smallstep-certificates

mirror of https://github.com/smallstep/certificates.git synced 2024-10-31 03:20:16 +00:00

Author	SHA1	Message	Date
Mariano Cano	e7f4eaf6c4	Remove explicit deprecation notice This will avoid linter errors on other projects for now.	2022-05-23 14:04:31 -07:00
Mariano Cano	d461918eb0	Merge branch 'master' into context-authority	2022-05-06 13:21:41 -07:00
Mariano Cano	2ea0c70344	Move acme context middleware to deprecated handler	2022-05-05 12:25:07 -07:00
Mariano Cano	9147356d8a	Fix linter errors	2022-05-02 18:47:47 -07:00
Mariano Cano	2ab7dc6f9d	Fix acme tests.	2022-05-02 18:09:26 -07:00
Mariano Cano	ba499eeb2a	Fix acme/api tests.	2022-05-02 17:40:10 -07:00
Mariano Cano	6f9d847bc6	Fix panic in acme/api tests.	2022-05-02 17:35:35 -07:00
Herman Slatman	d82e51b748	Update AllowWildcardNames configuration name	2022-04-29 15:08:19 +02:00
Mariano Cano	d1f75f1720	Refactor ACME api.	2022-04-28 19:15:18 -07:00
Mariano Cano	fddd6f7d95	Move linker to the acme package.	2022-04-28 15:15:50 -07:00
Mariano Cano	55b0f72821	Add context methods for the acme linker.	2022-04-28 15:14:15 -07:00
Mariano Cano	bb8d85a201	Fix unit tests - work in progress	2022-04-27 19:08:16 -07:00
Mariano Cano	42435ace64	Use scep authority from context This commit also converts all the methods from the handler to functions.	2022-04-27 18:06:53 -07:00
Mariano Cano	d13537d426	Use context in the acme handlers.	2022-04-27 15:42:26 -07:00
Mariano Cano	bd412c9f42	Add context methods for the acme database	2022-04-27 12:11:00 -07:00
Herman Slatman	6e1f8dd7ab	Refactor policy engines into container	2022-04-26 13:12:16 +02:00
Herman Slatman	2a7620641f	Fix more PR comments	2022-04-26 10:15:17 +02:00
Herman Slatman	fb81407d6f	Fix ACME policy comments	2022-04-21 13:21:06 +02:00
Herman Slatman	7f9034d22a	Add additional policy options	2022-04-19 10:24:52 +02:00
Herman Slatman	a9f033ece5	Fix JSON property name for ACME policy	2022-04-15 10:58:40 +02:00
Herman Slatman	256fe113f7	Improve tests for ACME account policy	2022-04-11 15:25:55 +02:00
Herman Slatman	034b7943fe	Merge branch 'master' into herman/allow-deny	2022-04-07 14:12:20 +02:00
Herman Slatman	7df52dbb76	Add ACME EAB policy	2022-04-07 14:11:53 +02:00
Herman Slatman	479c6d2bf5	Fix ACME IPv6 HTTP-01 challenges Fixes #890	2022-04-07 12:37:34 +02:00
Herman Slatman	2fbdf7d5b0	Merge branch 'master' into herman/allow-deny	2022-03-30 14:50:14 +02:00
Panagiotis Siatras	00634fb648	api/render, api/log: initial implementation of the packages (#860 ) * api/render: initial implementation of the package * acme/api: refactored to support api/render * authority/admin: refactored to support api/render * ca: refactored to support api/render * api: refactored to support api/render * api/render: implemented Error * api: refactored to support api/render.Error * acme/api: refactored to support api/render.Error * authority/admin: refactored to support api/render.Error * ca: refactored to support api/render.Error * ca: fixed broken tests * api/render, api/log: moved error logging to this package * acme: refactored Error so that it implements render.RenderableError * authority/admin: refactored Error so that it implements render.RenderableError * api/render: implemented RenderableError * api/render: added test coverage for Error * api/render: implemented statusCodeFromError * api: refactored RootsPEM to work with render.Error * acme, authority/admin: fixed pointer receiver name for consistency * api/render, errs: moved StatusCoder & StackTracer to the render package	2022-03-30 11:22:22 +03:00
