Mariano Cano
f3f484cee2
Log errors using slog.Logger
...
This commit allows logging errors in a slog.Logger injected in the
context. This type of logger is not currently used directly in step-ca,
but this will change in the future.
2024-05-15 15:40:40 -07:00
Herman Slatman
6bc0a86207
Fix CA startup with Vault RA configuration
2024-04-18 16:12:30 +02:00
Herman Slatman
b226b6eb4c
Prevent exposing any internal details in SCEP failure message
...
To be on the safe side, block errors from signing operations from
being returned to the client. We should revisit, and make it return
a more informative error, but with high assurance that no sensitive
information is added to the message.
2024-04-10 01:59:56 +02:00
Herman Slatman
037554e774
Fix the id-scep-failInfoText
OID
2024-04-10 01:19:17 +02:00
Herman Slatman
041b486c55
Remove usages of Sign
without context
2024-02-27 14:16:21 +01:00
Herman Slatman
2a8b80a3e1
Merge branch 'master' into herman/webhook-request-id
2024-02-27 12:17:10 +01:00
Max
d34f0f6a97
Fix linter warnings ( #1634 )
2023-11-28 20:58:58 -08:00
Herman Slatman
1abada69b0
Update import aliases from microscep
to smallscep
2023-10-24 21:48:24 +02:00
Herman Slatman
4c17f25389
Replace MicroMDM and Mozilla libraries with Smallstep forks
2023-10-24 21:44:34 +02:00
Herman Slatman
25f4b4014d
Add base64
to the raw message decoding error
2023-10-04 13:34:26 +02:00
Herman Slatman
965d7aa7f4
Fix linting issues
2023-10-04 13:33:01 +02:00
Herman Slatman
cd78b9fd43
Implement workaround for weird macOS SCEP message in query
...
Apparently the macOS SCEP client sends a SCEP message in the query
that's not fully escaped. Only the base64 padding is escaped, the
'+' and '/' characters aren't.
This is a bit of a special case, because the macOS SCEP client
will default to using HTTP POST for the PKIOperation. But if the
CA is configured without the POSTPKIOperation capability, the
macOS SCEP client will use HTTP GET instead. This behavior might
be the same on iOS.
2023-10-04 13:16:48 +02:00
Herman Slatman
3c12b4f5ad
Improve decoding SCEP requests
2023-10-03 16:32:55 +02:00
Herman Slatman
ffe079f31b
Merge branch 'master' into herman/scep-provisioner-decrypter
2023-09-23 00:06:56 +02:00
Herman Slatman
ba72710e2d
Address code review remarks
2023-09-22 12:40:14 +02:00
Herman Slatman
6d2d21e989
Fix undefined and unused variables
...
Forgot to save the latest version...
2023-09-21 18:15:03 +02:00
Herman Slatman
b6c95d7be2
Add additional properties to SCEP notify webhook request body
2023-09-21 18:12:13 +02:00
Herman Slatman
52bc96760b
Add SCEP certificate issuance notification webhook
2023-09-21 12:01:03 +02:00
Dominic Evans
231b5d8406
chore(deps): upgrade github.com/go-chi/chi to v5
...
Upgrade chi to the v5 module path to avoid deprecation warning about v4
and earlier on the old module path.
See https://github.com/go-chi/chi/blob/v4.1.3/go.mod#L1-L4
Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
2023-09-20 11:26:32 +01:00
Herman Slatman
9e3807eaa3
Use SignWithContext
in the critical paths
2023-09-19 16:34:29 +02:00
Herman Slatman
36f1dd70bf
Add CSR to SCEPCHALLENGE
webhook request body
2023-09-07 14:11:53 +02:00
Herman Slatman
d9f56cdbdc
Merge branch 'master' into herman/scep-provisioner-decrypter
2023-09-04 15:24:19 +02:00
Herman Slatman
9d3b78ae49
Add excludeIntermediate
to SCEP provisioner
2023-09-04 14:55:27 +02:00
Max
116ff8ed65
bump go.mod to go1.20 and associated linter fixes ( #1518 )
2023-08-29 11:52:13 -07:00
Herman Slatman
0d09f3e202
Prevent data races with multiple PKCS7 encryption operations
2023-08-04 12:14:29 +02:00
Herman Slatman
e2e9bf5494
Clarify some SCEP properties
2023-08-04 01:55:52 +02:00
Herman Slatman
c0a1837cd9
Verify full decrypter/signer configuration at usage time
...
