b62f4d1000
Add lgtm comments on some security warnings
2 years ago
2f7cb9225f
Use go.step.sm/crypto to set the permanent identifier
2 years ago
2ab1e6658e
Fix nonce validation
...
The attestation certificate contains the nonce as raw bytes in the
extension 1.2.840.113635.100.8.11.1
2 years ago
66356cff43
Add attestation certificate validation for Apple devices
2 years ago
274f6ccb41
iOS 16 beta 2 support
2 years ago
7e1b0bebd9
iOS 16 beta 1 support
2 years ago
77c6d10fd6
Verify key authorization is contained within the TPM quote extraData field
2 years ago
e1ec31c0ed
Implement TPM attestation statement verification
2 years ago
2ac8b69da2
Add ACME permanent-identifier identifier type
2 years ago
aacd6f4cc6
Add device-attest-01 challenge type
2 years ago
860baeb1c5
Verbose debug logging
2 years ago
fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19)
...
There are some changes that manually edited, for example using '-' as
default list and grouping imports.
2 years ago
abfbbc8d49
Merge pull request #946 from smallstep/herman/acme-csr-padding
...
Strip base64-url padding from ACME CSR
2 years ago
fd546287ac
Strip base64-url padding from ACME CSR
...
This commit strips the padding from a base64-url encoded CSR
submitted by a client that doesn't use raw base64-url encoding.
2 years ago
e7f4eaf6c4
Remove explicit deprecation notice
...
This will avoid linter errors on other projects for now.
2 years ago
d461918eb0
Merge branch 'master' into context-authority
2 years ago
2ea0c70344
Move acme context middleware to deprecated handler
2 years ago
9147356d8a
Fix linter errors
2 years ago
2ab7dc6f9d
Fix acme tests.
2 years ago
ba499eeb2a
Fix acme/api tests.
2 years ago
6f9d847bc6
Fix panic in acme/api tests.
2 years ago
d82e51b748
Update AllowWildcardNames configuration name
2 years ago
d1f75f1720
Refactor ACME api.
2 years ago
fddd6f7d95
Move linker to the acme package.
2 years ago
55b0f72821
Add context methods for the acme linker.
2 years ago
bb8d85a201
Fix unit tests - work in progress
2 years ago
42435ace64
Use scep authority from context
...
This commit also converts all the methods from the handler to
functions.
2 years ago
d13537d426
Use context in the acme handlers.
2 years ago
bd412c9f42
Add context methods for the acme database
2 years ago
6e1f8dd7ab
Refactor policy engines into container
2 years ago
2a7620641f
Fix more PR comments
2 years ago
fb81407d6f
Fix ACME policy comments
2 years ago
7f9034d22a
Add additional policy options
2 years ago
a9f033ece5
Fix JSON property name for ACME policy
2 years ago
256fe113f7
Improve tests for ACME account policy
2 years ago
034b7943fe
Merge branch 'master' into herman/allow-deny
2 years ago
7df52dbb76
Add ACME EAB policy
2 years ago
479c6d2bf5
Fix ACME IPv6 HTTP-01 challenges
...
Fixes #890
2 years ago
2fbdf7d5b0
Merge branch 'master' into herman/allow-deny
2 years ago
00634fb648
api/render, api/log: initial implementation of the packages ( #860 )
...
* api/render: initial implementation of the package
* acme/api: refactored to support api/render
* authority/admin: refactored to support api/render
* ca: refactored to support api/render
* api: refactored to support api/render
* api/render: implemented Error
* api: refactored to support api/render.Error
* acme/api: refactored to support api/render.Error
* authority/admin: refactored to support api/render.Error
* ca: refactored to support api/render.Error
* ca: fixed broken tests
* api/render, api/log: moved error logging to this package
* acme: refactored Error so that it implements render.RenderableError
* authority/admin: refactored Error so that it implements render.RenderableError
* api/render: implemented RenderableError
* api/render: added test coverage for Error
* api/render: implemented statusCodeFromError
* api: refactored RootsPEM to work with render.Error
* acme, authority/admin: fixed pointer receiver name for consistency
* api/render, errs: moved StatusCoder & StackTracer to the render package
2 years ago
b49307f326
Fix ACME order tests with mock ACME CA
2 years ago
9e0edc7b50
Add early authority policy evaluation to ACME order API
2 years ago
101ca6a2d3
Check admin subjects before changing policy
2 years ago
3ec9a7310c
Fix ACME order identifier allow/deny check
2 years ago
af53a17bb4
Merge branch 'master' into herman/allow-deny
2 years ago
b6f6bd879c
Fix PR comment and add tests for ACME prerequisites checker
2 years ago
e47dd0a666
Add ACME configuration prerequisites check
2 years ago
c3c6f3da72
Merge branch 'master' into herman/allow-deny
2 years ago
bfa2245abb
Merge branch 'master' into herman/normalize-ipv6-dns-names
2 years ago
1fe7362bee
Normalize IPv6 addresses in ACME linker
2 years ago
c1424036bf
Merge branch 'master' into herman/allow-deny
2 years ago
bf21319e76
Fix PR comments and issue with empty string slices
2 years ago
fd9845e9c7
Add cursor and limit to ACME EAB DB interface
2 years ago
c3f2fd8ef0
Add RW locks to prevent concurrent updates to the DB
...
