smallstep-certificates

mirror of https://github.com/smallstep/certificates.git synced 2024-11-03 23:15:28 +00:00

Author	SHA1	Message	Date
Mariano Cano	a2749ca8ed	Merge branch 'master' into device-attestation	2022-09-06 12:29:06 -07:00
Raal Goff	7a03c43fe2	allow missing Email claim in OIDC tokens, use subject when its missing	2022-09-05 12:43:32 +08:00
Mariano Cano	1938b1bb34	Merge branch 'master' into herman/fix-template-validation	2022-08-25 13:31:33 -07:00
Mariano Cano	1d1e024b84	Upgrade to go.step.sm/crypto v0.18.0	2022-08-25 12:40:31 -07:00
Mariano Cano	f1c63bc38d	Fix challenge mapping	2022-08-24 19:30:28 -07:00
Mariano Cano	df96b126dc	Add AuthorizeChallenge unit tests	2022-08-24 12:31:09 -07:00
Mariano Cano	bca311b05e	Add acme property to enable challenges Fixes #1027	2022-08-23 17:11:40 -07:00
Herman Slatman	6b7b989988	Add provisioner template validation Fixes #1012	2022-08-23 16:27:49 +02:00
Mariano Cano	693dc39481	Merge branch 'master' into device-attestation	2022-08-22 17:59:17 -07:00
Mariano Cano	b1e9d5ee86	Revert "Run on plaintext HTTP to support Cloud Run" This reverts commit `09b9673a60`.	2022-08-22 17:50:14 -07:00
Mariano Cano	23b8f45b37	Address gosec warnings Most if not all false positives	2022-08-18 17:46:20 -07:00
Mariano Cano	0c7467ceb2	Allow to automatically configure and linked RA	2022-08-16 14:39:02 -07:00
Mariano Cano	5e0be92273	Allow option to skip the validation of config	2022-08-16 14:04:04 -07:00
Mariano Cano	b62f4d1000	Add lgtm comments on some security warnings	2022-08-11 17:32:57 -07:00
Mariano Cano	a5439c43cd	Remove ciphersuites without Lucky13 countermeasures SHA-256 variants of the CBC ciphersuites don't implement any Lucky13 countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and https://www.imperialviolet.org/2013/02/04/luckythirteen.html.	2022-08-11 17:11:04 -07:00
Mariano Cano	8bd0174251	Rename field to IsCAServerCert	2022-08-11 15:14:26 -07:00
Mariano Cano	5df1694250	Add endpoint id for the RA certificate In a linked RA mode, send an endpoint id to group the server certificates.	2022-08-11 14:47:11 -07:00
Mariano Cano	eb091aec54	Simplify field names for ProvisionerInfo	2022-08-10 17:44:14 -07:00
Mariano Cano	21427d5d65	Replace instead of prepend provisioner extension With non standard SANs this will generate the SAN and provisioner extension in the same order.	2022-08-09 16:48:00 -07:00
Mariano Cano	369b8f81c3	Use go.step.sm/crypto/kms Fixes #975	2022-08-08 17:58:18 -07:00
Mariano Cano	e02a190fa7	Merge branch 'master' into device-attestation	2022-08-08 17:29:59 -07:00
Max	3e2729e391	Merge pull request #989 from smallstep/max/disable-ssh-hosts Add attribute to disable SSH Hosts list API	2022-08-08 14:15:35 -07:00
max furman	99c9155467	disableSSHHostsListAPI -> disableGetSSHHosts	2022-08-04 18:44:44 -07:00
Mariano Cano	64744562c6	Send RA provisioner to linkedca.	2022-08-03 18:44:25 -07:00
Mariano Cano	6b5d3dca95	Add provisioner name to RA info	2022-08-03 18:44:04 -07:00
Mariano Cano	a1f54921d2	Rename internal field	2022-08-03 12:07:45 -07:00
Mariano Cano	f9df8ac05f	Remove unused interface	2022-08-03 12:03:49 -07:00
Mariano Cano	9408d0f24b	Send RA provisioner information to the CA	2022-08-02 19:28:49 -07:00
max furman	fb7f57a8df	Add attribute to disable SSH Hosts list API	2022-07-27 23:30:00 -07:00
