Commit Graph

46 Commits

Author SHA1 Message Date
Max
d34f0f6a97
Fix linter warnings (#1634) 2023-11-28 20:58:58 -08:00
Max
67a41dca83
Remove db datasource from error msg to prevent leaking of secrets (#1528) 2023-09-11 09:11:48 -07:00
Mariano Cano
c7f226bcec
Add support for renew when using stepcas
It supports renewing X.509 certificates when an RA is configured with stepcas.
This will only work when the renewal uses a token, and it won't work with mTLS.

The audience cannot be properly verified when an RA is used, to avoid this we
will get from the database if an RA was used to issue the initial certificate
and we will accept the renew token.

Fixes #1021 for stepcas
2022-11-04 16:42:07 -07:00
Mariano Cano
f066ac3d40
Remove buggy logic on GetRevokedCertificates() 2022-10-27 11:58:01 -07:00
Mariano Cano
8200d19894
Improve CRL implementation
This commit adds some changes to PR #731, some of them are:
- Add distribution point to the CRL
- Properly stop the goroutine that generates the CRLs
- CRL config validation
- Remove expired certificates from the CRL
- Require enable set to true to generate a CRL

This last point is the principal change in behaviour from the previous
implementation. The CRL will not be generated if it's not enabled, and
if it is enabled it will always be regenerated at some point, not only
if there is a revocation.
2022-10-26 18:55:24 -07:00
Raal Goff
f7df865687 refactor crl config, add some tests 2022-10-07 10:30:00 +08:00
Raal Goff
40baf73dff remove incorrect check on revoked certificate dates, add mutex lock for generating CRLs, 2022-09-15 15:03:42 +08:00
Raal Goff
9fa5f46213 add minor doco, Test_CRLGeneration(), fix some issues from merge 2022-07-13 08:56:47 +08:00
Raal Goff
60671b07d7 Merge branch 'master' into crl-support
# Conflicts:
#	api/api.go
#	authority/config/config.go
#	cas/softcas/softcas.go
#	db/db.go
2022-07-13 08:52:58 +08:00
Mariano Cano
26dd97e718 Merge branch 'master' into context-authority 2022-05-23 12:36:16 -07:00
Mariano Cano
20b2c6a201 Extract cert storer methods from AuthDB
To be able to extend the AuthDB with methods that also extend the
provisioner we need to either create a new method or to split the
interface. This change splits the interface so we can have a cleaner
implementation.
2022-05-18 18:27:37 -07:00
Mariano Cano
0446e82320 Add context methods for the authority database 2022-04-27 12:05:19 -07:00
Mariano Cano
3694ba30dc Store certificate and provisioner in one transaction. 2022-04-12 18:42:27 -07:00
Mariano Cano
1d1e095447 Add tests for LoadProvisionerByCertificate. 2022-04-08 13:06:29 -07:00
Raal Goff
c8b38c0e13 implemented requested changes 2022-04-06 10:50:09 +08:00
Mariano Cano
7d6116c3d0 Add GetCertificateData and refactor x509_certs_data. 2022-04-05 19:24:53 -07:00
Mariano Cano
41c6ded85e Store in the db the provisioner that granted a cert. 2022-04-05 18:00:01 -07:00
Raal Goff
773741eda8 Merge remote-tracking branch 'origin/crl-support' into crl-support
# Conflicts:
#	api/api_test.go
#	authority/tls.go
2022-04-06 08:35:13 +08:00
Raal Goff
53dbe2309b implemented some requested changes 2022-04-06 08:24:49 +08:00
Raal Goff
d417ce3232 implement changes from review 2022-04-06 08:23:53 +08:00
Raal Goff
7d024cc4cb change GenerateCertificateRevocationList to return DER, store DER in db instead of PEM, nicer PEM encoding of CRL, add Mock stubs 2022-04-06 08:22:26 +08:00
Raal Goff
e8fdb703c9 initial support for CRL 2022-04-06 08:19:45 +08:00
Raal Goff
8520c861d5 implemented some requested changes 2022-04-05 11:19:13 +08:00
Herman Slatman
47a8a3c463
Add test case for ACME Revoke to Authority 2021-12-02 17:11:36 +01:00
Raal Goff
222b52db13 implement changes from review 2021-11-04 14:05:07 +08:00
Raal Goff
8545adea92 change GenerateCertificateRevocationList to return DER, store DER in db instead of PEM, nicer PEM encoding of CRL, add Mock stubs 2021-11-02 13:26:07 +08:00
Raal Goff
56926b9012 initial support for CRL 2021-10-30 15:52:50 +08:00
Mariano Cano
8381e9bd17 Fix typos. 2020-10-05 17:20:22 -07:00
Mariano Cano
e17ce39e3a Add support for Revoke using CAS. 2020-09-15 18:14:03 -07:00
max furman
d51f254ee4 ValueLogLoadingMode -> FileLoading Mode badger 2020-04-20 16:09:07 -07:00
max furman
0573c00bd3 Simultaneous support for Badger V1+V2 and ...
* valueLogLoadingMode config for low RAM badger environments
2020-04-20 11:46:47 -07:00
max furman
dccbdf3a90 Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
max furman
db1b7a7f8f extraneous new line 2020-01-28 13:29:39 -08:00
max furman
29853ae016 sshpop provisioner + ssh renew | revoke | rekey first pass 2020-01-28 13:28:16 -08:00
max furman
862d704f6b get-hosts fixes 2020-01-28 13:28:16 -08:00
max furman
5616386eed Add SSH getHosts api 2020-01-28 13:28:16 -08:00
Mariano Cano
37f17213bb Add initial support for check-host endpoint. 2020-01-28 13:28:16 -08:00
max furman
83a8139543 dep update nosql
* Fixes #112
2019-09-24 14:31:07 -07:00
max furman
e3826dd1c3 Add ACME CA capabilities 2019-09-13 15:48:33 -07:00
max furman
599fc1058c loadOrStore -> cmpAndSwap 2019-06-10 13:21:06 -07:00
max furman
81db527f12 NoopDB -> SimpleDB 2019-05-07 12:26:30 -07:00
max furman
b73fe8c157 Add used OTT to DB during authToken step 2019-05-06 15:52:02 -07:00
max furman
46c7592f34 db: Omit empty optional fields from JSON 2019-04-26 13:08:14 -07:00
max furman
c242602231 reload and shutdown trickery
* Only shutdown the database once.
* Be careful when reloading the CA. Depending on whether the DB has
already been shutdown, and error may be unrecoverable.
2019-04-25 13:25:41 -07:00
max furman
cbeca9383b Update nosql integration
* shutdown and reload database on SIGHUP
2019-04-24 18:00:59 -07:00
max furman
ab4d569f36 Add /revoke API with interface db backend 2019-04-10 13:50:35 -07:00