Herman Slatman
2320d0911e
Add sync.WaitGroup for proper error handling in Run()
4 years ago
Herman Slatman
b815478981
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
4 years ago
Herman Slatman
c5e4ea08b3
Merge branch 'master' into hs/scep
4 years ago
Herman Slatman
b97f024f8a
Remove superfluous call to StoreCertificate
4 years ago
Mariano Cano
8c8c160c92
Fix method name in comment.
4 years ago
Mariano Cano
bdeb0ccd7c
Add support for the flag --issuer-password-file
...
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
4 years ago
Herman Slatman
583d60dc0d
Address (most) PR comments
4 years ago
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority
4 years ago
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
4 years ago
Herman Slatman
2d21b09d41
Remove some duplicate and unnecessary logic
4 years ago
Herman Slatman
3a5f633cdd
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
4 years ago
Herman Slatman
7948f65ac0
Merge branch 'master' into hs/scep
4 years ago
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority
4 years ago
Mariano Cano
5be86691c1
Fix unit tests in Go 1.16.
4 years ago
Herman Slatman
78d78580b2
Add note about using a second (unsecured) server
4 years ago
Herman Slatman
9e43dc85d8
Merge branch 'master' into hs/scep-master
4 years ago
Herman Slatman
713b571d7a
Refactor SCEP authority initialization and clean some code
4 years ago
Herman Slatman
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP
4 years ago
Mariano Cano
b487edbd13
Clarify comment.
4 years ago
Mariano Cano
fbd2208044
Close key manager for safe reloads when a cgo module is used.
4 years ago
Mariano Cano
40d0596b71
Use smallstep/cli-utils instead of smallstep/cli
4 years ago
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
4 years ago
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
4 years ago
Mariano Cano
533ad0ca20
Use always go.step.sm/crypto/x509util
4 years ago
Mariano Cano
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
4 years ago
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
4 years ago
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
4 years ago
Mariano Cano
44207523be
Add missing tests.
4 years ago
Mariano Cano
0c8376a7f6
Fix existing unit tests.
4 years ago
max furman
1951669e13
wip
4 years ago
max furman
6e69f99310
Always set nbf and naf for new ACME orders ...
...
- Use the default value from the ACME provisioner if values are not
defined in the request.
4 years ago
Mariano Cano
9f1d95d8bf
Fix renew of certificate at the start of the server.
4 years ago
Mariano Cano
1d7ab9145a
Avoid lint error.
5 years ago
Mariano Cano
0b62ce9d0e
Use go 1.13 to build certificates.
5 years ago
max furman
495e60a44b
Extraneous fmt.Sprintf
5 years ago
Mariano Cano
349bca06bb
Fix line error due to deprecated DialTLS.
5 years ago
Mariano Cano
f5d2f92099
Load identity certificate from disk in each connection.
5 years ago
Ivan Bertona
9052da66a3
Fix linter, tidy go.mod file.
5 years ago
Mariano Cano
3d6a18180e
Fix a couple of race conditions in the renewal of certificates.
5 years ago
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
5 years ago
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
5 years ago
Mariano Cano
a025f72af7
Disable backdata on ca tests.
5 years ago
Mariano Cano
a88ba8eb31
Use errs package for HTTP errors.
5 years ago
Mariano Cano
47f4ac1b53
Add method to just write the identity certificate.
5 years ago
Mariano Cano
14e59775bd
Add method to renew the identity.
5 years ago
max furman
9aafe265d0
Should be returning nil from applyIdentity if cert expired.
5 years ago
max furman
b9f6aacb0f
Move api errors to their own package and modify the typedef
5 years ago
Mariano Cano
65b4dda420
Add wrappers to identity methods in the ca package.
5 years ago
Mariano Cano
524c221c61
Add mTLS test for identity client.
5 years ago
Mariano Cano
25144539f8
Improve identity tests.
5 years ago