Commit Graph

177 Commits

Author SHA1 Message Date
Stefan Berthold
5ceed08ae0
Reorganize parsing target 2024-01-08 21:19:54 +01:00
Stefan Berthold
83ba0bdc51
Replace field access by accessor functions 2024-01-08 21:17:57 +01:00
beltram
2b1223a080
simpler 2024-01-08 21:14:17 +01:00
beltram
036a144e09
add oidc target 2024-01-08 21:10:46 +01:00
beltram
97002040a5
fix: challenge target field was not mapped to db entity 2024-01-08 21:09:07 +01:00
beltram
d32a3e23f0
wip 2024-01-08 21:08:34 +01:00
beltram
3f474f77d4
feat: change from impp prefix to just im 2024-01-08 20:55:32 +01:00
beltram
01ef526d08
change uri prefix to impp:wireapp= 2024-01-08 20:53:10 +01:00
Stefan Berthold
8e0e35532c
Add Wire authz and challenges (OIDC+DPOP) 2024-01-08 20:27:16 +01:00
Mariano Cano
b20af51f32
Upgrade go.step.sm/crypto to use go-jose/v3 2023-12-12 16:36:48 -08:00
Herman Slatman
405aae798c
Simplify the copy logic used when patching JWS signature 2023-11-30 14:27:32 +01:00
Herman Slatman
26a3bb3c11
Make the Apple JWS fix more robust and catch more cases. 2023-11-29 02:30:28 +01:00
Herman Slatman
113491e7af
Remove TODO for patching other algorithms for Apple ACME client 2023-11-24 18:29:22 +01:00
Herman Slatman
06f4cbbcda
Add (temporary) fix for missing null bytes in Apple JWS signatures
Apparently the Apple macOS (and iOS?) ACME client seems to omit
leading null bytes from JWS signatures. The base64-url encoded
bytes decode to a shorter byte slice than what the JOSE library
expects (e.g. 63 bytes instead of 64 bytes for ES256), and then
results in a `jose.ErrCryptoFailure`.

This commit retries verification of the JWS in case the first
verification fails with `jose.ErrCryptoFailure`. The signatures are
checked to be of the correct length, and if not, null bytes are
prepended to the signature. Then verification is retried, which
might fail again, but for other reasons. On success, the payload
is returned.

Apple should fix this in their ACME client, but in the meantime
this commit prevents some "bad request" error cases from happening.
2023-11-24 18:21:01 +01:00
Dominic Evans
231b5d8406 chore(deps): upgrade github.com/go-chi/chi to v5
Upgrade chi to the v5 module path to avoid deprecation warning about v4
and earlier on the old module path.

See https://github.com/go-chi/chi/blob/v4.1.3/go.mod#L1-L4

Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
2023-09-20 11:26:32 +01:00
Max
116ff8ed65
bump go.mod to go1.20 and associated linter fixes (#1518) 2023-08-29 11:52:13 -07:00
Max
7731edd816
Store and verify Acme account location (#1386)
* Store and verify account location on acme requests

Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
Co-authored-by: Mariano Cano <mariano@smallstep.com>
2023-06-06 23:37:51 -07:00
max furman
8b256f0351
address linter warning for go 1.19 2023-05-09 23:47:28 -07:00
Herman Slatman
0f1c509e4b
Remove debug utility 2023-01-31 23:48:53 +01:00
Herman Slatman
60a9e41c1c
Remove Identifier from top level ACME Errors 2023-01-26 14:59:08 +01:00
Herman Slatman
edee01c80c
Refactor debug utility 2023-01-26 13:41:01 +01:00
Herman Slatman
1c38113e44
Add ACME Subproblem for more detailed ACME client-side errors
When validating an ACME challenge (`device-attest-01` in this case,
but it's also true for others), and validation fails, the CA didn't
return a lot of information about why the challenge had failed. By
introducing the ACME `Subproblem` type, an ACME `Error` can include
some additional information about what went wrong when validating
the challenge.

