Use container secrets securely

* increases the default password length from 40 to 256 characters
* adds a new ENV variable DOCKER_STEPCA_PASSWORD_FILE so the password file
  location can be changed
* adds set_password_files() to entrypoint.sh so /home/step/secrets/password
  becomes a symlink in containers pointing to DOCKER_STEPCA_INIT_PASSWORD_FILE
  & also DOCKER_STEPCA_PASSWORD_FILE so file permissions are retained
* adds podman example quadlet / run command with a 378,000 character secret
* small update to README.md for new podman examples / docker examples

Fixes #2270

Author: itoffshore

README.md

@@ -136,6 +136,9 @@ See our installation docs [here](https://smallstep.com/docs/step-ca/installation
 [on smallstep.com](https://smallstep.com/docs/step-cli/reference/),
 or by running `step help --http=:8080` from the command line
 and visiting http://localhost:8080.
+* [Examples](https://github.com/smallstep/certificates/tree/master/examples) including
+[Podman & Quantum Resistant CA](https://github.com/smallstep/certificates/tree/master/examples/podman) &
+[Docker](https://github.com/smallstep/certificates/tree/master/examples/docker)
 
 ## Feedback?
 

docker/entrypoint.sh

@@ -27,11 +27,16 @@ function init_if_possible () {
 
 function generate_password () {
     set +o pipefail
-    < /dev/urandom tr -dc A-Za-z0-9 | head -c40
+    < /dev/urandom tr -dc A-Za-z0-9 | head -c256
     echo
     set -o pipefail
 }
 
+function set_password_files () {
+    ln -sf "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" "${STEPPATH}/password"
+    ln -sf "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" "${STEPPATH}/provisioner_password"
+}
+
 # Initialize a CA if not already initialized
 function step_ca_init () {
     DOCKER_STEPCA_INIT_PROVISIONER_NAME="${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
@@ -47,8 +52,7 @@ function step_ca_init () {
         --address "${DOCKER_STEPCA_INIT_ADDRESS}"
     )
     if [ -n "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" ]; then
-        cat < "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" > "${STEPPATH}/password"
-        cat < "${DOCKER_STEPCA_INIT_PASSWORD_FILE}" > "${STEPPATH}/provisioner_password"
+	set_password_files
     elif [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
         echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
         echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
@@ -86,4 +90,8 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
     init_if_possible
 fi
 
+if [ -n "${DOCKER_STEPCA_PASSWORD_FILE}" ]; then
+    set_password_files
+fi
+
 exec "${@}"

examples/podman/quantum-resistant-ca.md

@@ -0,0 +1,80 @@
+## Example [Quantum Resistant CA](https://angrysysadmins.tech/index.php/2022/09/grassyloki/step-ca-change-certificate-authority-and-intermediate-authority-encryption-type-and-key-size/)
+
+Generates:
+
+* **Root CA** with RSA `16384` bit certificate
+* **Intermediate CA** with RSA `8192` bit certificate
+* Use [higher container limits](https://github.com/smallstep/certificates/tree/master/examples/podman/stepca.container.md): `1` or `2` cores in testing below is ideal
+* `PodmanArgs=--memory 50m --cpus 1`
+
+---
+
+* Get a shell in the container & regenerate certificates
+* `podman exec -it container_name /bin/bash`
+
+---
+```
+export root_bits=16384
+export intermediate_bits=8192
+```
+
+## ROOT CA
+
+```
+step certificate create 'My Root CA' \
+    $(step path)/certs/root_ca.crt \
+    $(step path)/secrets/root_ca_key \
+    --profile root-ca \
+    --kty RSA --size $root_bits \
+    --force
+```
+
+8192 bits (root CA generation time)
+---
+* 1 core = 1 min / 21 secs / 50 secs
+
+16384 bits (root CA generation time)
+---
+* 8 cores = 3 mins / 12 mins
+* 3 cores = 14 mins
+* 2 cores = 3 mins / 6 mins / 7 mins / 9 mins / 11 mins / 13 mins
+* 1.5 cores = 8 mins / 29 mins
+* 1 core = 2 mins / 6 mins / 7.5 mins / 15 mins / 16.5 mins
+* 0.5 core = 9 mins / 23 mins
+
+## Intermediate CA
+
+```
+step certificate create 'My Intermediate CA' \
+    $(step path)/certs/intermediate_ca.crt \
+    $(step path)/secrets/intermediate_ca_key \
+    --profile intermediate-ca \
+    --ca $(step path)/certs/root_ca.crt \
+    --ca-key $(step path)/secrets/root_ca_key \
+    --kty RSA --size $intermediate_bits \
+    --force
+```
+
+8192 bits (intermediate CA generation time)
+---
+* 2 core = 30 secs
+* 1 core = 25 secs
+
+---
+
+* Restart the container & note the new X.509 Root Fingerprint: `podman logs container_name` 
+* Boostsrap clients
+
+```
+port=xxx
+
+step ca bootstrap \
+	--ca-url https://ca.mydomain.com:$port \
+	--fingerprint 12345678abcdef12345678abcdef12345678abcdef12345678abcdef12345678 \
+	--context your_label \
+	--force
+```
+
+---
+
+* Contributed by: [Stuart Cardall](https://github.com/itoffshore)