Herman Slatman	b49307f326	Fix ACME order tests with mock ACME CA	2022-03-24 18:34:04 +01:00
Herman Slatman	9e0edc7b50	Add early authority policy evaluation to ACME order API	2022-03-24 14:55:40 +01:00
Herman Slatman	101ca6a2d3	Check admin subjects before changing policy	2022-03-21 15:53:59 +01:00
Herman Slatman	3ec9a7310c	Fix ACME order identifier allow/deny check	2022-03-08 14:17:59 +01:00
Herman Slatman	af53a17bb4	Merge branch 'master' into herman/allow-deny	2022-03-07 14:13:13 +01:00
Herman Slatman	b6f6bd879c	Fix PR comment and add tests for ACME prerequisites checker	2022-03-03 13:00:20 +01:00
Herman Slatman	e47dd0a666	Add ACME configuration prerequisites check	2022-02-28 16:08:00 +01:00
Herman Slatman	c3c6f3da72	Merge branch 'master' into herman/allow-deny	2022-02-22 17:36:56 +01:00
Herman Slatman	bfa2245abb	Merge branch 'master' into herman/normalize-ipv6-dns-names	2022-02-03 17:24:08 +01:00
Herman Slatman	1fe7362bee	Normalize IPv6 addresses in ACME linker	2022-02-03 13:55:15 +01:00
Herman Slatman	c1424036bf	Merge branch 'master' into herman/allow-deny	2022-01-31 14:24:34 +01:00
Herman Slatman	bf21319e76	Fix PR comments and issue with empty string slices	2022-01-28 13:26:56 +01:00
Herman Slatman	fd9845e9c7	Add cursor and limit to ACME EAB DB interface	2022-01-24 14:03:56 +01:00
Herman Slatman	c3f2fd8ef0	Add RW locks to prevent concurrent updates to the DB Although this may slow certain API calls down and may not be, strictly necessary, I think it's best to put all the ACME EAB operations behind RW locks to prevent concurrent updates to the DB and guarantee consistent result sets.	2022-01-20 17:25:15 +01:00
Herman Slatman	868cc4ad7f	Increase test coverage for additional indexes	2022-01-20 17:06:23 +01:00
Herman Slatman	c0eb420806	Remove special case for empty slices	2022-01-20 11:03:49 +01:00
Herman Slatman	6440870a80	Clean up, improve test cases and coverage	2022-01-18 14:39:21 +01:00
Herman Slatman	ef16febf40	Refactor ACME EAB queries The ACME EAB keys are now also indexed by the provisioner. This solves part of the issue in which too many EAB keys may be in memory at a given time.	2022-01-07 16:59:55 +01:00
Herman Slatman	30859d3c83	Remove server-side paging logic for ExternalAccountKeys	2022-01-06 14:09:35 +01:00
Herman Slatman	9539729bd9	Add initial implementation of x509 and SSH allow/deny policy engine	2022-01-03 12:25:24 +01:00
Herman Slatman	11a7f01177	Simplify lookup cursor logic for ExternalAccountKeys	2021-12-22 15:42:49 +01:00
Herman Slatman	22ff90f655	Merge branch 'master' into hs/acme-eab	2021-12-22 12:54:41 +01:00
Herman Slatman	a5f2f004e3	Change name of IP Common Name test for clarity	2021-12-20 18:55:23 +01:00
Herman Slatman	f9ae875f9d	Use short if-style statements	2021-12-20 14:30:01 +01:00
Herman Slatman	80bebda69c	Fix code style issue	2021-12-20 13:40:17 +01:00
Herman Slatman	bc0875bd7b	Disallow email address and URLs in the CSR Before this commit `step` would allow email addresses and URLs in the CSR. This doesn't fit nicely with the rest of ACME, in which identifiers need to be authorized before a certificate is issued.	2021-12-13 16:14:39 +01:00
Herman Slatman	13a31fd862	Merge branch 'master' into herman/ip-sans-improvements	2021-12-13 16:04:53 +01:00
Herman Slatman	ca707cbe05	Fix linting	2021-12-13 16:01:40 +01:00
Herman Slatman	a5d33512fe	Fix test	2021-12-13 15:59:01 +01:00
Herman Slatman	a2c9b5cd7e	Allow IP identifiers in subject, including authorization enforcement To support IPs in the subject using `step-cli`, this PR ensures that Subject Common Names that can be parsed as an IP are also checked to have been authorized before. The PR for `step-cli` is here: github.com/smallstep/cli/pull/576.	2021-12-13 15:34:56 +01:00
