Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,864 Commits
41 Branches
215 Tags
93 MiB
master
fix-1637
dependabot/go_modules/github.com/slackhq/nebula-1.9.3
dependabot/go_modules/github.com/google/go-tpm-0.9.1
wire-acme-extensions
mariano/init-provisioners
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.26.2
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '57a62964b1'
${ noResults }
Commit Graph

82 Commits (57a62964b12bcd4ce31c3fa8af2129e0b09a5793)

Author SHA1 Message Date
Herman Slatman 57a62964b1 Make tests not fail hard on ECDSA keys 
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
 3 years ago
Herman Slatman 491c2b8d93 Improve initialization of SCEP authority 3 years ago
Herman Slatman 2d85d4c1c1 Add non-TLS server and improve crypto.Decrypter interface 
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
 3 years ago
Herman Slatman e7cb80f880 Fix linter issues 3 years ago
Herman Slatman 2a249d20de Refactor initialization of SCEP authority 3 years ago
Herman Slatman 339039768c Refactor SCEP authority initialization and clean some code 3 years ago
Herman Slatman 48c86716a0 Add rudimentary (and incomplete) support for SCEP 3 years ago
max furman 94ba057f01 wip 3 years ago
max furman 01a4460812 wip 3 years ago
max furman 5929244fda wip 3 years ago
max furman 9bf9bf142d wip 3 years ago
max furman 4f3e5ef64d wip 3 years ago
max furman 5d09d04d14 wip 3 years ago
max furman 4d48072746 wip admin CRUD 3 years ago
max furman af3cf7dae9 first steps 3 years ago
max furman 2f60f20b0b lots of codes 3 years ago
max furman 7b5d6968a5 first commit 3 years ago
Mariano Cano fbd2208044 Close key manager for safe reloads when a cgo module is used. 3 years ago
Miclain Keffeler 7545b4a625 leverage intermediate_ca.crt for appending certs. 4 years ago
Anton Lundin 3e6137110b Add support for using ssh-agent as a KMS 
This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys
for issuing ssh certificates signed by a key managed by a ssh-agent. It
uses the golang.org/x/crypto package to get a native Go implementation
to talk to a ssh-agent.

This was primarly written to be able to use gpg-agent to provide the
keys stored in a YubiKeys openpgp interface, but can be used for other
setups like proxying a ssh-agent over network.

That way the signing key for ssh certificates can be kept in a
"sign-only" hsm.

This code was written for my employer Intinor AB, but for simplicity
sake gifted to me to contribute upstream.

Signed-off-by: Anton Lundin <glance@acc.umu.se>
 4 years ago
Mariano Cano ef92a3a6d7 Move cas options under authority. 4 years ago
Mariano Cano 072adc906e Print root fingerprint for CloudCAS. 4 years ago
Mariano Cano 38fa780775 Add interface to get root certificate from CAS. 
This change makes easier the configuration of cloudCAS as it does
not require to configure the root or intermediate certificate
in the ca.json. CloudCAS will get the root certificate using
the configured certificateAuthority.
 4 years ago
Mariano Cano 60515d92c5 Remove unnecessary properties. 4 years ago
Mariano Cano bd8dd9da41 Do not read issuer and signer twice. 4 years ago
Mariano Cano aad8f9e582 Pass issuer and signer to softCAS options. 
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
 4 years ago
Mariano Cano 1b1f73dec6 Early attempt to develop a CAS interface. 4 years ago
Mariano Cano d30a95236d Use always go.step.sm/crypto 4 years ago
Mariano Cano e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 4 years ago
Mariano Cano fcfc4e9b2b Fix ssh federated template variables. 4 years ago
Mariano Cano e3ae751b57 Use templates from authority instead of config. 4 years ago
Mariano Cano 6c844a0618 Load default templates if no templates are configured. 4 years ago
Mariano Cano c02fe77998 Close the key manager before shutting down. 4 years ago
Mariano Cano 4e544344f9 Initialize the required config fields on embedded authorities. 
This change is to make easier the use of embedded authorities. It
can be difficult for third parties to know what fields are required.
The new init methods will define the minimum usable configuration.
 4 years ago
Mariano Cano b5eab009b2 Rename method to NewEmbedded 4 years ago
Mariano Cano 824374bde0 Create a method to initialize the authority without a config file. 
When the CA is embedded in a third party product like Caddy, the
config needed to use placeholders to be valid. This change adds
a new method `NewEmbeddedAuthority` that allows to create an
authority with the given options, the minimum options are a root
and intermediate certificate, and the intermediate key.

Fixes #218
 4 years ago
Mariano Cano c49a9d5e33 Add context parameter to all SSH methods. 4 years ago
Mariano Cano 5c8c741fab Fix linting issues. 4 years ago
Mariano Cano 9021951f1a Fix types. 4 years ago
Mariano Cano e98d7832b9 Add options to read the roots and federated roots from a bundle. 4 years ago
Mariano Cano c62526b39f Add wip support for kms. 4 years ago
max furman 1e17ec7d33 Use x5cInsecure token for /ssh/check-host endpoint 5 years ago
max furman c2a3bcfab5 resolving merge 5 years ago
max furman 927784237d Use an actual Hosts type when returning ssh hosts 5 years ago
Mariano Cano 2f18a26d4f Add version endpoint. 5 years ago
max furman 35912cc906 change func def for getSSHHosts 
* continue to return all hosts if injection method not specified
 5 years ago
max furman c407a9319b Add getSSHHosts injection func 5 years ago
max furman 8b2105a8f9 Instrument getIdentity func for OIDC ssh provisioner 5 years ago
max furman 6ca1df5081 Add WithGetIdentityFunc option and attr to authority 
* Add Identity type to provisioner
 5 years ago
Mariano Cano 86a0558587 Add support for /ssh/bastion method. 5 years ago