Merge pull request #1797 from smallstep/mariano/init-scep

Allow custom SCEP key manager

authority/authority.go

@@ -62,9 +62,10 @@ type Authority struct {
 	x509Enforcers         []provisioner.CertificateEnforcer
 
 	// SCEP CA
-	scepOptions   *scep.Options
-	validateSCEP  bool
-	scepAuthority *scep.Authority
+	scepOptions    *scep.Options
+	validateSCEP   bool
+	scepAuthority  *scep.Authority
+	scepKeyManager provisioner.SCEPKeyManager
 
 	// SSH CA
 	sshHostPassword         []byte

authority/options.go

@@ -226,6 +226,16 @@ func WithFullSCEPOptions(options *scep.Options) Option {
 	}
 }
 
+// WithSCEPKeyManager defines the key manager used on SCEP provisioners.
+//
+// This feature is EXPERIMENTAL and might change at any time.
+func WithSCEPKeyManager(skm provisioner.SCEPKeyManager) Option {
+	return func(a *Authority) error {
+		a.scepKeyManager = skm
+		return nil
+	}
+}
+
 // WithSSHUserSigner defines the signer used to sign SSH user certificates.
 func WithSSHUserSigner(s crypto.Signer) Option {
 	return func(a *Authority) error {

authority/provisioner/provisioner.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	kmsapi "go.step.sm/crypto/kms/apiv1"
 	"golang.org/x/crypto/ssh"
 
 	"github.com/smallstep/certificates/errs"
@@ -206,6 +207,13 @@ type SSHKeys struct {
 	HostKeys []ssh.PublicKey
 }
 
+// SCEPKeyManager is a KMS interface that combines a KeyManager with a
+// Decrypter.
+type SCEPKeyManager interface {
+	kmsapi.KeyManager
+	kmsapi.Decrypter
+}
+
 // Config defines the default parameters used in the initialization of
 // provisioners.
 type Config struct {
@@ -226,6 +234,8 @@ type Config struct {
 	AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc
 	// WebhookClient is an http client to use in webhook request
 	WebhookClient *http.Client
+	// SCEPKeyManager, if defined, is the interface used by SCEP provisioners.
+	SCEPKeyManager SCEPKeyManager
 }
 
 type provisioner struct {

authority/provisioner/scep.go

@@ -15,7 +15,6 @@ import (
 
 	"go.step.sm/crypto/kms"
 	kmsapi "go.step.sm/crypto/kms/apiv1"
-	"go.step.sm/crypto/kms/uri"
 	"go.step.sm/linkedca"
 
 	"github.com/smallstep/certificates/webhook"
@@ -59,7 +58,7 @@ type SCEP struct {
 	encryptionAlgorithm           int
 	challengeValidationController *challengeValidationController
 	notificationController        *notificationController
-	keyManager                    kmsapi.KeyManager
+	keyManager                    SCEPKeyManager
 	decrypter                     crypto.Decrypter
 	decrypterCertificate          *x509.Certificate
 	signer                        crypto.Signer
@@ -269,34 +268,38 @@ func (s *SCEP) Init(config Config) (err error) {
 	)
 
 	// parse the decrypter key PEM contents if available
-	if decryptionKeyPEM := s.DecrypterKeyPEM; len(decryptionKeyPEM) > 0 {
+	if len(s.DecrypterKeyPEM) > 0 {
 		// try reading the PEM for validation
-		block, rest := pem.Decode(decryptionKeyPEM)
+		block, rest := pem.Decode(s.DecrypterKeyPEM)
 		if len(rest) > 0 {
 			return errors.New("failed parsing decrypter key: trailing data")
 		}
 		if block == nil {
 			return errors.New("failed parsing decrypter key: no PEM block found")
 		}
+
 		opts := kms.Options{
 			Type: kmsapi.SoftKMS,
 		}
-		if s.keyManager, err = kms.New(context.Background(), opts); err != nil {
+		km, err := kms.New(context.Background(), opts)
+		if err != nil {
 			return fmt.Errorf("failed initializing kms: %w", err)
 		}
-		kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter)
+		scepKeyManager, ok := km.(SCEPKeyManager)
 		if !ok {
 			return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
 		}
-		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-			DecryptionKeyPEM: decryptionKeyPEM,
+		s.keyManager = scepKeyManager
+
+		if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+			DecryptionKeyPEM: s.DecrypterKeyPEM,
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-			SigningKeyPEM:    decryptionKeyPEM, // TODO(hs): support distinct signer key in the future?
+			SigningKeyPEM:    s.DecrypterKeyPEM, // TODO(hs): support distinct signer key in the future?
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
@@ -304,41 +307,44 @@ func (s *SCEP) Init(config Config) (err error) {
 		}
 	}
 
