Herman Slatman
bf53b394a1
Add `tpm` format test with simulated TPM
2 years ago
Herman Slatman
094f0521e2
Remove check for `PermanentIdentifier` from `tpm` format validation
2 years ago
Herman Slatman
589a62df74
Make validation of `tpm` format stricter
2 years ago
Herman Slatman
213b31bc2c
Simplify processing logic for unhandled critical extension
2 years ago
Herman Slatman
e1c7e8f00b
Return the CSR public key fingerprint for `tpm` format
2 years ago
Herman Slatman
6297bace1a
Merge branch 'master' into herman/acme-da-tpm
2 years ago
Herman Slatman
69489480ab
Add more complete `tpm` format validation
2 years ago
Mariano Cano
5ff0dde819
Remove json tag in acme.Authorization fingerprint
2 years ago
Mariano Cano
6ba20209c2
Verify CSR key fingerprint with attestation certificate key
...
This commit makes sure that the attestation certificate key matches the
key used on the CSR on an ACME device attestation flow.
2 years ago
Herman Slatman
3a6fc5e0b4
Remove dependency on `smallstep/assert` in ACME challenge tests
2 years ago
Herman Slatman
0f1c509e4b
Remove debug utility
2 years ago
Herman Slatman
0f9128c873
Fix linting issue and order of test SUT
2 years ago
Herman Slatman
2ab9beb7ed
Add tests for `deviceAttest01Validate`
2 years ago
Herman Slatman
ed61c5df5f
Cleanup some leftover debug statements
2 years ago
Herman Slatman
60a9e41c1c
Remove `Identifier` from top level ACME `Errors`
2 years ago
Herman Slatman
edee01c80c
Refactor debug utility
2 years ago
Herman Slatman
1c38113e44
Add ACME `Subproblem` for more detailed ACME client-side errors
...
When validating an ACME challenge (`device-attest-01` in this case,
but it's also true for others), and validation fails, the CA didn't
return a lot of information about why the challenge had failed. By
introducing the ACME `Subproblem` type, an ACME `Error` can include
some additional information about what went wrong when validating
the challenge.
This is a WIP commit. The `Subproblem` isn't created in many code
paths yet, just for the `step` format at the moment. Will probably
follow up with some more improvements to how the ACME error is
handled. Also need to cleanup some debug things (q.Q)
2 years ago
Herman Slatman
f1724ea8c5
Merge branch 'master' into herman/acme-da-tpm
2 years ago
Herman Slatman
64d9ad7b38
Validate Subject Common Name for Orders with Permanent Identifier
2 years ago
Herman Slatman
817edcbba5
Remove `charset=utf-8` from ACME certificate requests
2 years ago
Herman Slatman
4cf25ede24
Merge branch 'master' into herman/acme-da-tpm
2 years ago
Herman Slatman
3eae04928f
Add tests for ACME Meta object
2 years ago
Herman Slatman
02d679e160
Merge branch 'master' into herman/ignore-empty-acme-meta
2 years ago
Mariano Cano
e27c6c529b
Add support for custom acme ports
...
This change adds the flags --acme-http-port, --acme-tls-port, that
combined with --insecure can be used to set custom ports for ACME
http-01 and tls-alpn-01 challenges. These flags should only be used
for testing purposes.
Fixes #1015
2 years ago
Herman Slatman
b9f238ad4d
Add additional ACME `meta` properties to provisioner configuration
2 years ago
Herman Slatman
c9793561ff
Make `meta` object optional in ACME directory response
...
Harware appliances from Kemp seem to validate the contents of the
`meta` object, even if none of the properties in the `meta` object
is set. According to the RFC, the `meta` object, as well as its
properties are optional, so technically this should be fixed by
the manufacturer.
This commit is to see if we validation of the `meta` object is
skipped if it's not available in the response.
2 years ago
Mariano Cano
a7e597450a
Update acme/challenge_test.go
...
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2 years ago
Mariano Cano
7a78c76199
Add test simulating YubiKey v5.2.4
...
There are YubiKeys v5.2.4 where the attestation intermediate (f9)
does not have a basic constraint extension, so that certificate
is not marked as a CA. The test and CA in this commit imitates
that use case. Currently the test case returns an error as we
don't support it. But if we change the verification to support
this use case, the test should change accordingly.
2 years ago
Mariano Cano
21666ba887
Revert "Set timestamp when marking an acme challenge invalid"
...
This reverts commit 5f130895f3
.
2 years ago
Mariano Cano
8538ff06b7
Add missing error case.
