Gary Belvin
c264e8f580
Configurable pkcs11-init output paths
2021-06-01 17:46:00 +01:00
Gary Belvin
623e387fb0
Allow configuration of PKCS11 subject name
2021-06-01 17:35:36 +01:00
Herman Slatman
6486e6016b
Make logic for which challenge types to use clearer
2021-05-29 00:37:22 +02:00
Herman Slatman
3e36522329
Add preliminary support for TLS-ALPN-01 challenge for IP identifiers
2021-05-29 00:19:14 +02:00
Herman Slatman
848b5202a5
Merge branch 'master' into hs/ip-verification
2021-05-28 16:42:05 +02:00
Herman Slatman
6d9710c88d
Add initial support for ACME IP validation
2021-05-28 16:40:46 +02:00
Herman Slatman
7e82bd6ef3
Add setup for Authority tests
2021-05-26 16:15:26 -07:00
Herman Slatman
74d8bdc298
Add tests for CreateDecrypter
2021-05-26 16:15:26 -07:00
Herman Slatman
a64974c179
Fix small typo in divisible
2021-05-26 16:15:26 -07:00
Herman Slatman
382b6f977c
Improve error logging
2021-05-26 16:15:26 -07:00
Herman Slatman
d46a4eaca4
Change fmt to errors package for formatting errors
2021-05-26 16:15:26 -07:00
Herman Slatman
2beea1aa89
Add configuration option for specifying the minimum public key length
...
Instead of using the defaultPublicKeyValidator a new validator called
publicKeyMinimumLengthValidator has been implemented that uses a
configurable minimum length for public keys in CSRs.
It's also an option to alter the defaultPublicKeyValidator to also
take a parameter, but that would touch quite some lines of code. This
might be a viable option after merging SCEP support.
2021-05-26 16:15:26 -07:00
Herman Slatman
4168449935
Fix typo
2021-05-26 16:15:26 -07:00
Herman Slatman
fa100a5138
Mask challenge password after it has been read
2021-05-26 16:15:26 -07:00
Herman Slatman
66a67ed691
Update to v2.0.0 of github.com/micromdm/scep
2021-05-26 16:15:24 -07:00
Herman Slatman
03c472359c
Add sync.WaitGroup for proper error handling in Run()
2021-05-26 16:14:57 -07:00
Herman Slatman
1cd0cb99f6
Add more template data
2021-05-26 16:13:58 -07:00
Herman Slatman
13fe7a0121
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-05-26 16:13:57 -07:00
Herman Slatman
bcacd2f4da
Fix typo
2021-05-26 16:13:38 -07:00
Herman Slatman
a0242ad6ce
Add validation to SCEP Options
2021-05-26 16:13:38 -07:00
Herman Slatman
4cd45f6374
Remove superfluous call to StoreCertificate
2021-05-26 16:13:36 -07:00
Herman Slatman
97b88c4d58
Address (most) PR comments
2021-05-26 16:12:57 -07:00
Herman Slatman
be528da709
Make tests green
2021-05-26 16:10:22 -07:00
Herman Slatman
57a62964b1
Make tests not fail hard on ECDSA keys
...
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
2021-05-26 16:10:22 -07:00
Herman Slatman
5a80bc3ced
Make linter happy
2021-05-26 16:10:22 -07:00
Herman Slatman
dd4f548650
Fix certificateChain property
2021-05-26 16:10:22 -07:00
Herman Slatman
491c2b8d93
Improve initialization of SCEP authority
2021-05-26 16:10:21 -07:00
Herman Slatman
2d85d4c1c1
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-05-26 16:09:38 -07:00
Herman Slatman
e7cb80f880
Fix linter issues
2021-05-26 16:08:24 -07:00
Herman Slatman
aa2ce0a2a5
Store new certificates in database
2021-05-26 16:08:24 -07:00
Herman Slatman
f0050e5ca9
Add signed failure responses
2021-05-26 16:08:24 -07:00
Herman Slatman
4fe7179b95
Add support for configuring capabilities (cacaps)
2021-05-26 16:08:24 -07:00
Herman Slatman
3b86550dbf
Add support for challenge password
2021-05-26 16:08:24 -07:00
Herman Slatman
017e56c9fb
Remove some duplicate and unnecessary logic
2021-05-26 16:08:23 -07:00
Herman Slatman
75cd3ab0ac
Change to a fixed fork of go.mozilla.org/pkcs7
...
Hopefully this will be a temporary change until
the fix is merged in the upstream module.
2021-05-26 16:07:37 -07:00
Herman Slatman
5df60c5a9b
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
2021-05-26 16:06:22 -07:00
Herman Slatman
a191319da9
Improve SCEP API logic and error handling
2021-05-26 16:06:21 -07:00
Herman Slatman
30d3a26c20
Remove x509 template from API
2021-05-26 16:04:21 -07:00
Herman Slatman
da65f46d0f
Add AuthorizeSign method to SCEP authority
2021-05-26 16:04:21 -07:00
Herman Slatman
812e1c7218
Add handling of options
2021-05-26 16:04:21 -07:00
Herman Slatman
80026e1016
Remove the copy of mozilla/pkcs7
...
Apparently the existing library works out of the box, after all.
We'll have to see how it works out continuing forward.
2021-05-26 16:04:21 -07:00
Herman Slatman
2a249d20de
Refactor initialization of SCEP authority
2021-05-26 16:04:19 -07:00
Herman Slatman
99cd3b74fe
Add full copy of mozilla/pkcs7 module as internal dependency
...
The full contents of the git repository @432b2356ecb...
was copied. Only go.mod was removed from it.
2021-05-26 16:01:20 -07:00
Herman Slatman
393be5b03a
Add number of certs to return and fix CR LF in CACaps
2021-05-26 16:01:20 -07:00
Herman Slatman
b905d5fead
Improve setup for multiple SCEP providers (slightly)
2021-05-26 16:01:20 -07:00
Herman Slatman
339039768c
Refactor SCEP authority initialization and clean some code
2021-05-26 16:00:08 -07:00
Herman Slatman
48c86716a0
Add rudimentary (and incomplete) support for SCEP
2021-05-26 15:58:04 -07:00
max furman
ff7b829aa2
[action] forgot to add default labeler config file
2021-05-26 15:54:45 -07:00
max furman
114627de93
[action] labeler to v3 and use default config path location
2021-05-26 15:54:45 -07:00
Mariano Cano
d7a747b92b
Add SCEP in the provisioners proto.
...
Change provisioner.proto to match protobuf style guide.
2021-05-26 15:49:18 -07:00