76dfcb00e4
try silencing template data for dichotomies
9 months ago
a32bb66e47
trying to pass access token to template
9 months ago
ff41a1193d
fix deviceId computing in dpop challenge
9 months ago
5ceed08ae0
Reorganize parsing target
9 months ago
83ba0bdc51
Replace field access by accessor functions
9 months ago
c4fb19d01f
passing expected issuer to rusty-jwt-cli
9 months ago
2b1223a080
simpler
9 months ago
036a144e09
add oidc target
9 months ago
97002040a5
fix: challenge target field was not mapped to db entity
9 months ago
d32a3e23f0
wip
9 months ago
b58de27675
fix: do not convert URIs to lowercase for comparison purpose
9 months ago
7c9f8020d5
fix: add URI prefix to handle
9 months ago
680b6ea08f
adapt google demo for wire's special handle format "{firstname}_wire"
9 months ago
a97991aa83
infer domain from google email address
9 months ago
49ad2d9967
fix google id token matching in oidc challenge
9 months ago
a49966f4c9
try using google oidc for demo purpose
9 months ago
3576cc30c8
forward displayName in CSR with custom OID
9 months ago
4172b69816
remove displayName validation, potentially harmful
9 months ago
79501df5a2
fix: exclude displayName from SAN DNS
9 months ago
3f474f77d4
feat: change from impp prefix to just im
9 months ago
b6ec4422b4
feat: adapt to dex and pass the 'keyauth' in payload instead of in id_token. Also have a different mapping for id_token claims name
9 months ago
af31a167c6
skip empty entries for uniqueSortedLowerNames
9 months ago
01ef526d08
change uri prefix to impp:wireapp=
9 months ago
cc5fd0a6a5
fix san validation
9 months ago
b3dd169190
cleanup my mess
9 months ago
3eb0ff43c0
fix orderNames size
9 months ago
c41a99ad75
(finalize) have both display name & domain in SANs
9 months ago
5ba0ab3e44
fix csr domain validation in finalize
9 months ago
73ec6c89d0
fix csr org validation in finalize
9 months ago
ca01c74333
avoid manipulating the key PEM format and take a plain PEM key as input
9 months ago
74ddad69dc
fix: challenge is '.token' and not '.id'
9 months ago
83f6be1f58
print oidc options
9 months ago
1fe61bee7b
better observability
9 months ago
e6dd211637
acquire DPoP signing key from provisioner
9 months ago
227e932624
use json struct for challenge request payload otherwise it's a hell to craft from client side
9 months ago
5ca744567c
simplify OIDC verification
9 months ago
da1e64aa53
update wire challenges' status on happy end
9 months ago
8e0e35532c
Add Wire authz and challenges (OIDC+DPOP)
9 months ago
e52836f0ab
Add `RS1` support for ACME `device-attest-01`
9 months ago
c59d293d26
Add support for `HTTP_PROXY` and `HTTPS_PROXY` to ACME solver client
9 months ago
b20af51f32
Upgrade go.step.sm/crypto to use go-jose/v3
10 months ago
f453323ba9
Merge pull request #1631 from smallstep/herman/fix-apple-acmeclient-invalid-signatures
10 months ago
405aae798c
Simplify the `copy` logic used when patching JWS signature
10 months ago
d34f0f6a97
Fix linter warnings ( #1634 )
10 months ago
26a3bb3c11
Make the Apple JWS fix more robust and catch more cases.
10 months ago
113491e7af
Remove TODO for patching other algorithms for Apple ACME client
10 months ago
06f4cbbcda
Add (temporary) fix for missing null bytes in Apple JWS signatures
...
Apparently the Apple macOS (and iOS?) ACME client seems to omit
leading null bytes from JWS signatures. The base64-url encoded
bytes decode to a shorter byte slice than what the JOSE library
expects (e.g. 63 bytes instead of 64 bytes for ES256), and then
results in a `jose.ErrCryptoFailure`.
This commit retries verification of the JWS in case the first
verification fails with `jose.ErrCryptoFailure`. The signatures are
checked to be of the correct length, and if not, null bytes are
prepended to the signature. Then verification is retried, which
might fail again, but for other reasons. On success, the payload
is returned.
Apple should fix this in their ACME client, but in the meantime
this commit prevents some "bad request" error cases from happening.
10 months ago
231b5d8406
chore(deps): upgrade github.com/go-chi/chi to v5
...
Upgrade chi to the v5 module path to avoid deprecation warning about v4
and earlier on the old module path.
See https://github.com/go-chi/chi/blob/v4.1.3/go.mod#L1-L4
Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
1 year ago
f2993c4c3b
Use the legacy `tpm2` package import
1 year ago
116ff8ed65
bump go.mod to go1.20 and associated linter fixes ( #1518 )
1 year ago
d8eeebfd51
Fix error string in tests
...
This commit fixes a test checking an error string from an external
dependency.
