Private CA for SSH certificates

.github/workflows/update-private-ca-lambda.yml

@@ -0,0 +1,34 @@
+name: Update Private CA Lambda on push
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - private-ca/server/**
+      - .github/workflows/update-private-ca-lambda.yml
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  update-lambda:
+    runs-on: "ubuntu-24.04"
+    environment: "Prod"
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_PRIVATE_CA_LAMBDA_UPDATE_ROLE }}
+          role-session-name: UpdatePrivateCALambda
+
+      - name: Run update-server-on-lambda.sh
+        run: |
+          cd private-ca/
+          bash update-server-on-lambda.sh

.gitignore

@@ -0,0 +1 @@
+**/node_modules/**

action/setup/create-role-action.sh

@@ -0,0 +1,27 @@
+ACCOUNT_ID=$1
+PROFILE=$2
+POLICY_NAME=${3:-AWS_PRIVATE_CA_LAMBDA_UPDATE_POLICY}
+ROLE_NAME=${4:-AWS_PRIVATE_CA_LAMBDA_UPDATE_ROLE}
+
+[ ! -z $PROFILE ] && PROFILE="--profile=$PROFILE"
+
+ROLE_ARN=$(aws iam list-roles --query "Roles[?RoleName=='$ROLE_NAME'].Arn" --output text $PROFILE)
+
+if [ -n "$ROLE_ARN"  ] ; then
+  echo "Role $ROLE_NAME already exists"
+else
+  ASSUME_ROLE_POLICY_DOC=$( sed "s/<account-id>/$ACCOUNT_ID/" policies/trust-relationship-policy.json )
+  ROLE_ARN=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$ASSUME_ROLE_POLICY_DOC" --output text $PROFILE --query 'Role.Arn')
+  echo "Role created with arn: "
+  echo $ROLE_ARN
+fi
+
+POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='$POLICY_NAME'].Arn" --output text $PROFILE)
+if [ -n "$POLICY_ARN" ]; then
+  echo "Policy $POLICY_NAME already exists"
+else
+  echo "Creating Policy"
+  POLICY_DOC=$(sed -e "s/<account_id>/$ACCOUNT_ID/g" policies/lambda-update-policy.json)
+  POLICY_ARN=$(aws iam create-policy --policy-name $POLICY_NAME --policy-document "$POLICY_DOC" $PROFILE --output text --query 'Policy.Arn' )
+  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn $POLICY_ARN $PROFILE
+fi

action/setup/policies/lambda-update-policy.json

@@ -0,0 +1,15 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Effect": "Allow",
+          "Action": [
+              "lambda:UpdateFunctionCode",
+              "lambda:GetFunction"
+          ],
+          "Resource": [
+              "arn:aws:lambda:*:<account_id>:function:privateCA"
+          ]
+      }
+  ]
+} 

action/setup/policies/trust-relationship-policy.json

@@ -0,0 +1,20 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Effect": "Allow",
+          "Principal": {
+              "Federated": "arn:aws:iam::<account-id>:oidc-provider/token.actions.githubusercontent.com"
+          },
+          "Action": "sts:AssumeRoleWithWebIdentity",
+          "Condition": {
+              "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+              },
+              "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "repo:getfundwave/network-utils:environment:Prod"
+              }
+          }
+      }
+  ]
+}

