Mariano Cano
fddd6f7d95
Move linker to the acme package.
3 years ago
Mariano Cano
55b0f72821
Add context methods for the acme linker.
3 years ago
Mariano Cano
bb8d85a201
Fix unit tests - work in progress
3 years ago
Mariano Cano
42435ace64
Use scep authority from context
...
This commit also converts all the methods from the handler to
functions.
3 years ago
Mariano Cano
d13537d426
Use context in the acme handlers.
3 years ago
Mariano Cano
bd412c9f42
Add context methods for the acme database
3 years ago
Herman Slatman
6e1f8dd7ab
Refactor policy engines into container
3 years ago
Herman Slatman
2a7620641f
Fix more PR comments
3 years ago
Herman Slatman
fb81407d6f
Fix ACME policy comments
3 years ago
Herman Slatman
7f9034d22a
Add additional policy options
3 years ago
Herman Slatman
a9f033ece5
Fix JSON property name for ACME policy
3 years ago
Herman Slatman
256fe113f7
Improve tests for ACME account policy
3 years ago
Herman Slatman
034b7943fe
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
7df52dbb76
Add ACME EAB policy
3 years ago
Herman Slatman
479c6d2bf5
Fix ACME IPv6 HTTP-01 challenges
...
Fixes #890
3 years ago
Herman Slatman
2fbdf7d5b0
Merge branch 'master' into herman/allow-deny
3 years ago
Panagiotis Siatras
00634fb648
api/render, api/log: initial implementation of the packages ( #860 )
...
* api/render: initial implementation of the package
* acme/api: refactored to support api/render
* authority/admin: refactored to support api/render
* ca: refactored to support api/render
* api: refactored to support api/render
* api/render: implemented Error
* api: refactored to support api/render.Error
* acme/api: refactored to support api/render.Error
* authority/admin: refactored to support api/render.Error
* ca: refactored to support api/render.Error
* ca: fixed broken tests
* api/render, api/log: moved error logging to this package
* acme: refactored Error so that it implements render.RenderableError
* authority/admin: refactored Error so that it implements render.RenderableError
* api/render: implemented RenderableError
* api/render: added test coverage for Error
* api/render: implemented statusCodeFromError
* api: refactored RootsPEM to work with render.Error
* acme, authority/admin: fixed pointer receiver name for consistency
* api/render, errs: moved StatusCoder & StackTracer to the render package
3 years ago
Herman Slatman
b49307f326
Fix ACME order tests with mock ACME CA
3 years ago
Herman Slatman
9e0edc7b50
Add early authority policy evaluation to ACME order API
3 years ago
Herman Slatman
101ca6a2d3
Check admin subjects before changing policy
3 years ago
Herman Slatman
3ec9a7310c
Fix ACME order identifier allow/deny check
3 years ago
Herman Slatman
af53a17bb4
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
b6f6bd879c
Fix PR comment and add tests for ACME prerequisites checker
3 years ago
Herman Slatman
e47dd0a666
Add ACME configuration prerequisites check
3 years ago
Herman Slatman
c3c6f3da72
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
bfa2245abb
Merge branch 'master' into herman/normalize-ipv6-dns-names
3 years ago
Herman Slatman
1fe7362bee
Normalize IPv6 addresses in ACME linker
3 years ago
Herman Slatman
c1424036bf
Merge branch 'master' into herman/allow-deny
3 years ago
Herman Slatman
bf21319e76
Fix PR comments and issue with empty string slices
3 years ago
Herman Slatman
fd9845e9c7
Add cursor and limit to ACME EAB DB interface
3 years ago
Herman Slatman
c3f2fd8ef0
Add RW locks to prevent concurrent updates to the DB
...
Although this may slow certain API calls down and may not be, strictly
necessary, I think it's best to put all the ACME EAB operations behind
RW locks to prevent concurrent updates to the DB and guarantee
consistent result sets.
