Herman Slatman
492256f2d7
Add first test cases for EAB and make provisioner unique per EAB
...
Before this commit, EAB keys could be used CA-wide, meaning that
an EAB credential could be used at any ACME provisioner. This
commit changes that behavior, so that EAB credentials are now
intended to be used with a specific ACME provisioner. I think
that makes sense, because from the perspective of an ACME client
the provisioner is like a distinct CA.
Besides that this commit also includes the first tests for EAB.
The logic for creating the EAB JWS as a client has been taken
from github.com/mholt/acmez. This logic may be moved or otherwise
sourced (i.e. from a vendor) as soon as the step client also
(needs to) support(s) EAB with ACME.
2021-08-09 10:37:32 +02:00
Herman Slatman
c6bfc6eac2
Fix PR comments
2021-07-22 23:48:41 +02:00
Herman Slatman
d669f3cb14
Fix misspelling
2021-07-17 20:39:12 +02:00
Herman Slatman
540d5fbbdc
Fix marshaling -> marshalling
2021-07-17 20:35:44 +02:00
Herman Slatman
2110c7722f
Fix JWK payload key equality check
2021-07-17 20:29:12 +02:00
Herman Slatman
d44cd18b96
Add External Accounting Binding key "BoundAt" marking
2021-07-17 19:02:47 +02:00
Herman Slatman
f81d49d963
Add first working version of External Account Binding
2021-07-17 17:35:44 +02:00
Herman Slatman
258efca0fa
Improve revocation authorization
2021-07-10 00:28:31 +02:00
Herman Slatman
97165f1844
Fix test mocking for CreateCertificate
2021-07-09 22:48:03 +02:00
Herman Slatman
2b15230aa4
Add Serial to Cert ID ACME table and lookup
2021-07-09 17:51:31 +02:00
Herman Slatman
8f7e700f09
Merge branch 'master' into hs/acme-revocation
2021-07-09 11:22:25 +02:00
max furman
857a50434c
Merge branch 'master' into max/cert-mgr-crud
2021-07-08 16:25:52 -07:00
max furman
9fdef64709
Admin level API for provisioner mgmt v1
2021-07-02 19:05:17 -07:00
Herman Slatman
16fe07d4dc
Fix mockSignAuth
2021-07-03 02:10:16 +02:00
Herman Slatman
0e56932e76
Add support for revocation using JWK
2021-07-03 01:57:27 +02:00
Herman Slatman
84e7d468f2
Improve handling of ACME revocation
2021-07-03 00:21:17 +02:00
Herman Slatman
d53bcaf830
Add base logic for ACME revoke-cert
2021-07-02 22:51:15 +02:00
Herman Slatman
8e4a4ecc1f
Refactor tests for sans
2021-06-26 00:48:40 +02:00
Herman Slatman
87b72afa25
Fix IP equality check and add more tests
2021-06-26 00:13:44 +02:00
Herman Slatman
a6d33b7d06
Add tests for sans()
2021-06-25 17:21:22 +02:00
Herman Slatman
64c15fde7e
Add tests for canonicalize function
2021-06-25 14:07:40 +02:00
Herman Slatman
c514a187b2
Fix Fail() -_-b
2021-06-18 17:37:56 +02:00
Herman Slatman
135e912ac8
Improve coverage for TLS-ALPN-01 challenge
2021-06-18 17:27:35 +02:00
Herman Slatman
218a2adb9f
Add tests for IP Order validations
2021-06-18 16:09:48 +02:00
Herman Slatman
523ae96749
Change identifier and challenge types to consts
2021-06-18 12:39:36 +02:00
Herman Slatman
84ea8bd67a
Fix PR comments
2021-06-18 12:03:46 +02:00
Herman Slatman
af4803b8b8
Fix tests
2021-06-04 11:14:59 +02:00
Herman Slatman
0c79914d0d
Improve check for single IP in TLS-ALPN-01 challenge
2021-06-04 00:18:26 +02:00
Herman Slatman
a6405e98a9
Remove fmt.