-	if decryptionKeyURI := s.DecrypterKeyURI; decryptionKeyURI != "" {
-		u, err := uri.Parse(s.DecrypterKeyURI)
+	if s.DecrypterKeyURI != "" {
+		kmsType, err := kmsapi.TypeOf(s.DecrypterKeyURI)
 		if err != nil {
 			return fmt.Errorf("failed parsing decrypter key: %w", err)
 		}
-		var kmsType kmsapi.Type
-		switch {
-		case u.Scheme != "":
-			kmsType = kms.Type(u.Scheme)
-		default:
-			kmsType = kmsapi.SoftKMS
-		}
-		opts := kms.Options{
-			Type: kmsType,
-			URI:  s.DecrypterKeyURI,
-		}
-		if s.keyManager, err = kms.New(context.Background(), opts); err != nil {
-			return fmt.Errorf("failed initializing kms: %w", err)
-		}
-		kmsDecrypter, ok := s.keyManager.(kmsapi.Decrypter)
-		if !ok {
-			return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
-		}
-		if kmsType != "softkms" { // TODO(hs): this should likely become more transparent?
-			decryptionKeyURI = u.Opaque
-		}
-		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-			DecryptionKey:    decryptionKeyURI,
+
+		if config.SCEPKeyManager != nil {
+			s.keyManager = config.SCEPKeyManager
+		} else {
+			if kmsType == kmsapi.DefaultKMS {
+				kmsType = kmsapi.SoftKMS
+			}
+			opts := kms.Options{
+				Type: kmsType,
+				URI:  s.DecrypterKeyURI,
+			}
+			km, err := kms.New(context.Background(), opts)
+			if err != nil {
+				return fmt.Errorf("failed initializing kms: %w", err)
+			}
+			scepKeyManager, ok := km.(SCEPKeyManager)
+			if !ok {
+				return fmt.Errorf("%q is not a kmsapi.Decrypter", opts.Type)
+			}
+			s.keyManager = scepKeyManager
+		}
+
+		// Create decrypter and signer with the same key:
+		// TODO(hs): support distinct signer key in the future?
+		if s.decrypter, err = s.keyManager.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
+			DecryptionKey:    s.DecrypterKeyURI,
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-			SigningKey:       decryptionKeyURI, // TODO(hs): support distinct signer key in the future?
+			SigningKey:       s.DecrypterKeyURI,
 			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {

authority/provisioner/scep_test.go

@@ -2,19 +2,27 @@ package provisioner
 
 import (
 	"context"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"testing"
 
+	"github.com/smallstep/certificates/webhook"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
+	"go.step.sm/crypto/kms/softkms"
+	"go.step.sm/crypto/minica"
+	"go.step.sm/crypto/pemutil"
 	"go.step.sm/linkedca"
-
-	"github.com/smallstep/certificates/webhook"
 )
 