When changing the SCEP configuration it is possible that one
or both of the decrypter configurations required are not available
or have been provided in a way that's not usable for actual SCEP
requests.
Instead of failing hard when provisioners are loaded,
which could result in the CA not starting properly, this type of
problematic configuration errors will now be handled at usage
time instead.
2023-08-03 16:09:51 +02:00
Herman Slatman
0f35bb1af5
Defer missing decrypter/signer configuration errors to SCEP authority
2023-08-03 15:34:20 +02:00
Herman Slatman
fc1fb51854
Improve SCEP authority initialization and reload
2023-08-02 18:35:38 +02:00
Herman Slatman
7163c4f95f
Add helper for getting the appropriate SCEP response signer
2023-08-02 16:01:58 +02:00
Herman Slatman
567fc25404
Use the RSA decryption configuration for signing responses too
2023-07-27 00:55:39 +02:00
Herman Slatman
557672bb4b
Add some notes for SCEP provisioners
2023-07-26 19:11:51 +02:00
Herman Slatman
b2bf2c330b
Simplify SCEP provisioner context handling
2023-06-01 16:22:00 +02:00
Herman Slatman
8fc3a46387
Refactor the SCEP authority initialization
...
Instead of relying on an intermediate `scep.Service` struct,
initialize the `scep.Authority` directly. This removes one redundant
layer of indirection.
2023-06-01 15:50:51 +02:00
Herman Slatman
6985b4be62
Clean up the SCEP authority and provisioner
2023-06-01 14:43:32 +02:00
Herman Slatman
180162bd6a
Refactor SCEP provisioner and decrypter
2023-06-01 12:10:54 +02:00
Herman Slatman
0377fe559b
Add basic version of provisioner specific SCEP decrypter
2023-05-26 23:52:49 +02:00
max furman
8b256f0351
address linter warning for go 1.19
2023-05-09 23:47:28 -07:00
Herman Slatman
e8c1e8719d
Refactor SCEP webhook validation
2023-05-01 22:09:42 +02:00
Herman Slatman
668ff9b515
Cleanup some comments and tests
2023-05-01 11:55:05 +02:00
Herman Slatman
5f0f0f4bcc
Add SCEP webhook validation tests
2023-05-01 11:14:50 +02:00
Herman Slatman
ad4d8e6c68
Add SCEPCHALLENGE
as valid webhook type in admin API
2023-04-29 01:40:03 +02:00
Herman Slatman
419478d1e5
Make SCEP webhook validation look better
2023-04-29 01:15:39 +02:00
Herman Slatman
27cdcaf5ee
Integrate the SCEP webhook with the existing webhook logic
2023-04-28 17:15:05 +02:00
Herman Slatman
05f7ab979f
Create basic webhook for SCEP challenge validation
2023-04-28 15:47:22 +02:00
Andrew Reed
7101fbb0ee
Provisioner webhooks ( #1001 )
2022-09-29 19:16:26 -05:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2022-09-20 16:35:41 -07:00
Mariano Cano
400b1ece0b
Remove scep handler after merge.
2022-05-12 17:39:36 -07:00
Mariano Cano
898ca41268
Merge branch 'master' into context-authority
2022-05-12 17:14:46 -07:00
Herman Slatman
688ae837a4
Add some tests for SCEP request decoding
2022-05-07 00:26:18 +02:00