Max
88443ddab9
Use dnsNamesSubsetValidator for IID provisioners (#2044)
* Use dnsNamesSubsetValidator for IID provisioners
... when disableCustomSANs is set to 'true'.
The DNS names in the certificate request must be a subset of the
authorized set of DNS names (from the IID token). The previous
functionality required that the DNS names in the certificate request
exactly matched the authorized DNS names.
* Update authority/provisioner/sign_options.go
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
* Update authority/provisioner/sign_options.go
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
* Use map[string]struct rather than map[string]bool for clarity
---------
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2024-10-25 10:39:04 -07:00
Mariano Cano
f8bda96940
Apply suggestions from code review
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2024-07-01 12:49:26 -07:00
Mariano Cano
cb9abbe25b
Add support for validities in templates
This commit upgrades go.step.sm/crypto with a version that adds support
for setting validity bounds in templates. It also adds support for these
in the certificate modifiers.
The priority for the validity bounds is:
1. Coming from flags.
2. Coming from the template.
3. Defaults.
2024-06-28 16:21:12 -07:00
Max
9f84f7ce35
Allow for identity certificate signing (in sshSign) by skipping validators (#1572)
- skip urisValidator for identity certificate signing. Implemented
by building the validator with the context in a hacky way.
2023-10-06 14:02:19 -07:00
Mariano Cano
c7c7decd5e
Add support for the disableSmallstepExtensions claim
This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.
Fixes #620
2023-07-27 15:05:01 -07:00
Mariano Cano
ac35f3489c
Remove unused certificate validators and modifiers
With the introduction of certificate templates some certificate
validators and modifiers are not used anymore. This commit deletes the
ones that are not used.
2023-03-31 14:54:49 -07:00
Mariano Cano
21427d5d65
Replace instead of prepend provisioner extension
With non standard SANs this will generate the SAN and provisioner
extension in the same order.
2022-08-09 16:48:00 -07:00
Mariano Cano
4690fa64ed
Add public methods to retrieve the provisioner extensions.
2022-03-11 14:59:42 -08:00
Mariano Cano
b9beab071d
Fix unit tests.
2021-11-23 18:43:36 -08:00
max furman
16665c97f0
Allow empty SAN in CSR for validation ...
- The default template will always use the SANs from the token.
- If there are any SANs they must be validated against the token.
2021-01-14 15:26:46 -06:00
Mariano Cano
35bd3ec383
Merge pull request #329 from smallstep/ssh-cert-templates
SSH cert templates
2020-08-28 14:42:58 -07:00
max furman
46fc922afd
Remove unused code; fix usage wrong word; add gap time for unit test
2020-08-20 18:48:17 -07:00
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
2020-08-14 15:33:50 -07:00
Mariano Cano
37f84e9bb3
Add delay in test.
2020-08-03 19:01:15 -07:00
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
0c8376a7f6
Fix existing unit tests.
2020-07-21 14:21:54 -07:00
max furman
71d87b4e61
wip
2020-06-24 23:25:15 -07:00
max furman
d25e7f64c2
wip
2020-06-24 09:58:40 -07:00
max furman
1951669e13
wip
2020-06-23 11:10:45 -07:00
max furman
7d5cf34ce5
Update profileLimitDuration validator ...
- respect notBefore of the provisioner
- modify/fix the reported errors
2020-06-16 12:16:43 -07:00
Oleksandr Kovalchuk
4cd01b6868
Implement tests for forceCNOption modifier
Implement unit tests which check forceCNOption modifier (implemented
in 322200b7db) is not broken and works correctly.
Ref: https://github.com/smallstep/certificates/issues/259
2020-05-17 20:29:28 +03:00
Mariano Cano
a2dfa6faa8
Fix unit tests.
2020-04-20 12:29:23 -07:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
895d3054a3
Remove the use of custom x509 package.
Upgrade cli dependency.
2020-01-28 13:29:39 -08:00
Mariano Cano
06411d1715
Add tests of profileLimitDuration with backdate.
2020-01-28 13:29:39 -08:00
Mariano Cano
8297e5c717
Add tests for backdate and sshDefaultDuration
2020-01-28 13:29:39 -08:00
Mariano Cano
93b65bee7c
Add unit test for profileDefaultDuration.
2020-01-28 13:29:39 -08:00
max furman
d368791606
Add x5c provisioner capabilities
2019-10-14 14:51:37 -07:00
max furman
2b41faa9cf
Enforce >= 2048 bit rsa keys at the provisioner layer
* Fixes #94
* In the future this should be configurable by provisioner
2019-08-27 14:44:59 -07:00
max furman
635c59ed24
Accept emails SANs
2019-08-23 15:59:30 -07:00
Mariano Cano
900ab9cc12
Allow custom common names in cloud identity provisioners.
2019-07-15 15:52:36 -07:00
Mariano Cano
c24d868d9d
Add tests for sign options.
2019-03-11 13:25:19 -07:00
Mariano Cano
54d86ca1c1
testing work in progress.
2019-03-07 19:30:17 -08:00