* Use dnsNamesSubsetValidator for IID provisioners
... when disableCustomSANs is set to 'true'.
The DNS names in the certificate request must be a subset of the
authorized set of DNS names (from the IID token). The previous
functionality required that the DNS names in the certificate request
exactly matched the authorized DNS names.
* Update authority/provisioner/sign_options.go
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
* Update authority/provisioner/sign_options.go
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
* Use map[string]struct rather than map[string]bool for clarity
---------
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
* move to use embed instead of a multi-line string
* add test to ensure all certificates are valid
* add test to ensure validity (no expired certificate)
* api/render: initial implementation of the package
* acme/api: refactored to support api/render
* authority/admin: refactored to support api/render
* ca: refactored to support api/render
* api: refactored to support api/render
* api/render: implemented Error
* api: refactored to support api/render.Error
* acme/api: refactored to support api/render.Error
* authority/admin: refactored to support api/render.Error
* ca: refactored to support api/render.Error
* ca: fixed broken tests
* api/render, api/log: moved error logging to this package
* acme: refactored Error so that it implements render.RenderableError
* authority/admin: refactored Error so that it implements render.RenderableError
* api/render: implemented RenderableError
* api/render: added test coverage for Error
* api/render: implemented statusCodeFromError
* api: refactored RootsPEM to work with render.Error
* acme, authority/admin: fixed pointer receiver name for consistency
* api/render, errs: moved StatusCoder & StackTracer to the render package
This changes adds a new option `iidRoots` that allows a user to
define one or more certificates that will be used for AWS IID
signature validation.
Fixes#393
* Add constructor tests for the aws provisioner.
* Add a test to make sure the "v1" logic continues to work.
By and large, v2 is the way to go. However, there are some instances of
things that specifically request metadata service version 1 and so this
adds minimal coverage to make sure we don't accidentally break the path
should anyone need to depend on the former logic.