Raal Goff	60671b07d7	Merge branch 'master' into crl-support # Conflicts: # api/api.go # authority/config/config.go # cas/softcas/softcas.go # db/db.go	2022-07-13 08:52:58 +08:00
Brandon Weeks	09b9673a60	Run on plaintext HTTP to support Cloud Run	2022-06-23 05:19:36 +10:00
Shulhan	fe04f93d7f	all: reformat all go files with the next gofmt (Go 1.19) There are some changes that manually edited, for example using '-' as default list and grouping imports.	2022-06-16 01:28:59 +07:00
Mariano Cano	9c049eec5a	Add revoke ssh unit test	2022-05-25 17:10:07 -07:00
Mariano Cano	ce9a23a0f7	Fix SSH certificate revocation	2022-05-25 16:55:22 -07:00
Mariano Cano	911cec21da	Merge pull request #943 from smallstep/ssh-renew-provisioner Add provisioner to SSH renewals	2022-05-23 17:21:55 -07:00
Mariano Cano	94f5b92513	Use proper context in authority package	2022-05-23 15:31:43 -07:00
Mariano Cano	1be74eca62	Merge branch 'master' into ssh-renew-provisioner	2022-05-23 14:31:15 -07:00
Mariano Cano	26dd97e718	Merge branch 'master' into context-authority	2022-05-23 12:36:16 -07:00
Mariano Cano	6b3a8f22f3	Add provisioner to SSH renewals This commit allows to report the provisioner to the linkedca when a SSH certificate is renewed.	2022-05-20 14:41:44 -07:00
Mariano Cano	3c4d0412ef	Merge pull request #941 from smallstep/ssh-provisioner Report SSH provisioner	2022-05-20 12:24:30 -07:00
Max	f8148071fb	Merge pull request #915 from smallstep/max/removing-beta exposing authority configuration for provisioner cli commands	2022-05-19 22:53:59 -07:00
max furman	5443aa073a	gofmt -s	2022-05-19 22:46:25 -07:00
Max	586e4fd3b5	Update authority/options.go Co-authored-by: Mariano Cano <mariano@smallstep.com>	2022-05-19 22:26:20 -07:00
Mariano Cano	dd985ce154	Clarify errors when sending renewed certificates	2022-05-19 18:41:13 -07:00
Mariano Cano	a627f21440	Fix AuthorizeSSHSign tests with extra SignOption	2022-05-18 18:51:36 -07:00
Mariano Cano	e7d7eb1a94	Add provisioner as a signOption for SSH	2022-05-18 18:42:42 -07:00
Mariano Cano	293586079a	Store provisioner with SignSSH This change also allows to store the old certificate on renewal on linkedca or if the db interface supports it.	2022-05-18 18:33:53 -07:00
Mariano Cano	c8d7ad7ab9	Fix store certificates methods with new interface	2022-05-18 18:33:22 -07:00
Mariano Cano	de99c3cac0	Report provisioner and parent on linkedca	2022-05-18 18:30:53 -07:00
Herman Slatman	479eda7339	Improve error message when client renews with expired certificate When a client provides an expired certificate and `AllowAfterExpiry` is not enabled, the client would get a rather generic error with instructions to view the CA logs. Viewing the CA logs can be done when running `step-ca`, but they can't be accessed easily in the hosted solution. This commit returns a slightly more informational message to the client in this specific situation.	2022-05-19 01:25:30 +02:00
max furman	bfb406bf70	Fixes for PR review	2022-05-18 09:43:32 -07:00
Mariano Cano	898ca41268	Merge branch 'master' into context-authority	2022-05-12 17:14:46 -07:00
Herman Slatman	c695b23e24	Fix check for admin not belonging to policy	2022-05-12 16:33:32 +02:00