Herman Slatman	d799359917	Merge branch 'master' into hs/acme-eab	2021-12-09 13:58:40 +01:00
Herman Slatman	63371a8fb6	Add additional tests for ACME EAB Admin	2021-12-09 13:46:47 +01:00
Herman Slatman	0524122191	Remove authorization flow for different Account private keys As discussed in https://github.com/smallstep/certificates/issues/767, we opted for not including this authorization flow to prevent users from getting OOMs. We can add the functionality back when the underlying data store can provide access to a long list of Authorizations more efficiently, for example when a callback is implemented.	2021-12-08 16:28:14 +01:00
Herman Slatman	2215a05c28	Add tests for ACME EAB Admin Refactored some of the existing bits for testing the Authority API by creation of a new LinkedAuthority interface and changing visibility of the MockAuthority to be usable by other packages. At this time, not all of the functions of MockAuthority it usable yet. Will refactor when needed or requested.	2021-12-08 15:19:38 +01:00
Herman Slatman	9885d42711	Fix linting issues	2021-12-07 16:28:06 +01:00
Herman Slatman	6e11657204	Refactor creation of (raw) EAB JWS contents	2021-12-07 14:57:39 +01:00
Herman Slatman	23898e9b76	Improve EAB JWS validation and increase test coverage	2021-12-07 12:17:41 +01:00
Herman Slatman	d0c23973cc	Merge branch 'master' into hs/acme-eab	2021-12-06 13:01:23 +01:00
Herman Slatman	004fc054d5	Fix PR comments	2021-12-03 15:06:28 +01:00
Herman Slatman	06bb97c91e	Add logic for Account authorizations and improve tests	2021-12-02 16:25:35 +01:00
Herman Slatman	bae1d256ee	Improve tests for JWK vs. KID revoke auth flow The logic for both test cases is fairly similar, but with some small differences. Made those clearer by means of some comments. Also added some comments to the middleware logic that decided whether to extract JWK or lookup by KID.	2021-12-02 10:59:56 +01:00
Herman Slatman	a7fbbc4748	Add tests for GetCertificateBySerial	2021-11-28 21:20:57 +01:00
Herman Slatman	4d01cf8135	Increase test code coverage	2021-11-28 20:30:36 +01:00
Herman Slatman	2d357da99b	Add tests for ACME revocation	2021-11-26 17:27:42 +01:00
Herman Slatman	ed295ca15d	Fix linting issue	2021-11-25 00:44:21 +01:00
Herman Slatman	2d50c96d99	Merge branch 'master' into hs/acme-revocation	2021-11-19 17:00:18 +01:00
Herman Slatman	e7a988b2cd	Pin golangci-lint to v1.43.0 and fix issues	2021-11-13 01:30:03 +01:00
Herman Slatman	29f9730485	Satisfy golangci-lint	2021-11-12 17:13:10 +01:00
Herman Slatman	c7a9c13060	Add tests for extractOrLookupJWK middleware	2021-11-12 16:37:44 +01:00
Herman Slatman	3151255a25	Merge branch 'master' into hs/acme-revocation	2021-10-30 15:41:29 +02:00
Herman Slatman	4d726d6b4c	Add pagination to ACME EAB credentials endpoint	2021-10-17 22:42:36 +02:00
Herman Slatman	d354d55e7f	Improve handling duplicate ACME EAB references	2021-10-16 14:44:56 +02:00
Herman Slatman	dd4b4b0435	Fix remaining gocritic remarks	2021-10-11 23:34:23 +02:00
Herman Slatman	a4660f73fa	Fix some of the gocritic remarks	2021-10-11 23:10:16 +02:00
Herman Slatman	e0b495e4c8	Merge branch 'master' into hs/acme-eab	2021-10-09 01:06:49 +02:00
Herman Slatman	c26041f835	Add ACME EAB nosql tests	2021-10-09 01:02:00 +02:00
max furman	933b40a02a	Introduce gocritic linter and address warnings	2021-10-08 14:59:57 -04:00
Herman Slatman	0afea2e957	Improve tests for already bound EAB keys	2021-10-08 13:19:35 +02:00
Herman Slatman	c2bc1351c6	Add provisioner to remove endpoint and clear reference index on delete	2021-09-17 17:48:09 +02:00
