Mariano Cano
8ce807a6cb
Modify errs.BadRequest() calls to always send an error to the client.
3 years ago
Herman Slatman
3151255a25
Merge branch 'master' into hs/acme-revocation
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
42fde8ba28
Merge branch 'master' into linkedca
3 years ago
Mariano Cano
9e5762fe06
Allow the reuse of azure token if DisableTrustOnFirstUse is true
...
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.
The meaning of this parameter is to allow the signing of multiple
certificate in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.
Fixes #656
3 years ago
Mariano Cano
d72fa953ac
Remove debug statements.
3 years ago
Mariano Cano
3f07eb597a
Implement revocation using linkedca.
3 years ago
Mariano Cano
0730a165fd
Add collection of files and authority template.
3 years ago
Mariano Cano
71f8019243
Store x509 and ssh certificates on linkedca if enabled.
3 years ago
Herman Slatman
8f7e700f09
Merge branch 'master' into hs/acme-revocation
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Herman Slatman
84e7d468f2
Improve handling of ACME revocation
3 years ago
max furman
7b5d6968a5
first commit
3 years ago
Mariano Cano
2cbaee9c1d
Allow to use an alternative interface to store renewed certs.
...
This can be useful to know if a certificate has been renewed and
link one certificate with the 'parent'.
3 years ago
Mariano Cano
e6833ecee3
Add extension of db.AuthDB to store the fullchain.
...
Add a temporary solution to allow an extension of an db.AuthDB
interface that logs the fullchain of certificates instead of just
the leaf.
3 years ago
Mariano Cano
0b8528ce6b
Allow mTLS revocation without provisioner.
4 years ago
Mariano Cano
bcf70206ac
Add support for revocation using an extra provisioner in the RA.
4 years ago
Mariano Cano
a6115e29c2
Add initial implementation of StepCAS.
...
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
4 years ago
Mariano Cano
3e0ab8fba7
Fix typo.
4 years ago
Mariano Cano
d64427487d
Add comment about the missing error check.
4 years ago
Mariano Cano
e17ce39e3a
Add support for Revoke using CAS.
4 years ago
Mariano Cano
aad8f9e582
Pass issuer and signer to softCAS options.
...
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
4 years ago
Mariano Cano
1b1f73dec6
Early attempt to develop a CAS interface.
4 years ago
Mariano Cano
cef0475e71
Make clear what's a template/unsigned certificate.
4 years ago
Mariano Cano
c94a1c51be
Merge branch 'master' into ssh-cert-templates
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
max furman
81875074e3
tie -> the in comment
4 years ago
max furman
cb594ed2e0
go mod tidy and golang 1.15.0 cleanup ...
...
- cs.NegotiatedProtocolIsMutual has been deprecated but we still build
in travis with 1.14 so for now we'll ignore this linting error
- string(int) was resolving to string of a single rune rather than
string of digits -> use fmt.Sprint
4 years ago
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
4 years ago
Mariano Cano
0a59efd853
Use new x509util to generate the CA certificate.
4 years ago
Mariano Cano
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
4 years ago
Mariano Cano
ce1eb0a01b
Use new x509util for renew/rekey.
4 years ago
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
4 years ago
Mariano Cano
a7b65f1e1e
Add authority.Sign test with custom templates.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
Mariano Cano
ccc705cdcd
Use alias x509legacy to cli x509util in tls.go.
4 years ago
Mariano Cano
8f0dd811af
Allow to send errors from template to cli.
4 years ago
Mariano Cano
4795e371bd
Add back the support for ca.json DN template.
4 years ago
Mariano Cano
d1d9ae42d6
Use certificates x509util instead of cli for certificate signing.
4 years ago
max furman
fd05f3249b
A few last fixes and tests added for rekey/renew ...
...
- remove all `renewOrRekey`
- explicitly test difference between renew and rekey (diff pub keys)
- add back tests for renew
4 years ago
Max
ea9bc493b8
Merge pull request #307 from dharanikumar-s/master
...
