Commit Graph

404 Commits

Author | SHA1 | Message | Date
beltram | 2e128056dc | have updateOrder also update the update joint table [order by account] | 2024-01-08 21:35:54 +01:00
Herman Slatman | 1a711e1b91 | Add new Wire DB methods to acme.DB interface | 2024-01-08 21:34:01 +01:00
beltram | abe86002ee | try by storing everything in db | 2024-01-08 21:33:53 +01:00
beltram | 76dfcb00e4 | try silencing template data for dichotomies | 2024-01-08 21:23:09 +01:00
beltram | a32bb66e47 | trying to pass access token to template | 2024-01-08 21:22:50 +01:00
beltram | ff41a1193d | fix deviceId computing in dpop challenge | 2024-01-08 21:21:01 +01:00
Stefan Berthold | 5ceed08ae0 | Reorganize parsing target | 2024-01-08 21:19:54 +01:00
Stefan Berthold | 83ba0bdc51 | Replace field access by accessor functions | 2024-01-08 21:17:57 +01:00
beltram | c4fb19d01f | passing expected issuer to rusty-jwt-cli | 2024-01-08 21:15:30 +01:00
beltram | 2b1223a080 | simpler | 2024-01-08 21:14:17 +01:00
beltram | 036a144e09 | add oidc target | 2024-01-08 21:10:46 +01:00
beltram | 97002040a5 | fix: challenge target field was not mapped to db entity | 2024-01-08 21:09:07 +01:00
beltram | d32a3e23f0 | wip | 2024-01-08 21:08:34 +01:00
beltram | b58de27675 | fix: do not convert URIs to lowercase for comparison purpose | 2024-01-08 21:05:41 +01:00
beltram | 7c9f8020d5 | fix: add URI prefix to handle | 2024-01-08 21:04:23 +01:00
beltram | 680b6ea08f | adapt google demo for wire's special handle format "{firstname}_wire" | 2024-01-08 21:03:54 +01:00
beltram | a97991aa83 | infer domain from google email address | 2024-01-08 21:01:50 +01:00
beltram | 49ad2d9967 | fix google id token matching in oidc challenge | 2024-01-08 21:01:30 +01:00
beltram | a49966f4c9 | try using google oidc for demo purpose | 2024-01-08 20:59:09 +01:00
beltram | 3576cc30c8 | forward displayName in CSR with custom OID | 2024-01-08 20:58:32 +01:00
beltram | 4172b69816 | remove displayName validation, potentially harmful | 2024-01-08 20:57:35 +01:00
beltram | 79501df5a2 | fix: exclude displayName from SAN DNS | 2024-01-08 20:56:39 +01:00
beltram | 3f474f77d4 | feat: change from impp prefix to just im | 2024-01-08 20:55:32 +01:00
beltram | b6ec4422b4 | feat: adapt to dex and pass the 'keyauth' in payload instead of in id_token. Also have a different mapping for id_token claims name | 2024-01-08 20:54:54 +01:00
Stefan Berthold | af31a167c6 | skip empty entries for uniqueSortedLowerNames | 2024-01-08 20:54:17 +01:00
beltram | 01ef526d08 | change uri prefix to impp:wireapp= | 2024-01-08 20:53:10 +01:00
beltram | cc5fd0a6a5 | fix san validation | 2024-01-08 20:52:52 +01:00
beltram | b3dd169190 | cleanup my mess | 2024-01-08 20:52:32 +01:00
beltram | 3eb0ff43c0 | fix orderNames size | 2024-01-08 20:47:51 +01:00
beltram | c41a99ad75 | (finalize) have both display name & domain in SANs | 2024-01-08 20:47:28 +01:00
beltram | 5ba0ab3e44 | fix csr domain validation in finalize | 2024-01-08 20:46:48 +01:00
beltram | 73ec6c89d0 | fix csr org validation in finalize | 2024-01-08 20:46:07 +01:00
beltram | ca01c74333 | avoid manipulating the key PEM format and take a plain PEM key as input | 2024-01-08 20:42:52 +01:00
beltram | 74ddad69dc | fix: challenge is '.token' and not '.id' | 2024-01-08 20:39:27 +01:00
beltram | 83f6be1f58 | print oidc options | 2024-01-08 20:38:26 +01:00
beltram | 1fe61bee7b | better observability | 2024-01-08 20:36:37 +01:00
Stefan Berthold | e6dd211637 | acquire DPoP signing key from provisioner | 2024-01-08 20:34:58 +01:00
beltram | 227e932624 | use json struct for challenge request payload otherwise it's a hell to craft from client side | 2024-01-08 20:33:46 +01:00
Stefan Berthold | 5ca744567c | simplify OIDC verification | 2024-01-08 20:32:44 +01:00
Stefan Berthold | da1e64aa53 | update wire challenges' status on happy end | 2024-01-08 20:28:37 +01:00
Stefan Berthold | 8e0e35532c | Add Wire authz and challenges (OIDC+DPOP) | 2024-01-08 20:27:16 +01:00
Herman Slatman | e52836f0ab | Add RS1 support for ACME device-attest-01 | 2024-01-07 21:25:36 +01:00
Herman Slatman | c59d293d26 | Add support for HTTP_PROXY and HTTPS_PROXY to ACME solver client | 2024-01-03 15:09:24 +01:00
Mariano Cano | b20af51f32 | Upgrade go.step.sm/crypto to use go-jose/v3 | 2023-12-12 16:36:48 -08:00
Herman Slatman | f453323ba9 | Merge pull request #1631 from smallstep/herman/fix-apple-acmeclient-invalid-signatures | 2023-12-01 09:48:37 +01:00
Herman Slatman | 405aae798c | Simplify the copy logic used when patching JWS signature | 2023-11-30 14:27:32 +01:00
Max | d34f0f6a97 | Fix linter warnings (#1634) | 2023-11-28 20:58:58 -08:00
Herman Slatman | 26a3bb3c11 | Make the Apple JWS fix more robust and catch more cases. | 2023-11-29 02:30:28 +01:00
Herman Slatman | 113491e7af | Remove TODO for patching other algorithms for Apple ACME client | 2023-11-24 18:29:22 +01:00
Herman Slatman | 06f4cbbcda | Add (temporary) fix for missing null bytes in Apple JWS signatures | 2023-11-24 18:21:01 +01:00

    Apparently the Apple macOS (and iOS?) ACME client seems to omit
    leading null bytes from JWS signatures. The base64-url encoded
    bytes decode to a shorter byte slice than what the JOSE library
    expects (e.g. 63 bytes instead of 64 bytes for ES256), and then
    results in a `jose.ErrCryptoFailure`.

    This commit retries verification of the JWS in case the first
    verification fails with `jose.ErrCryptoFailure`. The signatures are
    checked to be of the correct length, and if not, null bytes are
    prepended to the signature. Then verification is retried, which
    might fail again, but for other reasons. On success, the payload
    is returned.

    Apple should fix this in their ACME client, but in the meantime
    this commit prevents some "bad request" error cases from happening.