eb9893bd21
Refactor logic for processing `WireID` identifiers in Order
...
Processing `WireID` identifiers, the Wire subject, and the Wire
DPoP and OIDC tokens is now conditional.
6 months ago
40668ae09e
Refactor `WireID` target processing a bit
6 months ago
01169b2483
Make the `Target` optional in `Challenge` object
...
This is a non-standard property in the ACME challenge response, so
we shouldn't return it if it's not set. Also made it an optional
field in the DB.
6 months ago
85309bb8ec
Fix the integration test
6 months ago
fdea5e7db3
Fix tests for new ACME orders with Wire IDs
6 months ago
c1a7acc306
Make it compile with Go 1.20 again
6 months ago
84e9682476
feat: change the separator between user-id & device-id in a client-id. Use '!' instead of ':'
6 months ago
90b5347887
feat: try using the new ClientId & Handle format (i.e. plain URIs)
6 months ago
d6ceebba94
feat: update the protocol by including team & handle in the client dpop token, verifying the handle in the dpop challenge
6 months ago
6ffd913e28
feat: remove custom hardcoded OIDC challenge for Google
6 months ago
2be77385f6
fix: same issue as with oidc challenge
6 months ago
ff07fdc0fd
fix: oups
6 months ago
13df461e97
fix: could not reuse a signing key otherwise it would create in accounts & orders and fail the OIDC challenge. The OIDC challenge was not retryable
6 months ago
83f76433a8
b64 encode the kid since apparently it wasn't
6 months ago
8fd0192da3
print kid for debugging
6 months ago
4d028f7813
client jwk was there the whole time
6 months ago
ed2bce9a3c
fix: access token verification in DPoP challenge. Was previously verifying 'cnf.kid' against backend key whereas it must be against client's key
6 months ago
5fdf036a4d
fix: invalid OID for display name in CSR
6 months ago
9d5c974f44
fix: PR review
6 months ago
1b32957ff6
fix: verify custom display_name extension is present
6 months ago
ab9e1ddb28
Make `MockDB` implement `acme.DB` interface again
6 months ago
7b5740153d
support for oidc id token
6 months ago
f5b346ee36
i'm tired
6 months ago
03dbd91418
fix dpop token json serialization to db
6 months ago
613e6cae6e
wip
6 months ago
0b68e1bbcf
Add `GetAllOrdersByAccountID` to `MockDB`
6 months ago
8888262e45
cheat by allowing also looking up for ready orders
6 months ago
0bc530c98e
log more things
6 months ago
2e128056dc
have updateOrder also update the update joint table [order by account]
6 months ago
1a711e1b91
Add new Wire DB methods to `acme.DB` interface
6 months ago
abe86002ee
try by storing everything in db
6 months ago
76dfcb00e4
try silencing template data for dichotomies
6 months ago
a32bb66e47
trying to pass access token to template
6 months ago
ff41a1193d
fix deviceId computing in dpop challenge
6 months ago
5ceed08ae0
Reorganize parsing target
6 months ago
83ba0bdc51
Replace field access by accessor functions
6 months ago
c4fb19d01f
passing expected issuer to rusty-jwt-cli
6 months ago
2b1223a080
simpler
6 months ago
036a144e09
add oidc target
6 months ago
97002040a5
fix: challenge target field was not mapped to db entity
6 months ago
d32a3e23f0
wip
6 months ago
b58de27675
fix: do not convert URIs to lowercase for comparison purpose
6 months ago
7c9f8020d5
fix: add URI prefix to handle
6 months ago
680b6ea08f
adapt google demo for wire's special handle format "{firstname}_wire"
6 months ago
a97991aa83
infer domain from google email address
6 months ago
49ad2d9967
fix google id token matching in oidc challenge
6 months ago
a49966f4c9
try using google oidc for demo purpose
6 months ago
3576cc30c8
forward displayName in CSR with custom OID
6 months ago
4172b69816
remove displayName validation, potentially harmful
6 months ago
79501df5a2
fix: exclude displayName from SAN DNS
6 months ago
3f474f77d4
feat: change from impp prefix to just im
6 months ago
b6ec4422b4
feat: adapt to dex and pass the 'keyauth' in payload instead of in id_token. Also have a different mapping for id_token claims name
6 months ago
af31a167c6
skip empty entries for uniqueSortedLowerNames
6 months ago
01ef526d08
change uri prefix to impp:wireapp=
6 months ago
cc5fd0a6a5
fix san validation
6 months ago
b3dd169190
cleanup my mess
6 months ago
3eb0ff43c0
fix orderNames size
6 months ago
c41a99ad75
(finalize) have both display name & domain in SANs
6 months ago
5ba0ab3e44