2 years ago
Mariano Cano
5f130895f3
Set timestamp when marking an acme challenge invalid
2 years ago
Andrew Reed
7101fbb0ee
Provisioner webhooks ( #1001 )
2 years ago
Herman Slatman
a8125846dd
Add TPM attestation
2 years ago
max furman
f3d1863ec6
A few more linter errors
2 years ago
Mariano Cano
99299faeeb
Add AuthorizeChallenge unit tests
2 years ago
Mariano Cano
f0a24bd8ca
Add acme property to enable challenges
...
Fixes #1027
2 years ago
Mariano Cano
191d9e8629
Use go.step.sm/crypto to set the permanent identifier
2 years ago
Mariano Cano
2b3b2c283a
Add attestation certificate validation for Apple devices
2 years ago
Brandon Weeks
5f5315260a
iOS 16 beta 1 support
2 years ago
Brandon Weeks
de5b0ef5c2
Verify key authorization is contained within the TPM quote extraData field
2 years ago
Brandon Weeks
6f2b4d3042
Add ACME permanent-identifier identifier type
2 years ago
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2 years ago
Mariano Cano
7dc2067cb2
Update acme/errors.go
...
Co-authored-by: Max <mx.furman@gmail.com>
2 years ago
Mariano Cano
226d36f66f
Fix unit tests
2 years ago
Mariano Cano
8cf6675ce4
Return the internal error instead of the ACME error
...
For ACME errors, return the internal error string instead of the
ACME one on the "Error() string" function. This way the logs will
have more information about the cause of an error.
Fixes #1057
2 years ago
Mariano Cano
34c6c65671
Pass attestation information to the Sign method
...
Attestation information might be useful in authorizing webhooks
2 years ago
Mariano Cano
498549c95c
Extract common function used in tests
2 years ago
Mariano Cano
829530ae90
Fix linter errors
2 years ago
Mariano Cano
6b73a020e3
Add unit tests for apple and step attestations
2 years ago
Mariano Cano
0f651799d0
Reject not enabled attestation formats
2 years ago
Mariano Cano
fd4e96d1f4
Rename method to IsChallengeEnabled
2 years ago
Mariano Cano
c77b4ff9c5
Fix linter errors
2 years ago
Mariano Cano
59c5219a07
Use a type for acme challenges
2 years ago
Mariano Cano
a89bea701d
Format comment
2 years ago
Mariano Cano
5df9434286
Fix old comment, device-attest-01 uses the acme payload
2 years ago
Mariano Cano
c5d3714a63
Fix acme error map
2 years ago
Mariano Cano
08815c5e90
Reneame attestation statement error
2 years ago
Mariano Cano
3cd72ac72a
Remove debug statements
2 years ago
Mariano Cano
e75e7e7cd6
Fix linter warnings
2 years ago
Mariano Cano
54d92095ac
Validate proof of possession signature
...
On the step format, validate proof of possession of the private
key validating the signature in the attestation statement.
2 years ago
Mariano Cano
59b7603d1e
Use a clientAuth only cert for device-attest-01
2 years ago
Mariano Cano
ca412e77cc
Return error on attestation validation
...
The method storeError returns a nil error
2 years ago
Mariano Cano
ab5f916bd3
Define ErrorBadAttestationStatement
2 years ago
Mariano Cano
735c9d49b0
Add support for yubikey attestation
2 years ago
Mariano Cano
df96b126dc
Add AuthorizeChallenge unit tests
2 years ago
Mariano Cano
bca311b05e
Add acme property to enable challenges
...
Fixes #1027
2 years ago
Mariano Cano
ae8d4d8757
Fix unit test
2 years ago
Mariano Cano
693dc39481
Merge branch 'master' into device-attestation
2 years ago
Mariano Cano
23b8f45b37
Address gosec warnings
...
Most if not all false positives
2 years ago
max furman
c040e4b459
Add unit tests
2 years ago
max furman
b7c2f6c482
Check for DNS name validity
2 years ago
Mariano Cano
b62f4d1000
Add lgtm comments on some security warnings
2 years ago
Mariano Cano
2f7cb9225f
Use go.step.sm/crypto to set the permanent identifier
2 years ago
Mariano Cano
2ab1e6658e
Fix nonce validation
...
