beltram
3f474f77d4
feat: change from impp prefix to just im
6 months ago
beltram
b6ec4422b4
feat: adapt to dex and pass the 'keyauth' in payload instead of in id_token. Also have a different mapping for id_token claims name
6 months ago
Stefan Berthold
af31a167c6
skip empty entries for uniqueSortedLowerNames
6 months ago
beltram
01ef526d08
change uri prefix to impp:wireapp=
6 months ago
beltram
cc5fd0a6a5
fix san validation
6 months ago
beltram
b3dd169190
cleanup my mess
6 months ago
beltram
3eb0ff43c0
fix orderNames size
6 months ago
beltram
c41a99ad75
(finalize) have both display name & domain in SANs
6 months ago
beltram
5ba0ab3e44
fix csr domain validation in finalize
6 months ago
beltram
73ec6c89d0
fix csr org validation in finalize
6 months ago
beltram
ca01c74333
avoid manipulating the key PEM format and take a plain PEM key as input
6 months ago
beltram
74ddad69dc
fix: challenge is '.token' and not '.id'
6 months ago
beltram
83f6be1f58
print oidc options
6 months ago
beltram
1fe61bee7b
better observability
6 months ago
Stefan Berthold
e6dd211637
acquire DPoP signing key from provisioner
6 months ago
beltram
227e932624
use json struct for challenge request payload otherwise it's a hell to craft from client side
6 months ago
Stefan Berthold
5ca744567c
simplify OIDC verification
6 months ago
Stefan Berthold
da1e64aa53
update wire challenges' status on happy end
6 months ago
Stefan Berthold
8e0e35532c
Add Wire authz and challenges (OIDC+DPOP)
6 months ago
Herman Slatman
e52836f0ab
Add `RS1` support for ACME `device-attest-01`
6 months ago
Herman Slatman
c59d293d26
Add support for `HTTP_PROXY` and `HTTPS_PROXY` to ACME solver client
6 months ago
Mariano Cano
b20af51f32
Upgrade go.step.sm/crypto to use go-jose/v3
7 months ago
Herman Slatman
f453323ba9
Merge pull request #1631 from smallstep/herman/fix-apple-acmeclient-invalid-signatures
7 months ago
Herman Slatman
405aae798c
Simplify the `copy` logic used when patching JWS signature
7 months ago
Max
d34f0f6a97
Fix linter warnings ( #1634 )
7 months ago
Herman Slatman
26a3bb3c11
Make the Apple JWS fix more robust and catch more cases.
7 months ago
Herman Slatman
113491e7af
Remove TODO for patching other algorithms for Apple ACME client
7 months ago
Herman Slatman
06f4cbbcda
Add (temporary) fix for missing null bytes in Apple JWS signatures
...
Apparently the Apple macOS (and iOS?) ACME client seems to omit
leading null bytes from JWS signatures. The base64-url encoded
bytes decode to a shorter byte slice than what the JOSE library
expects (e.g. 63 bytes instead of 64 bytes for ES256), and then
results in a `jose.ErrCryptoFailure`.
This commit retries verification of the JWS in case the first
verification fails with `jose.ErrCryptoFailure`. The signatures are
checked to be of the correct length, and if not, null bytes are
prepended to the signature. Then verification is retried, which
might fail again, but for other reasons. On success, the payload
is returned.
Apple should fix this in their ACME client, but in the meantime
this commit prevents some "bad request" error cases from happening.
7 months ago
Dominic Evans
231b5d8406
chore(deps): upgrade github.com/go-chi/chi to v5
...
Upgrade chi to the v5 module path to avoid deprecation warning about v4
and earlier on the old module path.
See https://github.com/go-chi/chi/blob/v4.1.3/go.mod#L1-L4
Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
9 months ago
Herman Slatman
f2993c4c3b
Use the legacy `tpm2` package import
9 months ago
Max
116ff8ed65
bump go.mod to go1.20 and associated linter fixes ( #1518 )
10 months ago
Mariano Cano
d8eeebfd51
Fix error string in tests
...
This commit fixes a test checking an error string from an external
dependency.