3 years ago
Herman Slatman
868cc4ad7f
Increase test coverage for additional indexes
3 years ago
Herman Slatman
c0eb420806
Remove special case for empty slices
3 years ago
Herman Slatman
6440870a80
Clean up, improve test cases and coverage
3 years ago
Herman Slatman
ef16febf40
Refactor ACME EAB queries
...
The ACME EAB keys are now also indexed by the provisioner. This
solves part of the issue in which too many EAB keys may be in
memory at a given time.
3 years ago
Herman Slatman
30859d3c83
Remove server-side paging logic for ExternalAccountKeys
3 years ago
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
3 years ago
Herman Slatman
11a7f01177
Simplify lookup cursor logic for ExternalAccountKeys
3 years ago
Herman Slatman
22ff90f655
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
a5f2f004e3
Change name of IP Common Name test for clarity
3 years ago
Herman Slatman
f9ae875f9d
Use short if-style statements
3 years ago
Herman Slatman
80bebda69c
Fix code style issue
3 years ago
Herman Slatman
bc0875bd7b
Disallow email address and URLs in the CSR
...
Before this commit `step` would allow email addresses and URLs
in the CSR. This doesn't fit nicely with the rest of ACME, in which
identifiers need to be authorized before a certificate is issued.
3 years ago
Herman Slatman
13a31fd862
Merge branch 'master' into herman/ip-sans-improvements
3 years ago
Herman Slatman
ca707cbe05
Fix linting
3 years ago
Herman Slatman
a5d33512fe
Fix test
3 years ago
Herman Slatman
a2c9b5cd7e
Allow IP identifiers in subject, including authorization enforcement
...
To support IPs in the subject using `step-cli`, this PR ensures that
Subject Common Names that can be parsed as an IP are also checked
to have been authorized before.
The PR for `step-cli` is here: github.com/smallstep/cli/pull/576.
3 years ago
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
63371a8fb6
Add additional tests for ACME EAB Admin
3 years ago
Herman Slatman
0524122191
Remove authorization flow for different Account private keys
...
As discussed in https://github.com/smallstep/certificates/issues/767 ,
we opted for not including this authorization flow to prevent users
from getting OOMs. We can add the functionality back when the
underlying data store can provide access to a long list of
Authorizations more efficiently, for example when a callback is
implemented.
3 years ago
Herman Slatman
2215a05c28
Add tests for ACME EAB Admin
...
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.
At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
3 years ago
Herman Slatman
9885d42711
Fix linting issues
3 years ago
Herman Slatman
6e11657204
Refactor creation of (raw) EAB JWS contents
3 years ago
Herman Slatman
23898e9b76
Improve EAB JWS validation and increase test coverage
3 years ago
Herman Slatman
d0c23973cc
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
004fc054d5
Fix PR comments
3 years ago
Herman Slatman
06bb97c91e
Add logic for Account authorizations and improve tests
3 years ago
Herman Slatman
bae1d256ee
Improve tests for JWK vs. KID revoke auth flow
...
The logic for both test cases is fairly similar, but with some
small differences. Made those clearer by means of some comments.
Also added some comments to the middleware logic that decided
whether to extract JWK or lookup by KID.
