Commit Graph

1264 Commits (364566bb01477a05a405561329ea5822ee0bdfa0)

Author SHA1 Message Date
Herman Slatman 70a2f431fa
Address review remarks 9 months ago
Herman Slatman c7892e9cd3
Remove the `rusty-jwt-cli` configuration 9 months ago
Herman Slatman 8997ce1a1e
Disable `wire-dpop-01` and `wire-oidc-01` by default 9 months ago
Herman Slatman bf8c17e3ec
Remove the Wire `oidc` and `dpop` from attestation formats 9 months ago
Herman Slatman 6a98fea1f3
Fix linter issues 9 months ago
Herman Slatman e2a2e00526
Make template use `DeviceId` for now 9 months ago
Herman Slatman 776a839a42
Fix linter issues and improve error handling 9 months ago
beltram 39bf889925
feat: remove query parameters from OIDC issuerUrl so that it allows us to use it to carry the OAuth ClientId in the Challenge.target field without at the same time undermining the idToken verification which relies on an issuer (iss) claim without this query parameter 9 months ago
Stefan Berthold 5ceed08ae0
Reorganize parsing target 9 months ago
Stefan Berthold 83ba0bdc51
Replace field access by accessor functions 9 months ago
beltram 2b1223a080
simpler 9 months ago
beltram 036a144e09
add oidc target 9 months ago
beltram d32a3e23f0
wip 9 months ago
Stefan Berthold 2208b03744
avoid panic when OIDC config is not provided 9 months ago
Stefan Berthold e6dd211637
acquire DPoP signing key from provisioner 9 months ago
Stefan Berthold 8e0e35532c
Add Wire authz and challenges (OIDC+DPOP) 9 months ago
Herman Slatman 25c109e75d
Change error message for CSR validation 9 months ago
Mariano Cano b20af51f32
Upgrade go.step.sm/crypto to use go-jose/v3 10 months ago
Max d34f0f6a97
Fix linter warnings (#1634) 10 months ago
Herman Slatman f082cbc421
Denormalize provisioner name in SCEP webhook 11 months ago
Herman Slatman 9ebc8779f5
Normalize SCEP provisioner name in webhook body 11 months ago
Herman Slatman e815864ed8
Add verification of `provisionerName` in test 11 months ago
Herman Slatman de45d66cdb
Add `provisionerName` to webhook request body 11 months ago
Mariano Cano 49045a1150
Change CommonName validator in JWK
This commit changes the common name validator in the JWK provisioner to
accept either the token subject or any of the sans in the token.
11 months ago
Max 9f84f7ce35
Allow for identity certificate signing (in sshSign) by skipping validators (#1572)
- skip urisValidator for identity certificate signing. Implemented
  by building the validator with the context in a hacky way.
12 months ago
Mariano Cano 52baf52f84
Change scep password type to string
This commit changes the type of the decrypter key password to string to
be consistent with other passwords in the ca.json
1 year ago
Herman Slatman c0fbace882
Address review remarks 1 year ago
Herman Slatman 4dc5a688fd
Set SCEP authority options once 1 year ago
Herman Slatman 15c46ebbaa
Switch logic for SCEP initialization around 1 year ago
Herman Slatman f1da256ca4
Change SCEP authority initialization 1 year ago
Herman Slatman 4554f86f16
Make SCEP decrypter properties use `omitempty` 1 year ago
Herman Slatman ffe079f31b
Merge branch 'master' into herman/scep-provisioner-decrypter 1 year ago
Mariano Cano 31da66c124
Fix webhooks signature
This commit fixes the way webhooks signatures are created. Before this
change, the signature of an empty body was prepended by the body itself.
1 year ago
Herman Slatman 3f3b67e05c
Merge branch 'herman/scep-provisioner-decrypter' into herman/scep-notifying-webhook 1 year ago
Herman Slatman ba72710e2d
Address code review remarks 1 year ago
Herman Slatman 5f8e0de1c3
Fix duplicate import in SCEP provisioner 1 year ago
Herman Slatman 4fd4227b73
Use shorter SCEP decrypter property names from linkedca 1 year ago
Herman Slatman 5fd70af2c8
Make API responses aware of the new SCEP decrypter properties 1 year ago
Herman Slatman 3ade92f8d5
Support both a decrypter key URI as well as PEM 1 year ago
Herman Slatman b6c95d7be2
Add additional properties to SCEP notify webhook request body 1 year ago
Herman Slatman 63257e0576
Add full certificate DER bytes to success notification webhook 1 year ago
Herman Slatman 52bc96760b
Add SCEP certificate issuance notification webhook 1 year ago
Herman Slatman a3c9dd796a
Merge branch 'herman/scep-provisioner-decrypter' of github.com:smallstep/certificates into herman/scep-provisioner-decrypter 1 year ago
Herman Slatman 69a53eec33
Merge branch 'master' into herman/scep-provisioner-decrypter 1 year ago
Dominic Evans 231b5d8406
chore(deps): upgrade github.com/go-chi/chi to v5
Upgrade chi to the v5 module path to avoid deprecation warning about v4
and earlier on the old module path.