private-ca/README.md

@@ -0,0 +1,160 @@
+# Private Certificate Authority (CA) for SSH Certificates
+
+This project provides a private Certificate Authority (CA) implementation for generating SSH certificates. It allows you to issue certificates for SSH hosts and users for secure communication.
+
+## Deployment
+
+Deploy the resources by running:
+
+```bash
+./deploy-server-on-lambda.sh
+```
+
+This creates the following resources on AWS:
+
+- Secret to store the keys for signing certificates
+- A role for the lambda function
+- A policy to be attached to the role giving read access to created secret
+- An openSSH layer to facilitate SSH operations
+- The lambda function to act as a privateCA
+
+## Prerequisites for usage
+
+### Running via Docker (for host machines only)
+
+- Docker
+
+### Running directly
+
+- Python 3
+- Bash
+- Dependencies: `curl`, `jq`, `ssh-keygen`, `base64`
+
+### Running via AWS CLI (Lambda)
+
+- AWS CLI
+- Python 3
+- Access to the Lambda function in the specified region
+
+## Usage
+
+### Running directly
+
+#### For client certificates:
+
+```bash
+bash invoke-private-ca.sh generateClientSSHCert <PRIVATE-CA-URL> client
+```
+
+#### For host certificates:
+
+```bash
+bash invoke-private-ca.sh generateHostSSHCert <PRIVATE-CA-URL> host
+```
+
+#### For getting host CA public key:
+
+```bash
+bash invoke-private-ca.sh getHostCAPublicKey <PRIVATE-CA-URL> client
+```
+
+**Note:**
+
+1. Sudo privilege is required for generating host certificates as they need to write to system directories like `/etc/ssh`.
+2. The `ENVIRONMENT` (host or client) parameter affects how AWS credentials are retrieved. See [Script Parameters](#script-parameters) for more details.
+
+### Running via AWS CLI (Lambda)
+
+The `invoke-private-ca-aws-cli.sh` script provides an alternative approach to generate certificates. This method uses AWS CLI to invoke the Lambda function rather than making HTTP requests.
+
+#### Usage:
+
+```bash
+bash invoke-private-ca-aws-cli.sh <CA_ACTION> <ENVIRONMENT> <USER-SSH-DIR> <SYSTEM-SSH-DIR> <CA-LAMBDA-FUNCTION-NAME> <LAMBDA-REGION> <AWS-STS-REGION> <AWS-EC2-REGION> <CERT-HALF-LIFE-SECONDS>
+```
+
+### Running via Docker
+
+1. Build the Docker image:
+
+   ```bash
+   cd client
+   docker build -t certificate-generator .
+   ```
+
+2. Run the Docker container with the required volume mounts and parameters:
+
+   ```bash
+   docker run --rm \
+      -v $HOME/.ssh:/root/.ssh \
+      -v /etc/ssh:/etc/ssh \
+      certificate-generator \
+      generateHostSSHCert \
+      https://<PRIVATE-CA-URL>/ \
+      host \
+   ```
+
+## Running as a cron job (optional)
+
+Since certificates need to be renewed periodically, you can set up a cron job to automatically regenerate them.
+
+Sample script:
+
+```bash
+#!/bin/bash
+
+# Create the cron job entry
+echo "* */1 * * * cd /path/to/private-ca/client && bash invoke-private-ca.sh generateHostSSHCert https://<PRIVATE-CA-URL>/ host >> /home/cron.log 2>&1" > /tmp/root_crontab
+
+# Load into root's crontab
+crontab -u root /tmp/root_crontab
+
+# Optionally start cron service (only if not already running)
+systemctl start cron 2>/dev/null || systemctl start crond 2>/dev/null
+```
+
+## Script Parameters
+
+Both `invoke-private-ca.sh` and `invoke-private-ca-aws-cli.sh` accept several shared and some script-specific parameters.
+
+| Parameter                 | Required | Description                                                                                | Used In Script(s)              | Default Value             |
+| ------------------------- | -------- | ------------------------------------------------------------------------------------------ | ------------------------------ | ------------------------- |
+| `CA_ACTION`               | Yes      | Action to perform: `generateClientSSHCert`, `generateHostSSHCert`, or `getHostCAPublicKey` | Both                           | —                         |
+| `CA_URL`                  | Yes      | URL of the Private CA                                                                      | `invoke-private-ca.sh`         | —                         |
+| `ENVIRONMENT`             | No       | Machine environment: `"client"` (uses AWS CLI) or `"host"` (uses EC2 metadata)             | Both                           | `client`                  |
+| `USER_SSH_DIR`            | No       | Path to user's SSH directory                                                               | Both                           | `$HOME/.ssh`              |
+| `USER_AWS_DIR`            | No       | Path to user's AWS directory                                                               | `invoke-private-ca.sh`         | `$HOME/.aws`              |
+| `SYSTEM_SSH_DIR`          | No       | Path to system SSH directory                                                               | Both                           | `/etc/ssh`                |
+| `AWS_STS_REGION`          | No       | AWS region to use for STS operations                                                       | Both                           | `eu-central-1`            |
+| `LAMBDA_REGION`           | No       | AWS region where the Lambda function is deployed                                           | `invoke-private-ca-aws-cli.sh` | `eu-central-1`            |
+| `CA_LAMBDA_FUNCTION_NAME` | No       | Name of the Lambda function that performs certificate signing                              | `invoke-private-ca-aws-cli.sh` | `privateCA`               |
+| `AWS_EC2_REGION`          | No       | AWS region where the EC2 instance is deployed                                              | `invoke-private-ca-aws-cli.sh` | `eu-central-1`            |
+| `CERT_HALF_LIFE_SECONDS`  | No       | Certificate half-life in seconds                                                           | Both                           | `259200 seconds (3 days)` |
+
+## Important Notes
+
+- **Certificate Type**: Determined by the `CA_ACTION` parameter (`generateClientSSHCert`, `generateHostSSHCert`, or `getHostCAPublicKey`)
+- **Permissions**: Host certificates require sudo privileges for system directory access
+- **Public Key Retrieval**: The `getHostCAPublicKey` action retrieves the Host CA's public key for host certificate verification
+
+## Client Environment Limitations
+
+**Important**: Client environments can only generate client certificates because they don't have a public IP address.
+
+- **Host Certificate Requirements**: Host certificates require the public IP address as a hostname when issuing the certificate. Due to the absence of a public IP address, client environments cannot generate host certificates
+- **Recommendation**: Use client environments exclusively for generating client certificates, and use host environments (such as EC2 instances with public IPs) for generating host certificates
+
+## Directory Structure
+
+- `deploy-server-on-lambda.sh`: Script to deploy the Lambda function and related AWS resources
+- `update-server-on-lambda.sh`: Script to update the deployed Lambda function
+- `client/`: Directory containing client-side tools
+  - `invoke-private-ca.sh`: Main script for certificate generation using curl
+  - `invoke-private-ca-aws-cli.sh`: Alternative script using AWS CLI
+  - `aws-auth-header.py`: Python helper for generating AWS authentication headers
+  - `Dockerfile`: Docker container configuration
+- `server/`: Directory containing server-side Lambda function code
+
+```
+
+```