3 years ago
Herman Slatman
a7fbbc4748
Add tests for GetCertificateBySerial
3 years ago
Herman Slatman
4d01cf8135
Increase test code coverage
3 years ago
Herman Slatman
2d357da99b
Add tests for ACME revocation
3 years ago
Herman Slatman
ed295ca15d
Fix linting issue
3 years ago
Herman Slatman
2d50c96d99
Merge branch 'master' into hs/acme-revocation
3 years ago
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
3 years ago
Herman Slatman
29f9730485
Satisfy golangci-lint
3 years ago
Herman Slatman
c7a9c13060
Add tests for extractOrLookupJWK middleware
3 years ago
Herman Slatman
3151255a25
Merge branch 'master' into hs/acme-revocation
3 years ago
Herman Slatman
4d726d6b4c
Add pagination to ACME EAB credentials endpoint
3 years ago
Herman Slatman
d354d55e7f
Improve handling duplicate ACME EAB references
3 years ago
Herman Slatman
dd4b4b0435
Fix remaining gocritic remarks
3 years ago
Herman Slatman
a4660f73fa
Fix some of the gocritic remarks
3 years ago
Herman Slatman
e0b495e4c8
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
c26041f835
Add ACME EAB nosql tests
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Herman Slatman
0afea2e957
Improve tests for already bound EAB keys
3 years ago
Herman Slatman
c2bc1351c6
Add provisioner to remove endpoint and clear reference index on delete
3 years ago
Herman Slatman
746c5c9fd9
Disallow creation of EAB keys with non-unique references
3 years ago
Herman Slatman
9c0020352b
Add lookup by reference and make reference optional
3 years ago
Herman Slatman
02cd3b6b3b
Fix PR comments
3 years ago
Herman Slatman
f11c0cdc0c
Add endpoint for listing ACME EAB keys
3 years ago
Herman Slatman
a1afbce50c
Check EAB key exists before deleting it
3 years ago
Herman Slatman
9d09f5e575
Add support for deleting ACME EAB keys
3 years ago
Herman Slatman
a98fe03e80
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
1dba8698e3
Use LinkedCA.EABKey type in ACME EAB API
3 years ago
Mariano Cano
470b546d59
Merge pull request #557 from joejulian/http01-isv
...
use InsecureSkipVerify for validation
3 years ago
max furman
a3028bbc0e
Add test for updateAddOrderIDs
3 years ago
Mariano Cano
dc5205cc72
Extract the tls error code and fail accordingly.
3 years ago
Mariano Cano
ae58a0ee4e
Make tests compatible with Go 1.17.
...
With Go 1.17 tls.Dial will fail if the client and server configured
protocols do not overlap. See https://golang.org/doc/go1.17#ALPN
3 years ago
Herman Slatman
f31ca4f6a4
Add tests for validateExternalAccountBinding
3 years ago
Herman Slatman
492256f2d7
Add first test cases for EAB and make provisioner unique per EAB
...
Before this commit, EAB keys could be used CA-wide, meaning that
an EAB credential could be used at any ACME provisioner. This
commit changes that behavior, so that EAB credentials are now
intended to be used with a specific ACME provisioner. I think
that makes sense, because from the perspective of an ACME client
the provisioner is like a distinct CA.
Besides that this commit also includes the first tests for EAB.
The logic for creating the EAB JWS as a client has been taken
from github.com/mholt/acmez. This logic may be moved or otherwise
sourced (i.e. from a vendor) as soon as the step client also
(needs to) support(s) EAB with ACME.
3 years ago
Herman Slatman
c6bfc6eac2
Fix PR comments
3 years ago
Herman Slatman
d669f3cb14
Fix misspelling
3 years ago
Herman Slatman
540d5fbbdc
Fix marshaling -> marshalling
3 years ago
Herman Slatman
2110c7722f
Fix JWK payload key equality check
3 years ago
Herman Slatman
d44cd18b96
Add External Accounting Binding key "BoundAt" marking
3 years ago
Herman Slatman
f81d49d963
Add first working version of External Account Binding
3 years ago
Herman Slatman
258efca0fa
Improve revocation authorization
3 years ago
Herman Slatman
97165f1844
Fix test mocking for CreateCertificate
3 years ago
Herman Slatman
2b15230aa4
Add Serial to Cert ID ACME table and lookup
3 years ago
Herman Slatman
8f7e700f09
Merge branch 'master' into hs/acme-revocation
3 years ago
max furman
857a50434c
Merge branch 'master' into max/cert-mgr-crud
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Herman Slatman
16fe07d4dc
Fix mockSignAuth
3 years ago
Herman Slatman
0e56932e76
Add support for revocation using JWK
3 years ago
Herman Slatman
84e7d468f2
Improve handling of ACME revocation
3 years ago
Herman Slatman
d53bcaf830
Add base logic for ACME revoke-cert
3 years ago
Herman Slatman
8e4a4ecc1f
Refactor tests for sans
3 years ago
Herman Slatman
87b72afa25
Fix IP equality check and add more tests
3 years ago
Herman Slatman
a6d33b7d06
Add tests for sans()
3 years ago
Herman Slatman
64c15fde7e
Add tests for canonicalize function
3 years ago
Herman Slatman
c514a187b2
Fix Fail() -_-b
3 years ago
Herman Slatman
135e912ac8
Improve coverage for TLS-ALPN-01 challenge
3 years ago
Herman Slatman
218a2adb9f
Add tests for IP Order validations
3 years ago
Herman Slatman
523ae96749
Change identifier and challenge types to consts
3 years ago
Herman Slatman
84ea8bd67a
Fix PR comments
3 years ago
Herman Slatman
af4803b8b8
Fix tests
3 years ago
Herman Slatman
0c79914d0d
Improve check for single IP in TLS-ALPN-01 challenge
3 years ago
Herman Slatman
a6405e98a9
Remove fmt.
