This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys
for issuing ssh certificates signed by a key managed by a ssh-agent. It
uses the golang.org/x/crypto package to get a native Go implementation
to talk to a ssh-agent.
This was primarly written to be able to use gpg-agent to provide the
keys stored in a YubiKeys openpgp interface, but can be used for other
setups like proxying a ssh-agent over network.
That way the signing key for ssh certificates can be kept in a
"sign-only" hsm.
This code was written for my employer Intinor AB, but for simplicity
sake gifted to me to contribute upstream.
Signed-off-by: Anton Lundin <glance@acc.umu.se>
This changes adds a new option `iidRoots` that allows a user to
define one or more certificates that will be used for AWS IID
signature validation.
Fixes#393
This change makes easier the configuration of cloudCAS as it does
not require to configure the root or intermediate certificate
in the ca.json. CloudCAS will get the root certificate using
the configured certificateAuthority.
This change replaces the .Insecure.CR template to one that sets
all the SANs, but uses key usages and extended key usages for
regular TLS certificates.
- cs.NegotiatedProtocolIsMutual has been deprecated but we still build
in travis with 1.14 so for now we'll ignore this linting error
- string(int) was resolving to string of a single rune rather than
string of digits -> use fmt.Sprint