max furman	25b8d196d8	Couple changes in response to PR - add skipInit option to skip authority initialization - check admin API status when removing provisioners - no need to check admins when not using Admin API	2022-05-11 17:04:43 -07:00
Mariano Cano	8942422973	Add GetID() and add authority to initial context	2022-05-10 16:51:09 -07:00
Mariano Cano	1e03bbb1af	Change types in the ACMEAdminResponder	2022-05-06 14:11:10 -07:00
Mariano Cano	f639bfc53b	Use contexts on the new PolicyAdminResponder	2022-05-06 14:05:08 -07:00
Mariano Cano	d461918eb0	Merge branch 'master' into context-authority	2022-05-06 13:21:41 -07:00
Herman Slatman	0f4ffa504a	Fix linting issues	2022-05-06 13:23:09 +02:00
Herman Slatman	7104299119	Add full policy validation in API	2022-05-06 13:12:13 +02:00
Herman Slatman	105211392c	Don't rely on linkedca model stability in API response bodies	2022-05-05 14:10:52 +02:00
Herman Slatman	5e9bce508d	Unexport GetPolicy()	2022-05-05 12:32:53 +02:00
Herman Slatman	60d8b22d89	Change context retrievers to MustTFromContext	2022-05-05 11:05:57 +02:00
Mariano Cano	43ddcf2efe	Do not use deprecated AuthorizeSign	2022-05-04 17:35:34 -07:00
Mariano Cano	9147356d8a	Fix linter errors	2022-05-02 18:47:47 -07:00
Mariano Cano	a8a4261980	Fix authority/admin/api tests	2022-05-02 18:39:03 -07:00
Herman Slatman	77893ea55c	Change authority policy to use dbPolicy model	2022-05-02 15:55:26 +02:00
max furman	4cb74e7d8b	fix linter warnings	2022-04-30 13:08:28 -07:00
Herman Slatman	d82e51b748	Update AllowWildcardNames configuration name	2022-04-29 15:08:19 +02:00
Herman Slatman	2b7f6931f3	Change Subject Common Name verification Subject Common Names can now also be configured to be allowed or denied, similar to SANs. When a Subject Common Name is not explicitly allowed or denied, its type will be determined and its value will be validated according to the constraints for that type of name (i.e. URI).	2022-04-28 14:49:23 +02:00
Mariano Cano	00f181dec3	Use contexts in admin api handlers	2022-04-27 11:59:32 -07:00
Mariano Cano	623c296555	Create context methods from admin database	2022-04-27 11:58:52 -07:00
Mariano Cano	48e2fabeb8	Add authority.MustFromContext	2022-04-27 11:38:06 -07:00
Mariano Cano	9628fa3562	Add methods to store and retrieve an authority from the context.	2022-04-26 12:54:54 -07:00
Herman Slatman	bddd08d4b0	Remove "proto:" prefix from bad proto JSON messages	2022-04-26 14:01:16 +02:00
Herman Slatman	6e1f8dd7ab	Refactor policy engines into container	2022-04-26 13:12:16 +02:00
Herman Slatman	2a7620641f	Fix more PR comments	2022-04-26 10:15:17 +02:00
Herman Slatman	76112c2da1	Improve error creation and testing for core policy engine	2022-04-26 01:47:07 +02:00
max furman	b91affdd34	exposing authority configuration for provisioner cli commands	2022-04-25 10:23:07 -07:00
Herman Slatman	20f5d12b99	Improve test rigour for reloadPolicyEngines	2022-04-25 11:02:03 +02:00
Herman Slatman	6264e8495c	Improve policy error handling code coverage	2022-04-24 16:29:31 +02:00
Herman Slatman	3fa96ebf13	Improve policy errors returned to client	2022-04-24 13:11:32 +02:00
Herman Slatman	c40a4d2694	Contain policy engines inside provisioner Controller	2022-04-22 01:20:38 +02:00
Herman Slatman	ef110a94df	Change pointer booleans to regular boolean configuration	2022-04-21 23:45:05 +02:00
Herman Slatman	e9f5a1eb98	Improve policy bad request handling	2022-04-21 17:16:02 +02:00