10 months ago
Herman Slatman
c952e9fc9d
Use `NewDetailedError` instead
11 months ago
Herman Slatman
f3c24fe875
Change how multiple identifiers are printed in errors
11 months ago
Herman Slatman
a0cdad335d
Add test for `WithAdditionalErrorDetail`
11 months ago
Herman Slatman
9a52675865
Return descriptive error when using unsupported format
11 months ago
Herman Slatman
0d3338ff3a
Return consistent ACME error types for specific cases
11 months ago
Herman Slatman
df22b8a303
Cleanup some leftover TODOs
11 months ago
Herman Slatman
dd9bf1e915
Add error details for the `step` format
11 months ago
Herman Slatman
9cbbd1d575
Add error details to ACME `tpm` format validation errors
11 months ago
Herman Slatman
d5dd8feccd
Prevent internal errors from being returned to ACME clients
11 months ago
Herman Slatman
979e0f8f51
Add error details to select error cases for `apple` format
11 months ago
Herman Slatman
a5801b3c74
Fix TPM simulator initialization for tests
12 months ago
Max
7731edd816
Store and verify Acme account location ( #1386 )
...
* Store and verify account location on acme requests
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
Co-authored-by: Mariano Cano <mariano@smallstep.com>
1 year ago
Herman Slatman
e71b62e95c
Merge branch 'master' into herman/update-crypto-v0.29.4
1 year ago
max furman
8b256f0351
address linter warning for go 1.19
1 year ago
Herman Slatman
0c2b00f6a1
Depend on our fork of `go-attestation`
1 year ago
Herman Slatman
d9aa2c110f
Increase test coverage for AK certificate properties
1 year ago
Herman Slatman
ed1a62206e
Add additional verification of AK certificate
1 year ago
Herman Slatman
1c38e252a6
Cast `alg` to a valid `COSEAlgorithmIdentifier`
1 year ago
Herman Slatman
e25acff13c
Simplify `alg` validity check
1 year ago
Herman Slatman
9cd4b362f7
Extract the `ParseSubjectAlternativeNames` function
1 year ago
Herman Slatman
b6957358fc
Fix PR remarks
...
- Root CA error message improved
- Looping through intermediate certs
- Change checking unhandled extensions to using `if`
1 year ago
Herman Slatman
09bd7705cd
Fix linting issues
1 year ago
Herman Slatman
f88ef6621f
Add `PermanentIdentifier` SAN parsing and tests
1 year ago
Herman Slatman
52023d6083
Add tests for `doTPMAttestationFormat`
1 year ago
Herman Slatman
ae30f6e96b
Add failing TPM simulator test
1 year ago
Herman Slatman
bf53b394a1
Add `tpm` format test with simulated TPM
1 year ago
Herman Slatman
094f0521e2
Remove check for `PermanentIdentifier` from `tpm` format validation
1 year ago
Herman Slatman
589a62df74
Make validation of `tpm` format stricter
1 year ago
Herman Slatman
213b31bc2c
Simplify processing logic for unhandled critical extension
1 year ago
Herman Slatman
e1c7e8f00b
Return the CSR public key fingerprint for `tpm` format
1 year ago
Herman Slatman
6297bace1a
Merge branch 'master' into herman/acme-da-tpm
1 year ago
Herman Slatman
69489480ab
Add more complete `tpm` format validation
1 year ago
Mariano Cano
5ff0dde819
Remove json tag in acme.Authorization fingerprint
1 year ago
Mariano Cano
6ba20209c2
Verify CSR key fingerprint with attestation certificate key
...
This commit makes sure that the attestation certificate key matches the
key used on the CSR on an ACME device attestation flow.
1 year ago
Herman Slatman
3a6fc5e0b4
Remove dependency on `smallstep/assert` in ACME challenge tests
1 year ago
Herman Slatman
0f1c509e4b
Remove debug utility
1 year ago
Herman Slatman
0f9128c873
Fix linting issue and order of test SUT
1 year ago
Herman Slatman
2ab9beb7ed
Add tests for `deviceAttest01Validate`
1 year ago
Herman Slatman
ed61c5df5f
Cleanup some leftover debug statements
1 year ago
Herman Slatman
60a9e41c1c
Remove `Identifier` from top level ACME `Errors`
1 year ago
Herman Slatman
edee01c80c
Refactor debug utility
1 year ago
Herman Slatman
1c38113e44
Add ACME `Subproblem` for more detailed ACME client-side errors
...
When validating an ACME challenge (`device-attest-01` in this case,
but it's also true for others), and validation fails, the CA didn't
return a lot of information about why the challenge had failed. By
introducing the ACME `Subproblem` type, an ACME `Error` can include
some additional information about what went wrong when validating
the challenge.
