Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,272 Commits
40 Branches
214 Tags
90 MiB
master
wire-acme-extensions
mariano/init-provisioners
fix-1637
dependabot/go_modules/github.com/slackhq/nebula-1.8.2
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
Commit Graph

373 Commits (master)

Author SHA1 Message Date
Herman Slatman 589a62df74
Make validation of `tpm` format stricter 1 year ago
Herman Slatman 213b31bc2c
Simplify processing logic for unhandled critical extension 1 year ago
Herman Slatman e1c7e8f00b
Return the CSR public key fingerprint for `tpm` format 1 year ago
Herman Slatman 6297bace1a
Merge branch 'master' into herman/acme-da-tpm 1 year ago
Herman Slatman 69489480ab
Add more complete `tpm` format validation 1 year ago
Mariano Cano 5ff0dde819
Remove json tag in acme.Authorization fingerprint 1 year ago
Mariano Cano 6ba20209c2
Verify CSR key fingerprint with attestation certificate key 
This commit makes sure that the attestation certificate key matches the
key used on the CSR on an ACME device attestation flow.
 1 year ago
Herman Slatman 3a6fc5e0b4
Remove dependency on `smallstep/assert` in ACME challenge tests 1 year ago
Herman Slatman 0f1c509e4b
Remove debug utility 1 year ago
Herman Slatman 0f9128c873
Fix linting issue and order of test SUT 1 year ago
Herman Slatman 2ab9beb7ed
Add tests for `deviceAttest01Validate` 1 year ago
Herman Slatman ed61c5df5f
Cleanup some leftover debug statements 1 year ago
Herman Slatman 60a9e41c1c
Remove `Identifier` from top level ACME `Errors` 1 year ago
Herman Slatman edee01c80c
Refactor debug utility 1 year ago
Herman Slatman 1c38113e44
Add ACME `Subproblem` for more detailed ACME client-side errors 
When validating an ACME challenge (`device-attest-01` in this case,
but it's also true for others), and validation fails, the CA didn't
return a lot of information about why the challenge had failed. By
introducing the ACME `Subproblem` type, an ACME `Error` can include
some additional information about what went wrong when validating
the challenge.

This is a WIP commit. The `Subproblem` isn't created in many code
paths yet, just for the `step` format at the moment. Will probably
follow up with some more improvements to how the ACME error is
handled. Also need to cleanup some debug things (q.Q)
 1 year ago
Herman Slatman f1724ea8c5
Merge branch 'master' into herman/acme-da-tpm 1 year ago
Herman Slatman 64d9ad7b38
Validate Subject Common Name for Orders with Permanent Identifier 1 year ago
Herman Slatman 817edcbba5
Remove `charset=utf-8` from ACME certificate requests 2 years ago
Herman Slatman 4cf25ede24
Merge branch 'master' into herman/acme-da-tpm 2 years ago
Herman Slatman 3eae04928f
Add tests for ACME Meta object 2 years ago
Herman Slatman 02d679e160
Merge branch 'master' into herman/ignore-empty-acme-meta 2 years ago
Mariano Cano e27c6c529b
Add support for custom acme ports 
This change adds the flags --acme-http-port, --acme-tls-port, that
combined with --insecure can be used to set custom ports for ACME
http-01 and tls-alpn-01 challenges. These flags should only be used
for testing purposes.

Fixes #1015
 2 years ago
Herman Slatman b9f238ad4d
Add additional ACME `meta` properties to provisioner configuration 2 years ago
Herman Slatman c9793561ff
Make `meta` object optional in ACME directory response 
Harware appliances from Kemp seem to validate the contents of the
`meta` object, even if none of the properties in the `meta` object
is set. According to the RFC, the `meta` object, as well as its
properties are optional, so technically this should be fixed by
the manufacturer.