See https://github.com/go-chi/chi/blob/v4.1.3/go.mod#L1-L4

Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
1 year ago
Herman Slatman 4e06bdbc51
Add `SignWithContext` method to authority and mocks 1 year ago
Herman Slatman b2301ea127
Remove the webhook `Do` method 1 year ago
Herman Slatman f3229d3e3c
Propagate (original) request ID to webhook requests
Technically the webhook request is a new request, so maybe the
`X-Request-ID` should not be set to the value of the original
request? But then the original request ID should be propagated
in the webhook request body, or using a different header.

The way the request ID is used in this functionality is actually
more like a tracing ID, so that may be an option too.
1 year ago
Max b7c4ed26fb
Use provisioner name in error message (#1524) 1 year ago
Herman Slatman 33e661ce7d
Add a dummy CSR to SCEP request body tests 1 year ago
Herman Slatman 36f1dd70bf
Add CSR to `SCEPCHALLENGE` webhook request body 1 year ago
Herman Slatman 98d015b5c3
Fix linting issues 1 year ago
Herman Slatman d9f56cdbdc
Merge branch 'master' into herman/scep-provisioner-decrypter 1 year ago
Herman Slatman 9d3b78ae49
Add `excludeIntermediate` to SCEP provisioner 1 year ago
Max e22166c628
provisionerOptionsToLinkedCA missing template and templateData (#1520) 1 year ago
Max 116ff8ed65
bump go.mod to go1.20 and associated linter fixes (#1518) 1 year ago
Remi Vichery 82b8e16d7f
Add all AWS identity document certificates
* move to use embed instead of a multi-line string
* add test to ensure all certificates are valid
* add test to ensure validity (no expired certificate)
1 year ago
Herman Slatman e182c620c8
Merge branch 'master' into herman/scep-provisioner-decrypter 1 year ago
Herman Slatman 645b6ffc18
Ensure no prompt is fired for loading provisioner decrypter 1 year ago
Mariano Cano 30ce9e65f7
Write configuration only if encoding succeeds
This commit fixes a problem when the ca.json is truncated if the
encoding of the configuration fails. This can happen by adding a new
provisioner with bad template data.

Related to smallstep/cli#994
1 year ago
Herman Slatman e2e9bf5494
Clarify some SCEP properties 1 year ago
Herman Slatman c0a1837cd9
Verify full decrypter/signer configuration at usage time
When changing the SCEP configuration it is possible that one
or both of the decrypter configurations required are not available
or have been provided in a way that's not usable for actual SCEP
requests.

Instead of failing hard when provisioners are loaded,
which could result in the CA not starting properly, this type of
problematic configuration errors will now be handled at usage
time instead.
1 year ago
Herman Slatman fc1fb51854
Improve SCEP authority initialization and reload 1 year ago
Herman Slatman 569a1be12c
Merge branch 'master' into herman/scep-provisioner-decrypter 1 year ago
Mariano Cano cce7d9e839
Address comments from code review 1 year ago
Mariano Cano c7c7decd5e
Add support for the disableSmallstepExtensions claim
This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.