Herman Slatman	b72430f4ea	Block all APIs when using linked deployment mode	2022-04-21 16:18:55 +02:00
Herman Slatman	fb81407d6f	Fix ACME policy comments	2022-04-21 13:21:06 +02:00
Herman Slatman	a2cfbe3d54	Fix (part of) PR comments	2022-04-21 12:14:03 +02:00
Herman Slatman	3eecc4f7bb	Improve test coverage for reloadPolicyEngines	2022-04-19 17:10:13 +02:00
Herman Slatman	72bbe53376	Add additional policy options	2022-04-19 14:41:36 +02:00
Herman Slatman	9a21208f22	Add deduplication of policy configuration values	2022-04-19 13:21:37 +02:00
Herman Slatman	f2f9cb899e	Add conditional defaults to policy protobuf request bodies	2022-04-19 12:09:45 +02:00
Herman Slatman	647538e9e8	Merge branch 'herman/allow-deny' into herman/allow-deny-options	2022-04-19 10:32:16 +02:00
Herman Slatman	ad2de16299	Merge branch 'master' into herman/allow-deny	2022-04-19 10:26:31 +02:00
Herman Slatman	7f9034d22a	Add additional policy options	2022-04-19 10:24:52 +02:00
Mariano Cano	fe9c3cf753	Merge branch 'master' into ahmet2mir-feat/vault	2022-04-18 15:35:26 -07:00
Herman Slatman	def9438ad6	Improve handling of bad JSON protobuf bodies	2022-04-18 23:38:13 +02:00
Herman Slatman	2ca5c0170f	Fix flaky test behavior for protobuf messages	2022-04-18 22:39:47 +02:00
Herman Slatman	abcad679ff	Merge branch 'master' into herman/allow-deny	2022-04-18 21:54:55 +02:00
Herman Slatman	8d15a027a7	Fix if-else linting issue	2022-04-18 21:47:13 +02:00
Mariano Cano	c066694c0c	Allow renew token issuer to be the provisioner name. For consistency with AuthorizeAdminToken, AuthorizeRenewToken will allow the issuer to be either the fixed string 'step-ca-client/1.0' or the provisioner name.	2022-04-18 12:38:09 -07:00
Herman Slatman	99702d3648	Fix case of no authority policy existing	2022-04-18 21:14:30 +02:00
Herman Slatman	d6be9450be	Merge branch 'master' into herman/allow-deny	2022-04-15 11:57:05 +02:00
Herman Slatman	30d5d89a13	Improve test coverage for Policy Admin API	2022-04-15 10:43:25 +02:00
Mariano Cano	d3b6bc3c75	Merge branch 'master' into fix/adminra	2022-04-13 17:44:23 -07:00
Mariano Cano	ad5aedfa60	Fix backward compatibility in AuthorizeAdminToken This commit validates both new and old issuers.	2022-04-13 16:00:15 -07:00
Mariano Cano	5f714f2485	Fix tests for AuthorizeRenewToken	2022-04-13 15:59:37 -07:00
Mariano Cano	674dc3c844	Rename unreleased claim to allowRenewalAfterExpiry for consistency.	2022-04-13 15:11:54 -07:00
Mariano Cano	4e4d4e882f	Use a fixed string for renewal token issuer.	2022-04-13 14:50:06 -07:00
Mariano Cano	0a5dc237df	Fix typo in comment.	2022-04-12 17:56:39 -07:00
Mariano Cano	00cd0f5f21	Apply suggestions from code review Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>	2022-04-12 14:44:55 -07:00
Mariano Cano	ea5f7f2acc	Fix SANs for step-ca certificate Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>	2022-04-12 13:57:55 -07:00
Mariano Cano	37b521ec6c	Merge branch 'master' into feat/vault	2022-04-11 14:57:45 -07:00
Mariano Cano	c8c59d68f5	Allow mTLS renewals if the provisioner extension does not exists. This fixes a backward compatibility issue with with the new LoadProvisionerByCertificate.	2022-04-11 12:19:42 -07:00
Herman Slatman	256fe113f7	Improve tests for ACME account policy	2022-04-11 15:25:55 +02:00