This commit is to see if we validation of the `meta` object is
skipped if it's not available in the response.
 2 years ago
Mariano Cano a7e597450a
Update acme/challenge_test.go 
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
 2 years ago
Mariano Cano 7a78c76199
Add test simulating YubiKey v5.2.4 
There are YubiKeys v5.2.4 where the attestation intermediate (f9)
does not have a basic constraint extension, so that certificate
is not marked as a CA. The test and CA in this commit imitates
that use case. Currently the test case returns an error as we
don't support it. But if we change the verification to support
this use case, the test should change accordingly.
 2 years ago
Mariano Cano 21666ba887
Revert "Set timestamp when marking an acme challenge invalid" 
This reverts commit 5f130895f3.
 2 years ago
Mariano Cano 8538ff06b7
Add missing error case. 2 years ago
Mariano Cano 5f130895f3
Set timestamp when marking an acme challenge invalid 2 years ago
Andrew Reed 7101fbb0ee
Provisioner webhooks (#1001) 2 years ago
Herman Slatman a8125846dd
Add TPM attestation 2 years ago
max furman f3d1863ec6
A few more linter errors 2 years ago
Mariano Cano 99299faeeb
Add AuthorizeChallenge unit tests 2 years ago
Mariano Cano f0a24bd8ca
Add acme property to enable challenges 
Fixes #1027
 2 years ago
Mariano Cano 191d9e8629
Use go.step.sm/crypto to set the permanent identifier 2 years ago
Mariano Cano 2b3b2c283a
Add attestation certificate validation for Apple devices 2 years ago
Brandon Weeks 5f5315260a
iOS 16 beta 1 support 2 years ago
Brandon Weeks de5b0ef5c2
Verify key authorization is contained within the TPM quote extraData field 2 years ago
Brandon Weeks 6f2b4d3042
Add ACME permanent-identifier identifier type 2 years ago
max furman ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors 2 years ago
Mariano Cano 7dc2067cb2
Update acme/errors.go 
Co-authored-by: Max <mx.furman@gmail.com>
 2 years ago
Mariano Cano 226d36f66f Fix unit tests 2 years ago
Mariano Cano 8cf6675ce4 Return the internal error instead of the ACME error 
For ACME errors, return the internal error string instead of the
ACME one on the "Error() string" function. This way the logs will
have more information about the cause of an error.