2021-06-04 00:06:15 +02:00
Herman Slatman
2f40011da8
Add support for TLS-ALPN-01 challenge
2021-06-04 00:01:43 +02:00
Herman Slatman
76dcf542d4
Fix mixed DNS and IP SANs in Order
2021-06-03 22:45:24 +02:00
Herman Slatman
af615db6b5
Support DNS and IPs as SANs in single Order
2021-06-03 22:03:21 +02:00
Herman Slatman
a0e92f8e99
Verify IP identifier contains valid IP
2021-06-03 22:02:13 +02:00
Herman Slatman
6486e6016b
Make logic for which challenge types to use clearer
2021-05-29 00:37:22 +02:00
Herman Slatman
3e36522329
Add preliminary support for TLS-ALPN-01 challenge for IP identifiers
2021-05-29 00:19:14 +02:00
Herman Slatman
6d9710c88d
Add initial support for ACME IP validation
2021-05-28 16:40:46 +02:00
max furman
7b5d6968a5
first commit
2021-05-19 15:20:16 -07:00
Joe Julian
0369151bfa
use InsecureSkipVerify for validation
...
The server will not yet have a valid certificate so we need to disable
certificate validation in the HTTPGetter.
2021-04-27 08:18:35 -07:00
Mariano Cano
2e1524ec2f
Remove the creation on nonce on get acme directory.
...
According to RFC 8555, the replay nonces are only required in POST
requests. And of course in the new-nonce request.
2021-04-15 17:54:22 -07:00
max furman
93c3c2bf2e
Error handle non existent provisioner downstream and disable debug route logging
2021-04-14 15:35:43 -07:00
max furman
497ec0c79b
Fix linter issues
2021-04-14 15:14:27 -07:00
max furman
b1888fd34d
Use different method for unescpaed paths for the router
2021-04-14 15:11:15 -07:00
max furman
6cfb9b790c
Remove check of deprecated value
...
- NegotiatedProtocolIsMutual is always true: Deprecated according to
golang docs
2021-04-13 14:53:05 -07:00
max furman
63ec2e35b0
Change Clock to empty struct in nosql/nosql | truncate > round
...
- saves space
-
2021-04-13 14:42:37 -07:00
max furman
672e3f976e
Few ACME fixes ...
...
- always URL escape linker output
- validateJWS should accept RSAPSS
- GetUpdateAccount -> GetOrUpdateAccount
2021-04-12 19:06:07 -07:00
max furman
2e0e62bc4c
add WriteError method for acme api
2021-03-29 23:16:39 -07:00
max furman
9aef84b9af
remove unused nonce.clone method
2021-03-29 23:02:41 -07:00
max furman
440678cb62
Add markInvalid arg to storeError for invalidating challenge
2021-03-29 22:58:26 -07:00
max furman
6b8585c702
PR review fixes / updates
2021-03-29 12:04:14 -07:00
max furman
bdace1e53f
Add failure scenarios to db.CreateOrder unit tests
2021-03-25 19:40:18 -07:00
max furman
fd447c5b54
Fix small nbf->naf bug in db.CreateOrder
...
- still needs unit test
2021-03-25 16:45:26 -07:00
max furman
a785131d09
Fix lint issues
2021-03-25 15:15:32 -07:00
max furman
80c8567d99
change errnotfound type for getAccount
...
- more generalized NotFound type rather than the nosql
one we were using
- if the error is not recognized then the logic in create account will
break.
