Mariano Cano
c7f226bcec
Add support for renew when using stepcas
It supports renewing X.509 certificates when an RA is configured with stepcas.
This will only work when the renewal uses a token, and it won't work with mTLS.
The audience cannot be properly verified when an RA is used; to avoid this, we
will look up in the database whether an RA was used to issue the initial certificate,
and we will accept the renew token.
Fixes #1021 for stepcas
2 years ago
Mariano Cano
2d582e5694
Remove use of time.Duration.Abs
time.Duration.Abs() was added in Go 1.19
2 years ago
Mariano Cano
51c7f56030
Truncate time to the second
2 years ago
Mariano Cano
59775fff0c
Merge branch 'master' into crl-support
2 years ago
Mariano Cano
8200d19894
Improve CRL implementation
This commit adds some changes to PR #731; some of them are:
- Add distribution point to the CRL
- Properly stop the goroutine that generates the CRLs
- CRL config validation
- Remove expired certificates from the CRL
- Require enable set to true to generate a CRL
This last point is the principal change in behaviour from the previous
implementation. The CRL will not be generated if it's not enabled, and
if it is enabled it will always be regenerated at some point, not only
if there is a revocation.
2 years ago
Mariano Cano
aefdfc7be7
Use RawSubject on renew and rekey
Renew was not replicating the subject exactly, because extra names
get decoded into pkix.Name.Names, and the non-default ones should be
added to pkix.Name.ExtraNames. Instead of doing that, this commit
sets the RawSubject, which will also keep the order.
Fixes #1106
2 years ago
Raal Goff
f7df865687
refactor crl config, add some tests
2 years ago
Mariano Cano
bd1938b0da
Add support for storing or sending attestation data to linkedca
2 years ago
Raal Goff
d0e81af524
Merge branch 'master' into crl-support
2 years ago
Andrew Reed
7101fbb0ee
Provisioner webhooks (#1001)
2 years ago
Mariano Cano
c9e7af3722
Use only name constraints in GetTLSCertificate
2 years ago
Mariano Cano
2eba5326db
Remove policy validation on renew
2 years ago
Mariano Cano
d68c765e20
Add context to errors
2 years ago
Mariano Cano
72e2c4eb2e
Render proper policy and constraints errors
2 years ago
Mariano Cano
4b79405dac
Check constraints and policy for leaf certificates too
2 years ago
Mariano Cano
325d8bca4f
Merge branch 'master' into name-constraints
2 years ago
Mariano Cano
debe565e42
Validate constraints on Sign and Renew/Rekey
Fixes #1060
2 years ago
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2 years ago
Mariano Cano
34c6c65671
Pass attestation information to the Sign method
Attestation information might be useful in authorizing webhooks
2 years ago
Raal Goff
40baf73dff
remove incorrect check on revoked certificate dates, add mutex lock for generating CRLs
2 years ago
Raal Goff
924082bb49
fix linter errors
2 years ago
Raal Goff
d2483f3a70
Merge branch 'master' into crl-support
# Conflicts:
# authority/config/config.go
2 years ago
Mariano Cano
8bd0174251
Rename field to IsCAServerCert
2 years ago
Mariano Cano
5df1694250
Add endpoint id for the RA certificate
In a linked RA mode, send an endpoint id to group the server
certificates.
2 years ago
Mariano Cano
eb091aec54
Simplify field names for ProvisionerInfo
2 years ago
Mariano Cano
6b5d3dca95
Add provisioner name to RA info
2 years ago
Mariano Cano
f9df8ac05f
Remove unused interface
2 years ago
Mariano Cano
9408d0f24b
Send RA provisioner information to the CA
2 years ago
Raal Goff
60671b07d7
Merge branch 'master' into crl-support
# Conflicts:
# api/api.go
# authority/config/config.go
# cas/softcas/softcas.go
# db/db.go
2 years ago
Mariano Cano
ce9a23a0f7
Fix SSH certificate revocation
2 years ago
Mariano Cano
c8d7ad7ab9
Fix store certificates methods with new interface
2 years ago
Herman Slatman
6e1f8dd7ab
Refactor policy engines into container
2 years ago
Herman Slatman
76112c2da1
Improve error creation and testing for core policy engine
2 years ago
Herman Slatman
3fa96ebf13
Improve policy errors returned to client
2 years ago
Herman Slatman
ad2de16299
Merge branch 'master' into herman/allow-deny
2 years ago
Mariano Cano
fe9c3cf753
Merge branch 'master' into ahmet2mir-feat/vault
3 years ago
Herman Slatman
abcad679ff
Merge branch 'master' into herman/allow-deny
3 years ago
Mariano Cano
ea5f7f2acc
Fix SANs for step-ca certificate
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
3 years ago
Mariano Cano
37b521ec6c
Merge branch 'master' into feat/vault
3 years ago
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny
3 years ago
Mariano Cano
db337debcd
Load provisioner from the database instead of the extension.
3 years ago
Raal Goff
49c41636cc
implemented some requested changes
3 years ago
Raal Goff
53dbe2309b
implemented some requested changes
3 years ago
Raal Goff
a607ab189a
requested changes
3 years ago
Raal Goff
d417ce3232
implement changes from review
3 years ago
Raal Goff
668cb6f39c
missed some mentions of PEM when changing the returned format to DER regarding CRL generation
3 years ago
Raal Goff
7d024cc4cb
change GenerateCertificateRevocationList to return DER, store DER in db instead of PEM, nicer PEM encoding of CRL, add Mock stubs
3 years ago
Raal Goff
e8fdb703c9
initial support for CRL
3 years ago
Herman Slatman
571b21abbc
Fix (most) PR comments
3 years ago
Herman Slatman
b49307f326
Fix ACME order tests with mock ACME CA
3 years ago