examples/podman/stepca.container.md

@@ -0,0 +1,48 @@
+## Example [Podman Quadlet container](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#container-units-container) file
+
+* `~/.config/containers/systemd/stepca.container` (rootless)
+* `/etc/containers/systemd/stepca.container`      (rootful)
+
+```
+[Unit]
+Description=Smallstep Certificate Authority
+After=network-online.target
+
+[Container]
+# default EC root CA / intermediate CA
+PodmanArgs=--memory 25m --cpus 0.20
+# RSA 16384 / 8192 bit root CA / intermediate CA
+# PodmanArgs=--memory 50m --cpus 1
+PidsLimit=60
+DropCapability=ALL
+AutoUpdate=registry
+ContainerName=stepca
+DropCapability=ALL
+Environment=TZ="Europe/London"
+Environment="DOCKER_STEPCA_INIT_NAME=Example CA"
+Environment=DOCKER_STEPCA_INIT_DNS_NAMES=ca.custom.domain,10.89.0.10,localhost,127.0.0.1
+Environment=DOCKER_STEPCA_INIT_PROVISIONER_NAME=admin@custom.domain
+Environment=DOCKER_STEPCA_INIT_SSH=true
+Environment=DOCKER_STEPCA_INIT_ACME=true
+Environment=DOCKER_STEPCA_INIT_PASSWORD_FILE=/run/secrets/stepca
+HostName=stepca
+PodmanArgs=--privileged
+# Alpine image
+Image=docker.io/smallstep/step-ca
+# Debian image with TPM support
+#Image=docker.io/smallstep/step-ca:hsm
+PublishPort=10.89.0.10:9000:9000/tcp
+PublishPort=127.0.0.1:9000:9000/tcp
+Secret=source=stepca,type=mount,uid=1000,gid=1000,mode=400
+Volume=/path/to/volumes/stepca/config:/home/step:Z
+DNS=10.89.0.1
+DNSOption=~custom.domain
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target
+```
+
+* Contributed by: [Stuart Cardall](https://github.com/itoffshore)

examples/podman/stepca.run.md

@@ -0,0 +1,47 @@
+## Example creation of a Podman container & secret
+
+* Using a [cryptographically strong secret from `openssl` with an `8192` character `hex` string](https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html#examples)
+
+see also:
+
+- [Create a "quadlet"](https://github.com/containers/podlet)
+- [Netbird VPN](https://github.com/netbirdio/netbird)
+- [examples/podman/stepca.container.md](https://github.com/smallstep/certificates/tree/master/examples/podman/stepca.container.md)
+
+```
+iface=wt0 # running over netbird
+ctr=stepca
+ip=$(ip -f inet addr show $iface | sed -En -e 's/.*inet ([0-9.]+).*/\1/p')
+repo=docker.io/smallstep/step-ca
+# TPM supported image
+# repo=docker.io/smallstep/step-ca:hsm
+dns="ca.custom.domain,$ip,localhost,127.0.0.1"
+email="admin@custom.domain"
+ca="My CA"
+
+####################
+# auto config      #
+####################
+
+bytes=8096
+openssl rand -hex $bytes | podman secret create --replace $ctr -
+
+podman run -d --replace \
+    --name $ctr \
+    --hostname $ctr \
+    --secret source=$ctr,type=mount,uid=1000,gid=1000,mode=400 \
+    --env "DOCKER_STEPCA_INIT_NAME=$ca" \
+    --env "DOCKER_STEPCA_INIT_DNS_NAMES=$dns" \
+    --env "DOCKER_STEPCA_INIT_PROVISIONER_NAME=$email" \
+    --env "DOCKER_STEPCA_INIT_SSH=true" \
+    --env "DOCKER_STEPCA_INIT_ACME=true" \
+    --env "DOCKER_STEPCA_PASSWORD_FILE=/run/secrets/$ctr" \
+    --cap-drop ALL \
+    --restart always \
+    --privileged \
+    --label "io.containers.autoupdate=registry" \
+    -v ${HOME}/volumes/$ctr/config:/home/step:Z \
+$repo
+```
+
+* Contributed by: [Stuart Cardall](https://github.com/itoffshore)