2021-03-25 14:54:12 -07:00
max furman
1831920363
Finish order unit tests and remove unused mocklinker
2021-03-25 13:46:51 -07:00
max furman
b6ebc0fd25
more unit tests
2021-03-25 12:05:46 -07:00
max furman
df05340521
fixing broken unit tests
2021-03-25 12:05:46 -07:00
max furman
bdf4c0f836
add acme order unit tests
2021-03-25 12:05:46 -07:00
max furman
c0a9f24798
add authorization and order unit tests
2021-03-25 12:05:46 -07:00
max furman
a58466589f
add tls-alpn-01 validate unit tests
2021-03-25 12:05:46 -07:00
max furman
a8e4bbf715
start Validate unit tests
2021-03-25 12:05:46 -07:00
max furman
1fb0f1d7d9
add storeError unit tests
2021-03-25 12:05:46 -07:00
max furman
8b4a5a6d8b
add unit tests for dns01 validate
2021-03-25 12:05:46 -07:00
max furman
3612a0b990
gethttp01 validate unit tests working
2021-03-25 12:05:46 -07:00
max furman
7f9ffbd514
adding more acme nosql unit tests
2021-03-25 12:05:46 -07:00
max furman
88e6f00347
nosql account db unit tests
2021-03-25 12:05:46 -07:00
max furman
ce13d09dcb
add at
to time attributes in dbAccount
2021-03-25 12:05:46 -07:00
max furman
f72b2ff2c2
[acme db interface] nosql authz unit tests
2021-03-25 12:05:46 -07:00
max furman
206909b12e
[acme db interface] unit tests for challenge nosql db
2021-03-25 12:05:46 -07:00
max furman
4b1dda5bb6
[acme db interface] tests
2021-03-25 12:05:46 -07:00
max furman
074ab7b221
[acme db interface] add linker tests
2021-03-25 12:05:46 -07:00
max furman
8d2ebcfd49
[acme db interface] more unit tests
2021-03-25 12:05:46 -07:00
max furman
20b9785d20
[acme db interface] continuing unit test work
2021-03-25 12:05:46 -07:00
max furman
291fd5d45a
[acme db interface] more unit tests
2021-03-25 12:05:46 -07:00
max furman
f71e27e787
[acme db interface] unit test progress
2021-03-25 12:05:46 -07:00
max furman
bb8d54e596
[acme db interface] unit tests compiling
2021-03-25 12:05:46 -07:00
max furman
f20fcae80e
[acme db interface] wip unit test fixing
2021-03-25 12:05:46 -07:00
max furman
fc395f4d69
[acme db interface] compiles!
2021-03-25 12:05:46 -07:00
max furman
116869ebc5
[acme db interface] wip
2021-03-25 12:05:46 -07:00
max furman
80a6640103
[acme db interface] wip
2021-03-25 12:05:46 -07:00
max furman
491c188a5e
[acme db interface] wip
2021-03-25 12:05:46 -07:00
max furman
1135ae04fc
[acme db interface] wip
2021-03-25 12:05:46 -07:00
max furman
03ba229bcb
[acme db interface] wip more errors
2021-03-25 12:05:46 -07:00
max furman
2ae43ef2dc
[acme db interface] wip errors
2021-03-25 12:05:46 -07:00
max furman
121cc34cca
[acme db interface] wip
2021-03-25 12:05:45 -07:00
max furman
461bad3fef
[acme db interface] wip
2021-03-25 12:05:45 -07:00
max furman
0368957e79
[acmedb] (wip)
2021-03-25 12:05:45 -07:00
max furman
31ad7f2e9b
[acme] Continued work on acme db interface (wip)
2021-03-25 12:05:45 -07:00
max furman
34859551ef
Add new directory structure
2021-03-25 12:05:45 -07:00
max furman
088432150d
Beginnings of acmeDB interface
2021-03-25 12:05:45 -07:00
max furman
265d49dbf8
Remove debug statement
2020-12-18 18:17:55 -05:00
max furman
1f9aa65d66
Add test case
2020-12-18 17:05:25 -05:00
max furman
20f8d950c4
Fix broken ValidateChallenge test
2020-12-18 11:18:42 -05:00
max furman
4c48048615
Use sync.Mutex as value
2020-10-20 17:56:15 -07:00
max furman
272cce522e
Fix test and change method name
2020-10-20 17:18:20 -07:00
max furman
f34fb80eb6
[acme] Use lock for ordersByAccID and type to house methods
2020-10-20 16:25:16 -07:00
Mariano Cano
c94a1c51be
Merge branch 'master' into ssh-cert-templates
2020-08-24 15:08:28 -07:00
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
2020-08-14 15:33:50 -07:00
Mariano Cano
aaaa7e9b4e
Merge branch 'master' into cert-templates
2020-08-14 10:45:41 -07:00
max furman
55bf5a4526
Add cert logging for acme/certificate api
2020-08-12 15:50:45 -07:00
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
2020-08-10 11:26:51 -07:00
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
2020-08-05 16:02:46 -07:00
Mariano Cano
f1773489fc
Fix comment.