Although this may slow certain API calls down and may not be, strictly
necessary, I think it's best to put all the ACME EAB operations behind
RW locks to prevent concurrent updates to the DB and guarantee
consistent result sets.
2 years ago
868cc4ad7f
Increase test coverage for additional indexes
2 years ago
c0eb420806
Remove special case for empty slices
2 years ago
6440870a80
Clean up, improve test cases and coverage
2 years ago
ef16febf40
Refactor ACME EAB queries
...
The ACME EAB keys are now also indexed by the provisioner. This
solves part of the issue in which too many EAB keys may be in
memory at a given time.
3 years ago
30859d3c83
Remove server-side paging logic for ExternalAccountKeys
3 years ago
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
3 years ago
11a7f01177
Simplify lookup cursor logic for ExternalAccountKeys
3 years ago
22ff90f655
Merge branch 'master' into hs/acme-eab
3 years ago
a5f2f004e3
Change name of IP Common Name test for clarity
3 years ago
f9ae875f9d
Use short if-style statements
3 years ago
80bebda69c
Fix code style issue
3 years ago
bc0875bd7b
Disallow email address and URLs in the CSR
...
Before this commit `step` would allow email addresses and URLs
in the CSR. This doesn't fit nicely with the rest of ACME, in which
identifiers need to be authorized before a certificate is issued.
3 years ago
13a31fd862
Merge branch 'master' into herman/ip-sans-improvements
3 years ago
ca707cbe05
Fix linting
3 years ago
a5d33512fe
Fix test
3 years ago
a2c9b5cd7e
Allow IP identifiers in subject, including authorization enforcement
...
To support IPs in the subject using `step-cli`, this PR ensures that
Subject Common Names that can be parsed as an IP are also checked
to have been authorized before.
The PR for `step-cli` is here: github.com/smallstep/cli/pull/576.
3 years ago
d799359917
Merge branch 'master' into hs/acme-eab
3 years ago
63371a8fb6
Add additional tests for ACME EAB Admin
3 years ago
0524122191
Remove authorization flow for different Account private keys
...
As discussed in https://github.com/smallstep/certificates/issues/767 ,
we opted for not including this authorization flow to prevent users
from getting OOMs. We can add the functionality back when the
underlying data store can provide access to a long list of
Authorizations more efficiently, for example when a callback is
implemented.
3 years ago
2215a05c28
Add tests for ACME EAB Admin
...
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.
At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
3 years ago
9885d42711
Fix linting issues
3 years ago
6e11657204
Refactor creation of (raw) EAB JWS contents
3 years ago
23898e9b76
Improve EAB JWS validation and increase test coverage
3 years ago
d0c23973cc
Merge branch 'master' into hs/acme-eab
3 years ago
004fc054d5
Fix PR comments
3 years ago
06bb97c91e
Add logic for Account authorizations and improve tests
3 years ago
bae1d256ee
Improve tests for JWK vs. KID revoke auth flow
...
The logic for both test cases is fairly similar, but with some
small differences. Made those clearer by means of some comments.
Also added some comments to the middleware logic that decided
whether to extract JWK or lookup by KID.
3 years ago
a7fbbc4748
Add tests for GetCertificateBySerial
3 years ago
4d01cf8135
Increase test code coverage
3 years ago
2d357da99b
Add tests for ACME revocation
3 years ago
ed295ca15d
Fix linting issue
3 years ago
2d50c96d99
Merge branch 'master' into hs/acme-revocation
3 years ago
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
29f9730485
Satisfy golangci-lint
3 years ago
c7a9c13060
Add tests for extractOrLookupJWK middleware
3 years ago
3151255a25
Merge branch 'master' into hs/acme-revocation
3 years ago
4d726d6b4c
Add pagination to ACME EAB credentials endpoint
3 years ago
d354d55e7f
Improve handling duplicate ACME EAB references
3 years ago
dd4b4b0435
Fix remaining gocritic remarks
3 years ago
a4660f73fa
Fix some of the gocritic remarks
3 years ago
e0b495e4c8
Merge branch 'master' into hs/acme-eab
3 years ago
c26041f835
Add ACME EAB nosql tests
3 years ago
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
0afea2e957
Improve tests for already bound EAB keys
3 years ago
c2bc1351c6
Add provisioner to remove endpoint and clear reference index on delete
3 years ago
746c5c9fd9
Disallow creation of EAB keys with non-unique references
3 years ago
Mariano Cano
Brandon Weeks
Shulhan
Herman Slatman
Herman Slatman
Panagiotis Siatras
max furman