Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/go_modules/github.com/slackhq/nebula-1.9.0
wire-acme-extensions
mariano/init-provisioners
fix-1637
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f2dd5c48cc'
${ noResults }
smallstep-certificates/authority/authority.go

365 lines
10 KiB
Go
Raw Normal View History Unescape Escape

first commit
6 years ago
package authority
import (
Use x5cInsecure token for /ssh/check-host endpoint
5 years ago
"context"
Add initial implementation of an SSH CA using the JWK provisioner. Fixes smallstep/ca-component#187
5 years ago
"crypto"
first commit
6 years ago
"crypto/sha256"
Add initial support for federated root certificates.
5 years ago
"crypto/x509"
first commit
6 years ago
"encoding/hex"
Close the key manager before shutting down.
4 years ago
"log"
first commit
6 years ago
"sync"
"time"
Early attempt to develop a CAS interface.
4 years ago
"github.com/smallstep/certificates/cas"
Allow to use custom SSH user/host key files.
5 years ago
"github.com/pkg/errors"
Use provisioner.Collection to store and request the provisioners.
5 years ago
"github.com/smallstep/certificates/authority/provisioner"
Early attempt to develop a CAS interface.
4 years ago
casapi "github.com/smallstep/certificates/cas/apiv1"
Add /revoke API with interface db backend
5 years ago
"github.com/smallstep/certificates/db"
Add wip support for kms.
4 years ago
"github.com/smallstep/certificates/kms"
kmsapi "github.com/smallstep/certificates/kms/apiv1"
Add version endpoint.
5 years ago
"github.com/smallstep/certificates/templates"
Use always go.step.sm/crypto
4 years ago
"go.step.sm/crypto/pemutil"
Add initial implementation of ssh config.
5 years ago
"golang.org/x/crypto/ssh"
first commit
6 years ago
)
Add ACME CA capabilities
5 years ago
const (
legacyAuthority = "step-certificate-authority"
)
Set audience using the sign url.
6 years ago
first commit
6 years ago
// Authority implements the Certificate Authority internal interface.
type Authority struct {
Add options to read the roots and federated roots from a bundle.
4 years ago
config *Config
keyManager kms.KeyManager
provisioners *provisioner.Collection
db db.AuthDB
Use templates from authority instead of config.
4 years ago
templates *templates.Templates
Add options to read the roots and federated roots from a bundle.
4 years ago
// X509 CA
Early attempt to develop a CAS interface.
4 years ago
x509CAService cas.CertificateAuthorityService
Add options to read the roots and federated roots from a bundle.
4 years ago
rootX509Certs []*x509.Certificate
federatedX509Certs []*x509.Certificate
x509Signer crypto.Signer
x509Issuer *x509.Certificate
certificates *sync.Map
// SSH CA
Add support for multiple ssh roots. Fixes #125
5 years ago
sshCAUserCertSignKey ssh.Signer
sshCAHostCertSignKey ssh.Signer
sshCAUserCerts []ssh.PublicKey
sshCAHostCerts []ssh.PublicKey
sshCAUserFederatedCerts []ssh.PublicKey
sshCAHostFederatedCerts []ssh.PublicKey
Add options to read the roots and federated roots from a bundle.
4 years ago
first commit
6 years ago
// Do not re-initialize
Add options to read the roots and federated roots from a bundle.
4 years ago
initOnce bool
startTime time.Time
Add support for /ssh/bastion method.
5 years ago
// Custom functions
Add context parameter to all SSH methods.
4 years ago
sshBastionFunc func(ctx context.Context, user, hostname string) (*Bastion, error)
Use x5cInsecure token for /ssh/check-host endpoint
5 years ago
sshCheckHostFunc func(ctx context.Context, principal string, tok string, roots []*x509.Certificate) (bool, error)
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
sshGetHostsFunc func(ctx context.Context, cert *x509.Certificate) ([]Host, error)
Use x5cInsecure token for /ssh/check-host endpoint
5 years ago
getIdentityFunc provisioner.GetIdentityFunc
first commit
6 years ago
}
// New creates and initiates a new Authority type.
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170
5 years ago
func New(config *Config, opts ...Option) (*Authority, error) {
Add backend support for provisioners with cursors. Fixes #83
6 years ago
err := config.Validate()
if err != nil {
first commit
6 years ago
return nil, err
}
Add backend support for provisioners with cursors. Fixes #83
6 years ago
first commit
6 years ago
var a = &Authority{
Use provisioner.Collection to store and request the provisioners.