3 years ago
Herman Slatman
2f40011da8
Add support for TLS-ALPN-01 challenge
3 years ago
Herman Slatman
76dcf542d4
Fix mixed DNS and IP SANs in Order
3 years ago
Herman Slatman
af615db6b5
Support DNS and IPs as SANs in single Order
3 years ago
Herman Slatman
a0e92f8e99
Verify IP identifier contains valid IP
3 years ago
Herman Slatman
6486e6016b
Make logic for which challenge types to use clearer
3 years ago
Herman Slatman
3e36522329
Add preliminary support for TLS-ALPN-01 challenge for IP identifiers
3 years ago
Herman Slatman
6d9710c88d
Add initial support for ACME IP validation
3 years ago
max furman
7b5d6968a5
first commit
3 years ago
Joe Julian
0369151bfa
use InsecureSkipVerify for validation
...
The server will not yet have a valid certificate so we need to disable
certificate validation in the HTTPGetter.
4 years ago
Mariano Cano
2e1524ec2f
Remove the creation on nonce on get acme directory.
...
According to RFC 8555, the replay nonces are only required in POST
requests. And of course in the new-nonce request.
4 years ago
max furman
93c3c2bf2e
Error handle non existent provisioner downstream and disable debug route logging
4 years ago
max furman
497ec0c79b
Fix linter issues
4 years ago
max furman
b1888fd34d
Use different method for unescpaed paths for the router
4 years ago
max furman
6cfb9b790c
Remove check of deprecated value
...
- NegotiatedProtocolIsMutual is always true: Deprecated according to
golang docs
4 years ago
max furman
63ec2e35b0
Change Clock to empty struct in nosql/nosql | truncate > round
...
- saves space
-
4 years ago
max furman
672e3f976e
Few ACME fixes ...
...
- always URL escape linker output
- validateJWS should accept RSAPSS
- GetUpdateAccount -> GetOrUpdateAccount
4 years ago
max furman
2e0e62bc4c
add WriteError method for acme api
4 years ago
max furman
9aef84b9af
remove unused nonce.clone method
4 years ago
max furman
440678cb62
Add markInvalid arg to storeError for invalidating challenge
4 years ago
max furman
6b8585c702
PR review fixes / updates
4 years ago
max furman
bdace1e53f
Add failure scenarios to db.CreateOrder unit tests
4 years ago
max furman
fd447c5b54
Fix small nbf->naf bug in db.CreateOrder
...
- still needs unit test
4 years ago
max furman
a785131d09
Fix lint issues
4 years ago
max furman
80c8567d99
change errnotfound type for getAccount
...
- more generalized NotFound type rather than the nosql
one we were using
- if the error is not recognized then the logic in create account will
break.
