2d357da99b
Add tests for ACME revocation
3 years ago
ed295ca15d
Fix linting issue
3 years ago
2d50c96d99
Merge branch 'master' into hs/acme-revocation
3 years ago
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
c7a9c13060
Add tests for extractOrLookupJWK middleware
3 years ago
3151255a25
Merge branch 'master' into hs/acme-revocation
3 years ago
dd4b4b0435
Fix remaining gocritic remarks
3 years ago
e0b495e4c8
Merge branch 'master' into hs/acme-eab
3 years ago
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
0afea2e957
Improve tests for already bound EAB keys
3 years ago
02cd3b6b3b
Fix PR comments
3 years ago
a98fe03e80
Merge branch 'master' into hs/acme-eab
3 years ago
1dba8698e3
Use LinkedCA.EABKey type in ACME EAB API
3 years ago
470b546d59
Merge pull request #557 from joejulian/http01-isv
...
use InsecureSkipVerify for validation
3 years ago
f31ca4f6a4
Add tests for validateExternalAccountBinding
3 years ago
492256f2d7
Add first test cases for EAB and make provisioner unique per EAB
...
Before this commit, EAB keys could be used CA-wide, meaning that
an EAB credential could be used at any ACME provisioner. This
commit changes that behavior, so that EAB credentials are now
intended to be used with a specific ACME provisioner. I think
that makes sense, because from the perspective of an ACME client
the provisioner is like a distinct CA.
Besides that this commit also includes the first tests for EAB.
The logic for creating the EAB JWS as a client has been taken
from github.com/mholt/acmez. This logic may be moved or otherwise
sourced (i.e. from a vendor) as soon as the step client also
(needs to) support(s) EAB with ACME.
3 years ago
c6bfc6eac2
Fix PR comments
3 years ago
d669f3cb14
Fix misspelling
3 years ago
540d5fbbdc
Fix marshaling -> marshalling
3 years ago
2110c7722f
Fix JWK payload key equality check
3 years ago
d44cd18b96
Add External Accounting Binding key "BoundAt" marking
3 years ago
f81d49d963
Add first working version of External Account Binding
3 years ago
258efca0fa
Improve revocation authorization
3 years ago
2b15230aa4
Add Serial to Cert ID ACME table and lookup
3 years ago
8f7e700f09
Merge branch 'master' into hs/acme-revocation
3 years ago
857a50434c
Merge branch 'master' into max/cert-mgr-crud
3 years ago
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
0e56932e76
Add support for revocation using JWK
3 years ago
84e7d468f2
Improve handling of ACME revocation
3 years ago
d53bcaf830
Add base logic for ACME revoke-cert
3 years ago
64c15fde7e
Add tests for canonicalize function
3 years ago
523ae96749
Change identifier and challenge types to consts
3 years ago
84ea8bd67a
Fix PR comments
3 years ago
76dcf542d4
Fix mixed DNS and IP SANs in Order
3 years ago
a0e92f8e99
Verify IP identifier contains valid IP
3 years ago
6486e6016b
Make logic for which challenge types to use clearer
3 years ago
3e36522329
Add preliminary support for TLS-ALPN-01 challenge for IP identifiers
3 years ago
6d9710c88d
Add initial support for ACME IP validation
3 years ago
0369151bfa
use InsecureSkipVerify for validation
...
The server will not yet have a valid certificate so we need to disable
certificate validation in the HTTPGetter.
3 years ago
2e1524ec2f
Remove the creation on nonce on get acme directory.
...
According to RFC 8555, the replay nonces are only required in POST
requests. And of course in the new-nonce request.
3 years ago
93c3c2bf2e
Error handle non existent provisioner downstream and disable debug route logging
3 years ago
497ec0c79b
Fix linter issues
3 years ago
b1888fd34d
Use different method for unescpaed paths for the router
3 years ago
672e3f976e
Few ACME fixes ...
...
- always URL escape linker output
- validateJWS should accept RSAPSS
- GetUpdateAccount -> GetOrUpdateAccount
3 years ago
440678cb62
Add markInvalid arg to storeError for invalidating challenge
3 years ago
6b8585c702
PR review fixes / updates
3 years ago
a785131d09
Fix lint issues
3 years ago
80c8567d99
change errnotfound type for getAccount
...
- more generalized NotFound type rather than the nosql
one we were using
- if the error is not recognized then the logic in create account will
break.
3 years ago
1831920363
Finish order unit tests and remove unused mocklinker
3 years ago
b6ebc0fd25
more unit tests
3 years ago
df05340521
fixing broken unit tests
3 years ago
f72b2ff2c2
[acme db interface] nosql authz unit tests
3 years ago
074ab7b221
[acme db interface] add linker tests
3 years ago
8d2ebcfd49
[acme db interface] more unit tests
3 years ago
20b9785d20
[acme db interface] continuing unit test work
3 years ago
291fd5d45a
[acme db interface] more unit tests
3 years ago
f71e27e787
[acme db interface] unit test progress
3 years ago
bb8d54e596
[acme db interface] unit tests compiling
3 years ago
f20fcae80e
[acme db interface] wip unit test fixing
3 years ago
fc395f4d69
[acme db interface] compiles!
3 years ago
116869ebc5
[acme db interface] wip
3 years ago
80a6640103
[acme db interface] wip
3 years ago
1135ae04fc
[acme db interface] wip
3 years ago
2ae43ef2dc
[acme db interface] wip errors
3 years ago
c94a1c51be
Merge branch 'master' into ssh-cert-templates
4 years ago
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
d30a95236d
Use always go.step.sm/crypto
4 years ago
55bf5a4526
Add cert logging for acme/certificate api
4 years ago
a26b5f322d
acme/api: Brush up documentation on key-change
...
Add more specific wording describing what a 501 means and add more color
explaining how official vs unofficial error types should be handled.
4 years ago
b26e6e42b3
acme: Return 501 for the key-change route
...
RFC 8555 § 7.3.5 is not listed as optional but we do not currently
support it. Rather than 404, return a 501 to inform clients that this
functionality is not yet implemented.
The notImplmented error type is not an official error registered in the
ietf:params:acme:error namespace, so prefix if with step:acme:error. An
ACME server is allowed to return other errors and clients should display
the message detail to users.
Fixes: https://github.com/smallstep/certificates/issues/209
4 years ago
6e69f99310
Always set nbf and naf for new ACME orders ...
...
- Use the default value from the ACME provisioner if values are not
defined in the request.
4 years ago
e1409349f3
Allow relative URL for all links in ACME api ...
...
* Pass the request context all the way down the ACME stack.
* Save baseURL in context and use when generating ACME urls.
4 years ago
639993bd09
Read host and protocol information from request for links
...
When constructing links we want to read the required host and protocol
information in a dynamic manner from the request for constructing ACME
links such as the directory information. This way, if the server is
running behind a proxy, and we don't know what the exposed URL should
be at runtime, we can construct the required information from the
host, tls and X-Forwarded-Proto fields in the HTTP request.
Inspired by the LetsEncrypt Boulder project (web/relative.go).
4 years ago
4cb777bdc1
ACME accountUpdate ignore fields not recognized by the server.
4 years ago
c255274572
Should be returning status code 400 for ACME Account Not Found.
...
Issue #173
4 years ago
d368791606
Add x5c provisioner capabilities
5 years ago
7aec7c2612
Create ACME database tables when initializing ACME autority.
5 years ago
e3826dd1c3
Add ACME CA capabilities
5 years ago
Herman Slatman
max furman
Mariano Cano
Joe Julian
Mariano Cano
David Cowden
Clive Jevons