Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,116 Commits
37 Branches
218 Tags
44 MiB
master
root-not-found-error-message
relative-paths-config
herman/wire-dpop-struct
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.26.2
v0.27.0
v0.27.1
v0.27.2
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cb2c24fc88'
${ noResults }
Commit Graph

335 Commits (cb2c24fc88426496304fd320a79e2dd02dff520a)

Author SHA1 Message Date
Herman Slatman 7ad90d10b3
Refactor initialization of SCEP authority 4 years ago
Herman Slatman 713b571d7a
Refactor SCEP authority initialization and clean some code 4 years ago
Herman Slatman ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP 4 years ago
max furman 16665c97f0 Allow empty SAN in CSR for validation ... 
- The default template will always use the SANs from the token.
- If there are any SANs they must be validated against the token.
 4 years ago
Mariano Cano 5017b7d21f Recalculate token id instead of validating it. 4 years ago
Mariano Cano 86c947babc Upgrade crypto and fix test. 4 years ago
Mariano Cano 0cf594a003 Validate payload ID. 
Related to #435
 4 years ago
Mariano Cano 39b23c057d Add all AWS certificates used to verify base64 signatures. 4 years ago
Mariano Cano 7d1686dc53 Add option to specify the AWS IID certificates to use. 
This changes adds a new option `iidRoots` that allows a user to
define one or more certificates that will be used for AWS IID
signature validation.

Fixes #393
 4 years ago
Mariano Cano 4c8bf87dc1 Use new admin template for K8ssa and admin-OIDC provisioners. 
This change replaces the .Insecure.CR template to one that sets
all the SANs, but uses key usages and extended key usages for
regular TLS certificates.
 4 years ago
Mariano Cano 276e307a1d Add extra tests for CustomSSHTemplateOptions 4 years ago
max furman da9f0b09af Ignore `null` string for x509 and ssh templateData. 4 years ago
Mariano Cano 81c6e01269 Fix unit test. 4 years ago
max furman ce9af5c20f Standardize k8ssa check on issuer name 4 years ago
Mariano Cano 8ee246edda Upgrade go.step.sm to v0.4.0 4 years ago
Mariano Cano 35bd3ec383
Merge pull request #329 from smallstep/ssh-cert-templates 
SSH cert templates
 4 years ago
Mariano Cano b7269b6579 Fix comment. 4 years ago
Mariano Cano c94a1c51be Merge branch 'master' into ssh-cert-templates 4 years ago
Mariano Cano ba918100d0 Use go.step.sm/crypto/jose 
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
 4 years ago
max furman 46fc922afd Remove unused code; fix usage wrong word; add gap time for unit test 4 years ago
Mariano Cano d30a95236d Use always go.step.sm/crypto 4 years ago
Mariano Cano aaaa7e9b4e Merge branch 'master' into cert-templates 4 years ago
Mariano Cano e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 4 years ago
Mariano Cano f437b86a7b Merge branch 'cert-templates' into ssh-cert-templates 4 years ago
Mariano Cano c8d225a763 Use x509util from go.step.sm/crypto/x509util 4 years ago
Mariano Cano 37f84e9bb3 Add delay in test. 4 years ago
Mariano Cano 8d89bbd62f Remove unused code. 4 years ago
Mariano Cano c4bbc81d9f Fix authority tests. 4 years ago
Mariano Cano 413af88aad Fix provisioning tests. 4 years ago
Mariano Cano b66bdfabcd Enforce an OIDC users to send all template variables. 4 years ago
Mariano Cano 9822305bb6 Use only the IID template on IID provisioners. 
Use always sshutil.DefaultIIDCertificate and require at least one
principal on IID provisioners.
 4 years ago
Mariano Cano aa657cdb4b Use SSHOptions inside provisioner options. 4 years ago
Mariano Cano 02379d494b Add support for extensions and critical options on the identity 
function.
 4 years ago
Mariano Cano 8ff8d90f8c On JWK and X5C validate the key id on the request. 4 years ago
Mariano Cano a78f7e8913 Add template support on k8ssa provisioner. 4 years ago
Mariano Cano 6c36ceb158 Add initial template support for iid provisisioners. 4 years ago
Mariano Cano 8e7bf96769 Fix error prefix. 4 years ago
Mariano Cano e0dce54338 Add missing argument. 4 years ago
Mariano Cano c1fc45c872 Simplify SSH modifiers with options. 
It also changes the behavior of the request options to modify only
the validity of the certificate.
 4 years ago
Mariano Cano ad28f0f59a Move variable where it is used. 4 years ago
Mariano Cano 715eb4eacc Add initial support for ssh templates on OIDC. 4 years ago
Mariano Cano c2dc76550c Add ssh certificate template to X5C provisioner. 4 years ago
Mariano Cano 380a0d6daf Add ssh certificate templates to JWK provisioner. 4 years ago
Mariano Cano f75a12e10a Add omitempty tag option. 4 years ago
Mariano Cano 570ede45e7 Do not enforce number of principals or extensions. 4 years ago
Mariano Cano 631f1612a1 Add TemplateData to SignSSHOptions. 4 years ago
Mariano Cano c6746425a3 Add methods to initialize ssh templates in provisioners. 4 years ago
Mariano Cano 3e80f41c19 Change provisioner options to have X509 as a field. 4 years ago
David Cowden 86efe7aff0 aws: use http.NoBody instead of nil 
It's a little more descriptive.
 4 years ago
David Cowden 2b121efc8f aws: test constructor with empty IDMS string array 4 years ago
Mariano Cano 6c64fb3ed2 Rename provisioner options structs: 
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
 4 years ago
David Cowden dc39eef721 aws: test badIDMS functional path 
The existing test only covers the constructor logic. Also test the live
code path that is executed when a bad IDMS version is supplied.
 4 years ago
David Cowden 51f16ee2e0 aws: add tests covering metadata service versions 
* Add constructor tests for the aws provisioner.
* Add a test to make sure the "v1" logic continues to work.