Herman Slatman	746c5c9fd9	Disallow creation of EAB keys with non-unique references	2021-09-17 17:25:19 +02:00
Herman Slatman	9c0020352b	Add lookup by reference and make reference optional	2021-09-17 17:08:02 +02:00
Herman Slatman	02cd3b6b3b	Fix PR comments	2021-09-16 23:09:24 +02:00
Herman Slatman	f11c0cdc0c	Add endpoint for listing ACME EAB keys	2021-08-27 16:58:04 +02:00
Herman Slatman	a1afbce50c	Check EAB key exists before deleting it	2021-08-27 14:47:10 +02:00
Herman Slatman	9d09f5e575	Add support for deleting ACME EAB keys	2021-08-27 14:10:00 +02:00
Herman Slatman	a98fe03e80	Merge branch 'master' into hs/acme-eab	2021-08-27 12:50:19 +02:00
Herman Slatman	1dba8698e3	Use LinkedCA.EABKey type in ACME EAB API	2021-08-27 12:39:37 +02:00
Mariano Cano	470b546d59	Merge pull request #557 from joejulian/http01-isv use InsecureSkipVerify for validation	2021-08-26 18:06:57 -07:00
max furman	a3028bbc0e	Add test for updateAddOrderIDs	2021-08-18 23:44:57 -07:00
Mariano Cano	dc5205cc72	Extract the tls error code and fail accordingly.	2021-08-17 17:06:25 -07:00
Mariano Cano	ae58a0ee4e	Make tests compatible with Go 1.17. With Go 1.17 tls.Dial will fail if the client and server configured protocols do not overlap. See https://golang.org/doc/go1.17#ALPN	2021-08-17 16:31:53 -07:00
Herman Slatman	f31ca4f6a4	Add tests for validateExternalAccountBinding	2021-08-10 12:39:44 +02:00
Herman Slatman	492256f2d7	Add first test cases for EAB and make provisioner unique per EAB Before this commit, EAB keys could be used CA-wide, meaning that an EAB credential could be used at any ACME provisioner. This commit changes that behavior, so that EAB credentials are now intended to be used with a specific ACME provisioner. I think that makes sense, because from the perspective of an ACME client the provisioner is like a distinct CA. Besides that this commit also includes the first tests for EAB. The logic for creating the EAB JWS as a client has been taken from github.com/mholt/acmez. This logic may be moved or otherwise sourced (i.e. from a vendor) as soon as the step client also (needs to) support(s) EAB with ACME.	2021-08-09 10:37:32 +02:00
Herman Slatman	c6bfc6eac2	Fix PR comments	2021-07-22 23:48:41 +02:00
Herman Slatman	d669f3cb14	Fix misspelling	2021-07-17 20:39:12 +02:00
Herman Slatman	540d5fbbdc	Fix marshaling -> marshalling	2021-07-17 20:35:44 +02:00
Herman Slatman	2110c7722f	Fix JWK payload key equality check	2021-07-17 20:29:12 +02:00
Herman Slatman	d44cd18b96	Add External Accounting Binding key "BoundAt" marking	2021-07-17 19:02:47 +02:00
Herman Slatman	f81d49d963	Add first working version of External Account Binding	2021-07-17 17:35:44 +02:00
Herman Slatman	258efca0fa	Improve revocation authorization	2021-07-10 00:28:31 +02:00
Herman Slatman	97165f1844	Fix test mocking for CreateCertificate	2021-07-09 22:48:03 +02:00
Herman Slatman	2b15230aa4	Add Serial to Cert ID ACME table and lookup	2021-07-09 17:51:31 +02:00
Herman Slatman	8f7e700f09	Merge branch 'master' into hs/acme-revocation	2021-07-09 11:22:25 +02:00
max furman	857a50434c	Merge branch 'master' into max/cert-mgr-crud	2021-07-08 16:25:52 -07:00
max furman	9fdef64709	Admin level API for provisioner mgmt v1	2021-07-02 19:05:17 -07:00
Herman Slatman	16fe07d4dc	Fix mockSignAuth	2021-07-03 02:10:16 +02:00
Herman Slatman	0e56932e76	Add support for revocation using JWK	2021-07-03 01:57:27 +02:00
Herman Slatman	84e7d468f2	Improve handling of ACME revocation	2021-07-03 00:21:17 +02:00
Herman Slatman	d53bcaf830	Add base logic for ACME revoke-cert	2021-07-02 22:51:15 +02:00
