Herman Slatman
6bc0a86207
Fix CA startup with Vault RA configuration
2024-04-18 16:12:30 +02:00
Mariano Cano
0ac9023590
Fix typo in error message and comment
2024-03-12 14:58:36 -07:00
Mariano Cano
10f6a901ec
Let the CA determine the RA lifetime
...
When the RA mode with StepCAS is used, let the CA decide which lifetime
the RA should get instead of always requiring 24h.
This commit also fixes linter warnings.
Related to #1094
2024-03-12 14:29:55 -07:00
Venky Gopal
fbc1e895c2
Allow x509 Service CA implementation to be injected through ca and authority options
2024-01-21 08:50:09 -05:00
Mariano Cano
b20af51f32
Upgrade go.step.sm/crypto to use go-jose/v3
2023-12-12 16:36:48 -08:00
Mariano Cano
6705b7dde4
Build RA token using SANs from the template
...
This commit updates the RA token to use the SANs coming from the
template instead of the CSR.
Note that this PR might break some admin tokens.
2023-10-31 15:41:59 -07:00
Theron
9d7dff6995
Add namespace field to VaultCAS JSON config
2023-06-07 13:25:47 -05:00
max furman
8b256f0351
address linter warning for go 1.19
2023-05-09 23:47:28 -07:00
Mariano Cano
afd5d46a90
Use vaultcas ttl as a duration string
...
According to docs at https://developer.hashicorp.com/vault/api-docs/secret/pki#ttl,
the ttl can be sent as a time.Duration string.
Fixes #1375
2023-05-04 18:36:08 -07:00
Herman Slatman
b5961beba9
Fix and/or ignore linting issues
2022-12-21 16:02:26 +01:00
max furman
57c1c2071d
Correct bad comment on NotImplementedError.Error()
2022-11-07 15:37:39 -08:00
Mariano Cano
e8726d24fa
Merge pull request #1156 from smallstep/ra-renew
...
Add support for renew when using stepcas
2022-11-07 15:36:01 -08:00
max furman
e351bd90dc
Run make generate with mockgen@v1.6.0
2022-11-07 13:14:23 -08:00
max furman
8f7fae585c
Add mockgen commands for cloudcas_test
2022-11-07 13:09:07 -08:00
max furman
d4e81723ee
Updates for deprecated google cloud security APIs
2022-11-07 11:31:57 -08:00
Mariano Cano
c7f226bcec
Add support for renew when using stepcas
...
It supports renewing X.509 certificates when an RA is configured with stepcas.
This will only work when the renewal uses a token, and it won't work with mTLS.
The audience cannot be properly verified when an RA is used; to avoid this, we
will get from the database whether an RA was used to issue the initial certificate,
and we will accept the renew token.
Fixes #1021 for stepcas
2022-11-04 16:42:07 -07:00
Mariano Cano
8200d19894
Improve CRL implementation
...
This commit adds some changes to PR #731; some of them are:
- Add distribution point to the CRL
- Properly stop the goroutine that generates the CRLs
- CRL config validation
- Remove expired certificates from the CRL
- Require enable set to true to generate a CRL
This last point is the principal change in behaviour from the previous
implementation. The CRL will not be generated if it's not enabled, and
if it is enabled it will always be regenerated at some point, not only
if there is a revocation.
2022-10-26 18:55:24 -07:00
Raal Goff
d0e81af524
Merge branch 'master' into crl-support
2022-09-30 08:45:48 +08:00
max furman
7c5e5b2b87
Even more linter fixes
2022-09-20 21:48:04 -07:00
max furman
6af9437875
Rebase over master and a few more linter fixes
2022-09-20 19:05:12 -07:00
max furman
18a648cffa
Fix linter warning about bad error name
2022-09-20 19:05:12 -07:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2022-09-20 16:35:41 -07:00
Mariano Cano
b0d24fb801
Fix test with gcloud local credentials
2022-09-16 12:35:09 -07:00
Raal Goff
924082bb49
fix linter errors
2022-09-08 10:09:37 +08:00
Raal Goff
d2483f3a70
Merge branch 'master' into crl-support
...
