Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,220 Commits
44 Branches
215 Tags
44 MiB
mariano/validity
master
root-not-found-error-message
relative-paths-config
fix-1637
dependabot/go_modules/github.com/slackhq/nebula-1.9.3
dependabot/go_modules/github.com/google/go-tpm-0.9.1
wire-acme-extensions
mariano/init-provisioners
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.26.2
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '66a8158f26'
${ noResults }
Commit Graph

216 Commits (66a8158f26d86c36d23fbd2d73b737b688bbbb9d)

Author SHA1 Message Date
max furman fc395f4d69 [acme db interface] compiles! 3 years ago
max furman 80a6640103 [acme db interface] wip 3 years ago
Mariano Cano 8c8c160c92 Fix method name in comment. 3 years ago
Mariano Cano bdeb0ccd7c Add support for the flag --issuer-password-file 
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
 3 years ago
Herman Slatman 583d60dc0d
Address (most) PR comments 3 years ago
Herman Slatman e1cab4966f
Improve initialization of SCEP authority 3 years ago
Herman Slatman 8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface 
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
 3 years ago
Herman Slatman 2d21b09d41
Remove some duplicate and unnecessary logic 3 years ago
Herman Slatman 3a5f633cdd
Add support for multiple SCEP provisioners 
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
 3 years ago
Herman Slatman 7948f65ac0
Merge branch 'master' into hs/scep 3 years ago
Herman Slatman 7ad90d10b3
Refactor initialization of SCEP authority 3 years ago
Mariano Cano 5be86691c1 Fix unit tests in Go 1.16. 3 years ago
Herman Slatman 78d78580b2
Add note about using a second (unsecured) server 3 years ago
Herman Slatman 9e43dc85d8
Merge branch 'master' into hs/scep-master 3 years ago
Herman Slatman 713b571d7a
Refactor SCEP authority initialization and clean some code 3 years ago
Herman Slatman ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP 3 years ago
Mariano Cano b487edbd13 Clarify comment. 3 years ago
Mariano Cano fbd2208044 Close key manager for safe reloads when a cgo module is used. 3 years ago
Mariano Cano 40d0596b71 Use smallstep/cli-utils instead of smallstep/cli 4 years ago
Mariano Cano ba918100d0 Use go.step.sm/crypto/jose 
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
 4 years ago
Mariano Cano d30a95236d Use always go.step.sm/crypto 4 years ago
Mariano Cano 533ad0ca20 Use always go.step.sm/crypto/x509util 4 years ago
Mariano Cano 4943ae58d8 Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates. 4 years ago
Mariano Cano e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 4 years ago
Mariano Cano 6c64fb3ed2 Rename provisioner options structs: 
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
 4 years ago
Mariano Cano 44207523be Add missing tests. 4 years ago
Mariano Cano 0c8376a7f6 Fix existing unit tests. 4 years ago
max furman 1951669e13 wip 4 years ago
max furman 6e69f99310 Always set nbf and naf for new ACME orders ... 
- Use the default value from the ACME provisioner if values are not
defined in the request.
 4 years ago
Mariano Cano 9f1d95d8bf Fix renew of certificate at the start of the server. 4 years ago
Mariano Cano 1d7ab9145a Avoid lint error. 4 years ago
Mariano Cano 0b62ce9d0e Use go 1.13 to build certificates. 4 years ago
max furman 495e60a44b Extraneous fmt.Sprintf 4 years ago
Mariano Cano 349bca06bb Fix line error due to deprecated DialTLS. 4 years ago
Mariano Cano f5d2f92099 Load identity certificate from disk in each connection. 4 years ago
Ivan Bertona 9052da66a3 Fix linter, tidy go.mod file. 4 years ago
Mariano Cano 3d6a18180e Fix a couple of race conditions in the renewal of certificates. 4 years ago
max furman 1cb8bb3ae1 Simplify statuscoder error generators. 4 years ago
max furman dccbdf3a90 Introduce generalized statusCoder errors and loads of ssh unit tests. 
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
 4 years ago
Mariano Cano a025f72af7 Disable backdata on ca tests. 4 years ago
Mariano Cano a88ba8eb31 Use errs package for HTTP errors. 4 years ago
Mariano Cano 47f4ac1b53 Add method to just write the identity certificate. 4 years ago
Mariano Cano 14e59775bd Add method to renew the identity. 4 years ago
max furman 9aafe265d0 Should be returning nil from applyIdentity if cert expired. 4 years ago
max furman b9f6aacb0f Move api errors to their own package and modify the typedef 4 years ago
Mariano Cano 65b4dda420 Add wrappers to identity methods in the ca package. 4 years ago
Mariano Cano 524c221c61 Add mTLS test for identity client. 4 years ago
Mariano Cano 25144539f8 Improve identity tests. 4 years ago
Mariano Cano d85386d0b4 Add identity client and move identity to a new package. 4 years ago
Mariano Cano 9e7b86342b Fix test. 4 years ago
Mariano Cano c6f6493bb7 Fail silently if the identity fails. 4 years ago
max furman 3ac388612a Use x5cInsecure token for /ssh/check-host endpoint 4 years ago
Mariano Cano ab126d6405 Add GetTransport to client. 4 years ago
Mariano Cano 2259f62638 Add method to create an ssh token. 4 years ago
Mariano Cano caa2b8dbb7 Add leeway in identity not before. 4 years ago
max furman 0512f6e3e5 redundant variable type def 4 years ago
Mariano Cano d2b1f1547f Create a custom client that sends a custom User-Agent. 4 years ago
Mariano Cano 5d7829b198 Replace /ssh/get-hosts to /ssh/hosts 4 years ago
Mariano Cano 2fe07cd79c Fix tests. 4 years ago
Mariano Cano 85d3843968 Add Identity helpers. 4 years ago
Mariano Cano 50188fc901 Add version support to the ca.Client. 4 years ago
Mariano Cano db3b795eea Fix directory permissions. 4 years ago
Mariano Cano bbaf8e106e Support for retry and identity files. 4 years ago
Mariano Cano d555f310dc Add support for identity authentication. 4 years ago
Mariano Cano f9e5b27e63 Add client method for SSHBastion 4 years ago
max furman 29853ae016 sshpop provisioner + ssh renew | revoke | rekey first pass 4 years ago
max furman 862d704f6b get-hosts fixes 4 years ago
max furman 5616386eed Add SSH getHosts api 4 years ago
Mariano Cano b8817ad648 Add proxycommand and new lines to templates. 4 years ago
Mariano Cano 37f17213bb Add initial support for check-host endpoint. 4 years ago
Mariano Cano d08db4df23 Rename SSH methods. 4 years ago
Mariano Cano b5bc249e1c Add support for multiple ssh roots. 
Fixes #125
 4 years ago
Mariano Cano a35988ff08 Add initial support for ssh config. 
Related to smallstep/cli#170
 4 years ago
Mariano Cano 961be1fbc7 Add endpoint to return the SSH public keys. 
Related to smallstep/ca-component#195
 4 years ago
Max 0a96062b76
Merge pull request #128 from jkralik/returnCertChain 
Change api of functions Authority.Sign, Authority.Renew
 5 years ago
max furman d368791606 Add x5c provisioner capabilities 5 years ago
max furman 7aec7c2612 Create ACME database tables when initializing ACME autority. 5 years ago
Jozef Kralik bc6074f596 Change api of functions Authority.Sign, Authority.Renew 
Returns certificate chain instead of 2 members.