Panagiotis Siatras	f2cf9cf828	authority/status: removed the package (#892 )	2022-04-11 11:56:16 +03:00
Mariano Cano	af8fcf5b01	Use always LoadProvisionerByCertificate on authority package	2022-04-08 14:18:24 -07:00
Mariano Cano	1d1e095447	Add tests for LoadProvisionerByCertificate.	2022-04-08 13:06:29 -07:00
Herman Slatman	0bb15e16f9	Fix missing ACME provisioner option	2022-04-08 16:10:26 +02:00
Herman Slatman	9797b3350e	Merge branch 'master' into herman/allow-deny	2022-04-08 16:01:56 +02:00
Mariano Cano	dfdc9c06ed	Fix linter error importShadow	2022-04-07 18:33:13 -07:00
Mariano Cano	8abd568f03	Merge branch 'master' into fix/adminra	2022-04-07 18:25:41 -07:00
Mariano Cano	b7e11da480	Merge branch 'master' into feat/linkedra	2022-04-07 18:19:04 -07:00
Mariano Cano	c55b27a2fc	Refactor admin token to use with RAs.	2022-04-07 18:14:43 -07:00
Herman Slatman	034b7943fe	Merge branch 'master' into herman/allow-deny	2022-04-07 14:12:20 +02:00
Herman Slatman	7df52dbb76	Add ACME EAB policy	2022-04-07 14:11:53 +02:00
Mariano Cano	db337debcd	Load provisioner from the database instead of the extension.	2022-04-05 19:25:47 -07:00
Mariano Cano	df8ffb35af	Remove unnecessary database in provisioner config.	2022-04-05 17:39:06 -07:00
Raal Goff	49c41636cc	implemented some requested changes	2022-04-06 08:31:40 +08:00
Raal Goff	53dbe2309b	implemented some requested changes	2022-04-06 08:24:49 +08:00
Raal Goff	a607ab189a	requested changes	2022-04-06 08:23:55 +08:00
Raal Goff	d417ce3232	implement changes from review	2022-04-06 08:23:53 +08:00
Raal Goff	668cb6f39c	missed some mentions of PEM when changing the returned format to DER regarding CRL generation	2022-04-06 08:22:29 +08:00
Raal Goff	7d024cc4cb	change GenerateCertificateRevocationList to return DER, store DER in db instead of PEM, nicer PEM encoding of CRL, add Mock stubs	2022-04-06 08:22:26 +08:00
Raal Goff	e8fdb703c9	initial support for CRL	2022-04-06 08:19:45 +08:00
Carl Tashian	150eee70df	Updates based on Herman's feedback	2022-04-05 10:59:25 -07:00
Carl Tashian	4b9f44982d	Merge branch 'master' into startup-info	2022-04-04 12:19:55 -07:00
Carl Tashian	43f2c655b9	More info on startup	2022-04-04 12:16:37 -07:00
Herman Slatman	679e2945f2	Disallow name constraint wildcard notation	2022-04-04 15:35:49 +02:00
Herman Slatman	96f4c49b0c	Improve how policy errors are returned and used	2022-04-04 13:58:16 +02:00
Herman Slatman	d8776d8f7f	Add K8sSA SSH user policy back According to the docs, the K8sSA provisioner can be configured to issue SSH user certs.	2022-04-01 15:37:48 +02:00
Herman Slatman	571b21abbc	Fix (most) PR comments	2022-03-31 16:12:29 +02:00
Carl Tashian	1ba1584c7a	Formatted.	2022-03-30 16:08:10 -07:00
Carl Tashian	a13e58e340	Update GetAuthorityInfo -> GetInfo	2022-03-30 16:07:16 -07:00
Carl Tashian	90cb6315b1	Progress.	2022-03-30 16:05:26 -07:00
Carl Tashian	055e75f394	Progress?	2022-03-30 15:48:42 -07:00
Herman Slatman	bfa4d809fd	Improve middleware test coverage	2022-03-30 18:21:25 +02:00
Herman Slatman	6da243c34d	Add policy precheck for all admins	2022-03-30 15:39:03 +02:00
Herman Slatman	628d7448de	Don't return policy in provisioner JSON	2022-03-30 15:20:38 +02:00
Herman Slatman	2fbdf7d5b0	Merge branch 'master' into herman/allow-deny	2022-03-30 14:50:14 +02:00

1 2 3 4 5 ...

1106 Commits