# Conflicts:
# authority/config/config.go
2022-09-08 09:45:04 +08:00
Mariano Cano
a7fcfe0e4e
Verify with roots and intermediates
2022-08-30 17:11:44 -07:00
Mariano Cano
ea8579f3df
Fix bad signature algorithm on EC+RSA PKI
...
When the root certificate has an EC key and the intermediate has an
RSA key, the signature algorithm of the leaves should be the default
one, SHA256WithRSA, instead of the one that the intermediate has.
Fixes #1033
2022-08-30 16:49:56 -07:00
Mariano Cano
8bd0174251
Rename field to IsCAServerCert
2022-08-11 15:14:26 -07:00
Mariano Cano
5df1694250
Add endpoint id for the RA certificate
...
In a linked RA mode, send an endpoint id to group the server
certificates.
2022-08-11 14:47:11 -07:00
Mariano Cano
eb091aec54
Simplify field names for ProvisionerInfo
2022-08-10 17:44:14 -07:00
Mariano Cano
369b8f81c3
Use go.step.sm/crypto/kms
...
Fixes #975
2022-08-08 17:58:18 -07:00
Mariano Cano
f1aabaa99c
Use functions from os instead of io/ioutil
2022-08-08 12:12:53 -07:00
Mariano Cano
c5c7c30cc2
Fix typo in ProvisionerInfo
2022-08-04 10:07:20 -07:00
Mariano Cano
64744562c6
Send RA provisioner to linkedca.
2022-08-03 18:44:25 -07:00
Mariano Cano
6b5d3dca95
Add provisioner name to RA info
2022-08-03 18:44:04 -07:00
Mariano Cano
9648fe6b4c
Remove debug statement
2022-08-03 15:32:39 -07:00
Mariano Cano
7a1e6a0e1f
Fix and extend stepcas unit tests
2022-08-03 11:57:42 -07:00
Mariano Cano
9408d0f24b
Send RA provisioner information to the CA
2022-08-02 19:28:49 -07:00
Raal Goff
60671b07d7
Merge branch 'master' into crl-support
...
# Conflicts:
# api/api.go
# authority/config/config.go
# cas/softcas/softcas.go
# db/db.go
2022-07-13 08:52:58 +08:00
Mariano Cano
f140874e42
Merge pull request #958 from smallstep/rsa-signature-algorithm
...
Sign certificates with the issuer signature algorithm
2022-06-16 15:08:10 -07:00
Mariano Cano
31af1efa48
Sign certificates with the issuer signature algorithm
...
An RSA key can sign other certificates using the RSA PKCS#1
and the RSA-PSS scheme; this change will keep the signature
algorithm used in the issuer in the signed certificates instead
of using PKCS#1 by default.
2022-06-15 19:10:58 -07:00
Mariano Cano
34f926804d
Merge pull request #954 from shuLhan/shulhan-gofmt
...
all: reformat all go files with the next gofmt (Go 1.19)
2022-06-15 18:11:51 -07:00
Shulhan
ee53530d1f
cas/cloudcas: update test on createPublicKey for the next Go release
...
The next Go release calls panic on elliptic.Marshal [1][2], which
affects the test case fail_ec_marshal on createPublicKey.
This change fixes this by initializing the P and B in the test case
PublicKey CurveParams to prevent the panic.
[1] https://github.com/golang/go/issues/50975
[2] a218b3520a
2022-06-16 03:01:38 +07:00
Shulhan
fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19)
...
There are some changes that were manually edited, for example using '-' as
the default list marker and grouping imports.
2022-06-16 01:28:59 +07:00
Erik DeLamarter
07984a968f
better error messages
...
Co-authored-by: Mariano Cano <mariano.cano@gmail.com>
2022-05-21 21:11:52 +02:00
Erik De Lamarter
9ec154aab0
rewrite and improve secret-id config
2022-05-21 21:06:15 +02:00
Erik De Lamarter
6989c7f146
vault auth unit tests
2022-05-21 21:06:15 +02:00
Erik De Lamarter
6c44291d8d
refactor vault auth
2022-05-21 21:06:15 +02:00
Erik De Lamarter
dec1067add
vault kubernetes auth
2022-05-21 21:06:14 +02:00
Mariano Cano
3aebe8d019
Add missing comma in comment.
2022-04-15 12:19:32 -07:00