Herman Slatman	8e4a4ecc1f	Refactor tests for sans	2021-06-26 00:48:40 +02:00
Herman Slatman	87b72afa25	Fix IP equality check and add more tests	2021-06-26 00:13:44 +02:00
Herman Slatman	a6d33b7d06	Add tests for sans()	2021-06-25 17:21:22 +02:00
Herman Slatman	64c15fde7e	Add tests for canonicalize function	2021-06-25 14:07:40 +02:00
Herman Slatman	c514a187b2	Fix Fail() -_-b	2021-06-18 17:37:56 +02:00
Herman Slatman	135e912ac8	Improve coverage for TLS-ALPN-01 challenge	2021-06-18 17:27:35 +02:00
Herman Slatman	218a2adb9f	Add tests for IP Order validations	2021-06-18 16:09:48 +02:00
Herman Slatman	523ae96749	Change identifier and challenge types to consts	2021-06-18 12:39:36 +02:00
Herman Slatman	84ea8bd67a	Fix PR comments	2021-06-18 12:03:46 +02:00
Herman Slatman	af4803b8b8	Fix tests	2021-06-04 11:14:59 +02:00
Herman Slatman	0c79914d0d	Improve check for single IP in TLS-ALPN-01 challenge	2021-06-04 00:18:26 +02:00
Herman Slatman	a6405e98a9	Remove fmt.	2021-06-04 00:06:15 +02:00
Herman Slatman	2f40011da8	Add support for TLS-ALPN-01 challenge	2021-06-04 00:01:43 +02:00
Herman Slatman	76dcf542d4	Fix mixed DNS and IP SANs in Order	2021-06-03 22:45:24 +02:00
Herman Slatman	af615db6b5	Support DNS and IPs as SANs in single Order	2021-06-03 22:03:21 +02:00
Herman Slatman	a0e92f8e99	Verify IP identifier contains valid IP	2021-06-03 22:02:13 +02:00
Herman Slatman	6486e6016b	Make logic for which challenge types to use clearer	2021-05-29 00:37:22 +02:00
Herman Slatman	3e36522329	Add preliminary support for TLS-ALPN-01 challenge for IP identifiers	2021-05-29 00:19:14 +02:00
Herman Slatman	6d9710c88d	Add initial support for ACME IP validation	2021-05-28 16:40:46 +02:00
max furman	7b5d6968a5	first commit	2021-05-19 15:20:16 -07:00
Joe Julian	0369151bfa	use InsecureSkipVerify for validation The server will not yet have a valid certificate so we need to disable certificate validation in the HTTPGetter.	2021-04-27 08:18:35 -07:00
Mariano Cano	2e1524ec2f	Remove the creation on nonce on get acme directory. According to RFC 8555, the replay nonces are only required in POST requests. And of course in the new-nonce request.	2021-04-15 17:54:22 -07:00
max furman	93c3c2bf2e	Error handle non existent provisioner downstream and disable debug route logging	2021-04-14 15:35:43 -07:00
max furman	497ec0c79b	Fix linter issues	2021-04-14 15:14:27 -07:00
max furman	b1888fd34d	Use different method for unescpaed paths for the router	2021-04-14 15:11:15 -07:00
max furman	6cfb9b790c	Remove check of deprecated value - NegotiatedProtocolIsMutual is always true: Deprecated according to golang docs	2021-04-13 14:53:05 -07:00
max furman	63ec2e35b0	Change Clock to empty struct in nosql/nosql \| truncate > round - saves space -	2021-04-13 14:42:37 -07:00
max furman	672e3f976e	Few ACME fixes ... - always URL escape linker output - validateJWS should accept RSAPSS - GetUpdateAccount -> GetOrUpdateAccount	2021-04-12 19:06:07 -07:00
max furman	2e0e62bc4c	add WriteError method for acme api	2021-03-29 23:16:39 -07:00
max furman	9aef84b9af	remove unused nonce.clone method	2021-03-29 23:02:41 -07:00
max furman	440678cb62	Add markInvalid arg to storeError for invalidating challenge	2021-03-29 22:58:26 -07:00
max furman	6b8585c702	PR review fixes / updates	2021-03-29 12:04:14 -07:00
max furman	bdace1e53f	Add failure scenarios to db.CreateOrder unit tests	2021-03-25 19:40:18 -07:00
max furman	fd447c5b54	Fix small nbf->naf bug in db.CreateOrder - still needs unit test	2021-03-25 16:45:26 -07:00
max furman	a785131d09	Fix lint issues	2021-03-25 15:15:32 -07:00

1 2 3 4 5 ...

340 Commits