7df52dbb76
Add ACME EAB policy
2 years ago
150eee70df
Updates based on Herman's feedback
2 years ago
acc75bc679
Add context name to startup info
2 years ago
4b9f44982d
Merge branch 'master' into startup-info
2 years ago
43f2c655b9
More info on startup
2 years ago
7ebb2e4c74
Update ca/ca.go
...
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2 years ago
1ba1584c7a
Formatted.
2 years ago
a13e58e340
Update GetAuthorityInfo -> GetInfo
2 years ago
90cb6315b1
Progress.
2 years ago
055e75f394
Progress?
2 years ago
2fbdf7d5b0
Merge branch 'master' into herman/allow-deny
2 years ago
0e052fe299
Add authority policy API
2 years ago
00634fb648
api/render, api/log: initial implementation of the packages ( #860 )
...
* api/render: initial implementation of the package
* acme/api: refactored to support api/render
* authority/admin: refactored to support api/render
* ca: refactored to support api/render
* api: refactored to support api/render
* api/render: implemented Error
* api: refactored to support api/render.Error
* acme/api: refactored to support api/render.Error
* authority/admin: refactored to support api/render.Error
* ca: refactored to support api/render.Error
* ca: fixed broken tests
* api/render, api/log: moved error logging to this package
* acme: refactored Error so that it implements render.RenderableError
* authority/admin: refactored Error so that it implements render.RenderableError
* api/render: implemented RenderableError
* api/render: added test coverage for Error
* api/render: implemented statusCodeFromError
* api: refactored RootsPEM to work with render.Error
* acme, authority/admin: fixed pointer receiver name for consistency
* api/render, errs: moved StatusCoder & StackTracer to the render package
2 years ago
750e9ee2f8
Attempt to fix TestBootstrapClientServerRotation
...
This change attempts to fix the test TestBootstrapClientServerRotation.
Due to the backdate, the renew options get too large, causing
continuous renewals, and random errors. After experimenting with
different options, truncating durations to seconds have shown better
results than rounding or just use the plain time.
2 years ago
5ab79f53be
Fix linter errors
2 years ago
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
2 years ago
ba0b170818
Attempt to fix TestBootstrapClientServerRotation
...
This change attempts to fix the test TestBootstrapClientServerRotation.
Due to the backdate, the renew options get too large, causing
continuous renewals, and random errors. After experimenting with
different options, truncating durations to seconds have shown better
results than rounding or just use the plain time.
2 years ago
f20784be56
format
2 years ago
91be50cf70
Add --quiet flag
2 years ago
91a25b52bd
Print discord
2 years ago
baf3c40fef
Print some basic configuration info on startup
2 years ago
ad8a813abe
Fix linter errors
2 years ago
e6b2359273
ca: fixed import statement order
2 years ago
9ba33bab4e
ca: refactored to use the read package
2 years ago
915911efb6
Disable http loggers in test.
...
They hide the test that fail on tests in the CI.
2 years ago
ead742ca0f
Fix unit test
2 years ago
81b0c6c37c
Add API implementation for authority and provisioner policy
2 years ago
6dcde8a743
Fix typo
2 years ago
a4dd586a81
Add method to get the CA url from the client.
2 years ago
616490a9c6
Refactor renew after expiry token authorization
...
This changes adds a new authority method that authorizes the
renew after expiry tokens.
2 years ago
41ea67ce10
Attempt to fix a bootstrap tests
2 years ago
4ebf43c011
Merge pull request #820 from smallstep/herman/acme-api
...
Refactor ACME Admin API
2 years ago
5cb23c6029
Merge pull request #804 from smallstep/herman/normalize-ipv6-dns-names
...
Normalize IPv6 hostname addresses
2 years ago
d00729df0b
Refactor ACME Admin API
2 years ago
11637b5793
Add descriptive provisioner JWK decryption error messages
...
Wrap other errors in decryption process with more helpful messaging. This should help users troubleshoot misconfiguration more easily.
Fixes #816
2 years ago
bfa2245abb
Merge branch 'master' into herman/normalize-ipv6-dns-names
2 years ago
c7c5c3c94e
Merge branch 'master' into herman/scep-macos-renewal-fixes
2 years ago
fd9845e9c7
Add cursor and limit to ACME EAB DB interface
2 years ago
716b946e7a
Normalize IPv6 hostname addresses
2 years ago
64680bb16d
Fix PR comments
2 years ago
3612eefc31
Cleanup
2 years ago
9c6580ccd2
Fix macOS SCEP client issues
...