1 year ago
c952e9fc9d
Use `NewDetailedError` instead
1 year ago
f3c24fe875
Change how multiple identifiers are printed in errors
1 year ago
a0cdad335d
Add test for `WithAdditionalErrorDetail`
1 year ago
9a52675865
Return descriptive error when using unsupported format
1 year ago
0d3338ff3a
Return consistent ACME error types for specific cases
1 year ago
df22b8a303
Cleanup some leftover TODOs
1 year ago
dd9bf1e915
Add error details for the `step` format
1 year ago
9cbbd1d575
Add error details to ACME `tpm` format validation errors
1 year ago
d5dd8feccd
Prevent internal errors from being returned to ACME clients
1 year ago
979e0f8f51
Add error details to select error cases for `apple` format
1 year ago
a5801b3c74
Fix TPM simulator initialization for tests
1 year ago
7731edd816
Store and verify Acme account location ( #1386 )
...
* Store and verify account location on acme requests
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
Co-authored-by: Mariano Cano <mariano@smallstep.com>
1 year ago
e71b62e95c
Merge branch 'master' into herman/update-crypto-v0.29.4
1 year ago
8b256f0351
address linter warning for go 1.19
1 year ago
0c2b00f6a1
Depend on our fork of `go-attestation`
1 year ago
d9aa2c110f
Increase test coverage for AK certificate properties
2 years ago
ed1a62206e
Add additional verification of AK certificate
2 years ago
1c38e252a6
Cast `alg` to a valid `COSEAlgorithmIdentifier`
2 years ago
e25acff13c
Simplify `alg` validity check
2 years ago
9cd4b362f7
Extract the `ParseSubjectAlternativeNames` function
2 years ago
b6957358fc
Fix PR remarks
...
- Root CA error message improved
- Looping through intermediate certs
- Change checking unhandled extensions to using `if`
2 years ago
09bd7705cd
Fix linting issues
2 years ago
f88ef6621f
Add `PermanentIdentifier` SAN parsing and tests
2 years ago
52023d6083
Add tests for `doTPMAttestationFormat`
2 years ago
ae30f6e96b
Add failing TPM simulator test
2 years ago
bf53b394a1
Add `tpm` format test with simulated TPM
2 years ago
094f0521e2
Remove check for `PermanentIdentifier` from `tpm` format validation
2 years ago
589a62df74
Make validation of `tpm` format stricter
2 years ago
213b31bc2c
Simplify processing logic for unhandled critical extension
2 years ago
e1c7e8f00b
Return the CSR public key fingerprint for `tpm` format
2 years ago
6297bace1a
Merge branch 'master' into herman/acme-da-tpm
2 years ago
69489480ab
Add more complete `tpm` format validation
2 years ago
5ff0dde819
Remove json tag in acme.Authorization fingerprint
2 years ago
6ba20209c2
Verify CSR key fingerprint with attestation certificate key
...
This commit makes sure that the attestation certificate key matches the
key used on the CSR on an ACME device attestation flow.
2 years ago
3a6fc5e0b4
Remove dependency on `smallstep/assert` in ACME challenge tests
2 years ago
0f1c509e4b
Remove debug utility
2 years ago
0f9128c873
Fix linting issue and order of test SUT
2 years ago
2ab9beb7ed
Add tests for `deviceAttest01Validate`
2 years ago
ed61c5df5f
Cleanup some leftover debug statements
2 years ago
60a9e41c1c
Remove `Identifier` from top level ACME `Errors`
2 years ago
edee01c80c
Refactor debug utility
2 years ago
1c38113e44
Add ACME `Subproblem` for more detailed ACME client-side errors
...
When validating an ACME challenge (`device-attest-01` in this case,
but it's also true for others), and validation fails, the CA didn't
return a lot of information about why the challenge had failed. By
introducing the ACME `Subproblem` type, an ACME `Error` can include
some additional information about what went wrong when validating
the challenge.
This is a WIP commit. The `Subproblem` isn't created in many code
paths yet, just for the `step` format at the moment. Will probably
follow up with some more improvements to how the ACME error is
handled. Also need to cleanup some debug things (q.Q)
2 years ago
f1724ea8c5
Merge branch 'master' into herman/acme-da-tpm
2 years ago
64d9ad7b38
Validate Subject Common Name for Orders with Permanent Identifier
2 years ago
817edcbba5
Remove `charset=utf-8` from ACME certificate requests
2 years ago
4cf25ede24
Merge branch 'master' into herman/acme-da-tpm
2 years ago
3eae04928f
Add tests for ACME Meta object
2 years ago
02d679e160
Merge branch 'master' into herman/ignore-empty-acme-meta
2 years ago
e27c6c529b
Add support for custom acme ports
...
This change adds the flags --acme-http-port, --acme-tls-port, that
combined with --insecure can be used to set custom ports for ACME
http-01 and tls-alpn-01 challenges. These flags should only be used
for testing purposes.
Fixes #1015
2 years ago
beltram
Stefan Berthold
Herman Slatman
Mariano Cano
Herman Slatman
Max
Dominic Evans