By and large, v2 is the way to go. However, there are some instances of
things that specifically request metadata service version 1 and so this
adds minimal coverage to make sure we don't accidentally break the path
should anyone need to depend on the former logic.
 4 years ago
David Cowden 5efe5f3573 metadata-v2: pull in joshathysolate-master 
Taking of this PR to get it across the goal line.
 4 years ago
Mariano Cano 5ac3f8a160 Add provisioner options tests. 4 years ago
Mariano Cano 02c4f9817d Set full token payload instead of only the known properties. 4 years ago
Mariano Cano 0c8376a7f6 Fix existing unit tests. 4 years ago
Mariano Cano a7fe0104c4 Remove ACME restrictions and add proper template support. 4 years ago
Mariano Cano cf2989a848 Add token and subject to K8sSA provisioner to be used in custom 
templates.
 4 years ago
Mariano Cano 71be83b25e Add iss#sub uri in OIDC certificates. 
Admin will use the CR template if none is provided.
 4 years ago
Mariano Cano c58117b30d Allow to use base64 when defining a template in the ca.json. 4 years ago
Mariano Cano b2ca3176f5 Prepend insecure to user and CR variables names. 4 years ago
Mariano Cano b11486f41f Fix option method for template variable. 4 years ago
Mariano Cano 04f5053a7a Add template support for x5c. 4 years ago
Mariano Cano eb8886d828 Add CR subject as iid default subject. 
Add a minimal subject with just a common name to iid provisioners
in case we want to use it.
 4 years ago
Mariano Cano e60ea419cc Add template support for gcp provisioner. 4 years ago
Mariano Cano 32646c49bf Add templates support to Azure provisioner. 4 years ago
Mariano Cano a44f0ca866 Add token payload. 4 years ago
Mariano Cano 00fd41a3d0 Add template support to K8sSA provisioners. 4 years ago
Mariano Cano 13b704aeed Add template support for AWS provisioner. 4 years ago
Mariano Cano 49b9aa6e3f Fix log string. 4 years ago
Mariano Cano 4795e371bd Add back the support for ca.json DN template. 4 years ago
Mariano Cano e6fed5e0aa Minor fixes and comments. 4 years ago
Mariano Cano 81cd288104 Enable templates in acme provisioners. 4 years ago
Mariano Cano ca2fb42d68 Move options to the provisioner. 4 years ago
Mariano Cano 206bc6757a Add initial support for templates in the OIDC provisioner. 4 years ago
Mariano Cano 95c3a41bf0 Rename UserData to TemplateData and fix unmarshaling. 4 years ago
Mariano Cano 9f3acc254b Set the token payload in the JWK provisioner. 4 years ago
Mariano Cano ef0ed0ff95 Integrate simple templates in the JWK provisioner. 4 years ago
Mariano Cano 9032018cf2 Convert x509util.WithOptions to new modifiers. 4 years ago
Carl Tashian 912e298043 Whitelist -> Allowlist per https://tools.ietf.org/id/draft-knodel-terminology-01.html 4 years ago
max furman accf1be7e9 wip 4 years ago
max furman 71d87b4e61 wip 4 years ago
max furman d25e7f64c2 wip 4 years ago
max furman 3636ba3228 wip 4 years ago
max furman 1951669e13 wip 4 years ago
max furman 7d5cf34ce5 Update profileLimitDuration validator ... 
- respect notBefore of the provisioner
- modify/fix the reported errors
 4 years ago
Mariano Cano 4ac51dd508
Merge pull request #274 from smallstep/oidc-raw-locals 
Allow dots and other symbols in principals for OIDC
 4 years ago
Mariano Cano 3246a3e81f Add missing test case. 4 years ago
max furman 6e69f99310 Always set nbf and naf for new ACME orders ... 
- Use the default value from the ACME provisioner if values are not
defined in the request.
 4 years ago
Mariano Cano 0b5fd156e8 Add a third principal on OIDC tokens with the raw local part of the email. 
For the email first.last@example.com it will create the principals
  ["firstlast", "first.last", "first.last@example.com"]

Fixes #253, #254
 4 years ago
Josh Hogle e9b500daf2 Updated error message 4 years ago
Josh Hogle 044d00045a Fixed missing initialization of IMDS versions 4 years ago
Josh Hogle 18ac5c07e2 Added support for specifying IMDS version preference 4 years ago
Josh Hogle 8c6a46887b Added token URL fixes to tests 4 years ago
Josh Hogle dd27901b12 Moved token URL and TTL to config values 4 years ago
Josh Hogle bbbe4738c7 Added status code checking 4 years ago
Josh Hogle af0f21d744 added support for IMDSv2 API 4 years ago
Oleksandr Kovalchuk 4cd01b6868
Implement tests for forceCNOption modifier 
Implement unit tests which checks forceCNOption modifier (implemented
in 322200b7db) is not broken and works
correctly.

Ref: https://github.com/smallstep/certificates/issues/259
 4 years ago
Oleksandr Kovalchuk 893a53793a
Modify existing tests to accept forceCNOption modifier 
Modify existing tests to pass with changes introduced in commit
322200b7db. This is safe to do as
tests assert exact length of modifiers, which has changed.
 4 years ago