This is a WIP commit. The `Subproblem` isn't created in many code
paths yet, just for the `step` format at the moment. Will probably
follow up with some more improvements to how the ACME error is
handled. Also need to cleanup some debug things (q.Q)
1 year ago
Herman Slatman
f1724ea8c5
Merge branch 'master' into herman/acme-da-tpm
1 year ago
Herman Slatman
64d9ad7b38
Validate Subject Common Name for Orders with Permanent Identifier
1 year ago
Herman Slatman
817edcbba5
Remove `charset=utf-8` from ACME certificate requests
2 years ago
Herman Slatman
4cf25ede24
Merge branch 'master' into herman/acme-da-tpm
2 years ago
Herman Slatman
3eae04928f
Add tests for ACME Meta object
2 years ago
Herman Slatman
02d679e160
Merge branch 'master' into herman/ignore-empty-acme-meta
2 years ago
Mariano Cano
e27c6c529b
Add support for custom acme ports
...
This change adds the flags --acme-http-port, --acme-tls-port, that
combined with --insecure can be used to set custom ports for ACME
http-01 and tls-alpn-01 challenges. These flags should only be used
for testing purposes.
Fixes #1015
2 years ago
Herman Slatman
b9f238ad4d
Add additional ACME `meta` properties to provisioner configuration
2 years ago
Herman Slatman
c9793561ff
Make `meta` object optional in ACME directory response
...
Harware appliances from Kemp seem to validate the contents of the
`meta` object, even if none of the properties in the `meta` object
is set. According to the RFC, the `meta` object, as well as its
properties are optional, so technically this should be fixed by
the manufacturer.
This commit is to see if we validation of the `meta` object is
skipped if it's not available in the response.
2 years ago
Mariano Cano
a7e597450a
Update acme/challenge_test.go
...
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2 years ago
Mariano Cano
7a78c76199
Add test simulating YubiKey v5.2.4
...
There are YubiKeys v5.2.4 where the attestation intermediate (f9)
does not have a basic constraint extension, so that certificate
is not marked as a CA. The test and CA in this commit imitates
that use case. Currently the test case returns an error as we
don't support it. But if we change the verification to support
this use case, the test should change accordingly.
2 years ago
Mariano Cano
21666ba887
Revert "Set timestamp when marking an acme challenge invalid"
...
This reverts commit 5f130895f3
.
2 years ago
Mariano Cano
8538ff06b7
Add missing error case.
2 years ago
Mariano Cano
5f130895f3
Set timestamp when marking an acme challenge invalid
2 years ago
Andrew Reed
7101fbb0ee
Provisioner webhooks ( #1001 )
2 years ago
Herman Slatman
a8125846dd
Add TPM attestation
2 years ago
max furman
f3d1863ec6
A few more linter errors
2 years ago
Mariano Cano
99299faeeb
Add AuthorizeChallenge unit tests
2 years ago
Mariano Cano
f0a24bd8ca
Add acme property to enable challenges
...
Fixes #1027
2 years ago
Mariano Cano
191d9e8629
Use go.step.sm/crypto to set the permanent identifier
2 years ago
Mariano Cano
2b3b2c283a
Add attestation certificate validation for Apple devices
2 years ago
Brandon Weeks
5f5315260a
iOS 16 beta 1 support
2 years ago
Brandon Weeks
de5b0ef5c2
Verify key authorization is contained within the TPM quote extraData field
2 years ago
Brandon Weeks
6f2b4d3042
Add ACME permanent-identifier identifier type
2 years ago
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2 years ago
Mariano Cano
7dc2067cb2
Update acme/errors.go
...
Co-authored-by: Max <mx.furman@gmail.com>
2 years ago
Mariano Cano
226d36f66f
Fix unit tests
2 years ago
Mariano Cano
8cf6675ce4
Return the internal error instead of the ACME error
...
For ACME errors, return the internal error string instead of the
ACME one on the "Error() string" function. This way the logs will
have more information about the cause of an error.
Fixes #1057
2 years ago
Mariano Cano
34c6c65671
Pass attestation information to the Sign method
...
