Commit Graph

19 Commits

Author SHA1 Message Date
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
7948f65ac0
Merge branch 'master' into hs/scep 2021-02-26 00:41:33 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority 2021-02-26 00:32:21 +01:00
Mariano Cano
163eb7029c Refactor cloudkms signer to return an error on the constructor. 2021-02-19 15:36:55 -08:00
Mariano Cano
cae08bff80 Validate that the signer can get the public key. 2021-02-19 11:28:35 -08:00
Mariano Cano
4c562160fc Fix typo. 2021-02-16 14:52:55 -08:00
Mariano Cano
a947779795 Add uri support initializing cloudkms. 2021-02-16 13:11:47 -08:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
63e36ecd7a Refactor the initialization of KeyManagers. 2020-05-11 18:47:22 -07:00
Mariano Cano
1138cc4207 Retry CloudKMS GetPublicKey.
On HSM keys are not generated instantly and the GetPublicKey fails
with a FailedPrecondition error. This change will retry GetPublicKey
if this happens.
2020-02-21 12:36:29 -08:00
Mariano Cano
b11bbd5728 Fix typo. 2020-02-13 18:34:43 -08:00
Mariano Cano
cff346e7fd Skip test on travis, it won't fail because they have access to the KMS. 2020-02-13 15:49:16 -08:00
Mariano Cano
fa8116497c Make Signer public and add contructor NewCloudKMS. 2020-01-21 19:09:21 -08:00
Mariano Cano
5d5ee68d88 Make GCP client public to facilitate extensibility. 2020-01-21 12:50:21 -08:00
Mariano Cano
dff498f17f Add tests for cloudkms. 2020-01-15 19:32:26 -08:00
Mariano Cano
a773977a81 Fix interface change. 2020-01-15 17:29:34 -08:00
Mariano Cano
927a3b3a86 Return crypto.PublicKey on kms.GetPublicKey. 2020-01-15 17:27:21 -08:00
Mariano Cano
e60beeb7fc Make cloudkms more robust.
* Automatically create key rings if needed.
* User CryptoKeyVersions if needed.
* Add support to close the client.
* Add new pareters to CreateKey responses to make things easier.
2020-01-14 18:43:39 -08:00
Mariano Cano
d13754166a Add support for cloudkms and softkms. 2020-01-09 18:41:13 -08:00