diff --git a/authority/authority.go b/authority/authority.go index c112bc25..72e21767 100644 --- a/authority/authority.go +++ b/authority/authority.go @@ -62,9 +62,10 @@ type Authority struct { x509Enforcers []provisioner.CertificateEnforcer // SCEP CA - scepOptions *scep.Options - validateSCEP bool - scepAuthority *scep.Authority + scepOptions *scep.Options + validateSCEP bool + scepAuthority *scep.Authority + scepKeyManager provisioner.SCEPKeyManager // SSH CA sshHostPassword []byte diff --git a/authority/options.go b/authority/options.go index 55c27321..9738b391 100644 --- a/authority/options.go +++ b/authority/options.go @@ -226,6 +226,16 @@ func WithFullSCEPOptions(options *scep.Options) Option { } } +// WithSCEPKeyManager defines the key manager used on SCEP provisioners. +// +// This feature is EXPERIMENTAL and might change at any time. +func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option { + return func(a *Authority) error { + a.scepKeyManager = skm + return nil + } +} + // WithSSHUserSigner defines the signer used to sign SSH user certificates. func WithSSHUserSigner(s crypto.Signer) Option { return func(a *Authority) error { diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go index a9b17066..f15378d6 100644 --- a/authority/provisioner/provisioner.go +++ b/authority/provisioner/provisioner.go @@ -10,6 +10,7 @@ import ( "strings" "github.com/pkg/errors" + kmsapi "go.step.sm/crypto/kms/apiv1" "golang.org/x/crypto/ssh" "github.com/smallstep/certificates/errs" @@ -206,6 +207,13 @@ type SSHKeys struct { HostKeys []ssh.PublicKey } +// SCEPKeyManager is a KMS interface that combines a KeyManager with a +// Decrypter. +type SCEPKeyManager interface { + kmsapi.KeyManager + kmsapi.Decrypter +} + // Config defines the default parameters used in the initialization of // provisioners. type Config struct { @@ -226,6 +234,8 @@ type Config struct { AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc // WebhookClient is an http client to use in webhook request WebhookClient *http.Client + // SCEPKeyManager, if defined, is the interface used by SCEP provisioners. + SCEPKeyManager SCEPKeyManager } type provisioner struct { diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go index f4067bc5..7213285c 100644 --- a/authority/provisioner/scep.go +++ b/authority/provisioner/scep.go @@ -15,7 +15,6 @@ import ( "go.step.sm/crypto/kms" kmsapi "go.step.sm/crypto/kms/apiv1" - "go.step.sm/crypto/kms/uri" "go.step.sm/linkedca" "github.com/smallstep/certificates/webhook" @@ -59,7 +58,7 @@ type SCEP struct { encryptionAlgorithm int challengeValidationController *challengeValidationController notificationController *notificationController - keyManager kmsapi.KeyManager + keyManager SCEPKeyManager decrypter crypto.Decrypter decrypterCertificate *x509.Certificate signer crypto.Signer @@ -269,34 +268,38 @@ func (s *SCEP) Init(config Config) (err error) { ) // parse the decrypter key PEM contents if available - if decryptionKeyPEM := s.DecrypterKeyPEM; len(decryptionKeyPEM) > 0 { + if len(s.DecrypterKeyPEM) > 0 { // try reading the PEM for validation - block, rest := pem.Decode(decryptionKeyPEM) + block, rest := pem.Decode(s.DecrypterKeyPEM) if len(rest) > 0 { return errors.New("failed parsing decrypter key: trailing data") } if block == nil { return errors.New("failed parsing decrypter key: no PEM block found") } + opts := kms.Options{ Type: kmsapi.SoftKMS, } - if s.keyManager, err = kms.New(context.Background(), opts); err != nil { + km, err := kms.New(context.Background(), opts) + if err != nil { return fmt.Errorf("failed initializing kms: %w", err) } - kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter) + scepKeyManager, ok := km.(SCEPKeyManager) if !ok { return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type) } - if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ - DecryptionKeyPEM: decryptionKeyPEM, + s.keyManager = scepKeyManager + + if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ + DecryptionKeyPEM: s.DecrypterKeyPEM, Password: []byte(s.DecrypterKeyPassword), PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { return fmt.Errorf("failed creating decrypter: %w", err) } if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ - SigningKeyPEM: decryptionKeyPEM, // TODO(hs): support distinct signer key in the future? + SigningKeyPEM: s.DecrypterKeyPEM, // TODO(hs): support distinct signer key in the future? Password: []byte(s.DecrypterKeyPassword), PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { @@ -304,41 +307,44 @@ func (s *SCEP) Init(config