The attestation certificate contains the nonce as raw bytes in the
extension 1.2.840.113635.100.8.11.1
2 years ago
Mariano Cano
66356cff43
Add attestation certificate validation for Apple devices
2 years ago
Brandon Weeks
274f6ccb41
iOS 16 beta 2 support
2 years ago
Brandon Weeks
7e1b0bebd9
iOS 16 beta 1 support
2 years ago
Brandon Weeks
77c6d10fd6
Verify key authorization is contained within the TPM quote extraData field
2 years ago
Brandon Weeks
e1ec31c0ed
Implement TPM attestation statement verification
2 years ago
Brandon Weeks
2ac8b69da2
Add ACME permanent-identifier identifier type
2 years ago
Brandon Weeks
aacd6f4cc6
Add device-attest-01 challenge type
2 years ago
Brandon Weeks
860baeb1c5
Verbose debug logging
2 years ago
Shulhan
fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19)
...
There are some changes that manually edited, for example using '-' as
default list and grouping imports.
2 years ago
Herman Slatman
abfbbc8d49
Merge pull request #946 from smallstep/herman/acme-csr-padding
...
Strip base64-url padding from ACME CSR
2 years ago
Herman Slatman
fd546287ac
Strip base64-url padding from ACME CSR
...
This commit strips the padding from a base64-url encoded CSR
submitted by a client that doesn't use raw base64-url encoding.
2 years ago
Mariano Cano
e7f4eaf6c4
Remove explicit deprecation notice
...
This will avoid linter errors on other projects for now.
2 years ago
Mariano Cano
d461918eb0
Merge branch 'master' into context-authority
2 years ago
Mariano Cano
2ea0c70344
Move acme context middleware to deprecated handler
2 years ago
Mariano Cano
9147356d8a
Fix linter errors
2 years ago
Mariano Cano
2ab7dc6f9d
Fix acme tests.
2 years ago
Mariano Cano
ba499eeb2a
Fix acme/api tests.
2 years ago
Mariano Cano
6f9d847bc6
Fix panic in acme/api tests.
2 years ago
Herman Slatman
d82e51b748
Update AllowWildcardNames configuration name
2 years ago
Mariano Cano
d1f75f1720
Refactor ACME api.
2 years ago
Mariano Cano
fddd6f7d95
Move linker to the acme package.
2 years ago
Mariano Cano
55b0f72821
Add context methods for the acme linker.
2 years ago
Mariano Cano
bb8d85a201
Fix unit tests - work in progress
2 years ago
Mariano Cano
42435ace64
Use scep authority from context
...
This commit also converts all the methods from the handler to
functions.
2 years ago
Mariano Cano
d13537d426
Use context in the acme handlers.
2 years ago
Mariano Cano
bd412c9f42
Add context methods for the acme database
2 years ago
Herman Slatman
6e1f8dd7ab
Refactor policy engines into container
2 years ago
Herman Slatman
2a7620641f
Fix more PR comments
2 years ago
Herman Slatman
fb81407d6f
Fix ACME policy comments
2 years ago
Herman Slatman
7f9034d22a
Add additional policy options
2 years ago
Herman Slatman
a9f033ece5
Fix JSON property name for ACME policy
3 years ago
Herman Slatman
256fe113f7
Improve tests for ACME account policy
3 years ago
Herman Slatman
034b7943fe
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
7df52dbb76
Add ACME EAB policy
3 years ago
Herman Slatman
479c6d2bf5
Fix ACME IPv6 HTTP-01 challenges
...
Fixes #890
3 years ago
Herman Slatman
2fbdf7d5b0
Merge branch 'master' into herman/allow-deny
3 years ago
Panagiotis Siatras
00634fb648
api/render, api/log: initial implementation of the packages ( #860 )
...
* api/render: initial implementation of the package
* acme/api: refactored to support api/render
* authority/admin: refactored to support api/render
* ca: refactored to support api/render
* api: refactored to support api/render
* api/render: implemented Error
* api: refactored to support api/render.Error
* acme/api: refactored to support api/render.Error
* authority/admin: refactored to support api/render.Error
* ca: refactored to support api/render.Error
* ca: fixed broken tests
* api/render, api/log: moved error logging to this package
* acme: refactored Error so that it implements render.RenderableError
* authority/admin: refactored Error so that it implements render.RenderableError
* api/render: implemented RenderableError
* api/render: added test coverage for Error
* api/render: implemented statusCodeFromError
* api: refactored RootsPEM to work with render.Error
* acme, authority/admin: fixed pointer receiver name for consistency
* api/render, errs: moved StatusCoder & StackTracer to the render package
3 years ago
Herman Slatman
b49307f326
Fix ACME order tests with mock ACME CA
3 years ago
Herman Slatman
9e0edc7b50
Add early authority policy evaluation to ACME order API
3 years ago
Herman Slatman
101ca6a2d3
Check admin subjects before changing policy
3 years ago
Herman Slatman
3ec9a7310c
Fix ACME order identifier allow/deny check
3 years ago
Herman Slatman
af53a17bb4
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
b6f6bd879c
Fix PR comment and add tests for ACME prerequisites checker
3 years ago
Herman Slatman
e47dd0a666
Add ACME configuration prerequisites check
3 years ago
Herman Slatman
c3c6f3da72
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
bfa2245abb
Merge branch 'master' into herman/normalize-ipv6-dns-names
3 years ago
Herman Slatman
1fe7362bee
Normalize IPv6 addresses in ACME linker
3 years ago
Herman Slatman
c1424036bf
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
bf21319e76
Fix PR comments and issue with empty string slices
3 years ago
Herman Slatman
fd9845e9c7
Add cursor and limit to ACME EAB DB interface
3 years ago
Herman Slatman
c3f2fd8ef0
Add RW locks to prevent concurrent updates to the DB
...