Fixes #746
2 years ago
30859d3c83
Remove server-side paging logic for ExternalAccountKeys
2 years ago
6929e31fe0
Merge branch 'master' into hs/acme-eab
2 years ago
22ff90f655
Merge branch 'master' into hs/acme-eab
2 years ago
07addd0cac
Fix linting issue
2 years ago
a68208a3ba
Set Step CLI User-Agent when performing ACME requests
2 years ago
2c63abcf52
fix grammar
2 years ago
7c4e6dcc96
Remove duplicated code in bootstrap methods
2 years ago
64c19d4264
Fix subject in test, use ip
2 years ago
b0b2e77b0e
Avoid doing unauthenticated requests on the SDK
...
When step-ca runs with mTLS required on some endpoints, the SDK
used in autocert will fail to start because the identity certificate
is missing. This certificate is only required to retrieve all roots,
in most cases there's only one, and the SDK has access to it.
2 years ago
d799359917
Merge branch 'master' into hs/acme-eab
3 years ago
3bc3957b06
Merge branch 'master' into hs/acme-revocation
3 years ago
d0c23973cc
Merge branch 'master' into hs/acme-eab
3 years ago
2d357da99b
Add tests for ACME revocation
3 years ago
d35848f7a9
Fix unit tests.
3 years ago
b9beab071d
Fix unit tests.
3 years ago
8c8db0d4b7
Modify errs.BadRequestErr() to always return an error to the client.
3 years ago
8ce807a6cb
Modify errs.BadRequest() calls to always send an error to the client.
3 years ago
7fac8c96c3
Merge branch 'master' into max/context
3 years ago
a7d144996f
SSH backwards compat updates
...
- use existence of new value in data map as boolean
- add tests for backwards and forwards compatibility
- fix old tests that used static dir locations
3 years ago
d777fc23c2
Add ca.WithInsecure and use methods for file names
3 years ago
e5951fd84c
Use methods in the step package
...
* rather than variables set at execution time, which may not match the
actual current context
3 years ago
7eeebca529
Enable step path contexts in identity and pki paths
3 years ago
10db335f13
mv pkg config -> step
3 years ago
741ac64c61
change name of package cli-utils/config to cli-utils/step
3 years ago
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
bcd1240a0e
Merge branch 'master' into hs/acme-eab
3 years ago
36b622bfc2
Use Golang's default keep-alive.
...
Since Go 1.13 a net.Listen keep-alive is enabled by default if
the protocol and OS supports it. The new one is 15s to match
the net.Dial default one. Previously http.Server ListenAndServe
and ListenAndServeTLS used to add a wrapper with 3m that we
replicated.
See https://github.com/golang/go/issues/31510
3 years ago
dd4b4b0435
Fix remaining gocritic remarks
3 years ago
e0b495e4c8
Merge branch 'master' into hs/acme-eab
3 years ago
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
f34d68897a
Refactor retrieval of provisioner into middleware
3 years ago
9d4cafc4bd
Merge branch 'master' into hs/acme-eab
3 years ago
c2bc1351c6
Add provisioner to remove endpoint and clear reference index on delete
3 years ago
9c0020352b
Add lookup by reference and make reference optional
3 years ago
6729c79253
Add support for setting individual password for ssh and tls keys
...
This change add the following flags:
* --ssh-host-password-file
* --ssh-user-password-file
Fixes #693
3 years ago
f11c0cdc0c
Add endpoint for listing ACME EAB keys
3 years ago
9d09f5e575
Add support for deleting ACME EAB keys
3 years ago
a98fe03e80
Merge branch 'master' into hs/acme-eab
3 years ago
1dba8698e3
Use LinkedCA.EABKey type in ACME EAB API
3 years ago
e3ef4a7da9
Update test with default tls options.
3 years ago
c6a4c4ecba
Change ACME EAB endpoint
3 years ago
c6bfc6eac2
Fix PR comments
3 years ago
b65a588d5b
Make authentication work for /admin/eak
3 years ago
8fb5340dc9
Use a token at start time to configure linkedca.
...
Instead of using `step-ca login` we will use a new token provided
as a flag to configure and start linkedca. Certificates will be kept
in memory and refreshed automatically.
3 years ago
1df21b9b6a
Addressing comments in PR review
...