 func Test_challengeValidationController_Validate(t *testing.T) {
@@ -366,3 +374,270 @@ func TestSCEP_ValidateChallenge(t *testing.T) {
 		})
 	}
 }
+
+func TestSCEP_Init(t *testing.T) {
+	serialize := func(key crypto.PrivateKey, password string) []byte {
+		var opts []pemutil.Options
+		if password == "" {
+			opts = append(opts, pemutil.WithPasswordPrompt("no password", func(s string) ([]byte, error) {
+				return nil, nil
+			}))
+		} else {
+			opts = append(opts, pemutil.WithPassword([]byte("password")))
+		}
+		block, err := pemutil.Serialize(key, opts...)
+		require.NoError(t, err)
+		return pem.EncodeToMemory(block)
+	}
+
+	ca, err := minica.New()
+	require.NoError(t, err)
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+	badKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	cert, err := ca.Sign(&x509.Certificate{
+		Subject:   pkix.Name{CommonName: "SCEP decryptor"},
+		PublicKey: key.Public(),
+	})
+	require.NoError(t, err)
+
+	certPEM := pem.EncodeToMemory(&pem.Block{
+		Type: "CERTIFICATE", Bytes: cert.Raw,
+	})
+	certPEMWithIntermediate := append(pem.EncodeToMemory(&pem.Block{
+		Type: "CERTIFICATE", Bytes: cert.Raw,
+	}), pem.EncodeToMemory(&pem.Block{
+		Type: "CERTIFICATE", Bytes: ca.Intermediate.Raw,
+	})...)
+
+	keyPEM := serialize(key, "password")
+	keyPEMNoPassword := serialize(key, "")
+	badKeyPEM := serialize(badKey, "password")
+
+	tmp := t.TempDir()
+	path := filepath.Join(tmp, "rsa.priv")
+	pathNoPassword := filepath.Join(tmp, "rsa.key")
+
+	require.NoError(t, os.WriteFile(path, keyPEM, 0600))
+	require.NoError(t, os.WriteFile(pathNoPassword, keyPEMNoPassword, 0600))
+
+	type args struct {
+		config Config
+	}
+	tests := []struct {
+		name    string
+		s       *SCEP
+		args    args
+		wantErr bool
+	}{
+		{"ok", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, false},
+		{"ok no password", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               keyPEMNoPassword,
+			DecrypterKeyPassword:          "",
+			EncryptionAlgorithmIdentifier: 1,
+		}, args{Config{Claims: globalProvisionerClaims}}, false},
+		{"ok with uri", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        1024,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyURI:               "softkms:path=" + path,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 2,
+		}, args{Config{Claims: globalProvisionerClaims}}, false},
+		{"ok with uri no password", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        2048,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyURI:               "softkms:path=" + pathNoPassword,
+			DecrypterKeyPassword:          "",
+			EncryptionAlgorithmIdentifier: 3,
+		}, args{Config{Claims: globalProvisionerClaims}}, false},
+		{"ok with SCEPKeyManager", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        2048,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyURI:               "softkms:path=" + pathNoPassword,
+			DecrypterKeyPassword:          "",
+			EncryptionAlgorithmIdentifier: 4,
+		}, args{Config{Claims: globalProvisionerClaims, SCEPKeyManager: &softkms.SoftKMS{}}}, false},
+		{"ok intermediate", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          nil,
+			DecrypterKeyPEM:               nil,
+			DecrypterKeyPassword:          "",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, false},
+		{"fail type", &SCEP{
+			Type:                          "",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail name", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail minimumPublicKeyLength", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        2001,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail encryptionAlgorithmIdentifier", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 5,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail negative encryptionAlgorithmIdentifier", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: -1,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail key decode", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               []byte("not a pem"),
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail certificate decode", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          []byte("not a pem"),
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail certificate with intermediate", &SCEP{
+			Type:                   "SCEP",
+			Name:                   "scep",
+			ChallengePassword:      "password123",
+			MinimumPublicKeyLength: 0,
+			DecrypterCertificate:   certPEMWithIntermediate,
+			DecrypterKeyPEM:        keyPEM,
+			DecrypterKeyPassword:   "password",
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail decrypter password", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "badpassword",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail uri", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyURI:               "softkms:path=missing.key",
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail uri password", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyURI:               "softkms:path=" + path,
+			DecrypterKeyPassword:          "badpassword",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail uri type", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyURI:               "foo:path=" + path,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail missing certificate", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          nil,
+			DecrypterKeyPEM:               keyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+		{"fail key match", &SCEP{
+			Type:                          "SCEP",
+			Name:                          "scep",
+			ChallengePassword:             "password123",
+			MinimumPublicKeyLength:        0,
+			DecrypterCertificate:          certPEM,
+			DecrypterKeyPEM:               badKeyPEM,
+			DecrypterKeyPassword:          "password",
+			EncryptionAlgorithmIdentifier: 0,
+		}, args{Config{Claims: globalProvisionerClaims}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := tt.s.Init(tt.args.config); (err != nil) != tt.wantErr {
+				t.Errorf("SCEP.Init() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}

