From c7c7decd5e0c74dd697180c2648432f07f4fb975 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Thu, 20 Jul 2023 10:59:38 -0700 Subject: [PATCH] Add support for the disableSmallstepExtensions claim This commit adds a new claim to exclude the Smallstep provisioner extension from the generated certificates. Fixes #620 --- authority/config/config.go | 28 +++++++++------- authority/provisioner/acme.go | 2 +- authority/provisioner/aws.go | 2 +- authority/provisioner/azure.go | 2 +- authority/provisioner/claims.go | 38 +++++++++++++++------- authority/provisioner/gcp.go | 2 +- authority/provisioner/jwk.go | 2 +- authority/provisioner/k8sSA.go | 2 +- authority/provisioner/nebula.go | 2 +- authority/provisioner/oidc.go | 2 +- authority/provisioner/scep.go | 2 +- authority/provisioner/sign_options.go | 12 +++++++ authority/provisioner/sign_options_test.go | 32 +++++++++++++++--- authority/provisioner/utils_test.go | 34 ++++++++++--------- authority/provisioner/x5c.go | 2 +- authority/provisioners.go | 14 +++++--- go.mod | 6 ---- pki/testdata/helm/with-ssh-and-acme.yml | 2 +- pki/testdata/helm/with-ssh.yml | 2 +- 19 files changed, 121 insertions(+), 67 deletions(-) diff --git a/authority/config/config.go b/authority/config/config.go index ae284fb9..27c4919b 100644 --- a/authority/config/config.go +++ b/authority/config/config.go @@ -35,6 +35,9 @@ var ( // DefaultEnableSSHCA enable SSH CA features per provisioner or globally // for all provisioners. DefaultEnableSSHCA = false + // DefaultDisableSmallstepExtensions disables the Smallstep extensions in + // the certificate. + DefaultDisableSmallstepExtensions = false // DefaultCRLCacheDuration is the default cache duration for the CRL. DefaultCRLCacheDuration = &provisioner.Duration{Duration: 24 * time.Hour} // DefaultCRLExpiredDuration is the default duration in which expired 
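Review bot: The doc comment on `DefaultDisableSmallstepExtensions` says it "disables the Smallstep extensions in the certificate", but the only consumer this commit wires up is the X.509 `provisionerExtensionOption`, so the plural overstates the effect an operator reading the config will get. It also does not say that a provisioner's own claim overrides the global value, which is the fallback `IsDisableSmallstepExtensions` implements. I would write `// DefaultDisableSmallstepExtensions is the global default for the disableSmallstepExtensions claim; when true the Smallstep provisioner extension is omitted from issued X.509 certificates unless a provisioner overrides it.`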
@@ -43,18 +46,19 @@ var ( // GlobalProvisionerClaims is the default duration that expired certificates // remain in the CRL after expiration. GlobalProvisionerClaims = provisioner.Claims{ - MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs - MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour}, - DefaultTLSDur: &provisioner.Duration{Duration: 24 * time.Hour}, - MinUserSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs - MaxUserSSHDur: &provisioner.Duration{Duration: 24 * time.Hour}, - DefaultUserSSHDur: &provisioner.Duration{Duration: 16 * time.Hour}, - MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs - MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour}, - DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour}, - EnableSSHCA: &DefaultEnableSSHCA, - DisableRenewal: &DefaultDisableRenewal, - AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry, + MinTLSDur: &provisioner.Duration{Duration: 5 * time.Minute}, // TLS certs + MaxTLSDur: &provisioner.Duration{Duration: 24 * time.Hour}, + DefaultTLSDur: &provisioner.Duration{Duration: 24 * time.Hour}, + MinUserSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // User SSH certs + MaxUserSSHDur: &provisioner.Duration{Duration: 24 * time.Hour}, + DefaultUserSSHDur: &provisioner.Duration{Duration: 16 * time.Hour}, + MinHostSSHDur: &provisioner.Duration{Duration: 5 * time.Minute}, // Host SSH certs + MaxHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour}, + DefaultHostSSHDur: &provisioner.Duration{Duration: 30 * 24 * time.Hour}, + EnableSSHCA: &DefaultEnableSSHCA, + DisableRenewal: &DefaultDisableRenewal, + AllowRenewalAfterExpiry: &DefaultAllowRenewalAfterExpiry, + DisableSmallstepExtensions: &DefaultDisableSmallstepExtensions, } ) diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go index d52bbe0a..96f37d58 100644 --- a/authority/provisioner/acme.go 
+++ b/authority/provisioner/acme.go @@ -257,7 +257,7 @@ func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) { opts := []SignOption{ p, // modifiers / withOptions - newProvisionerExtensionOption(TypeACME, p.Name, ""), + newProvisionerExtensionOption(TypeACME, p.Name, "").WithControllerOptions(p.ctl), newForceCNOption(p.ForceCN), profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()), // validators diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go index 11b18ebb..90155b3e 100644 --- a/authority/provisioner/aws.go +++ b/authority/provisioner/aws.go @@ -515,7 +515,7 @@ func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro p, templateOptions, // modifiers / withOptions - newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID), + newProvisionerExtensionOption(TypeAWS, p.Name, doc.AccountID, "InstanceID", doc.InstanceID).WithControllerOptions(p.ctl), profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()), // validators defaultPublicKeyValidator{}, diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go index 1c70a132..76bcebb6 100644 --- a/authority/provisioner/azure.go +++ b/authority/provisioner/azure.go @@ -398,7 +398,7 @@ func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, er p, templateOptions, // modifiers / withOptions - newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID), + newProvisionerExtensionOption(TypeAzure, p.Name, p.TenantID).WithControllerOptions(p.ctl), profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()), // validators defaultPublicKeyValidator{}, diff --git a/authority/provisioner/claims.go b/authority/provisioner/claims.go index b6a5a81e..9cd9c42c 100644 --- a/authority/provisioner/claims.go +++ b/authority/provisioner/claims.go 
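Review bot: Honoring the claim now depends on every AuthorizeSign call site remembering to chain `.WithControllerOptions(p.ctl)` onto `newProvisionerExtensionOption`, here in acme.go and likewise in the aws.go, azure.go, gcp.go, jwk.go, k8sSA.go, nebula.go, oidc.go, scep.go and x5c.go hunks; a provisioner type added later that omits the chain keeps emitting the extension with no compile-time signal that the claim was bypassed. Since each caller already has the controller at hand (the next line reads `p.ctl.Claimer`), the constructor could take it and consult `IsDisableSmallstepExtensions` itself, e.g. `newProvisionerExtensionOption(p.ctl, TypeACME, p.Name, "")`, leaving no mutable `Disabled` flag to forget. The enclosing AuthorizeSign bodies start and end outside these hunks.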
@@ -26,6 +26,9 @@ type Claims struct { // Renewal properties DisableRenewal *bool `json:"disableRenewal,omitempty"` AllowRenewalAfterExpiry *bool `json:"allowRenewalAfterExpiry,omitempty"` + + // Other properties + DisableSmallstepExtensions *bool `json:"disableSmallstepExtensions,omitempty"` } // Claimer is the type that controls claims. It provides an interface around the @@ -47,20 +50,22 @@ func (c *Claimer) Claims() Claims { disableRenewal := c.IsDisableRenewal() allowRenewalAfterExpiry := c.AllowRenewalAfterExpiry() enableSSHCA := c.IsSSHCAEnabled() + disableSmallstepExtensions := c.IsDisableSmallstepExtensions() return Claims{ - MinTLSDur: &Duration{c.MinTLSCertDuration()}, - MaxTLSDur: &Duration{c.MaxTLSCertDuration()}, - DefaultTLSDur: &Duration{c.DefaultTLSCertDuration()}, - MinUserSSHDur: &Duration{c.MinUserSSHCertDuration()}, - MaxUserSSHDur: &Duration{c.MaxUserSSHCertDuration()}, - DefaultUserSSHDur: &Duration{c.DefaultUserSSHCertDuration()}, - MinHostSSHDur: &Duration{c.MinHostSSHCertDuration()}, - MaxHostSSHDur: &Duration{c.MaxHostSSHCertDuration()}, - DefaultHostSSHDur: &Duration{c.DefaultHostSSHCertDuration()}, - EnableSSHCA: &enableSSHCA, - DisableRenewal: &disableRenewal, - AllowRenewalAfterExpiry: &allowRenewalAfterExpiry, + MinTLSDur: &Duration{c.MinTLSCertDuration()}, + MaxTLSDur: &Duration{c.MaxTLSCertDuration()}, + DefaultTLSDur: &Duration{c.DefaultTLSCertDuration()}, + MinUserSSHDur: &Duration{c.MinUserSSHCertDuration()}, + MaxUserSSHDur: &Duration{c.MaxUserSSHCertDuration()}, + DefaultUserSSHDur: &Duration{c.DefaultUserSSHCertDuration()}, + MinHostSSHDur: &Duration{c.MinHostSSHCertDuration()}, + MaxHostSSHDur: &Duration{c.MaxHostSSHCertDuration()}, + DefaultHostSSHDur: &Duration{c.DefaultHostSSHCertDuration()}, + EnableSSHCA: &enableSSHCA, + DisableRenewal: &disableRenewal, + AllowRenewalAfterExpiry: &allowRenewalAfterExpiry, + DisableSmallstepExtensions: &disableSmallstepExtensions, } } 
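Review bot: The new `DisableSmallstepExtensions` field is the JSON-facing surface of this feature (`disableSmallstepExtensions`), yet it sits under a bare `// Other properties` heading with no description, while the group above it is at least labelled `// Renewal properties`. Administrators reading the struct or its generated docs will want to know what is omitted and what nil means; I would document it on the field: `// DisableSmallstepExtensions, when true, omits the Smallstep provisioner extension from X.509 certificates issued by this provisioner; nil defers to the authority-wide default.` The nil-defers-to-global behaviour is what `IsDisableSmallstepExtensions` in the following hunk implements.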
@@ -110,6 +115,15 @@ func (c *Claimer) IsDisableRenewal() bool {
 return *c.claims.DisableRenewal
 }
 
+// IsDisableSmallstepExtensions returns if the Smallstep extensions, like the
+// provisioner extension, should be excluded from the certificate.
+func (c *Claimer) IsDisableSmallstepExtensions() bool {
+ if c.claims == nil || c.claims.DisableSmallstepExtensions == nil {
+ return *c.global.DisableSmallstepExtensions
+ }
+ return *c.claims.DisableSmallstepExtensions
+}
+
 // AllowRenewalAfterExpiry returns if the renewal flow is authorized if the
 // certificate is expired. If the property is not set within the provisioner
 // then the global value from the authority configuration will be used.
diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go
index 8634fecc..b6274f8f 100644
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@@ -270,7 +270,7 @@ func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 p,
 templateOptions,
 // modifiers / withOptions
- newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),
+ newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName).WithControllerOptions(p.ctl),
 profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 // validators
 defaultPublicKeyValidator{},
diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index 45012d0e..6c5ee657 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
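Review bot: `IsDisableSmallstepExtensions` dereferences `c.global.DisableSmallstepExtensions` unconditionally whenever the provisioner leaves the claim unset, so any global `Claims` value built before this field existed (a hand-written literal in another package's tests, or an embedding program that calls `NewClaimer` with its own defaults) panics on the first signing request instead of falling back to the default. The shape presumably mirrors the sibling getters, but this field is new and the commit only updates the two global literals visible in it; unless `NewClaimer` validates the global claims (not visible here) there is nothing that catches the omission. A nil guard keeps the fallback total, with false being the documented default (`DefaultDisableSmallstepExtensions = false`): `if c.global.DisableSmallstepExtensions == nil { return false }` placed before the dereference.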
@@ -187,7 +187,7 @@ func (p *JWK) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro self, templateOptions, // modifiers / withOptions - newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID), + newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID).WithControllerOptions(p.ctl), profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()), // validators commonNameValidator(claims.Subject), diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go index eb7084b3..96267d1c 100644 --- a/authority/provisioner/k8sSA.go +++ b/authority/provisioner/k8sSA.go @@ -238,7 +238,7 @@ func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, er p, templateOptions, // modifiers / withOptions - newProvisionerExtensionOption(TypeK8sSA, p.Name, ""), + newProvisionerExtensionOption(TypeK8sSA, p.Name, "").WithControllerOptions(p.ctl), profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()), // validators defaultPublicKeyValidator{}, diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go index 9d418303..6c24bd00 100644 --- a/authority/provisioner/nebula.go +++ b/authority/provisioner/nebula.go @@ -150,7 +150,7 @@ func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, e p, templateOptions, // modifiers / withOptions - newProvisionerExtensionOption(TypeNebula, p.Name, ""), + newProvisionerExtensionOption(TypeNebula, p.Name, "").WithControllerOptions(p.ctl), profileLimitDuration{ def: p.ctl.Claimer.DefaultTLSCertDuration(), notBefore: crt.Details.NotBefore, diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go index 882d0972..06823e2f 100644 --- a/authority/provisioner/oidc.go +++ b/authority/provisioner/oidc.go 
@@ -351,7 +351,7 @@ func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, err o, templateOptions, // modifiers / withOptions - newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID), + newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID).WithControllerOptions(o.ctl), profileDefaultDuration(o.ctl.Claimer.DefaultTLSCertDuration()), // validators defaultPublicKeyValidator{}, diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go index b0acc8fe..ff5b28d2 100644 --- a/authority/provisioner/scep.go +++ b/authority/provisioner/scep.go @@ -190,7 +190,7 @@ func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error) { return []SignOption{ s, // modifiers / withOptions - newProvisionerExtensionOption(TypeSCEP, s.Name, ""), + newProvisionerExtensionOption(TypeSCEP, s.Name, "").WithControllerOptions(s.ctl), newForceCNOption(s.ForceCN), profileDefaultDuration(s.ctl.Claimer.DefaultTLSCertDuration()), // validators diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go index c3db239a..cab7aa43 100644 --- a/authority/provisioner/sign_options.go +++ b/authority/provisioner/sign_options.go @@ -430,6 +430,7 @@ func (o *forceCNOption) Modify(cert *x509.Certificate, _ SignOptions) error { type provisionerExtensionOption struct { Extension + Disabled bool } func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValuePairs ...string) *provisionerExtensionOption { 
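Review bot: The new `Disabled` field on `provisionerExtensionOption` carries no comment, and as an exported field on an unexported type it reads like part of an API rather than the flag that `WithControllerOptions` derives from the claim in the next hunk. A one-line comment ties the two together for the next reader: `// Disabled skips writing the provisioner extension; set from the disableSmallstepExtensions claim by WithControllerOptions.` If nothing outside the package reads it, lower-casing it to `disabled` also makes clear that only the option's own methods are expected to set it.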
@@ -443,7 +444,18 @@ func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValue
 }
 }
 
+// WithControllerOptions returns the provisionerExtensionOption options from the
+// controller. Currently only the claim DisableSmallstepExtensions is used.
+func (o *provisionerExtensionOption) WithControllerOptions(c *Controller) *provisionerExtensionOption {
+ o.Disabled = c.Claimer.IsDisableSmallstepExtensions()
+ return o
+}
+
 func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error {
+ if o.Disabled {
+ return nil
+ }
+
 ext, err := o.ToExtension()
 if err != nil {
 return errs.NewError(http.StatusInternalServerError, err, "error creating certificate")
diff --git a/authority/provisioner/sign_options_test.go b/authority/provisioner/sign_options_test.go
index 01d2a0cd..e36d051f 100644
--- a/authority/provisioner/sign_options_test.go
+++ b/authority/provisioner/sign_options_test.go
@@ -604,14 +604,24 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
 t.Fatal(err)
 }
 
+ // Claims with smallstep extensions disabled.
+ claimer, err := NewClaimer(&Claims{
+ DisableSmallstepExtensions: &trueValue,
+ }, globalProvisionerClaims)
+ if err != nil {
+ t.Fatal(err)
+ }
+
 type test struct {
- cert *x509.Certificate
- valid func(*x509.Certificate)
+ modifier *provisionerExtensionOption
+ cert *x509.Certificate
+ valid func(*x509.Certificate)
 }
 tests := map[string]func() test{
 "ok/one-element": func() test {
 return test{
- cert: new(x509.Certificate),
+ modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value"),
+ cert: new(x509.Certificate),
 valid: func(cert *x509.Certificate) {
 if assert.Len(t, 1, cert.ExtraExtensions) {
 ext := cert.ExtraExtensions[0]
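Review bot: The early `return nil` added at the top of `Modify` skips the path that otherwise replaces an existing `StepOIDProvisioner` entry in `cert.ExtraExtensions` (the `ok/replace` case in sign_options_test.go exercises that replacement), so with the claim enabled a provisioner extension that reached the certificate through the template, or whatever else populated `ExtraExtensions` before the modifiers run, is left in the issued certificate untouched, carrying a provisioner identity the CA did not assert. Since the claim promises the extension is excluded, the disabled branch should drop any existing entry rather than return before looking, which also makes the behaviour independent of the starting certificate. Separately, `WithControllerOptions` dereferences `c.Claimer` with no guard; the test builds `Controller` field by field (`&Controller{Claimer: claimer}`), so a nil Claimer would surface as a panic inside the signing path rather than an error — whether that can happen in production depends on how Controller is constructed, which is not visible here. The rest of Modify, including the replace-or-append logic, is outside this hunk.
```go
func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error {
	if o.Disabled {
		// The claim promises no Smallstep provisioner extension: strip any copy
		// that reached the certificate before the modifiers ran instead of
		// leaving it in place.
		kept := cert.ExtraExtensions[:0]
		for _, e := range cert.ExtraExtensions {
			if !e.Id.Equal(StepOIDProvisioner) {
				kept = append(kept, e)
			}
		}
		cert.ExtraExtensions = kept
		return nil
	}
	// … unchanged: ToExtension call and replace-or-append logic …
```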
@@ -625,7 +635,8 @@ func Test_newProvisionerExtension_Option(t *testing.T) { }, "ok/replace": func() test { return test{ - cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}}, + modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value"), + cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}}, valid: func(cert *x509.Certificate) { if assert.Len(t, 2, cert.ExtraExtensions) { ext := cert.ExtraExtensions[0] @@ -636,11 +647,22 @@ func Test_newProvisionerExtension_Option(t *testing.T) { }, } }, + "ok/disabled": func() test { + return test{ + modifier: newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").WithControllerOptions(&Controller{ + Claimer: claimer, + }), + cert: new(x509.Certificate), + valid: func(cert *x509.Certificate) { + assert.Len(t, 0, cert.ExtraExtensions) + }, + } + }, } for name, run := range tests { t.Run(name, func(t *testing.T) { tt := run() - assert.FatalError(t, newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").Modify(tt.cert, SignOptions{})) + assert.FatalError(t, tt.modifier.Modify(tt.cert, SignOptions{})) tt.valid(tt.cert) }) } diff --git a/authority/provisioner/utils_test.go b/authority/provisioner/utils_test.go index 55fdfe6f..a599a835 100644 --- a/authority/provisioner/utils_test.go +++ b/authority/provisioner/utils_test.go 
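Review bot: The `ok/disabled` case starts from `new(x509.Certificate)`, so it only proves that nothing is added, not what happens to a provisioner extension already present in `ExtraExtensions`, which the `ok/replace` case shows is the interesting input for this modifier. A fourth case combining the disabled claimer with the `ok/replace` starting certificate (the `StepOIDProvisioner` entry plus the `[]int{1, 2, 3}` one) and asserting the resulting length would pin whether the claim strips the existing entry or keeps it; whichever behaviour is intended, asserting it here is what stops the two cases from drifting apart. `trueValue` is referenced in the earlier hunk but not declared there; presumably it exists higher in the file.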
@@ -24,22 +24,24 @@ import ( ) var ( - defaultDisableRenewal = false - defaultAllowRenewalAfterExpiry = false - defaultEnableSSHCA = true - globalProvisionerClaims = Claims{ - MinTLSDur: &Duration{5 * time.Minute}, - MaxTLSDur: &Duration{24 * time.Hour}, - DefaultTLSDur: &Duration{24 * time.Hour}, - MinUserSSHDur: &Duration{Duration: 5 * time.Minute}, // User SSH certs - MaxUserSSHDur: &Duration{Duration: 24 * time.Hour}, - DefaultUserSSHDur: &Duration{Duration: 16 * time.Hour}, - MinHostSSHDur: &Duration{Duration: 5 * time.Minute}, // Host SSH certs - MaxHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour}, - DefaultHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour}, - EnableSSHCA: &defaultEnableSSHCA, - DisableRenewal: &defaultDisableRenewal, - AllowRenewalAfterExpiry: &defaultAllowRenewalAfterExpiry, + defaultDisableRenewal = false + defaultAllowRenewalAfterExpiry = false + defaultEnableSSHCA = true + defaultDisableSmallstepExtensions = false + globalProvisionerClaims = Claims{ + MinTLSDur: &Duration{5 * time.Minute}, + MaxTLSDur: &Duration{24 * time.Hour}, + DefaultTLSDur: &Duration{24 * time.Hour}, + MinUserSSHDur: &Duration{Duration: 5 * time.Minute}, // User SSH certs + MaxUserSSHDur: &Duration{Duration: 24 * time.Hour}, + DefaultUserSSHDur: &Duration{Duration: 16 * time.Hour}, + MinHostSSHDur: &Duration{Duration: 5 * time.Minute}, // Host SSH certs + MaxHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour}, + DefaultHostSSHDur: &Duration{Duration: 30 * 24 * time.Hour}, + EnableSSHCA: &defaultEnableSSHCA, + DisableRenewal: &defaultDisableRenewal, + AllowRenewalAfterExpiry: &defaultAllowRenewalAfterExpiry, + DisableSmallstepExtensions: &defaultDisableSmallstepExtensions, } testAudiences = Audiences{ Sign: []string{"https://ca.smallstep.com/1.0/sign", "https://ca.smallstep.com/sign"}, diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go index be606ae8..b6e78697 100644 --- a/authority/provisioner/x5c.go +++ b/authority/provisioner/x5c.go 
@@ -237,7 +237,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro self, templateOptions, // modifiers / withOptions - newProvisionerExtensionOption(TypeX5C, p.Name, ""), + newProvisionerExtensionOption(TypeX5C, p.Name, "").WithControllerOptions(p.ctl), profileLimitDuration{ p.ctl.Claimer.DefaultTLSCertDuration(), x5cLeaf.NotBefore, x5cLeaf.NotAfter, diff --git a/authority/provisioners.go b/authority/provisioners.go index 5d594536..27361236 100644 --- a/authority/provisioners.go +++ b/authority/provisioners.go @@ -646,8 +646,9 @@ func claimsToCertificates(c *linkedca.Claims) (*provisioner.Claims, error) { } pc := &provisioner.Claims{ - DisableRenewal: &c.DisableRenewal, - AllowRenewalAfterExpiry: &c.AllowRenewalAfterExpiry, + DisableRenewal: &c.DisableRenewal, + AllowRenewalAfterExpiry: &c.AllowRenewalAfterExpiry, + DisableSmallstepExtensions: &c.DisableSmallstepExtensions, } var err error @@ -686,6 +687,7 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims { disableRenewal := config.DefaultDisableRenewal allowRenewalAfterExpiry := config.DefaultAllowRenewalAfterExpiry + disableSmallstepExtensions := config.DefaultDisableSmallstepExtensions if c.DisableRenewal != nil { disableRenewal = *c.DisableRenewal @@ -693,10 +695,14 @@ func claimsToLinkedca(c *provisioner.Claims) *linkedca.Claims { if c.AllowRenewalAfterExpiry != nil { allowRenewalAfterExpiry = *c.AllowRenewalAfterExpiry } + if c.DisableSmallstepExtensions != nil { + disableSmallstepExtensions = *c.DisableSmallstepExtensions + } lc := &linkedca.Claims{ - DisableRenewal: disableRenewal, - AllowRenewalAfterExpiry: allowRenewalAfterExpiry, + DisableRenewal: disableRenewal, + AllowRenewalAfterExpiry: allowRenewalAfterExpiry, + DisableSmallstepExtensions: disableSmallstepExtensions, } if c.DefaultTLSDur != nil || c.MinTLSDur != nil || c.MaxTLSDur != nil { diff --git a/go.mod b/go.mod index 37ac04ec..ceb6b28b 100644 --- a/go.mod +++ b/go.mod 
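Review bot: `claimsToCertificates` and `claimsToLinkedca` now read and write `DisableSmallstepExtensions` on `*linkedca.Claims`, which requires go.step.sm/linkedca to already expose that field; the only go.mod change in this commit removes commented-out `replace` directives and does not bump linkedca, so either the pinned version already carries the field or the build breaks, and that is worth confirming before merge. Note also that `&c.DisableSmallstepExtensions` in `claimsToCertificates` always yields a non-nil pointer, so a linkedca claim that never set the value pins it to false rather than deferring to the authority default the way a JSON config with the key omitted does; that mirrors the existing `DisableRenewal` handling, so it is consistent, but the two configuration paths disagree on what "unset" means and a comment saying so would save the next reader a surprise. Both enclosing functions start and end outside these hunks.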
@@ -140,11 +140,5 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect ) -// replace github.com/smallstep/nosql => ../nosql -// replace go.step.sm/crypto => ../crypto - -// replace go.step.sm/cli-utils => ../cli-utils -// replace go.step.sm/linkedca => ../linkedca - // use github.com/smallstep/pkcs7 fork with patches applied replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20230302202335-4c094085c948 diff --git a/pki/testdata/helm/with-ssh-and-acme.yml b/pki/testdata/helm/with-ssh-and-acme.yml index 639aca6a..7398c7e5 100644 --- a/pki/testdata/helm/with-ssh-and-acme.yml +++ b/pki/testdata/helm/with-ssh-and-acme.yml 
@@ -23,7 +23,7 @@ inject: authority: enableAdmin: false provisioners: - - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}} + - 
{"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}} - {"type":"ACME","name":"acme"} - {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}} tls: diff --git a/pki/testdata/helm/with-ssh.yml b/pki/testdata/helm/with-ssh.yml index 2e4845f0..d5b38de7 100644 --- a/pki/testdata/helm/with-ssh.yml +++ b/pki/testdata/helm/with-ssh.yml 
@@ -23,7 +23,7 @@ inject: authority: enableAdmin: false provisioners: - - {"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false},"options":{"x509":{},"ssh":{}}} + - 
{"type":"JWK","name":"step-cli","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}} - {"type":"SSHPOP","name":"sshpop","claims":{"enableSSHCA":true}} tls: cipherSuites: