bc2bb53009
Merge branch 'master' into hs/scep
3 years ago
4f3e5ef64d
wip
3 years ago
5d09d04d14
wip
3 years ago
4d48072746
wip admin CRUD
3 years ago
98a6e54530
wip
3 years ago
af3cf7dae9
first steps
3 years ago
7b5d6968a5
first commit
3 years ago
26e7cc6177
Allow to use the SDK with ed25519 keys.
3 years ago
c04f556dc2
Merge branch 'master' into hs/scep
3 years ago
8c709fe3c2
Init config on load | Add wrapper for cli
3 years ago
5846314f88
Add missing Rekey method to the ca.Client
...
Fixes #315
3 years ago
68d5f6d0d2
Merge branch 'master' into hs/scep
3 years ago
1328aa3e47
Fix review comments.
3 years ago
50b9aaec57
Add new identity tests.
3 years ago
e414d0c8ea
Fix unit tests.
3 years ago
c5234e9c61
Refactor tls tunnel connections.
...
New method will use an identity-like file with the configuration
used to create the (m)TLS connection to the tunnel.
3 years ago
e75a9409a5
Add experimental support for a TLS over TLS tunnel.
3 years ago
0487686f69
Merge branch 'master' into hs/scep
3 years ago
02a5879cfe
Specify always a Proxy in all custom transports.
...
Fixes #535
3 years ago
93c3c2bf2e
Error handle non existent provisioner downstream and disable debug route logging
3 years ago
b1888fd34d
Use different method for unescpaed paths for the router
3 years ago
b724af30ad
Merge pull request #496 from smallstep/max/acme
...
Convert to ACME DB interface
3 years ago
672e3f976e
Few ACME fixes ...
...
- always URL escape linker output
- validateJWS should accept RSAPSS
- GetUpdateAccount -> GetOrUpdateAccount
3 years ago
2320d0911e
Add sync.WaitGroup for proper error handling in Run()
3 years ago
b815478981
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
3 years ago
c5e4ea08b3
Merge branch 'master' into hs/scep
3 years ago
b97f024f8a
Remove superfluous call to StoreCertificate
3 years ago
df05340521
fixing broken unit tests
3 years ago
f72b2ff2c2
[acme db interface] nosql authz unit tests
3 years ago
074ab7b221
[acme db interface] add linker tests
3 years ago
bb8d54e596
[acme db interface] unit tests compiling
3 years ago
fc395f4d69
[acme db interface] compiles!
3 years ago
80a6640103
[acme db interface] wip
3 years ago
8c8c160c92
Fix method name in comment.
3 years ago
bdeb0ccd7c
Add support for the flag --issuer-password-file
...
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
3 years ago
583d60dc0d
Address (most) PR comments
3 years ago
e1cab4966f
Improve initialization of SCEP authority
3 years ago
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
3 years ago
2d21b09d41
Remove some duplicate and unnecessary logic
3 years ago
3a5f633cdd
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
3 years ago
7948f65ac0
Merge branch 'master' into hs/scep
3 years ago
7ad90d10b3
Refactor initialization of SCEP authority
3 years ago
5be86691c1
Fix unit tests in Go 1.16.
3 years ago
78d78580b2
Add note about using a second (unsecured) server
3 years ago
9e43dc85d8
Merge branch 'master' into hs/scep-master
3 years ago
713b571d7a
Refactor SCEP authority initialization and clean some code
3 years ago
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP
3 years ago
b487edbd13
Clarify comment.
3 years ago
fbd2208044
Close key manager for safe reloads when a cgo module is used.
3 years ago
40d0596b71
Use smallstep/cli-utils instead of smallstep/cli
4 years ago
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
d30a95236d
Use always go.step.sm/crypto
4 years ago
533ad0ca20
Use always go.step.sm/crypto/x509util
4 years ago
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
4 years ago
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
44207523be
Add missing tests.
4 years ago
0c8376a7f6
Fix existing unit tests.
4 years ago
1951669e13
wip
4 years ago
6e69f99310
Always set nbf and naf for new ACME orders ...
...
- Use the default value from the ACME provisioner if values are not
defined in the request.
4 years ago
9f1d95d8bf
Fix renew of certificate at the start of the server.
4 years ago
1d7ab9145a
Avoid lint error.
4 years ago
0b62ce9d0e
Use go 1.13 to build certificates.
4 years ago
495e60a44b
Extraneous fmt.Sprintf
4 years ago
349bca06bb
Fix line error due to deprecated DialTLS.
4 years ago
f5d2f92099
Load identity certificate from disk in each connection.
4 years ago
9052da66a3
Fix linter, tidy go.mod file.
4 years ago
3d6a18180e
Fix a couple of race conditions in the renewal of certificates.
4 years ago
1cb8bb3ae1
Simplify statuscoder error generators.
4 years ago
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
4 years ago
a025f72af7
Disable backdata on ca tests.
4 years ago
a88ba8eb31
Use errs package for HTTP errors.