authority/provisioners.go

@@ -201,6 +201,7 @@ func (a *Authority) generateProvisionerConfig(ctx context.Context) (provisioner.
 		AuthorizeRenewFunc:    a.authorizeRenewFunc,
 		AuthorizeSSHRenewFunc: a.authorizeSSHRenewFunc,
 		WebhookClient:         a.webhookClient,
+		SCEPKeyManager:        a.scepKeyManager,
 	}, nil
 }
 

go.mod

@@ -33,7 +33,7 @@ require (
 	github.com/stretchr/testify v1.9.0
 	github.com/urfave/cli v1.22.14
 	go.step.sm/cli-utils v0.9.0
-	go.step.sm/crypto v0.44.2
+	go.step.sm/crypto v0.44.3
 	go.step.sm/linkedca v0.20.1
 	golang.org/x/crypto v0.22.0
 	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81
@@ -51,7 +51,7 @@ require (
 	cloud.google.com/go/kms v1.15.8 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
@@ -60,20 +60,20 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect
-	github.com/aws/smithy-go v1.20.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
@@ -99,7 +99,7 @@ require (
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/certificate-transparency-go v1.1.6 // indirect
-	github.com/google/go-tpm-tools v0.4.3 // indirect
+	github.com/google/go-tpm-tools v0.4.4 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect

go.sum

@@ -17,8 +17,8 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIoKjsnZuH8vjyaysT/ses3EvZeaV/1UkF2M=
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 h1:n1DH8TPV4qqPTje2RcUBYwtrTWlabVp4n46+74X2pn4=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0/go.mod h1:HDcZnuGbiyppErN6lB+idp4CKhjbc8gwjto6OPpyggM=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ=
@@ -44,34 +44,34 @@ github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY
 github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=
-github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
-github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg=
-github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48=
+github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA=
+github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA=
+github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU=
-github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU=
-github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0=
-github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
-github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk=
+github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 h1:SBn4I0fJXF9FYOVRSVMWuhvEKoAHDikjGpS3wlmw5DE=
+github.com/aws/aws-sdk-go-v2/service/kms v1.30.1/go.mod h1:2snWQJQUKsbN66vAawJuOGX7dr37pfOq9hb0tZDGIqQ=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
@@ -214,8 +214,8 @@ github.com/google/go-sev-guest v0.9.3 h1:GOJ+EipURdeWFl/YYdgcCxyPeMgQUWlI056iFkB
 github.com/google/go-tdx-guest v0.3.1 h1:gl0KvjdsD4RrJzyLefDOvFOUH3NAJri/3qvaL5m83Iw=
 github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
 github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
-github.com/google/go-tpm-tools v0.4.3 h1:L5dc34fttMIREoKRmnIJfv2NSZDSZ+RfBD+izN0EZoA=
-github.com/google/go-tpm-tools v0.4.3/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY=
+github.com/google/go-tpm-tools v0.4.4 h1:oiQfAIkc6xTy9Fl5NKTeTJkBTlXdHsxAofmQyxBKY98=
+github.com/google/go-tpm-tools v0.4.4/go.mod h1:T8jXkp2s+eltnCDIsXR84/MTcVU9Ja7bh3Mit0pa4AY=
 github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
 github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
 github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ=
@@ -489,8 +489,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.step.sm/cli-utils v0.9.0 h1:55jYcsQbnArNqepZyAwcato6Zy2MoZDRkWW+jF+aPfQ=
 go.step.sm/cli-utils v0.9.0/go.mod h1:Y/CRoWl1FVR9j+7PnAewufAwKmBOTzR6l9+7EYGAnp8=
-go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk=
-go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ=
+go.step.sm/crypto v0.44.3 h1:HA/eHC6mqw+WRP0wT2SqJq/Ch//Z4yJoSLV7kBmAIME=
+go.step.sm/crypto v0.44.3/go.mod h1:gGYw4D+5J8uFhBY6dzOBvDE8iwUo+gaOpKPFLcQwv9Q=
 go.step.sm/linkedca v0.20.1 h1:bHDn1+UG1NgRrERkWbbCiAIvv4lD5NOFaswPDTyO5vU=
 go.step.sm/linkedca v0.20.1/go.mod h1:Vaq4+Umtjh7DLFI1KuIxeo598vfBzgSYZUjgVJ7Syxw=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=