max furman
80a6640103
[acme db interface] wip
2021-03-25 12:05:46 -07:00
Mariano Cano
8c8c160c92
Fix method name in comment.
2021-03-25 11:06:37 -07:00
Mariano Cano
bdeb0ccd7c
Add support for the flag --issuer-password-file
...
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
2021-03-24 14:53:19 -07:00
Herman Slatman
583d60dc0d
Address (most) PR comments
2021-03-21 16:42:41 +01:00
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority
2021-03-12 15:49:39 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
2d21b09d41
Remove some duplicate and unnecessary logic
2021-03-06 23:24:49 +01:00
Herman Slatman
3a5f633cdd
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
2021-03-05 12:40:42 +01:00
Herman Slatman
7948f65ac0
Merge branch 'master' into hs/scep
2021-02-26 00:41:33 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority
2021-02-26 00:32:21 +01:00
Mariano Cano
5be86691c1
Fix unit tests in Go 1.16.
2021-02-23 15:29:56 -08:00
Herman Slatman
78d78580b2
Add note about using a second (unsecured) server
2021-02-19 11:00:52 +01:00
Herman Slatman
9e43dc85d8
Merge branch 'master' into hs/scep-master
2021-02-19 10:16:39 +01:00
Herman Slatman
713b571d7a
Refactor SCEP authority initialization and clean some code
2021-02-12 17:02:39 +01:00
Herman Slatman
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP
2021-02-12 12:03:08 +01:00
Mariano Cano
b487edbd13
Clarify comment.
2021-02-11 17:38:14 -08:00
Mariano Cano
fbd2208044
Close key manager for safe reloads when a cgo module is used.
2021-02-01 17:14:44 -08:00
Mariano Cano
40d0596b71
Use smallstep/cli-utils instead of smallstep/cli
2020-10-29 13:10:03 -07:00
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
2020-08-14 15:33:50 -07:00
Mariano Cano
533ad0ca20
Use always go.step.sm/crypto/x509util
2020-08-11 17:59:33 -07:00
Mariano Cano
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
2020-08-10 15:29:18 -07:00
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
2020-08-10 11:26:51 -07:00
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
44207523be
Add missing tests.
2020-07-21 14:21:54 -07:00
Mariano Cano
0c8376a7f6
Fix existing unit tests.
2020-07-21 14:21:54 -07:00
max furman
1951669e13
wip
2020-06-23 11:10:45 -07:00
max furman
6e69f99310
Always set nbf and naf for new ACME orders ...
...
- Use the default value from the ACME provisioner if values are not
defined in the request.
2020-05-22 10:31:58 -07:00
Mariano Cano
9f1d95d8bf
Fix renew of certificate at the start of the server.
2020-05-07 18:21:11 -07:00
Mariano Cano
1d7ab9145a
Avoid lint error.
2020-03-24 14:33:01 -07:00
Mariano Cano
0b62ce9d0e
Use go 1.13 to build certificates.
2020-03-24 14:23:02 -07:00
max furman
495e60a44b
Extraneous fmt.Sprintf
2020-03-23 12:15:46 -07:00
Mariano Cano
349bca06bb
Fix line error due to deprecated DialTLS.
2020-03-05 15:11:03 -08:00
Mariano Cano
f5d2f92099
Load identity certificate from disk in each connection.
2020-03-04 15:02:17 -08:00
Ivan Bertona
9052da66a3
Fix linter, tidy go.mod file.
2020-02-07 14:42:56 -05:00
Mariano Cano
3d6a18180e
Fix a couple of race conditions in the renewal of certificates.
2020-01-28 13:29:40 -08:00
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
a025f72af7
Disable backdata on ca tests.
2020-01-28 13:29:39 -08:00
Mariano Cano
a88ba8eb31
Use errs package for HTTP errors.
2020-01-28 13:29:39 -08:00
Mariano Cano
47f4ac1b53
Add method to just write the identity certificate.
2020-01-28 13:29:39 -08:00
Mariano Cano
14e59775bd
Add method to renew the identity.
2020-01-28 13:29:39 -08:00
max furman
9aafe265d0
Should be returning nil from applyIdentity if cert expired.
2020-01-28 13:29:39 -08:00
max furman
b9f6aacb0f
Move api errors to their own package and modify the typedef
2020-01-28 13:29:39 -08:00
Mariano Cano
65b4dda420
Add wrappers to identity methods in the ca package.
2020-01-28 13:29:39 -08:00
Mariano Cano
524c221c61
Add mTLS test for identity client.
2020-01-28 13:29:39 -08:00
Mariano Cano
25144539f8
Improve identity tests.
2020-01-28 13:29:39 -08:00
Mariano Cano
d85386d0b4
Add identity client and move identity to a new package.
2020-01-28 13:29:39 -08:00
Mariano Cano
9e7b86342b
Fix test.
2020-01-28 13:29:39 -08:00
Mariano Cano
c6f6493bb7
Fail silently if the identity fails.
2020-01-28 13:29:39 -08:00
max furman
3ac388612a
Use x5cInsecure token for /ssh/check-host endpoint
2020-01-28 13:29:39 -08:00
Mariano Cano
ab126d6405
Add GetTransport to client.
2020-01-28 13:29:39 -08:00
Mariano Cano
2259f62638
Add method to create an ssh token.
2020-01-28 13:29:39 -08:00
Mariano Cano
caa2b8dbb7
Add leeway in identity not before.
2020-01-28 13:29:39 -08:00
max furman
0512f6e3e5
redundant variable type def
2020-01-28 13:29:39 -08:00
Mariano Cano
d2b1f1547f
Create a custom client that sends a custom User-Agent.