4 years ago
47f4ac1b53
Add method to just write the identity certificate.
4 years ago
14e59775bd
Add method to renew the identity.
4 years ago
9aafe265d0
Should be returning nil from applyIdentity if cert expired.
4 years ago
b9f6aacb0f
Move api errors to their own package and modify the typedef
4 years ago
65b4dda420
Add wrappers to identity methods in the ca package.
4 years ago
524c221c61
Add mTLS test for identity client.
4 years ago
25144539f8
Improve identity tests.
4 years ago
d85386d0b4
Add identity client and move identity to a new package.
4 years ago
9e7b86342b
Fix test.
4 years ago
c6f6493bb7
Fail silently if the identity fails.
4 years ago
3ac388612a
Use x5cInsecure token for /ssh/check-host endpoint
4 years ago
ab126d6405
Add GetTransport to client.
4 years ago
2259f62638
Add method to create an ssh token.
4 years ago
caa2b8dbb7
Add leeway in identity not before.
4 years ago
0512f6e3e5
redundant variable type def
4 years ago
d2b1f1547f
Create a custom client that sends a custom User-Agent.
4 years ago
5d7829b198
Replace /ssh/get-hosts to /ssh/hosts
4 years ago
2fe07cd79c
Fix tests.
4 years ago
85d3843968
Add Identity helpers.
4 years ago
50188fc901
Add version support to the ca.Client.
4 years ago
db3b795eea
Fix directory permissions.
4 years ago
bbaf8e106e
Support for retry and identity files.
4 years ago
d555f310dc
Add support for identity authentication.
4 years ago
f9e5b27e63
Add client method for SSHBastion
4 years ago
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
4 years ago
862d704f6b
get-hosts fixes
4 years ago
5616386eed
Add SSH getHosts api
4 years ago
b8817ad648
Add proxycommand and new lines to templates.
4 years ago
37f17213bb
Add initial support for check-host endpoint.
4 years ago
d08db4df23
Rename SSH methods.
4 years ago
b5bc249e1c
Add support for multiple ssh roots.
...
Fixes #125
4 years ago
a35988ff08
Add initial support for ssh config.
...
Related to smallstep/cli#170
4 years ago
961be1fbc7
Add endpoint to return the SSH public keys.
...
Related to smallstep/ca-component#195
4 years ago
0a96062b76
Merge pull request #128 from jkralik/returnCertChain
...
Change api of functions Authority.Sign, Authority.Renew
5 years ago
d368791606
Add x5c provisioner capabilities
5 years ago
7aec7c2612
Create ACME database tables when initializing ACME autority.
5 years ago
bc6074f596
Change api of functions Authority.Sign, Authority.Renew
...
Returns certificate chain instead of 2 members.
Implements #126
5 years ago
fe7973c060
wip
5 years ago
e3826dd1c3
Add ACME CA capabilities
5 years ago
10e7b81b9f
Merge branch 'master' into ssh-ca
5 years ago
635c59ed24
Accept emails SANs
5 years ago
1c8f610ca9
Add initial implementation of an SSH CA using the JWK provisioner.
...
Fixes smallstep/ca-component#187
5 years ago
44e85b51f2
Add some extra coverage.
5 years ago
aa63f8f32c
Add missing root certificate to test.
5 years ago
f9e2ea9bd6
Revert "Do not depend on config package."
...
This reverts commit cc1c6f2cb4
5 years ago
cc1c6f2cb4
Do not depend on config package.
...
Config package will panic if it cannot create the step path folder.
5 years ago
01b6aebbf7
Make provisioner more configurable.
...
The intention of this change is to make it usable from cert-manager.
5 years ago
e8498bf612
Add new WithDatabase to test reload.
5 years ago
120e2d0caf
Fix restart with simple DB.
5 years ago
3a1a4c5ea9
Do not allow reload with database configuration changes.
...
Fixes #smallstep/ca-component#170
5 years ago
b595c55f0a
Update CA properties on reload.
...
Fixes #71
5 years ago
c242602231
reload and shutdown trickery
...
* Only shutdown the database once.
* Be careful when reloading the CA. Depending on whether the DB has
already been shutdown, and error may be unrecoverable.
5 years ago
cbeca9383b
Update nosql integration
...
* shutdown and reload database on SIGHUP
5 years ago
c2c9798149
Fix review issues.
5 years ago
46b9b117e3
Add test for provisioner type.
5 years ago
13783301ce
Remove test for unnecessary method.
5 years ago
b4739c185d
Remove unnecessary method GetCertificateRenewer.
5 years ago
fa216ccaad
Use SetTransport method.
5 years ago
43c5831582
Merge branch 'master' into step-sds
5 years ago
ab4d569f36
Add /revoke API with interface db backend
5 years ago
888ef147fa
Expose a way to update the transport.
5 years ago
c42265972a
Add the autocert provisioner to the ca package.