Although this may slow certain API calls down and may not be, strictly
necessary, I think it's best to put all the ACME EAB operations behind
RW locks to prevent concurrent updates to the DB and guarantee
consistent result sets.
3 years ago
Herman Slatman
868cc4ad7f
Increase test coverage for additional indexes
3 years ago
Herman Slatman
c0eb420806
Remove special case for empty slices
3 years ago
Herman Slatman
6440870a80
Clean up, improve test cases and coverage
3 years ago
Herman Slatman
ef16febf40
Refactor ACME EAB queries
...
The ACME EAB keys are now also indexed by the provisioner. This
solves part of the issue in which too many EAB keys may be in
memory at a given time.
3 years ago
Herman Slatman
30859d3c83
Remove server-side paging logic for ExternalAccountKeys
3 years ago
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
3 years ago
Herman Slatman
11a7f01177
Simplify lookup cursor logic for ExternalAccountKeys
3 years ago
Herman Slatman
22ff90f655
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
a5f2f004e3
Change name of IP Common Name test for clarity
3 years ago
Herman Slatman
f9ae875f9d
Use short if-style statements
3 years ago
Herman Slatman
80bebda69c
Fix code style issue
3 years ago
Herman Slatman
bc0875bd7b
Disallow email address and URLs in the CSR
...
Before this commit `step` would allow email addresses and URLs
in the CSR. This doesn't fit nicely with the rest of ACME, in which
identifiers need to be authorized before a certificate is issued.
3 years ago
Herman Slatman
13a31fd862
Merge branch 'master' into herman/ip-sans-improvements
3 years ago
Herman Slatman
ca707cbe05
Fix linting
3 years ago
Herman Slatman
a5d33512fe
Fix test
3 years ago
Herman Slatman
a2c9b5cd7e
Allow IP identifiers in subject, including authorization enforcement
...
To support IPs in the subject using `step-cli`, this PR ensures that
Subject Common Names that can be parsed as an IP are also checked
to have been authorized before.
The PR for `step-cli` is here: github.com/smallstep/cli/pull/576.
3 years ago
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
63371a8fb6
Add additional tests for ACME EAB Admin
3 years ago
Herman Slatman
0524122191
Remove authorization flow for different Account private keys
...
As discussed in https://github.com/smallstep/certificates/issues/767 ,
we opted for not including this authorization flow to prevent users
from getting OOMs. We can add the functionality back when the
underlying data store can provide access to a long list of
Authorizations more efficiently, for example when a callback is
implemented.
3 years ago
Herman Slatman
2215a05c28
Add tests for ACME EAB Admin
...
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.
At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
3 years ago
Herman Slatman
9885d42711
Fix linting issues
3 years ago
Herman Slatman
6e11657204
Refactor creation of (raw) EAB JWS contents
3 years ago
Herman Slatman
23898e9b76
Improve EAB JWS validation and increase test coverage
3 years ago
Herman Slatman
d0c23973cc
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
004fc054d5
Fix PR comments
3 years ago
Herman Slatman
06bb97c91e
Add logic for Account authorizations and improve tests
3 years ago
Herman Slatman
bae1d256ee
Improve tests for JWK vs. KID revoke auth flow
...
The logic for both test cases is fairly similar, but with some
small differences. Made those clearer by means of some comments.
Also added some comments to the middleware logic that decided
whether to extract JWK or lookup by KID.
