Merge branch 'master' into herman/wasm-signals-and-offline-mode

command/ca/renew.go

@@ -280,7 +280,7 @@ func renewCertificateAction(ctx *cli.Context) error {
 	if isDaemon {
 		// Force is always enabled when daemon mode is used
 		ctx.Set("force", "true")
-		next := utils.NextRenewDuration(leaf, expiresIn, renewPeriod)
+		next := utils.NextRenewDuration(cert.Leaf, expiresIn, renewPeriod)
 		return renewer.Daemon(outFile, next, expiresIn, renewPeriod, afterRenew)
 	}
 
@@ -334,6 +334,7 @@ func runExecCmd(execCmd string) error {
 }
 
 func newRenewer(ctx *cli.Context, caURL string, cert tls.Certificate, rootFile string) (*renewerPkg.Renewer, error) {
+
 	if len(cert.Certificate) == 0 {
 		return nil, errors.New("error loading certificate: certificate chain is empty")
 	}
@@ -351,8 +352,11 @@ func newRenewer(ctx *cli.Context, caURL string, cert tls.Certificate, rootFile s
 		},
 	}
 
-	var client caclient.CaClient
+	if time.Now().Before(cert.Leaf.NotAfter) {
+		tr.TLSClientConfig.Certificates = []tls.Certificate{cert}
+	}
 
+	var client caclient.CaClient
 	isOffline := ctx.Bool("offline")
 	if isOffline {
 		caConfig := ctx.String("ca-config")
@@ -370,41 +374,12 @@ func newRenewer(ctx *cli.Context, caURL string, cert tls.Certificate, rootFile s
 		}
 	}
 
-	return renewerPkg.New(client, tr, cert.PrivateKey, isOffline), nil
-}
-
-// RenewAfterExpiry creates an authorization token with the given certificate
-// and attempts to renew the expired certificate.
-func (r *renewer) RenewAfterExpiry(cert tls.Certificate) (*api.SignResponse, error) {
-	claims, err := token.NewClaims(
-		token.WithAudience(r.caURL.ResolveReference(&url.URL{Path: "/renew"}).String()),
-		token.WithIssuer("step-ca-client/1.0"),
-		token.WithSubject(cert.Leaf.Subject.CommonName),
-	)
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating authorization token")
-	}
-	var x5c []string
-	for _, b := range cert.Certificate {
-		x5c = append(x5c, base64.StdEncoding.EncodeToString(b))
-	}
-	if claims.ExtraHeaders == nil {
-		claims.ExtraHeaders = make(map[string]interface{})
-	}
-	claims.ExtraHeaders[jose.X5cInsecureKey] = x5c
-
-	tok, err := claims.Sign("", cert.PrivateKey)
+	u, err := url.Parse(client.GetCaURL())
 	if err != nil {
-		return nil, errors.Wrap(err, "error signing authorization token")
+		return nil, errors.Errorf("error parsing CA URL: %s", client.GetCaURL())
 	}
 
-	// Remove existing certificate from the transport. And close keep-alive
-	// connections. When daemon is used we don't want to re-use the connection
-	// that did not include a certificate.
-	r.transport.TLSClientConfig.Certificates = nil
-	defer r.transport.CloseIdleConnections()
-
-	return r.client.RenewWithToken(tok)
+	return renewerPkg.New(client, tr, cert.PrivateKey, isOffline, cert, u), nil
 }
 
 func tlsLoadX509KeyPair(certFile, keyFile, passFile string) (tls.Certificate, error) {

internal/renewer/renewer.go

@@ -8,6 +8,7 @@ import (
 	"encoding/pem"
 	"log"
 	"net/http"
+	"net/url"
 	"os"
 	"time"
 
@@ -24,14 +25,18 @@ type Renewer struct {
 	transport *http.Transport
 	key       crypto.PrivateKey
 	offline   bool
+	cert      tls.Certificate
+	caURL     *url.URL
 }
 
-func New(client caclient.CaClient, tr *http.Transport, key crypto.PrivateKey, offline bool) *Renewer {
+func New(client caclient.CaClient, tr *http.Transport, key crypto.PrivateKey, offline bool, cert tls.Certificate, caURL *url.URL) *Renewer {
 	return &Renewer{
 		client:    client,
 		transport: tr,
 		key:       key,
 		offline:   offline,
+		cert:      cert,
+		caURL:     caURL,
 	}
 }
 

utils/cautils/client/client.go

@@ -26,4 +26,5 @@ type CaClient interface {
 	SSHBastion(req *api.SSHBastionRequest) (*api.SSHBastionResponse, error)
 	Version() (*api.VersionResponse, error)
 	GetRootCAs() *x509.CertPool
+	GetCaURL() string
 }