5 years ago
7800f5960a
Add test for GetCertificateRenewer
5 years ago
8d2de64811
Add method to get a certificate renewer.
5 years ago
27b6ac0a58
Add INT and TERM signal handler.
5 years ago
64f2615864
Fix tests.
5 years ago
b07fe546fd
Fix types in tests.
5 years ago
5ce5a891f7
Add email SAN with email parameter in the JWK
5 years ago
262a9d0978
Merge pull request #27 from smallstep/mariano/renew-pool
...
SDK should update certificate pools safely
5 years ago
e0fff4d80b
Fix typo.
5 years ago
f1f6c548ad
Fix typo.
5 years ago
758d829355
Fix tests.
5 years ago
3415a1fef8
move SplitSANs to cli
5 years ago
975cb75fbd
Fix typo.
5 years ago
3c06d6f9bc
Fix comment.
5 years ago
e330ac547c
Fix comment.
5 years ago
cd934bbede
Remove println
5 years ago
6937bfea7b
claims.SANS -> claims.SANs
5 years ago
4c9dccd3f6
Allow multiple certificates in the root pem.
5 years ago
ab78534b08
add test for SAN backwards compatibility with CLI
...
* new provisioner tokens always contain the crt.Subject.CommonName
in the SANS attribute of the token claims. added tests that verifies
backwards compatibility still works in cases where the token does not
contain the subject as a SAN claim.
5 years ago
e6e8443f3c
allow multiple identical SANs in cert
5 years ago
f0683c2e0a
Enable signing certificates with custom SANs
...
* validate against SANs in token. must be 1:1 equivalent.
5 years ago
d394dd233a
Initiate default RootCAs/ClientCAs when no options are passed.
5 years ago
25eba1a96c
WIP on the safely rotate of root and federated certificates.
...
Fixes #23
5 years ago
bacbf85aa3
Add new bootstrap method that creates a listener.
5 years ago
984bf8d38c
Add missing file.
5 years ago
1cc5e94666
Add simple test for federation.
5 years ago
dbd1bf11f1
Rename variable.
5 years ago
7dc61bf233
Remove deprecated code
5 years ago
518b597535
Remove mTLS client requirement in /roots and /federation
5 years ago
9adc65febf
Add test for newTLSOptionCtx
5 years ago
6116523055
Fix random order in tests.
5 years ago
8510e25b3b
Add test with bootstrap server.
5 years ago
f99ae9da93
Add root rotation test.
5 years ago
af9e6488fc
Make the renew test shorter.
5 years ago
25ddbaedff
Allow to customize the minimal cert duration for tests.
5 years ago
10aaece1b0
Update root certificates on renew.
5 years ago
6d3e8ed93c
Add all root certificates by default on bootstrap methods.
5 years ago
d296cf95a9
Add mTLS request to get all the root CAs, not the federated ones.
5 years ago
98cc243a37
Add support for multiple roots.
5 years ago
722bcb7e7a
Add initial support for federated root certificates.
5 years ago
7e2f80ac30
Fix grammar error
6 years ago
c0107ab5b9
Fix ca renew documentation
6 years ago
f7a5be3942
Force the renew of the CA server.
6 years ago
b0a410066b
Add support for parsing endpoints without schema.
...
Fixes smallstep/ca-component#117
6 years ago
d872f09910
Use mTLS by default on SDK methods.
...
Add options to modify the tls.Config for different configurations.
Fixes #7
6 years ago
9c64dbda9a
Add helpers to add direct support for mTLS.
6 years ago
b23e3bec7f
Remove comment of removed arguments.
6 years ago
5f2d998584
change documentation for bootstrap Server|Client
...
* provide documentation for default and non-default invocation.
6 years ago
ba88c8c5cb
Add context to bootstrap methods.
6 years ago
7eb8aeb1f1
Add tests for bootstrap functions.
6 years ago
091506a994
Add bootstrap helpers that uses just a token.
6 years ago
c74fcd57a7
ca-component -> certificates
...
* fix redundant error check
* add README
6 years ago
0d9dd2d14b
provisioner issuer -> name
6 years ago
71a3587b76
Add client support for provisioner cursor and limit options.
...
Fixes #83
6 years ago
99cab73360
Remove unused import /provisioners/jwk-set-by-issuer
6 years ago
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
6 years ago
d7c31c3133
Properly fill CSR DNSNames or IPAddresses
6 years ago
2b2598c695
Fix audience to fix ca tests.
6 years ago
511e1a9e23
Fix getting transport from root fingerprint.
6 years ago
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
6 years ago
7b6a3ea427
Add client methods for provisioning endpoints.
6 years ago
378166a3b2
add full stack tests for multiple provisioners api
...
* /provisioners and /provisioners/<key-id>/encrypted-key
6 years ago
d773770a44
add authority.New unit tests
6 years ago
c284a2c0ab
first commit
6 years ago
Herman Slatman
max furman
Mariano Cano
Mariano Cano
Ivan Bertona
Jozef Kralik