2020-01-28 13:29:39 -08:00
Mariano Cano
5d7829b198
Replace /ssh/get-hosts to /ssh/hosts
2020-01-28 13:29:39 -08:00
Mariano Cano
2fe07cd79c
Fix tests.
2020-01-28 13:29:39 -08:00
Mariano Cano
85d3843968
Add Identity helpers.
2020-01-28 13:29:39 -08:00
Mariano Cano
50188fc901
Add version support to the ca.Client.
2020-01-28 13:28:17 -08:00
Mariano Cano
db3b795eea
Fix directory permissions.
2020-01-28 13:28:16 -08:00
Mariano Cano
bbaf8e106e
Support for retry and identity files.
2020-01-28 13:28:16 -08:00
Mariano Cano
d555f310dc
Add support for identity authentication.
2020-01-28 13:28:16 -08:00
Mariano Cano
f9e5b27e63
Add client method for SSHBastion
2020-01-28 13:28:16 -08:00
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
2020-01-28 13:28:16 -08:00
max furman
862d704f6b
get-hosts fixes
2020-01-28 13:28:16 -08:00
max furman
5616386eed
Add SSH getHosts api
2020-01-28 13:28:16 -08:00
Mariano Cano
b8817ad648
Add proxycommand and new lines to templates.
2020-01-28 13:28:16 -08:00
Mariano Cano
37f17213bb
Add initial support for check-host endpoint.
2020-01-28 13:28:16 -08:00
Mariano Cano
d08db4df23
Rename SSH methods.
2020-01-28 13:28:16 -08:00
Mariano Cano
b5bc249e1c
Add support for multiple ssh roots.
...
Fixes #125
2020-01-28 13:28:16 -08:00
Mariano Cano
a35988ff08
Add initial support for ssh config.
...
Related to smallstep/cli#170
2020-01-28 13:28:16 -08:00
Mariano Cano
961be1fbc7
Add endpoint to return the SSH public keys.
...
Related to smallstep/ca-component#195
2020-01-28 13:28:16 -08:00
Max
0a96062b76
Merge pull request #128 from jkralik/returnCertChain
...
Change api of functions Authority.Sign, Authority.Renew
2019-10-18 14:00:18 -07:00
max furman
d368791606
Add x5c provisioner capabilities
2019-10-14 14:51:37 -07:00
max furman
7aec7c2612
Create ACME database tables when initializing ACME autority.
2019-10-14 14:51:03 -07:00
Jozef Kralik
bc6074f596
Change api of functions Authority.Sign, Authority.Renew
...
Returns certificate chain instead of 2 members.
Implements #126
2019-10-09 22:23:00 +02:00
max furman
fe7973c060
wip
2019-09-19 13:17:45 -07:00
max furman
e3826dd1c3
Add ACME CA capabilities
2019-09-13 15:48:33 -07:00
Mariano Cano
10e7b81b9f
Merge branch 'master' into ssh-ca
2019-09-05 23:06:01 +02:00
max furman
635c59ed24
Accept emails SANs
2019-08-23 15:59:30 -07:00
Mariano Cano
1c8f610ca9
Add initial implementation of an SSH CA using the JWK provisioner.
...
Fixes smallstep/ca-component#187
2019-07-23 18:46:43 -07:00
Mariano Cano
44e85b51f2
Add some extra coverage.
2019-06-21 15:12:36 -07:00
Mariano Cano
aa63f8f32c
Add missing root certificate to test.
2019-06-21 14:52:06 -07:00
Mariano Cano
f9e2ea9bd6
Revert "Do not depend on config package."
...
This reverts commit cc1c6f2cb4
.
2019-06-18 14:44:19 -07:00
Mariano Cano
cc1c6f2cb4
Do not depend on config package.
...
Config package will panic if it cannot create the step path folder.
2019-06-18 13:16:23 -07:00
Mariano Cano
01b6aebbf7
Make provisioner more configurable.
...
The intention of this change is to make it usable from cert-manager.
2019-06-17 19:01:04 -07:00
Mariano Cano
e8498bf612
Add new WithDatabase to test reload.
2019-05-10 17:49:15 -07:00
Mariano Cano
120e2d0caf
Fix restart with simple DB.
2019-05-10 16:14:21 -07:00
Mariano Cano
3a1a4c5ea9
Do not allow reload with database configuration changes.
...
Fixes #smallstep/ca-component#170
2019-05-10 15:58:37 -07:00
Mariano Cano
b595c55f0a
Update CA properties on reload.
...
Fixes #71
2019-05-03 15:40:59 -07:00
max furman
c242602231
reload and shutdown trickery
...
* Only shutdown the database once.
* Be careful when reloading the CA. Depending on whether the DB has
already been shutdown, and error may be unrecoverable.
2019-04-25 13:25:41 -07:00
max furman
cbeca9383b
Update nosql integration
...
* shutdown and reload database on SIGHUP
2019-04-24 18:00:59 -07:00
Mariano Cano
c2c9798149
Fix review issues.
2019-04-12 14:59:55 -07:00
Mariano Cano
46b9b117e3
Add test for provisioner type.
2019-04-12 13:05:56 -07:00
Mariano Cano
13783301ce
Remove test for unnecessary method.
2019-04-12 11:22:49 -07:00
Mariano Cano
b4739c185d
Remove unnecessary method GetCertificateRenewer.
2019-04-12 11:10:56 -07:00
Mariano Cano
fa216ccaad
Use SetTransport method.
2019-04-12 11:06:38 -07:00
Mariano Cano
43c5831582
Merge branch 'master' into step-sds
2019-04-11 11:47:20 -07:00
max furman
ab4d569f36
Add /revoke API with interface db backend
2019-04-10 13:50:35 -07:00