Add support for rekeying Fixes #292
4 years ago
dharanikumar-s
57fb0c80cf
Removed calculating SubjectKeyIdentifier on Rekey
4 years ago
dharanikumar-s
dfda497929
Renamed RenewOrRekey to Rekey
4 years ago
dharanikumar-s
fe73154a20
Corrected misspelling
4 years ago
dharanikumar-s
2479371c06
Added error check while marshalling public key
4 years ago
dharanikumar-s
c8c3581e2f
SubjectKeyIdentifier extention is calculated from public key passed to this function instead of copying from old certificate
4 years ago
dharanikumar-s
8f504483ce
Added RenewOrRekey function based on @maraino suggestion. RenewOrReky is called from Renew.
4 years ago
dharanikumar-s
3813f57b1a
Add support for rekeying Fixes #292
4 years ago
max furman
d25e7f64c2
wip
4 years ago
max furman
3636ba3228
wip
4 years ago
max furman
1951669e13
wip
4 years ago
Mariano Cano
bfe1f4952d
Rename interface to CertificateEnforcer and add tests.
5 years ago
Mariano Cano
64f26c0f40
Enforce a duration for identity certificates.
5 years ago
Mariano Cano
05cc1437b7
Remove unnecessary parse of certificate.
5 years ago
Mariano Cano
43bd8113aa
Remove unnecessary comments.
5 years ago
Mariano Cano
69a1b68283
Merge branch 'ssh' into kms
5 years ago
max furman
b265877050
Simplify statuscoder error generators.
5 years ago
max furman
c387b21808
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
Mariano Cano
c62526b39f
Add wip support for kms.
5 years ago
Mariano Cano
e67ccd9e3d
Add fault tolerance against clock skew accross system on TLS certificates.
5 years ago
Mariano Cano
8eeb82d0ce
Store renew certificate in the database.
5 years ago
Mariano Cano
0c3b9ebf45
Fix indentation.
5 years ago
max furman
a9ea292bd4
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
Jozef Kralik
bc6074f596
Change api of functions Authority.Sign, Authority.Renew
...
Returns certificate chain instead of 2 members.
Implements #126
5 years ago
max furman
fe7973c060
wip
5 years ago
Mariano Cano
2127d09ef3
Rename context type to apiCtx.
...
It will conflict with the context package.
5 years ago
max furman
ab4d569f36
Add /revoke API with interface db backend
6 years ago
Mariano Cano
8c8547bf65
Remove unnecessary parse and improve tests.
6 years ago
Mariano Cano
a3e2b4a552
Move certificate check to the right place.
6 years ago
Mariano Cano
30a6889d1f
Use standard x509 instead of step one.
6 years ago
Mariano Cano
7fd737cbb1
Fix lint warnings.
6 years ago
Mariano Cano
1f5ff5c899
Fix sign and renew tests.
6 years ago
Mariano Cano
c0ef6f8dc5
Add missing modifier and change return codes.
6 years ago
Mariano Cano
a97ea87caa
Move options to provisioner so we can set the duration of the cert.
6 years ago
Mariano Cano
1671ab2590
Fix some tests.
6 years ago
Mariano Cano
57b705f6cf
Use provisioner sign options.
6 years ago
Mariano Cano
d78febec7a
Fix extensions copy on renew
...
Fixes #36
6 years ago
max furman
7e43402575
bug fix: don't add common name to CSR validation claims in Sign
...
* added unit test for this case
6 years ago
max furman
e6e8443f3c
allow multiple identical SANs in cert
6 years ago
max furman
f0683c2e0a
Enable signing certificates with custom SANs
...
* validate against SANs in token. must be 1:1 equivalent.
6 years ago
Mariano Cano
d6cad2a7f3
Add provisioner option to disable renewal.
...
Fixes smallstep/ca-component#108
6 years ago
Mariano Cano
d574545d94
Format code with `gofmt -s`
6 years ago
max furman
7fa06643b2
change step provisioner OID and ASN1 representation
6 years ago
max furman
a4a461466b
withProvisionerOID and unit test
6 years ago
max furman
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
6 years ago
max furman
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
6 years ago
max furman
c284a2c0ab
first commit
6 years ago