Config) (err error) { } } - if decryptionKeyURI := s.DecrypterKeyURI; decryptionKeyURI != "" { - u, err := uri.Parse(s.DecrypterKeyURI) + if s.DecrypterKeyURI != "" { + kmsType, err := kmsapi.TypeOf(s.DecrypterKeyURI) if err != nil { return fmt.Errorf("failed parsing decrypter key: %w", err) } - var kmsType kmsapi.Type - switch { - case u.Scheme != "": - kmsType = kms.Type(u.Scheme) - default: - kmsType = kmsapi.SoftKMS - } - opts := kms.Options{ - Type: kmsType, - URI: s.DecrypterKeyURI, - } - if s.keyManager, err = kms.New(context.Background(), opts); err != nil { - return fmt.Errorf("failed initializing kms: %w", err) - } - kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter) - if !ok { - return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type) - } - if kmsType != "softkms" { // TODO(hs): this should likely become more transparent? - decryptionKeyURI = u.Opaque - } - if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ - DecryptionKey: decryptionKeyURI, + + if config.SCEPKeyManager != nil { + s.keyManager = config.SCEPKeyManager + } else { + if kmsType == kmsapi.DefaultKMS { + kmsType = kmsapi.SoftKMS + } + opts := kms.Options{ + Type: kmsType, + URI: s.DecrypterKeyURI, + } + km, err := kms.New(context.Background(), opts) + if err != nil { + return fmt.Errorf("failed initializing kms: %w", err) + } + scepKeyManager, ok := km.(SCEPKeyManager) + if !ok { + return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type) + } + s.keyManager = scepKeyManager + } + + // Create decrypter and signer with the same key: + // TODO(hs): support distinct signer key in the future? + if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ + DecryptionKey: s.DecrypterKeyURI, Password: []byte(s.DecrypterKeyPassword), PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { return fmt.Errorf("failed creating decrypter: %w", err) } if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ - SigningKey: decryptionKeyURI, // TODO(hs): support distinct signer key in the future? + SigningKey: s.DecrypterKeyURI, Password: []byte(s.DecrypterKeyPassword), PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { diff --git a/authority/provisioner/scep_test.go b/authority/provisioner/scep_test.go index 2e9f3419..abdbe7a0 100644 --- a/authority/provisioner/scep_test.go +++ b/authority/provisioner/scep_test.go @@ -2,19 +2,27 @@ package provisioner import ( "context" + "crypto" + "crypto/rand" + "crypto/rsa" "crypto/x509" + "crypto/x509/pkix" "encoding/json" + "encoding/pem" "errors" "net/http" "net/http/httptest" + "os" + "path/filepath" "testing" + "github.com/smallstep/certificates/webhook" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - + "go.step.sm/crypto/kms/softkms" + "go.step.sm/crypto/minica" + "go.step.sm/crypto/pemutil" "go.step.sm/linkedca" - - "github.com/smallstep/certificates/webhook" ) func Test_challengeValidationController_Validate(t *testing.T) { @@ -366,3 +374,273 @@ func TestSCEP_ValidateChallenge(t *testing.T) { }) } } + +func TestSCEP_Init(t *testing.T) { + serialize := func(key crypto.PrivateKey, password string) []byte { + var opts []pemutil.Options + if password == "" { + opts = append(opts, pemutil.WithPasswordPrompt("no password", func(s string) ([]byte, error) { + return nil, nil + })) + } else { + opts = append(opts, pemutil.WithPassword([]byte("password"))) + } + block, err := pemutil.Serialize(key, opts...) + require.NoError(t, err) + return pem.EncodeToMemory(block) + } + + ca, err := minica.New() + require.NoError(t, err) + + key, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + badKey, err := rsa.GenerateKey(rand.Reader, 2048) + require.NoError(t, err) + + cert, err := ca.Sign(&x509.Certificate{ + Subject: pkix.Name{CommonName: "SCEP decryptor"}, + PublicKey: key.Public(), + }) + require.NoError(t, err) + + certPEM := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", Bytes: cert.Raw, + }) + certPEMWithIntermediate := append(pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", Bytes: cert.Raw, + }), pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", Bytes: ca.Intermediate.Raw, + })...) + + keyPEM := serialize(key, "password") + keyPEMNoPassword := serialize(key, "") + badKeyPEM := serialize(badKey, "password") + + tmp := t.TempDir() + path := filepath.Join(tmp, "rsa.priv") + pathNoPassword := filepath.Join(tmp, "rsa.key") + + require.NoError(t, os.WriteFile(path, keyPEM, 0600)) + require.NoError(t, os.WriteFile(pathNoPassword, keyPEMNoPassword, 0600)) + + type args struct { + config Config + } + tests := []struct { + name string + s *SCEP + args args + wantErr bool + }{ + {"ok", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"ok no password", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEMNoPassword, + DecrypterKeyPassword: "", + EncryptionAlgorithmIdentifier: 1, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"ok with uri", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 1024, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=" + path, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 2, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"ok with uri no password", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 2048, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=" + pathNoPassword, + DecrypterKeyPassword: "", + EncryptionAlgorithmIdentifier: 3, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"ok with SCEPKeyManager", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 2048, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=" + pathNoPassword, + DecrypterKeyPassword: "", + EncryptionAlgorithmIdentifier: 4, + }, args{Config{Claims: globalProvisionerClaims, SCEPKeyManager: &softkms.SoftKMS{}}}, false}, + {"ok intermediate", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: nil, + DecrypterKeyPEM: nil, + DecrypterKeyPassword: "", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, false}, + {"fail type", &SCEP{ + Type: "", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail name", &SCEP{ + Type: "SCEP", + Name: "", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail minimumPublicKeyLength", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 2001, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail encryptionAlgorithmIdentifier", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 5, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail negative encryptionAlgorithmIdentifier", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: -1, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail key decode", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: []byte("not a pem"), + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail certificate decode", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: []byte("not a pem"), + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail certificate with intermediate", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEMWithIntermediate, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail decrypter password", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "badpassword", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail uri", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=missing.key", + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail uri password", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "softkms:path=" + path, + DecrypterKeyPassword: "badpassword", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail uri type", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyURI: "foo:path=" + path, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail missing certificate", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: nil, + DecrypterKeyPEM: keyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + {"fail key match", &SCEP{ + Type: "SCEP", + Name: "scep", + ChallengePassword: "password123", + MinimumPublicKeyLength: 0, + DecrypterCertificate: certPEM, + DecrypterKeyPEM: badKeyPEM, + DecrypterKeyPassword: "password", + EncryptionAlgorithmIdentifier: 0, + }, args{Config{Claims: globalProvisionerClaims}}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if tt.name == "fail key type" { + t.Log(1) + } + if err := tt.s.Init(tt.args.config); (err != nil) != tt.wantErr { + t.Errorf("SCEP.Init() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/authority/provisioners.go b/authority/provisioners.go index 34cc75ed..1502ea2b 100644 --- a/authority/provisioners.go +++ b/authority/provisioners.go @@ -201,6 +201,7 @@ func (a *Authority) generateProvisionerConfig(ctx context.Context) (provisioner. AuthorizeRenewFunc: a.authorizeRenewFunc, AuthorizeSSHRenewFunc: a.authorizeSSHRenewFunc, WebhookClient: a.webhookClient, + SCEPKeyManager: a.scepKeyManager, }, nil } diff --git a/go.mod b/go.mod index 33b69bc1..447d6c94 100644 --- a/go.mod +++ b/go.mod @@ -33,7 +33,7 @@ require ( github.com/stretchr/testify v1.9.0 github.com/urfave/cli v1.22.14 go.step.sm/cli-utils v0.9.0 - go.step.sm/crypto v0.44.2 + go.step.sm/crypto v0.44.3 go.step.sm/linkedca v0.20.1 golang.org/x/crypto v0.22.0 golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 @@ -51,7 +51,7 @@ require ( cloud.google.com/go/kms v1.15.8 // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect @@ -60,20 +60,20 @@ require ( github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.2.0 // indirect github.com/ThalesIgnite/crypto11 v1.2.5 // indirect - github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect - github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect + github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect + github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect - github.com/aws/smithy-go v1.20.