Implements #126
 5 years ago
max furman fe7973c060 wip 5 years ago
max furman e3826dd1c3 Add ACME CA capabilities 5 years ago
Mariano Cano 10e7b81b9f Merge branch 'master' into ssh-ca 5 years ago
max furman 635c59ed24 Accept emails SANs 5 years ago
Mariano Cano 1c8f610ca9 Add initial implementation of an SSH CA using the JWK provisioner. 
Fixes smallstep/ca-component#187
 5 years ago
Mariano Cano 44e85b51f2 Add some extra coverage. 5 years ago
Mariano Cano aa63f8f32c Add missing root certificate to test. 5 years ago
Mariano Cano f9e2ea9bd6 Revert "Do not depend on config package." 
This reverts commit cc1c6f2cb4.
 5 years ago
Mariano Cano cc1c6f2cb4 Do not depend on config package. 
Config package will panic if it cannot create the step path folder.
 5 years ago
Mariano Cano 01b6aebbf7 Make provisioner more configurable. 
The intention of this change is to make it usable from cert-manager.
 5 years ago
Mariano Cano e8498bf612 Add new WithDatabase to test reload. 5 years ago
Mariano Cano 120e2d0caf Fix restart with simple DB. 5 years ago
Mariano Cano 3a1a4c5ea9 Do not allow reload with database configuration changes. 
Fixes #smallstep/ca-component#170
 5 years ago
Mariano Cano b595c55f0a Update CA properties on reload. 
Fixes #71
 5 years ago
max furman c242602231 reload and shutdown trickery 
* Only shutdown the database once.
* Be careful when reloading the CA. Depending on whether the DB has
already been shutdown, and error may be unrecoverable.
 5 years ago
max furman cbeca9383b Update nosql integration 
* shutdown and reload database on SIGHUP
 5 years ago
Mariano Cano c2c9798149 Fix review issues. 5 years ago
Mariano Cano 46b9b117e3 Add test for provisioner type. 5 years ago
Mariano Cano 13783301ce Remove test for unnecessary method. 5 years ago
Mariano Cano b4739c185d Remove unnecessary method GetCertificateRenewer. 5 years ago
Mariano Cano fa216ccaad Use SetTransport method. 5 years ago
Mariano Cano 43c5831582 Merge branch 'master' into step-sds 5 years ago