5 years ago
config: config,
certificates: new(sync.Map),
first commit
6 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
// Apply options.
for _, fn := range opts {
if err := fn(a); err != nil {
return nil, err
}
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170
5 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
// Initialize authority from options or configuration.
first commit
6 years ago
if err := a.init(); err != nil {
return nil, err
}
Add options to read the roots and federated roots from a bundle.
4 years ago
first commit
6 years ago
return a, nil
}
Rename method to NewEmbedded
4 years ago
// NewEmbedded initializes an authority that can be embedded in a different
// project without the limitations of the config.
func NewEmbedded(opts ...Option) (*Authority, error) {
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
a := &Authority{
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
config: &Config{},
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
certificates: new(sync.Map),
}
// Apply options.
for _, fn := range opts {
if err := fn(a); err != nil {
return nil, err
}
}
// Validate required options
switch {
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
case a.config == nil:
return nil, errors.New("cannot create an authority without a configuration")
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
case len(a.rootX509Certs) == 0 && a.config.Root.HasEmpties():
return nil, errors.New("cannot create an authority without a root certificate")
case a.x509Issuer == nil && a.config.IntermediateCert == "":
return nil, errors.New("cannot create an authority without an issuer certificate")
case a.x509Signer == nil && a.config.IntermediateKey == "":
return nil, errors.New("cannot create an authority without an issuer signer")
}
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
// Initialize config required fields.
a.config.init()
Create a method to initialize the authority without a config file. When the CA is embedded in a third party product like Caddy, the config needed to use placeholders to be valid. This change adds a new method `NewEmbeddedAuthority` that allows to create an authority with the given options, the minimum options are a root and intermediate certificate, and the intermediate key. Fixes #218
4 years ago
// Initialize authority from options or configuration.
if err := a.init(); err != nil {
return nil, err
}
return a, nil
}
first commit
6 years ago
// init performs validation and initializes the fields of an Authority struct.
func (a *Authority) init() error {
// Check if handler has already been validated/initialized.
if a.initOnce {
return nil
}
var err error
Add wip support for kms.
4 years ago
Add options to read the roots and federated roots from a bundle.
4 years ago
// Initialize key manager if it has not been set in the options.
Add wip support for kms.
4 years ago
if a.keyManager == nil {
Fix types.
4 years ago
var options kmsapi.Options
if a.config.KMS != nil {
options = *a.config.KMS
}
a.keyManager, err = kms.New(context.Background(), options)
Add wip support for kms.
4 years ago
if err != nil {
return err
}
}
Fix typo.
5 years ago
// Initialize step-ca Database if it's not already initialized with WithDB.
NoopDB -> SimpleDB
5 years ago
// If a.config.DB is nil then a simple, barebones in memory DB will be used.
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170
5 years ago
if a.db == nil {
if a.db, err = db.New(a.config.DB); err != nil {
return err
}
Add /revoke API with interface db backend
5 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
// Read root certificates and store them in the certificates map.
if len(a.rootX509Certs) == 0 {
a.rootX509Certs = make([]*x509.Certificate, len(a.config.Root))
for i, path := range a.config.Root {
crt, err := pemutil.ReadCertificate(path)
if err != nil {
return err
}
a.rootX509Certs[i] = crt
Add support for multiple roots.
5 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
}
for _, crt := range a.rootX509Certs {
Add support for multiple roots.
5 years ago
sum := sha256.Sum256(crt.Raw)
a.certificates.Store(hex.EncodeToString(sum[:]), crt)
}
first commit
6 years ago
Add options to read the roots and federated roots from a bundle.
4 years ago
// Read federated certificates and store them in the certificates map.
if len(a.federatedX509Certs) == 0 {
a.federatedX509Certs = make([]*x509.Certificate, len(a.config.FederatedRoots))
for i, path := range a.config.FederatedRoots {
crt, err := pemutil.ReadCertificate(path)
if err != nil {
return err
}
a.federatedX509Certs[i] = crt
Add initial support for federated root certificates.
5 years ago
}
Add options to read the roots and federated roots from a bundle.
4 years ago
}
for _, crt := range a.federatedX509Certs {
Add initial support for federated root certificates.