private-ca/client/Dockerfile

@@ -0,0 +1,12 @@
+FROM alpine:3.18.3
+
+RUN apk add bash curl jq python3 openssh
+
+WORKDIR /app
+
+COPY invoke-private-ca.sh .
+COPY aws-auth-header.py .
+
+RUN chmod +x invoke-private-ca.sh
+
+ENTRYPOINT ["bash", "invoke-private-ca.sh"]

private-ca/client/aws-auth-header.py

@@ -0,0 +1,29 @@
+import sys
+from datetime import datetime, timezone
+from botocore.auth import SigV4Auth
+from botocore.awsrequest import AWSRequest
+from botocore.credentials import Credentials
+
+if __name__ == "__main__":
+    access_key_id = sys.argv[1]
+    secret_access_key = sys.argv[2]
+    session_token = sys.argv[3]
+    aws_region = sys.argv[4]
+
+    sts_host = "sts." + aws_region + ".amazonaws.com"
+    request_parameters = 'Action=GetCallerIdentity&Version=2011-06-15'
+    request_headers = {
+        'Host': sts_host,
+        'X-Amz-Date': datetime.now(timezone.utc).strftime('%Y%m%dT%H%M%SZ'),
+        'Aud': 'FundwaveCA'
+    }
+    request = AWSRequest(method="POST", url="/", data=request_parameters, headers=request_headers)
+    boto_creds = Credentials(access_key_id, secret_access_key,token=session_token)
+    auth = SigV4Auth(boto_creds, "sts", aws_region)
+    auth.add_auth(request)
+
+    authorization = request.headers["Authorization"]
+    date = request.headers["X-Amz-Date"]
+
+    response = f'{{"Authorization": "{authorization}", "Date": "{date}"}}'
+    print(response)