Attestation information might be useful in authorizing webhooks
2 years ago
Mariano Cano
498549c95c
Extract common function used in tests
2 years ago
Mariano Cano
829530ae90
Fix linter errors
2 years ago
Mariano Cano
6b73a020e3
Add unit tests for apple and step attestations
2 years ago
Mariano Cano
0f651799d0
Reject not enabled attestation formats
2 years ago
Mariano Cano
fd4e96d1f4
Rename method to IsChallengeEnabled
2 years ago
Mariano Cano
c77b4ff9c5
Fix linter errors
2 years ago
Mariano Cano
59c5219a07
Use a type for acme challenges
2 years ago
Mariano Cano
a89bea701d
Format comment
2 years ago
Mariano Cano
5df9434286
Fix old comment, device-attest-01 uses the acme payload
2 years ago
Mariano Cano
c5d3714a63
Fix acme error map
2 years ago
Mariano Cano
08815c5e90
Reneame attestation statement error
2 years ago
Mariano Cano
3cd72ac72a
Remove debug statements
2 years ago
Mariano Cano
e75e7e7cd6
Fix linter warnings
2 years ago
Mariano Cano
54d92095ac
Validate proof of possession signature
...
On the step format, validate proof of possession of the private
key validating the signature in the attestation statement.
2 years ago
Mariano Cano
59b7603d1e
Use a clientAuth only cert for device-attest-01
2 years ago
Mariano Cano
ca412e77cc
Return error on attestation validation
...
The method storeError returns a nil error
2 years ago
Mariano Cano
ab5f916bd3
Define ErrorBadAttestationStatement
2 years ago
Mariano Cano
735c9d49b0
Add support for yubikey attestation
2 years ago
Mariano Cano
df96b126dc
Add AuthorizeChallenge unit tests
2 years ago
Mariano Cano
bca311b05e
Add acme property to enable challenges
...
Fixes #1027
2 years ago
Mariano Cano
ae8d4d8757
Fix unit test
2 years ago
Mariano Cano
693dc39481
Merge branch 'master' into device-attestation
2 years ago
Mariano Cano
23b8f45b37
Address gosec warnings
...
Most if not all false positives
2 years ago
max furman
c040e4b459
Add unit tests
2 years ago
max furman
b7c2f6c482
Check for DNS name validity
2 years ago
Mariano Cano
b62f4d1000
Add lgtm comments on some security warnings
2 years ago
Mariano Cano
2f7cb9225f
Use go.step.sm/crypto to set the permanent identifier
2 years ago
Mariano Cano
2ab1e6658e
Fix nonce validation
...
The attestation certificate contains the nonce as raw bytes in the
extension 1.2.840.113635.100.8.11.1
2 years ago
Mariano Cano
66356cff43
Add attestation certificate validation for Apple devices
2 years ago
Brandon Weeks
274f6ccb41
iOS 16 beta 2 support
2 years ago
Brandon Weeks
7e1b0bebd9
iOS 16 beta 1 support
2 years ago
Brandon Weeks
77c6d10fd6
Verify key authorization is contained within the TPM quote extraData field
2 years ago
Brandon Weeks
e1ec31c0ed
Implement TPM attestation statement verification
2 years ago
Brandon Weeks
2ac8b69da2
Add ACME permanent-identifier identifier type
2 years ago
Brandon Weeks
aacd6f4cc6
Add device-attest-01 challenge type
2 years ago
Brandon Weeks
860baeb1c5
Verbose debug logging
2 years ago
Shulhan
fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19)
...
There are some changes that manually edited, for example using '-' as
default list and grouping imports.
2 years ago
Herman Slatman
abfbbc8d49
Merge pull request #946 from smallstep/herman/acme-csr-padding
...
Strip base64-url padding from ACME CSR
2 years ago
Herman Slatman
fd546287ac
Strip base64-url padding from ACME CSR
...
This commit strips the padding from a base64-url encoded CSR
submitted by a client that doesn't use raw base64-url encoding.
2 years ago
Mariano Cano
e7f4eaf6c4
Remove explicit deprecation notice
...
This will avoid linter errors on other projects for now.
2 years ago
Mariano Cano
d461918eb0
Merge branch 'master' into context-authority
2 years ago
Mariano Cano
2ea0c70344
Move acme context middleware to deprecated handler
2 years ago
Mariano Cano
9147356d8a
Fix linter errors
2 years ago
Mariano Cano
2ab7dc6f9d
Fix acme tests.
2 years ago
Mariano Cano
ba499eeb2a
Fix acme/api tests.
2 years ago
Mariano Cano
6f9d847bc6
Fix panic in acme/api tests.
2 years ago
Herman Slatman
d82e51b748
Update AllowWildcardNames configuration name
2 years ago