Commit Graph

50 Commits (817edcbba500d937805cc6b86b26c7fd74b9f616)

Author SHA1 Message Date
Herman Slatman 817edcbba5
Remove `charset=utf-8` from ACME certificate requests 2 years ago
Herman Slatman 3eae04928f
Add tests for ACME Meta object 2 years ago
Herman Slatman b9f238ad4d
Add additional ACME `meta` properties to provisioner configuration 2 years ago
Herman Slatman c9793561ff
Make `meta` object optional in ACME directory response
Harware appliances from Kemp seem to validate the contents of the
`meta` object, even if none of the properties in the `meta` object
is set. According to the RFC, the `meta` object, as well as its
properties are optional, so technically this should be fixed by
the manufacturer.

This commit is to see if we validation of the `meta` object is
skipped if it's not available in the response.
2 years ago
Mariano Cano a89bea701d Format comment 2 years ago
Mariano Cano 5df9434286 Fix old comment, device-attest-01 uses the acme payload 2 years ago
Brandon Weeks aacd6f4cc6 Add device-attest-01 challenge type 2 years ago
Mariano Cano e7f4eaf6c4 Remove explicit deprecation notice
This will avoid linter errors on other projects for now.
2 years ago
Mariano Cano 2ea0c70344 Move acme context middleware to deprecated handler 2 years ago
Mariano Cano 9147356d8a Fix linter errors 2 years ago
Mariano Cano 6f9d847bc6 Fix panic in acme/api tests. 2 years ago
Mariano Cano d1f75f1720 Refactor ACME api. 2 years ago
Mariano Cano 42435ace64 Use scep authority from context
This commit also converts all the methods from the handler to
functions.
2 years ago
Mariano Cano d13537d426 Use context in the acme handlers. 2 years ago
Panagiotis Siatras 00634fb648
api/render, api/log: initial implementation of the packages (#860)
* api/render: initial implementation of the package

* acme/api: refactored to support api/render

* authority/admin: refactored to support api/render

* ca: refactored to support api/render

* api: refactored to support api/render

* api/render: implemented Error

* api: refactored to support api/render.Error

* acme/api: refactored to support api/render.Error

* authority/admin: refactored to support api/render.Error

* ca: refactored to support api/render.Error

* ca: fixed broken tests

* api/render, api/log: moved error logging to this package

* acme: refactored Error so that it implements render.RenderableError

* authority/admin: refactored Error so that it implements render.RenderableError

* api/render: implemented RenderableError

* api/render: added test coverage for Error

* api/render: implemented statusCodeFromError

* api: refactored RootsPEM to work with render.Error

* acme, authority/admin: fixed pointer receiver name for consistency

* api/render, errs: moved StatusCoder & StackTracer to the render package
2 years ago
Herman Slatman e47dd0a666
Add ACME configuration prerequisites check 2 years ago
Herman Slatman d799359917
Merge branch 'master' into hs/acme-eab 2 years ago
Herman Slatman d0c23973cc
Merge branch 'master' into hs/acme-eab 2 years ago
Herman Slatman 004fc054d5
Fix PR comments 2 years ago
Herman Slatman 2d357da99b
Add tests for ACME revocation 3 years ago
Herman Slatman 2d50c96d99
Merge branch 'master' into hs/acme-revocation 3 years ago
Herman Slatman e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues 3 years ago
Herman Slatman 3151255a25
Merge branch 'master' into hs/acme-revocation 3 years ago
Herman Slatman a98fe03e80
Merge branch 'master' into hs/acme-eab 3 years ago
Herman Slatman c6bfc6eac2
Fix PR comments 3 years ago
Herman Slatman f81d49d963
Add first working version of External Account Binding 3 years ago
Herman Slatman 0e56932e76
Add support for revocation using JWK 3 years ago
Herman Slatman d53bcaf830
Add base logic for ACME revoke-cert 3 years ago
Joe Julian 0369151bfa
use InsecureSkipVerify for validation
The server will not yet have a valid certificate so we need to disable
certificate validation in the HTTPGetter.
3 years ago
Mariano Cano 2e1524ec2f Remove the creation on nonce on get acme directory.
According to RFC 8555, the replay nonces are only required in POST
requests. And of course in the new-nonce request.
3 years ago
max furman b1888fd34d Use different method for unescpaed paths for the router 3 years ago
max furman 672e3f976e Few ACME fixes ...
- always URL escape linker output
- validateJWS should accept RSAPSS
- GetUpdateAccount -> GetOrUpdateAccount
3 years ago
max furman 440678cb62 Add markInvalid arg to storeError for invalidating challenge 3 years ago
max furman 6b8585c702 PR review fixes / updates 3 years ago
max furman a785131d09 Fix lint issues 3 years ago
max furman 1831920363 Finish order unit tests and remove unused mocklinker 3 years ago
max furman b6ebc0fd25 more unit tests 3 years ago
max furman 20b9785d20 [acme db interface] continuing unit test work 3 years ago
max furman 291fd5d45a [acme db interface] more unit tests 3 years ago
max furman f71e27e787 [acme db interface] unit test progress 3 years ago
max furman bb8d54e596 [acme db interface] unit tests compiling 3 years ago
max furman f20fcae80e [acme db interface] wip unit test fixing 3 years ago
max furman 80a6640103 [acme db interface] wip 3 years ago
max furman 55bf5a4526 Add cert logging for acme/certificate api 4 years ago
David Cowden a26b5f322d acme/api: Brush up documentation on key-change
Add more specific wording describing what a 501 means and add more color
explaining how official vs unofficial error types should be handled.
4 years ago
David Cowden b26e6e42b3 acme: Return 501 for the key-change route
RFC 8555 § 7.3.5 is not listed as optional but we do not currently
support it. Rather than 404, return a 501 to inform clients that this
functionality is not yet implemented.

The notImplmented error type is not an official error registered in the
ietf:params:acme:error namespace, so prefix if with step:acme:error. An
ACME server is allowed to return other errors and clients should display
the message detail to users.

Fixes: https://github.com/smallstep/certificates/issues/209
4 years ago
max furman e1409349f3 Allow relative URL for all links in ACME api ...
* Pass the request context all the way down the ACME stack.
* Save baseURL in context and use when generating ACME urls.
4 years ago
Clive Jevons 639993bd09 Read host and protocol information from request for links
When constructing links we want to read the required host and protocol
information in a dynamic manner from the request for constructing ACME
links such as the directory information. This way, if the server is
running behind a proxy, and we don't know what the exposed URL should
be at runtime, we can construct the required information from the
host, tls and X-Forwarded-Proto fields in the HTTP request.
Inspired by the LetsEncrypt Boulder project (web/relative.go).
4 years ago
max furman d368791606 Add x5c provisioner capabilities 5 years ago
max furman e3826dd1c3 Add ACME CA capabilities 5 years ago