2020-07-31 10:45:59 -07:00
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
0c8376a7f6
Fix existing unit tests.
2020-07-21 14:21:54 -07:00
Mariano Cano
a7fe0104c4
Remove ACME restrictions and add proper template support.
2020-07-21 14:18:06 -07:00
max furman
d25e7f64c2
wip
2020-06-24 09:58:40 -07:00
max furman
1951669e13
wip
2020-06-23 11:10:45 -07:00
max furman
41a1a053d8
Always convert empty list to nil when saving orderIDs index.
2020-06-01 18:04:51 -07:00
max furman
704a510a2a
Remove non-pending orders from the acme_orders_by_account index ...
...
- Each acme account has an index in this table. Before this change, the
index would grow unchecked as orders accumulate. This change removes
orders that have moved out of the 'PENDING' state.
2020-06-01 12:56:50 -07:00
David Cowden
a26b5f322d
acme/api: Brush up documentation on key-change
...
Add more specific wording describing what a 501 means and add more color
explaining how official vs unofficial error types should be handled.
2020-05-28 11:22:37 -07:00
David Cowden
b26e6e42b3
acme: Return 501 for the key-change route
...
RFC 8555 § 7.3.5 is not listed as optional but we do not currently
support it. Rather than 404, return a 501 to inform clients that this
functionality is not yet implemented.
The notImplmented error type is not an official error registered in the
ietf:params:acme:error namespace, so prefix if with step:acme:error. An
ACME server is allowed to return other errors and clients should display
the message detail to users.
Fixes: https://github.com/smallstep/certificates/issues/209
2020-05-26 01:47:08 -07:00
max furman
6e69f99310
Always set nbf and naf for new ACME orders ...
...
- Use the default value from the ACME provisioner if values are not
defined in the request.
2020-05-22 10:31:58 -07:00
Max
ba91f4ed13
Merge pull request #260 from anxolerd/feat-force-cn-if-empty
...
[Feature] Force CommonName for certificates from ACME provisioner
2020-05-18 14:40:01 -07:00
Oleksandr Kovalchuk
893a53793a
Modify existing tests to accept forceCNOption modifier
...
Modify existing tests to pass with changes introduced in commit
322200b7db
. This is safe to do as
tests assert exact length of modifiers, which has changed.
2020-05-17 20:27:09 +03:00
Oleksandr Kovalchuk
322200b7db
Implement modifier to set CommonName
...
Implement modifier which sets CommonName to the certificate if
CommonName is empty and forceCN is set in the config. Replace previous
implementation introduced in 0218018cee
with new modifier.
Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
2020-05-17 20:23:13 +03:00
max furman
e1409349f3
Allow relative URL for all links in ACME api ...
...
* Pass the request context all the way down the ACME stack.
* Save baseURL in context and use when generating ACME urls.
2020-05-14 17:32:54 -07:00
Oleksandr Kovalchuk
0218018cee
Generate Subject if forceCN
and Subject is empty
...
When `forceCN` is set in provisioner configuration and
Subject.CommonName is empty, set Subject.CommonName to the first SAN
from the CSR to follow the letsencrypt's boulder behavior. This is done
in order to support system which require certificate's Subject field to
be non-empty.
N.B. certbot does not send Subject in its certificate request and relies
on similar behavior of letsencrypt.
Closes https://github.com/smallstep/certificates/issues/259
2020-05-14 13:23:42 +03:00
Clive Jevons
639993bd09
Read host and protocol information from request for links
...