This is a WIP commit. The `Subproblem` isn't created in many code
paths yet, just for the `step` format at the moment. Will probably
follow up with some more improvements to how the ACME error is
handled. Also need to cleanup some debug things (q.Q)
2023-01-26 13:29:31 +01:00
Herman Slatman
817edcbba5
Remove charset=utf-8 from ACME certificate requests 2022-11-09 19:57:50 +01:00
Herman Slatman
3eae04928f
Add tests for ACME Meta object 2022-11-07 15:35:42 +01:00
Herman Slatman
b9f238ad4d
Add additional ACME meta properties to provisioner configuration 2022-10-24 22:37:57 +02:00
Herman Slatman
c9793561ff
Make meta object optional in ACME directory response
Harware appliances from Kemp seem to validate the contents of the
`meta` object, even if none of the properties in the `meta` object
is set. According to the RFC, the `meta` object, as well as its
properties are optional, so technically this should be fixed by
the manufacturer.

This commit is to see if we validation of the `meta` object is
skipped if it's not available in the response.
2022-10-24 14:14:28 +02:00
Mariano Cano
99299faeeb
Add AuthorizeChallenge unit tests 2022-09-20 19:03:03 -07:00
Mariano Cano
2b3b2c283a
Add attestation certificate validation for Apple devices 2022-09-20 18:51:43 -07:00
Brandon Weeks
5f5315260a
iOS 16 beta 1 support 2022-09-20 16:53:08 -07:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors 2022-09-20 16:35:41 -07:00
Mariano Cano
829530ae90 Fix linter errors 2022-09-15 18:24:43 -07:00
Mariano Cano
0f651799d0 Reject not enabled attestation formats 2022-09-08 17:38:05 -07:00
Mariano Cano
fd4e96d1f4 Rename method to IsChallengeEnabled 2022-09-08 13:22:35 -07:00
Mariano Cano
c77b4ff9c5 Fix linter errors 2022-09-08 12:49:16 -07:00
Mariano Cano
59c5219a07 Use a type for acme challenges 2022-09-08 12:34:06 -07:00
Mariano Cano
a89bea701d Format comment 2022-09-08 11:06:17 -07:00
Mariano Cano
5df9434286 Fix old comment, device-attest-01 uses the acme payload 2022-09-08 10:59:51 -07:00
Mariano Cano
3cd72ac72a Remove debug statements 2022-09-08 10:44:48 -07:00
Mariano Cano
df96b126dc Add AuthorizeChallenge unit tests 2022-08-24 12:31:09 -07:00
Mariano Cano
bca311b05e Add acme property to enable challenges
Fixes #1027
2022-08-23 17:11:40 -07:00
Mariano Cano
ae8d4d8757 Fix unit test 2022-08-23 17:01:15 -07:00
Mariano Cano
693dc39481 Merge branch 'master' into device-attestation 2022-08-22 17:59:17 -07:00
max furman
c040e4b459 Add unit tests 2022-08-16 15:48:23 -07:00
max furman
b7c2f6c482 Check for DNS name validity 2022-08-16 00:12:31 -07:00
Mariano Cano
66356cff43 Add attestation certificate validation for Apple devices 2022-07-14 17:10:03 -07:00
Brandon Weeks
7e1b0bebd9 iOS 16 beta 1 support 2022-06-23 05:19:36 +10:00
Brandon Weeks
2ac8b69da2 Add ACME permanent-identifier identifier type 2022-06-23 05:19:36 +10:00
Brandon Weeks
aacd6f4cc6 Add device-attest-01 challenge type 2022-06-23 05:19:36 +10:00
Shulhan
fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19)
There are some changes that manually edited, for example using '-' as
default list and grouping imports.
2022-06-16 01:28:59 +07:00
Herman Slatman
abfbbc8d49
Merge pull request #946 from smallstep/herman/acme-csr-padding
Strip base64-url padding from ACME CSR
2022-05-25 23:25:34 +02:00