Body).Decode(caInfo)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode JSON response: %v", err)
+	}
+
+	// Decode the root
+	rootBlock, _ := pem.Decode([]byte(caInfo.Root))
+	if rootBlock == nil {
+		return nil, fmt.Errorf("failed to decode root certificate: %v", err)
+	}
+	rootCert, err := x509.ParseCertificate(rootBlock.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse root certificate: %v", err)
+	}
+
+	return rootCert, nil
+}