Fixes #1057
 2 years ago
Mariano Cano 34c6c65671 Pass attestation information to the Sign method 
Attestation information might be useful in authorizing webhooks
 2 years ago
Mariano Cano 498549c95c Extract common function used in tests 2 years ago
Mariano Cano 829530ae90 Fix linter errors 2 years ago
Mariano Cano 6b73a020e3 Add unit tests for apple and step attestations 2 years ago
Mariano Cano 0f651799d0 Reject not enabled attestation formats 2 years ago
Mariano Cano fd4e96d1f4 Rename method to IsChallengeEnabled 2 years ago
Mariano Cano c77b4ff9c5 Fix linter errors 2 years ago
Mariano Cano 59c5219a07 Use a type for acme challenges 2 years ago
Mariano Cano a89bea701d Format comment 2 years ago
Mariano Cano 5df9434286 Fix old comment, device-attest-01 uses the acme payload 2 years ago
Mariano Cano c5d3714a63 Fix acme error map 2 years ago
Mariano Cano 08815c5e90 Reneame attestation statement error 2 years ago
Mariano Cano 3cd72ac72a Remove debug statements 2 years ago
Mariano Cano e75e7e7cd6 Fix linter warnings 2 years ago
Mariano Cano 54d92095ac Validate proof of possession signature 
On the step format, validate proof of possession of the private
key validating the signature in the attestation statement.
 2 years ago
Mariano Cano 59b7603d1e Use a clientAuth only cert for device-attest-01 2 years ago
Mariano Cano ca412e77cc Return error on attestation validation 
The method storeError returns a nil error
 2 years ago
Mariano Cano ab5f916bd3 Define ErrorBadAttestationStatement 2 years ago
Mariano Cano 735c9d49b0 Add support for yubikey attestation 2 years ago
Mariano Cano df96b126dc Add AuthorizeChallenge unit tests 2 years ago
Mariano Cano bca311b05e Add acme property to enable challenges 
Fixes #1027
 2 years ago
Mariano Cano ae8d4d8757 Fix unit test 2 years ago
Mariano Cano 693dc39481 Merge branch 'master' into device-attestation 2 years ago
Mariano Cano 23b8f45b37 Address gosec warnings 
Most if not all false positives
 2 years ago
max furman c040e4b459 Add unit tests 2 years ago
max furman b7c2f6c482 Check for DNS name validity 2 years ago
Mariano Cano b62f4d1000 Add lgtm comments on some security warnings 2 years ago
Mariano Cano 2f7cb9225f Use go.step.sm/crypto to set the permanent identifier 2 years ago
Mariano Cano 2ab1e6658e Fix nonce validation 
The attestation certificate contains the nonce as raw bytes in the
extension 1.2.840.113635.100.8.11.1
 2 years ago
Mariano Cano 66356cff43 Add attestation certificate validation for Apple devices 2 years ago
Brandon Weeks 274f6ccb41 iOS 16 beta 2 support 2 years ago
Brandon Weeks 7e1b0bebd9 iOS 16 beta 1 support 2 years ago
Brandon Weeks 77c6d10fd6 Verify key authorization is contained within the TPM quote extraData field 2 years ago
Brandon Weeks e1ec31c0ed Implement TPM attestation statement verification 2 years ago
Brandon Weeks 2ac8b69da2 Add ACME permanent-identifier identifier type 2 years ago
Brandon Weeks aacd6f4cc6 Add device-attest-01 challenge type 2 years ago
Brandon Weeks 860baeb1c5 Verbose debug logging 2 years ago
Shulhan fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19) 
There are some changes that manually edited, for example using '-' as
default list and grouping imports.
 2 years ago
Herman Slatman abfbbc8d49
Merge pull request #946 from smallstep/herman/acme-csr-padding 
Strip base64-url padding from ACME CSR
 2 years ago
Herman Slatman fd546287ac
Strip base64-url padding from ACME CSR 
This commit strips the padding from a base64-url encoded CSR
submitted by a client that doesn't use raw base64-url encoding.
 2 years ago
Mariano Cano e7f4eaf6c4 Remove explicit deprecation notice 
This will avoid linter errors on other projects for now.
 2 years ago
Mariano Cano d461918eb0 Merge branch 'master' into context-authority 2 years ago
Mariano Cano 2ea0c70344 Move acme context middleware to deprecated handler 2 years ago
Mariano Cano 9147356d8a Fix linter errors 2 years ago
Mariano Cano 2ab7dc6f9d Fix acme tests. 2 years ago
Mariano Cano ba499eeb2a Fix acme/api tests. 2 years ago
Mariano Cano 6f9d847bc6 Fix panic in acme/api tests. 2 years ago
Herman Slatman d82e51b748
Update AllowWildcardNames configuration name 2 years ago
Mariano Cano d1f75f1720 Refactor ACME api. 2 years ago
Mariano Cano fddd6f7d95 Move linker to the acme package. 2 years ago
Mariano Cano 55b0f72821 Add context methods for the acme linker. 2 years ago
Mariano Cano bb8d85a201 Fix unit tests - work in progress 2 years ago
Mariano Cano 42435ace64 Use scep authority from context 
This commit also converts all the methods from the handler to
functions.
 2 years ago
Mariano Cano d13537d426 Use context in the acme handlers. 2 years ago
Mariano Cano bd412c9f42 Add context methods for the acme database 2 years ago
Herman Slatman 6e1f8dd7ab
Refactor policy engines into container 2 years ago
Herman Slatman 2a7620641f
Fix more PR comments 2 years ago