5 years ago
sum := sha256.Sum256(crt.Raw)
a.certificates.Store(hex.EncodeToString(sum[:]), crt)
}
Add options to read the roots and federated roots from a bundle.
4 years ago
// Read intermediate and create X509 signer.
Add wip support for kms.
4 years ago
if a.x509Signer == nil {
crt, err := pemutil.ReadCertificate(a.config.IntermediateCert)
first commit
6 years ago
if err != nil {
return err
}
Pass issuer and signer to softCAS options. Remove commented code and initialize CAS properly. Minor fixes in CloudCAS.
4 years ago
a.x509Issuer = crt
// Read signer only is the CAS is the default one.
if a.config.CAS.HasType(casapi.SoftCAS) {
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.IntermediateKey,
Password: []byte(a.config.Password),
})
if err != nil {
return err
}
a.x509Signer = signer
}
}
// Initialize the X.509 CA Service if it has not been set in the options
if a.x509CAService == nil {
var options casapi.Options
if a.config.CAS != nil {
options = *a.config.CAS
}
// Set issuer and signer for default CAS.
if options.HasType(casapi.SoftCAS) {
Do not read issuer and signer twice.
4 years ago
options.Issuer = a.x509Issuer
options.Signer = a.x509Signer
Pass issuer and signer to softCAS options. Remove commented code and initialize CAS properly. Minor fixes in CloudCAS.
4 years ago
}
a.x509CAService, err = cas.New(context.Background(), options)
first commit
6 years ago
if err != nil {
Pass issuer and signer to softCAS options. Remove commented code and initialize CAS properly. Minor fixes in CloudCAS.
4 years ago
return nil
first commit
6 years ago
}
}
Allow to use custom SSH user/host key files.
5 years ago
// Decrypt and load SSH keys
Load default templates if no templates are configured.
4 years ago
var tmplVars templates.Step
Allow to use custom SSH user/host key files.
5 years ago
if a.config.SSH != nil {
if a.config.SSH.HostKey != "" {
Add wip support for kms.
4 years ago
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.SSH.HostKey,
Fix types.
4 years ago
Password: []byte(a.config.Password),
Add wip support for kms.
4 years ago
})
Allow to use custom SSH user/host key files.
5 years ago
if err != nil {
return err
}
Add initial implementation of ssh config.
5 years ago
a.sshCAHostCertSignKey, err = ssh.NewSignerFromSigner(signer)
if err != nil {
return errors.Wrap(err, "error creating ssh signer")
}
Add support for multiple ssh roots. Fixes #125
5 years ago
// Append public key to list of host certs
a.sshCAHostCerts = append(a.sshCAHostCerts, a.sshCAHostCertSignKey.PublicKey())
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, a.sshCAHostCertSignKey.PublicKey())
Allow to use custom SSH user/host key files.
5 years ago
}
if a.config.SSH.UserKey != "" {
Add wip support for kms.
4 years ago
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.SSH.UserKey,
Fix types.
4 years ago
Password: []byte(a.config.Password),
Add wip support for kms.
4 years ago
})
Allow to use custom SSH user/host key files.
5 years ago
if err != nil {
return err
}
Add initial implementation of ssh config.
5 years ago
a.sshCAUserCertSignKey, err = ssh.NewSignerFromSigner(signer)
if err != nil {
return errors.Wrap(err, "error creating ssh signer")
}
Add support for multiple ssh roots. Fixes #125
5 years ago
// Append public key to list of user certs
Fix list of user ssh public keys.
5 years ago
a.sshCAUserCerts = append(a.sshCAUserCerts, a.sshCAUserCertSignKey.PublicKey())
Add support for multiple ssh roots. Fixes #125
5 years ago
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, a.sshCAUserCertSignKey.PublicKey())
}
// Append other public keys
for _, key := range a.config.SSH.Keys {
switch key.Type {
case provisioner.SSHHostCert:
if key.Federated {
a.sshCAHostFederatedCerts = append(a.sshCAHostFederatedCerts, key.PublicKey())
} else {
a.sshCAHostCerts = append(a.sshCAHostCerts, key.PublicKey())
}
case provisioner.SSHUserCert:
if key.Federated {
a.sshCAUserFederatedCerts = append(a.sshCAUserFederatedCerts, key.PublicKey())
} else {
a.sshCAUserCerts = append(a.sshCAUserCerts, key.PublicKey())
}
default:
return errors.Errorf("unsupported type %s", key.Type)
}
Allow to use custom SSH user/host key files.
5 years ago
}
Fix ssh federated template variables.
4 years ago
// Configure template variables.
tmplVars.SSH.HostKey = a.sshCAHostCertSignKey.PublicKey()
tmplVars.SSH.UserKey = a.sshCAUserCertSignKey.PublicKey()
// On the templates we skip the first one because there's a distinction
// between the main key and federated keys.
tmplVars.SSH.HostFederatedKeys = append(tmplVars.SSH.HostFederatedKeys, a.sshCAHostFederatedCerts[1:]...)
tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts[1:]...)
Allow to use custom SSH user/host key files.
5 years ago
}
Add initial implementation of an SSH CA using the JWK provisioner. Fixes smallstep/ca-component#187
5 years ago
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
// Merge global and configuration claims
claimer, err := provisioner.NewClaimer(a.config.AuthorityConfig.Claims, globalProvisionerClaims)
if err != nil {
return err
}
// TODO: should we also be combining the ssh federated roots here?
// If we rotate ssh roots keys, sshpop provisioner will lose ability to
// validate old SSH certificates, unless they are added as federated certs.
Add context parameter to all SSH methods.
4 years ago
sshKeys, err := a.GetSSHRoots(context.Background())
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
if err != nil {
return err
}
// Initialize provisioners
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
audiences := a.config.getAudiences()
a.provisioners = provisioner.NewCollection(audiences)
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
config := provisioner.Config{
Claims: claimer.Claims(),
Initialize the required config fields on embedded authorities. This change is to make easier the use of embedded authorities. It can be difficult for third parties to know what fields are required. The new init methods will define the minimum usable configuration.
4 years ago
Audiences: audiences,
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
DB: a.db,
SSHKeys: &provisioner.SSHKeys{
UserKeys: sshKeys.UserKeys,
HostKeys: sshKeys.HostKeys,
},
Instrument getIdentity func for OIDC ssh provisioner
5 years ago
GetIdentityFunc: a.getIdentityFunc,
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
}
Use provisioner.Collection to store and request the provisioners.
5 years ago
// Store all the provisioners
first commit
6 years ago
for _, p := range a.config.AuthorityConfig.Provisioners {
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
if err := p.Init(config); err != nil {
return err
}
Use provisioner.Collection to store and request the provisioners.
5 years ago
if err := a.provisioners.Store(p); err != nil {
return err
first commit
6 years ago
}
}
Load default templates if no templates are configured.
4 years ago
// Configure templates, currently only ssh templates are supported.
if a.sshCAHostCertSignKey != nil || a.sshCAUserCertSignKey != nil {
Use templates from authority instead of config.
4 years ago
a.templates = a.config.Templates
if a.templates == nil {
a.templates = templates.DefaultTemplates()
Add initial support for ssh config. Related to smallstep/cli#170
5 years ago
}
Use templates from authority instead of config.
4 years ago
if a.templates.Data == nil {
a.templates.Data = make(map[string]interface{})
Add initial support for ssh config. Related to smallstep/cli#170
5 years ago
}
Use templates from authority instead of config.
4 years ago
a.templates.Data["Step"] = tmplVars
Add initial support for ssh config. Related to smallstep/cli#170
5 years ago
}
Truncate to seconds the startTime to simplify tests.
5 years ago
// JWT numeric dates are seconds.
a.startTime = time.Now().Truncate(time.Second)
first commit
6 years ago
// Set flag indicating that initialization has been completed, and should
// not be repeated.
a.initOnce = true
return nil
}
Add /revoke API with interface db backend
5 years ago
Fix comments.
5 years ago
// GetDatabase returns the authority database. If the configuration does not
// define a database, GetDatabase will return a db.SimpleDB instance.
Do not allow reload with database configuration changes. Fixes #smallstep/ca-component#170
5 years ago
func (a *Authority) GetDatabase() db.AuthDB {
return a.db
}
Add /revoke API with interface db backend
5 years ago
// Shutdown safely shuts down any clients, databases, etc. held by the Authority.
func (a *Authority) Shutdown() error {
Close the key manager before shutting down.
4 years ago
if err := a.keyManager.Close(); err != nil {
log.Printf("error closing the key manager: %v", err)
}
Add /revoke API with interface db backend
5 years ago
return a.db.Shutdown()
}