- added a bit of validation to admin create and update
- using protojson where possible in admin api
- fixing a few instances of admin -> acme in errors
3 years ago
77fdfc9fa3
Merge branch 'master' into max/cert-mgr-crud
3 years ago
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
03c472359c
Add sync.WaitGroup for proper error handling in Run()
3 years ago
13fe7a0121
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
3 years ago
97b88c4d58
Address (most) PR comments
3 years ago
5df60c5a9b
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
3 years ago
339039768c
Refactor SCEP authority initialization and clean some code
3 years ago
48c86716a0
Add rudimentary (and incomplete) support for SCEP
3 years ago
94ba057f01
wip
3 years ago
01a4460812
wip
3 years ago
9bfb1c2e7b
wip
3 years ago
d8d5d7332b
wip
3 years ago
9bf9bf142d
wip
3 years ago
bc2bb53009
Merge branch 'master' into hs/scep
3 years ago
4f3e5ef64d
wip
3 years ago
5d09d04d14
wip
3 years ago
4d48072746
wip admin CRUD
3 years ago
98a6e54530
wip
3 years ago
af3cf7dae9
first steps
3 years ago
7b5d6968a5
first commit
3 years ago
26e7cc6177
Allow to use the SDK with ed25519 keys.
3 years ago
c04f556dc2
Merge branch 'master' into hs/scep
3 years ago
8c709fe3c2
Init config on load | Add wrapper for cli
3 years ago
5846314f88
Add missing Rekey method to the ca.Client
...
Fixes #315
3 years ago
68d5f6d0d2
Merge branch 'master' into hs/scep
3 years ago
1328aa3e47
Fix review comments.
3 years ago
50b9aaec57
Add new identity tests.
3 years ago
e414d0c8ea
Fix unit tests.
3 years ago
c5234e9c61
Refactor tls tunnel connections.
...
New method will use an identity-like file with the configuration
used to create the (m)TLS connection to the tunnel.
3 years ago
e75a9409a5
Add experimental support for a TLS over TLS tunnel.
3 years ago
0487686f69
Merge branch 'master' into hs/scep
3 years ago
02a5879cfe
Specify always a Proxy in all custom transports.
...
Fixes #535
3 years ago
93c3c2bf2e
Error handle non existent provisioner downstream and disable debug route logging
3 years ago
b1888fd34d
Use different method for unescpaed paths for the router
3 years ago
b724af30ad
Merge pull request #496 from smallstep/max/acme
...
Convert to ACME DB interface
3 years ago
672e3f976e
Few ACME fixes ...
...
- always URL escape linker output
- validateJWS should accept RSAPSS
- GetUpdateAccount -> GetOrUpdateAccount
3 years ago
2320d0911e
Add sync.WaitGroup for proper error handling in Run()
3 years ago
b815478981
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
3 years ago
c5e4ea08b3
Merge branch 'master' into hs/scep
3 years ago
b97f024f8a
Remove superfluous call to StoreCertificate
3 years ago
df05340521
fixing broken unit tests
3 years ago
f72b2ff2c2
[acme db interface] nosql authz unit tests
3 years ago
074ab7b221
[acme db interface] add linker tests
3 years ago
bb8d54e596
[acme db interface] unit tests compiling
3 years ago
fc395f4d69
[acme db interface] compiles!
3 years ago
80a6640103
[acme db interface] wip
3 years ago
8c8c160c92
Fix method name in comment.
3 years ago
bdeb0ccd7c
Add support for the flag --issuer-password-file
...
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
3 years ago
583d60dc0d
Address (most) PR comments
3 years ago
e1cab4966f
Improve initialization of SCEP authority
3 years ago
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
3 years ago
2d21b09d41
Remove some duplicate and unnecessary logic
3 years ago
3a5f633cdd
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
3 years ago
7948f65ac0
Merge branch 'master' into hs/scep
3 years ago
7ad90d10b3
Refactor initialization of SCEP authority
3 years ago
5be86691c1
Fix unit tests in Go 1.16.
3 years ago
78d78580b2
Add note about using a second (unsecured) server
3 years ago
9e43dc85d8
Merge branch 'master' into hs/scep-master
3 years ago
713b571d7a
Refactor SCEP authority initialization and clean some code
3 years ago
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP
3 years ago
b487edbd13
Clarify comment.
3 years ago
fbd2208044
Close key manager for safe reloads when a cgo module is used.
3 years ago
40d0596b71
Use smallstep/cli-utils instead of smallstep/cli
4 years ago
Herman Slatman
Carl Tashian
Panagiotis Siatras
Mariano Cano
Herman Slatman
Chris Crook
max furman
Mariano Cano