4 years ago
max furman
1831920363
Finish order unit tests and remove unused mocklinker
4 years ago
max furman
b6ebc0fd25
more unit tests
4 years ago
max furman
df05340521
fixing broken unit tests
4 years ago
max furman
bdf4c0f836
add acme order unit tests
4 years ago
max furman
c0a9f24798
add authorization and order unit tests
4 years ago
max furman
a58466589f
add tls-alpn-01 validate unit tests
4 years ago
max furman
a8e4bbf715
start Validate unit tests
4 years ago
max furman
1fb0f1d7d9
add storeError unit tests
4 years ago
max furman
8b4a5a6d8b
add unit tests for dns01 validate
4 years ago
max furman
3612a0b990
gethttp01 validate unit tests working
4 years ago
max furman
7f9ffbd514
adding more acme nosql unit tests
4 years ago
max furman
88e6f00347
nosql account db unit tests
4 years ago
max furman
ce13d09dcb
add `at` to time attributes in dbAccount
4 years ago
max furman
f72b2ff2c2
[acme db interface] nosql authz unit tests
4 years ago
max furman
206909b12e
[acme db interface] unit tests for challenge nosql db
4 years ago
max furman
4b1dda5bb6
[acme db interface] tests
4 years ago
max furman
074ab7b221
[acme db interface] add linker tests
4 years ago
max furman
8d2ebcfd49
[acme db interface] more unit tests
4 years ago
max furman
20b9785d20
[acme db interface] continuing unit test work
4 years ago
max furman
291fd5d45a
[acme db interface] more unit tests
4 years ago
max furman
f71e27e787
[acme db interface] unit test progress
4 years ago
max furman
bb8d54e596
[acme db interface] unit tests compiling
4 years ago
max furman
f20fcae80e
[acme db interface] wip unit test fixing
4 years ago
max furman
fc395f4d69
[acme db interface] compiles!
4 years ago
max furman
116869ebc5
[acme db interface] wip
4 years ago
max furman
80a6640103
[acme db interface] wip
4 years ago
max furman
491c188a5e
[acme db interface] wip
4 years ago
max furman
1135ae04fc
[acme db interface] wip
4 years ago
max furman
03ba229bcb
[acme db interface] wip more errors
4 years ago
max furman
2ae43ef2dc
[acme db interface] wip errors
4 years ago
max furman
121cc34cca
[acme db interface] wip
4 years ago
max furman
461bad3fef
[acme db interface] wip
4 years ago
max furman
0368957e79
[acmedb] (wip)
4 years ago
max furman
31ad7f2e9b
[acme] Continued work on acme db interface (wip)
4 years ago
max furman
34859551ef
Add new directory structure
4 years ago
max furman
088432150d
Beginnings of acmeDB interface
4 years ago
max furman
265d49dbf8
Remove debug statement
4 years ago
max furman
1f9aa65d66
Add test case
4 years ago
max furman
20f8d950c4
Fix broken ValidateChallenge test
4 years ago
max furman
4c48048615
Use sync.Mutex as value
4 years ago
max furman
272cce522e
Fix test and change method name
4 years ago
max furman
f34fb80eb6
[acme] Use lock for ordersByAccID and type to house methods
4 years ago
Mariano Cano
c94a1c51be
Merge branch 'master' into ssh-cert-templates
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
4 years ago
Mariano Cano
aaaa7e9b4e
Merge branch 'master' into cert-templates
4 years ago
max furman
55bf5a4526
Add cert logging for acme/certificate api
4 years ago
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
4 years ago
Mariano Cano
f1773489fc
Fix comment.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
Mariano Cano
0c8376a7f6
Fix existing unit tests.
4 years ago
Mariano Cano
a7fe0104c4
Remove ACME restrictions and add proper template support.
4 years ago
max furman
d25e7f64c2
wip
4 years ago
max furman
1951669e13
wip
4 years ago
max furman
41a1a053d8
Always convert empty list to nil when saving orderIDs index.
4 years ago
max furman
704a510a2a
Remove non-pending orders from the acme_orders_by_account index ...
...
- Each acme account has an index in this table. Before this change, the
index would grow unchecked as orders accumulate. This change removes
orders that have moved out of the 'PENDING' state.
4 years ago
David Cowden
a26b5f322d
acme/api: Brush up documentation on key-change
...
Add more specific wording describing what a 501 means and add more color
explaining how official vs unofficial error types should be handled.
4 years ago