3 years ago
Herman Slatman
a7fbbc4748
Add tests for GetCertificateBySerial
3 years ago
Herman Slatman
4d01cf8135
Increase test code coverage
3 years ago
Herman Slatman
2d357da99b
Add tests for ACME revocation
3 years ago
Herman Slatman
ed295ca15d
Fix linting issue
3 years ago
Herman Slatman
2d50c96d99
Merge branch 'master' into hs/acme-revocation
3 years ago
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
Herman Slatman
29f9730485
Satisfy golangci-lint
3 years ago
Herman Slatman
c7a9c13060
Add tests for extractOrLookupJWK middleware
3 years ago
Herman Slatman
3151255a25
Merge branch 'master' into hs/acme-revocation
3 years ago
Herman Slatman
4d726d6b4c
Add pagination to ACME EAB credentials endpoint
3 years ago
Herman Slatman
d354d55e7f
Improve handling duplicate ACME EAB references
3 years ago
Herman Slatman
dd4b4b0435
Fix remaining gocritic remarks
3 years ago
Herman Slatman
a4660f73fa
Fix some of the gocritic remarks
3 years ago
Herman Slatman
e0b495e4c8
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
c26041f835
Add ACME EAB nosql tests
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Herman Slatman
0afea2e957
Improve tests for already bound EAB keys
3 years ago
Herman Slatman
c2bc1351c6
Add provisioner to remove endpoint and clear reference index on delete
3 years ago
Herman Slatman
746c5c9fd9
Disallow creation of EAB keys with non-unique references
3 years ago
Herman Slatman
9c0020352b
Add lookup by reference and make reference optional
3 years ago
Herman Slatman
02cd3b6b3b
Fix PR comments
3 years ago
Herman Slatman
f11c0cdc0c
Add endpoint for listing ACME EAB keys
3 years ago
Herman Slatman
a1afbce50c
Check EAB key exists before deleting it
3 years ago
Herman Slatman
9d09f5e575
Add support for deleting ACME EAB keys
3 years ago
Herman Slatman
a98fe03e80
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
1dba8698e3
Use LinkedCA.EABKey type in ACME EAB API
3 years ago
Mariano Cano
470b546d59
Merge pull request #557 from joejulian/http01-isv
...
use InsecureSkipVerify for validation
3 years ago
max furman
a3028bbc0e
Add test for updateAddOrderIDs
3 years ago
Mariano Cano
dc5205cc72
Extract the tls error code and fail accordingly.
3 years ago
Mariano Cano
ae58a0ee4e
Make tests compatible with Go 1.17.
...
With Go 1.17 tls.Dial will fail if the client and server configured
protocols do not overlap. See https://golang.org/doc/go1.17#ALPN
3 years ago
Herman Slatman
f31ca4f6a4
Add tests for validateExternalAccountBinding
3 years ago
Herman Slatman
492256f2d7
Add first test cases for EAB and make provisioner unique per EAB
...
Before this commit, EAB keys could be used CA-wide, meaning that
an EAB credential could be used at any ACME provisioner. This
commit changes that behavior, so that EAB credentials are now
intended to be used with a specific ACME provisioner. I think
that makes sense, because from the perspective of an ACME client
the provisioner is like a distinct CA.
Besides that this commit also includes the first tests for EAB.
The logic for creating the EAB JWS as a client has been taken
from github.com/mholt/acmez. This logic may be moved or otherwise
sourced (i.e. from a vendor) as soon as the step client also
(needs to) support(s) EAB with ACME.
3 years ago
Herman Slatman
c6bfc6eac2
Fix PR comments
3 years ago
Herman Slatman
d669f3cb14
Fix misspelling
3 years ago
Herman Slatman
540d5fbbdc
Fix marshaling -> marshalling
3 years ago
Herman Slatman
2110c7722f
Fix JWK payload key equality check
3 years ago
Herman Slatman
d44cd18b96
Add External Accounting Binding key "BoundAt" marking
3 years ago
Herman Slatman
f81d49d963
Add first working version of External Account Binding
3 years ago
Herman Slatman
258efca0fa
Improve revocation authorization
3 years ago
Herman Slatman
97165f1844
Fix test mocking for CreateCertificate
3 years ago
Herman Slatman
2b15230aa4
Add Serial to Cert ID ACME table and lookup
3 years ago
Herman Slatman
8f7e700f09
Merge branch 'master' into hs/acme-revocation
3 years ago
max furman
857a50434c
Merge branch 'master' into max/cert-mgr-crud
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Herman Slatman
16fe07d4dc
Fix mockSignAuth
3 years ago
Herman Slatman
0e56932e76
Add support for revocation using JWK
3 years ago
Herman Slatman
84e7d468f2
Improve handling of ACME revocation
3 years ago
Herman Slatman
d53bcaf830
Add base logic for ACME revoke-cert
3 years ago