fix csr domain validation in finalize
6 months ago
73ec6c89d0
fix csr org validation in finalize
6 months ago
ca01c74333
avoid manipulating the key PEM format and take a plain PEM key as input
6 months ago
74ddad69dc
fix: challenge is '.token' and not '.id'
6 months ago
83f6be1f58
print oidc options
6 months ago
1fe61bee7b
better observability
6 months ago
e6dd211637
acquire DPoP signing key from provisioner
6 months ago
227e932624
use json struct for challenge request payload otherwise it's a hell to craft from client side
6 months ago
5ca744567c
simplify OIDC verification
6 months ago
da1e64aa53
update wire challenges' status on happy end
6 months ago
8e0e35532c
Add Wire authz and challenges (OIDC+DPOP)
6 months ago
e52836f0ab
Add `RS1` support for ACME `device-attest-01`
6 months ago
c59d293d26
Add support for `HTTP_PROXY` and `HTTPS_PROXY` to ACME solver client
6 months ago
b20af51f32
Upgrade go.step.sm/crypto to use go-jose/v3
7 months ago
f453323ba9
Merge pull request #1631 from smallstep/herman/fix-apple-acmeclient-invalid-signatures
7 months ago
405aae798c
Simplify the `copy` logic used when patching JWS signature
7 months ago
d34f0f6a97
Fix linter warnings ( #1634 )
7 months ago
26a3bb3c11
Make the Apple JWS fix more robust and catch more cases.
7 months ago
113491e7af
Remove TODO for patching other algorithms for Apple ACME client
7 months ago
06f4cbbcda
Add (temporary) fix for missing null bytes in Apple JWS signatures
...
Apparently the Apple macOS (and iOS?) ACME client seems to omit
leading null bytes from JWS signatures. The base64-url encoded
bytes decode to a shorter byte slice than what the JOSE library
expects (e.g. 63 bytes instead of 64 bytes for ES256), and then
results in a `jose.ErrCryptoFailure`.
This commit retries verification of the JWS in case the first
verification fails with `jose.ErrCryptoFailure`. The signatures are
checked to be of the correct length, and if not, null bytes are
prepended to the signature. Then verification is retried, which
might fail again, but for other reasons. On success, the payload
is returned.
Apple should fix this in their ACME client, but in the meantime
this commit prevents some "bad request" error cases from happening.
7 months ago
231b5d8406
chore(deps): upgrade github.com/go-chi/chi to v5
...
Upgrade chi to the v5 module path to avoid deprecation warning about v4
and earlier on the old module path.
See https://github.com/go-chi/chi/blob/v4.1.3/go.mod#L1-L4
Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
9 months ago
f2993c4c3b
Use the legacy `tpm2` package import
9 months ago
116ff8ed65
bump go.mod to go1.20 and associated linter fixes ( #1518 )
10 months ago
d8eeebfd51
Fix error string in tests
...
This commit fixes a test checking an error string from an external
dependency.
10 months ago
c952e9fc9d
Use `NewDetailedError` instead
11 months ago
f3c24fe875
Change how multiple identifiers are printed in errors
11 months ago
a0cdad335d
Add test for `WithAdditionalErrorDetail`
11 months ago
9a52675865
Return descriptive error when using unsupported format
11 months ago
0d3338ff3a
Return consistent ACME error types for specific cases
11 months ago
df22b8a303
Cleanup some leftover TODOs
11 months ago
dd9bf1e915
Add error details for the `step` format
11 months ago
9cbbd1d575
Add error details to ACME `tpm` format validation errors
11 months ago
d5dd8feccd
Prevent internal errors from being returned to ACME clients
11 months ago
979e0f8f51
Add error details to select error cases for `apple` format
11 months ago
a5801b3c74
Fix TPM simulator initialization for tests
12 months ago
7731edd816
Store and verify Acme account location ( #1386 )
...
* Store and verify account location on acme requests
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
Co-authored-by: Mariano Cano <mariano@smallstep.com>
1 year ago
e71b62e95c
Merge branch 'master' into herman/update-crypto-v0.29.4
1 year ago
8b256f0351
address linter warning for go 1.19
1 year ago
0c2b00f6a1
Depend on our fork of `go-attestation`
1 year ago
d9aa2c110f
Increase test coverage for AK certificate properties
1 year ago
ed1a62206e
Add additional verification of AK certificate
1 year ago
1c38e252a6
Cast `alg` to a valid `COSEAlgorithmIdentifier`
1 year ago
Herman Slatman
beltram
Stefan Berthold
Mariano Cano
Herman Slatman
Max
Dominic Evans