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect + github.com/aws/smithy-go v1.20.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v3 v3.0.0 // indirect github.com/cespare/xxhash v1.1.0 // indirect @@ -99,7 +99,7 @@ require ( github.com/golang/snappy v0.0.4 // indirect github.com/google/btree v1.1.2 // indirect github.com/google/certificate-transparency-go v1.1.6 // indirect - github.com/google/go-tpm-tools v0.4.3 // indirect + github.com/google/go-tpm-tools v0.4.4 // indirect github.com/google/go-tspi v0.3.0 // indirect github.com/google/s2a-go v0.1.7 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect diff --git a/go.sum b/go.sum index 9f3f7d27..9a91d345 100644 --- a/go.sum +++ b/go.sum @@ -17,8 +17,8 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIoKjsnZuH8vjyaysT/ses3EvZeaV/1UkF2M= github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 h1:n1DH8TPV4qqPTje2RcUBYwtrTWlabVp4n46+74X2pn4= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0/go.mod h1:HDcZnuGbiyppErN6lB+idp4CKhjbc8gwjto6OPpyggM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= @@ -44,34 +44,34 @@ github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA= -github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I= -github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg= -github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0= -github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao= -github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48= +github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= +github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA= +github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE= +github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs= +github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU= -github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU= -github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0= -github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw= -github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= +github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 h1:SBn4I0fJXF9FYOVRSVMWuhvEKoAHDikjGpS3wlmw5DE= +github.com/aws/aws-sdk-go-v2/service/kms v1.30.1/go.mod h1:2snWQJQUKsbN66vAawJuOGX7dr37pfOq9hb0tZDGIqQ= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw= +github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= +github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= @@ -214,8 +214,8 @@ github.com/google/go-sev-guest v0.9.3 h1:GOJ+EipURdeWFl/YYdgcCxyPeMgQUWlI056iFkB github.com/google/go-tdx-guest v0.3.1 h1:gl0KvjdsD4RrJzyLefDOvFOUH3NAJri/3qvaL5m83Iw= github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk= github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU= -github.com/google/go-tpm-tools v0.4.3 h1:L5dc34fttMIREoKRmnIJfv2NSZDSZ+RfBD+izN0EZoA= -github.com/google/go-tpm-tools v0.4.3/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY= +github.com/google/go-tpm-tools v0.4.4 h1:oiQfAIkc6xTy9Fl5NKTeTJkBTlXdHsxAofmQyxBKY98= +github.com/google/go-tpm-tools v0.4.4/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY= github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus= github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI= github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= @@ -489,8 +489,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= go.step.sm/cli-utils v0.9.0 h1:55jYcsQbnArNqepZyAwcato6Zy2MoZDRkWW+jF+aPfQ= go.step.sm/cli-utils v0.9.0/go.mod h1:Y/CRoWl1FVR9j+7PnAewufAwKmBOTzR6l9+7EYGAnp8= -go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk= -go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ= +go.step.sm/crypto v0.44.3 h1:HA/eHC6mqw+WRP0wT2SqJq/Ch//Z4yJoSLV7kBmAIME= +go.step.sm/crypto v0.44.3/go.mod h1:gGYw4D+5J8uFhBY6dzOBvDE8iwUo+gaOpKPFLcQwv9Q= go.step.sm/linkedca v0.20.1 h1:bHDn1+UG1NgRrERkWbbCiAIvv4lD5NOFaswPDTyO5vU= go.step.sm/linkedca v0.20.1/go.mod h1:Vaq4+Umtjh7DLFI1KuIxeo598vfBzgSYZUjgVJ7Syxw= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=