Fixes #620
1 year ago
Herman Slatman 1ce80cf740
Merge branch 'master' into herman/scep-provisioner-decrypter 1 year ago
Herman Slatman 567fc25404
Use the RSA decryption configuration for signing responses too 1 year ago
Mariano Cano 7061147885
Use step.Abs to load the certificate templates
step.Abs has been removed from crypto and they need to be set when those
methods are used
1 year ago
Herman Slatman 557672bb4b
Add some notes for SCEP provisioners 1 year ago
Mariano Cano 95887ebf40
Merge pull request #1481 from smallstep/remove-user-regex
Remove OIDC user regexp check
1 year ago
Josh Drake ff424fa944
Fix tests. 1 year ago
Josh Drake 904f416d20
Include authorization principal in provisioner webhooks. 1 year ago
Mariano Cano 5bfe96d8c7
Send X5C leaf certificate to webhooks
This commit adds a new property that will be sent to authorizing and
enriching webhooks when signing certificates using the X5C provisioner.
1 year ago
Mariano Cano 7fa97bedec
Remove OIDC user regexp check
This commit removes the regular expression check on OIDC usernames.
Although it is not recommended to use any character in a username,
it is possible to create and use them. The tool useradd has the flag
--badname and adduser has --allow-badname and --allow-all-names to
create new users with any character.

Moreover, it is possible to create any username with the rest of
provisioners.

Fixes #1436
1 year ago
Herman Slatman b2bf2c330b
Simplify SCEP provisioner context handling 1 year ago
Herman Slatman 8fc3a46387
Refactor the SCEP authority initialization
Instead of relying on an intermediate `scep.Service` struct,
initialize the `scep.Authority` directly. This removes one redundant
layer of indirection.
1 year ago
Herman Slatman 6985b4be62
Clean up the SCEP authority and provisioner 1 year ago
Herman Slatman a1f187e3df
Merge branch 'master' into herman/scep-provisioner-decrypter 1 year ago
Herman Slatman 180162bd6a
Refactor SCEP provisioner and decrypter 1 year ago
Herman Slatman 0377fe559b
Add basic version of provisioner specific SCEP decrypter 1 year ago
Mariano Cano 71fcdf8a0a
Fix linter errors from #1404 1 year ago
Ruslan Nugmanov 1031324273
add AWS public certificates for me-central-1 and ap-southeast-3
As per https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
1 year ago
max furman 8b256f0351
address linter warning for go 1.19 1 year ago
Herman Slatman 8c53dc9029
Use `require.NoError` where appropriate in provisioner tests 1 year ago
Herman Slatman 0153ff4377
Remove superfluous `GetChallengePassword` 1 year ago
Herman Slatman f9ec62f46c
Merge branch 'master' into herman/improve-scep-marshaling 1 year ago
Herman Slatman c73f157ea4
Remove unused error from challenge validation controller creator 1 year ago
Herman Slatman 4bb88adf63
Move SCEP checks after reload of provisioners in CA initialization 1 year ago
Herman Slatman e8c1e8719d
Refactor SCEP webhook validation 1 year ago
Herman Slatman ad4d8e6c68
Add `SCEPCHALLENGE` as valid webhook type in admin API 1 year ago
Herman Slatman 419478d1e5
Make SCEP webhook validation look better 1 year ago
Herman Slatman dfc56f21b8
Merge branch 'master' into herman/acme-da-tpm 2 years ago
Mariano Cano ac35f3489c
Remove unused certificate validators and modifiers
With the introduction of certificate templates some certificate
validators and modifiers are not used anymore. This commit deletes the
ones that are not used.
2 years ago
Remi Vichery 09cbe8ba65
fixup! Add identity token for all Azure cloud environments 2 years ago
Herman Slatman 6297bace1a
Merge branch 'master' into herman/acme-da-tpm 2 years ago
Remi Vichery b2c2eec76b
Add identity token for all Azure cloud environments
* Azure Public Cloud (default)
* Azure China Cloud
* Azure US Gov Cloud
* Azure German Cloud
2 years ago
LarsBingBong 0d5c40e059
Mark the IDP critical in the generated CRL data.
Trying to get CRL to work on my environment, I've been reading up on [RFC5280](https://www.rfc-editor.org/rfc/rfc5280#section-5.2.5) ... and the IDP to be marked as `Critical`. I hope I'm correct and that my understanding of how to mark the IDP as critical is correct.
Looking at e.g. `3470b1ec57/x509util/extensions_test.go (L48)` makes me think so.

---

Hopefully the above change - if accepted - can get CRLs to work on my environment. If not, we're at least one step closer.
2 years ago
Herman Slatman 59462e826c
Improve testing errors for OIDC `authorizeToken` function 2 years ago
Herman Slatman 10958a124b
Add email address to error message returned for OIDC validation 2 years ago