When constructing links we want to read the required host and protocol
information in a dynamic manner from the request for constructing ACME
links such as the directory information. This way, if the server is
running behind a proxy, and we don't know what the exposed URL should
be at runtime, we can construct the required information from the
host, tls and X-Forwarded-Proto fields in the HTTP request.
Inspired by the LetsEncrypt Boulder project (web/relative.go).
2020-05-12 16:58:12 -07:00
max furman
4cb777bdc1
ACME accountUpdate ignore fields not recognized by the server.
2020-05-08 11:52:30 -07:00
Ivan Bertona
cb46a8b741
Small test fixes.
2020-02-11 09:57:28 -05:00
Ivan Bertona
10bc548c6e
Remove leftover file.
2020-02-10 14:58:16 -05:00
Ivan Bertona
200cfd2433
Add test for missing TLS certificates in response.
2020-02-10 14:50:13 -05:00
Ivan Bertona
157686e338
Tiny finishes.
2020-02-07 19:57:29 -05:00
Ivan Bertona
6843408d42
Reject obsolete id-pe-acmeIdentifier.
2020-02-07 19:26:18 -05:00
Ivan Bertona
6b5a2b17b5
Add challenge unmarshal test cases.
2020-02-07 15:25:27 -05:00
Ivan Bertona
b8208ec401
Add test case for failed came-tls/1 protocol negotiation.
2020-02-07 15:14:08 -05:00
Ivan Bertona
4b473732d9
Add support for TLS-ALPN-01 challenge.
2020-02-07 14:37:13 -05:00
max furman
c255274572
Should be returning status code 400 for ACME Account Not Found.
...
Issue #173
2020-02-01 17:35:41 -08:00
Mariano Cano
0a890a5c16
Add the commonName as a DNSName to match RFC.
...
Normalize names and remove the use of reflection.
2020-01-28 15:34:01 -08:00
max furman
432ed0090f
Use _'s in table names.
2020-01-28 13:29:40 -08:00
max furman
967e86a48b
Simplify trimming *. prefix of domain in acme dns validation.
2019-12-20 13:32:44 -08:00
Oleksandr Kovalchuk
ec8ff0bced
Add testcase which ensures we pass correct domain to lookupTxt
...
Make sure we do not pass domains with asterisk (wildcard) in the middle,
like _acme-challenge.*.example.com to lookupTxt function, but preprocess
domain and remove leading wildcard so we lookup for
_acme-challenge.example.com.
2019-12-20 22:54:41 +02:00
Oleksandr Kovalchuk
46832bb9b3
Remove superflurous Printf statement
...
The statement was used for debug purposes and should not be included in
the final build
2019-12-20 22:22:12 +02:00
Oleksandr Kovalchuk
a995cca418
Perform domain normalization for wildcard domains
...
Perform domain normalization for wildcard domains, so we do query
TXT records for _acme-challenge.example.domain instead of
_acme-challenge.*.example.domain when performing DNS-01 challenge. In
this way the behavior is consistent with letsencrypt and records queried
are in sync with the ones that are shown in certbot manual mode.
2019-12-20 19:17:53 +02:00
Max
0a96062b76
Merge pull request #128 from jkralik/returnCertChain
...
Change api of functions Authority.Sign, Authority.Renew
2019-10-18 14:00:18 -07:00
max furman
d368791606
Add x5c provisioner capabilities
2019-10-14 14:51:37 -07:00
max furman
7aec7c2612
Create ACME database tables when initializing ACME autority.
2019-10-14 14:51:03 -07:00
Jozef Kralik
bc6074f596
Change api of functions Authority.Sign, Authority.Renew
...
Returns certificate chain instead of 2 members.
Implements #126
2019-10-09 22:23:00 +02:00
max furman
e92dfb2516
Fix authz shadow declarations
2019-09-30 11:49:15 -07:00
max furman
fe7973c060
wip
2019-09-19 13:17:45 -07:00
max furman
e3826dd1c3
Add ACME CA capabilities
2019-09-13 15:48:33 -07:00