Commit Graph

74 Commits (6297bace1abdc6ecbcdb24f226c90d867f57ee10)

Author SHA1 Message Date
Herman Slatman 6297bace1a
Merge branch 'master' into herman/acme-da-tpm 1 year ago
Herman Slatman 69489480ab
Add more complete `tpm` format validation 1 year ago
Mariano Cano 6ba20209c2
Verify CSR key fingerprint with attestation certificate key
This commit makes sure that the attestation certificate key matches the
key used on the CSR on an ACME device attestation flow.
1 year ago
Herman Slatman 0f9128c873
Fix linting issue and order of test SUT 1 year ago
Herman Slatman 2ab9beb7ed
Add tests for `deviceAttest01Validate` 1 year ago
Herman Slatman ed61c5df5f
Cleanup some leftover debug statements 1 year ago
Herman Slatman edee01c80c
Refactor debug utility 1 year ago
Herman Slatman 1c38113e44
Add ACME `Subproblem` for more detailed ACME client-side errors
When validating an ACME challenge (`device-attest-01` in this case,
but it's also true for others), and validation fails, the CA didn't
return a lot of information about why the challenge had failed. By
introducing the ACME `Subproblem` type, an ACME `Error` can include
some additional information about what went wrong when validating
the challenge.

This is a WIP commit. The `Subproblem` isn't created in many code
paths yet, just for the `step` format at the moment. Will probably
follow up with some more improvements to how the ACME error is
handled. Also need to cleanup some debug things (q.Q)
1 year ago
Herman Slatman 4cf25ede24
Merge branch 'master' into herman/acme-da-tpm 2 years ago
Mariano Cano e27c6c529b
Add support for custom acme ports
This change adds the flags --acme-http-port, --acme-tls-port, that
combined with --insecure can be used to set custom ports for ACME
http-01 and tls-alpn-01 challenges. These flags should only be used
for testing purposes.

Fixes #1015
2 years ago
Mariano Cano 21666ba887
Revert "Set timestamp when marking an acme challenge invalid"
This reverts commit 5f130895f3.
2 years ago
Mariano Cano 5f130895f3
Set timestamp when marking an acme challenge invalid 2 years ago
Herman Slatman a8125846dd
Add TPM attestation 2 years ago
max furman f3d1863ec6
A few more linter errors 2 years ago
Mariano Cano 2b3b2c283a
Add attestation certificate validation for Apple devices 2 years ago
Brandon Weeks 5f5315260a
iOS 16 beta 1 support 2 years ago
Brandon Weeks de5b0ef5c2
Verify key authorization is contained within the TPM quote extraData field 2 years ago
max furman ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors 2 years ago
Mariano Cano 6b73a020e3 Add unit tests for apple and step attestations 2 years ago
Mariano Cano 0f651799d0 Reject not enabled attestation formats 2 years ago
Mariano Cano 08815c5e90 Reneame attestation statement error 2 years ago
Mariano Cano 3cd72ac72a Remove debug statements 2 years ago
Mariano Cano e75e7e7cd6 Fix linter warnings 2 years ago
Mariano Cano 54d92095ac Validate proof of possession signature
On the step format, validate proof of possession of the private
key validating the signature in the attestation statement.
2 years ago
Mariano Cano ca412e77cc Return error on attestation validation
The method storeError returns a nil error
2 years ago
Mariano Cano 735c9d49b0 Add support for yubikey attestation 2 years ago
Mariano Cano 693dc39481 Merge branch 'master' into device-attestation 2 years ago
Mariano Cano 23b8f45b37 Address gosec warnings
Most if not all false positives
2 years ago
Mariano Cano 2ab1e6658e Fix nonce validation
The attestation certificate contains the nonce as raw bytes in the
extension 1.2.840.113635.100.8.11.1
2 years ago
Mariano Cano 66356cff43 Add attestation certificate validation for Apple devices 2 years ago
Brandon Weeks 274f6ccb41 iOS 16 beta 2 support 2 years ago
Brandon Weeks 7e1b0bebd9 iOS 16 beta 1 support 2 years ago
Brandon Weeks 77c6d10fd6 Verify key authorization is contained within the TPM quote extraData field 2 years ago
Brandon Weeks e1ec31c0ed Implement TPM attestation statement verification 2 years ago
Brandon Weeks aacd6f4cc6 Add device-attest-01 challenge type 2 years ago
Mariano Cano d1f75f1720 Refactor ACME api. 2 years ago
Herman Slatman 479c6d2bf5
Fix ACME IPv6 HTTP-01 challenges
Fixes #890
2 years ago
Herman Slatman 2d50c96d99
Merge branch 'master' into hs/acme-revocation 3 years ago
Herman Slatman e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues 3 years ago
Herman Slatman 29f9730485
Satisfy golangci-lint 3 years ago
max furman 933b40a02a Introduce gocritic linter and address warnings 3 years ago
Mariano Cano dc5205cc72 Extract the tls error code and fail accordingly. 3 years ago
Mariano Cano ae58a0ee4e Make tests compatible with Go 1.17.
With Go 1.17 tls.Dial will fail if the client and server configured
protocols do not overlap. See https://golang.org/doc/go1.17#ALPN
3 years ago
Herman Slatman 64c15fde7e
Add tests for canonicalize function 3 years ago
Herman Slatman 135e912ac8
Improve coverage for TLS-ALPN-01 challenge 3 years ago
Herman Slatman 523ae96749
Change identifier and challenge types to consts 3 years ago
Herman Slatman af4803b8b8
Fix tests 3 years ago
Herman Slatman 0c79914d0d
Improve check for single IP in TLS-ALPN-01 challenge 3 years ago
Herman Slatman a6405e98a9
Remove fmt. 3 years ago
Herman Slatman 2f40011da8
Add support for TLS-ALPN-01 challenge 3 years ago