Mariano Cano
b0b2e77b0e
Avoid doing unauthenticated requests on the SDK
...
When step-ca runs with mTLS required on some endpoints, the SDK
used in autocert will fail to start because the identity certificate
is missing. This certificate is only required to retrieve all roots,
in most cases there's only one, and the SDK has access to it.
2021-12-14 14:42:38 -08:00
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab
2021-12-09 13:58:40 +01:00
Herman Slatman
3bc3957b06
Merge branch 'master' into hs/acme-revocation
2021-12-09 09:36:52 +01:00
Herman Slatman
d0c23973cc
Merge branch 'master' into hs/acme-eab
2021-12-06 13:01:23 +01:00
Herman Slatman
2d357da99b
Add tests for ACME revocation
2021-11-26 17:27:42 +01:00
Mariano Cano
d35848f7a9
Fix unit tests.
2021-11-24 11:43:24 -08:00
Mariano Cano
b9beab071d
Fix unit tests.
2021-11-23 18:43:36 -08:00
Mariano Cano
8c8db0d4b7
Modify errs.BadRequestErr() to always return an error to the client.
2021-11-18 18:17:36 -08:00
Mariano Cano
8ce807a6cb
Modify errs.BadRequest() calls to always send an error to the client.
2021-11-18 15:12:44 -08:00
max furman
7fac8c96c3
Merge branch 'master' into max/context
2021-11-17 11:40:01 -08:00
max furman
a7d144996f
SSH backwards compat updates
...
- use existence of new value in data map as boolean
- add tests for backwards and forwards compatibility
- fix old tests that used static dir locations
2021-11-16 21:47:14 -08:00
max furman
d777fc23c2
Add ca.WithInsecure and use methods for file names
2021-11-16 21:47:14 -08:00
max furman
e5951fd84c
Use methods in the step package
...
* rather than variables set at execution time, which may not match the
actual current context
2021-11-16 21:47:14 -08:00
max furman
7eeebca529
Enable step path contexts in identity and pki paths
2021-11-16 21:47:14 -08:00
max furman
10db335f13
mv pkg config -> step
2021-11-16 21:47:14 -08:00
max furman
741ac64c61
change name of package cli-utils/config to cli-utils/step
2021-11-16 21:47:14 -08:00
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
2021-11-13 01:30:03 +01:00
Herman Slatman
bcd1240a0e
Merge branch 'master' into hs/acme-eab
2021-10-16 13:32:13 +02:00
Mariano Cano
36b622bfc2
Use Golang's default keep-alive.
...
Since Go 1.13 a net.Listen keep-alive is enabled by default if
the protocol and OS supports it. The new one is 15s to match
the net.Dial default one. Previously http.Server ListenAndServe
and ListenAndServeTLS used to add a wrapper with 3m that we
replicated.
See https://github.com/golang/go/issues/31510
2021-10-15 14:12:43 -07:00
Herman Slatman
dd4b4b0435
Fix remaining gocritic remarks
2021-10-11 23:34:23 +02:00
Herman Slatman
e0b495e4c8
Merge branch 'master' into hs/acme-eab
2021-10-09 01:06:49 +02:00
max furman
933b40a02a
Introduce gocritic linter and address warnings
2021-10-08 14:59:57 -04:00
Herman Slatman
f34d68897a
Refactor retrieval of provisioner into middleware
2021-10-08 14:29:44 +02:00
Herman Slatman
9d4cafc4bd
Merge branch 'master' into hs/acme-eab
2021-10-08 10:33:09 +02:00
Herman Slatman
c2bc1351c6
Add provisioner to remove endpoint and clear reference index on delete
2021-09-17 17:48:09 +02:00
Herman Slatman
9c0020352b
Add lookup by reference and make reference optional
2021-09-17 17:08:02 +02:00
Mariano Cano
6729c79253
Add support for setting individual password for ssh and tls keys
...
This change add the following flags:
* --ssh-host-password-file
* --ssh-user-password-file
Fixes #693
2021-09-16 11:55:41 -07:00
Herman Slatman
f11c0cdc0c
Add endpoint for listing ACME EAB keys
2021-08-27 16:58:04 +02:00
Herman Slatman
9d09f5e575
Add support for deleting ACME EAB keys
2021-08-27 14:10:00 +02:00
Herman Slatman
a98fe03e80
Merge branch 'master' into hs/acme-eab
2021-08-27 12:50:19 +02:00
Herman Slatman
1dba8698e3
Use LinkedCA.EABKey type in ACME EAB API
2021-08-27 12:39:37 +02:00
Mariano Cano
e3ef4a7da9
Update test with default tls options.
2021-08-11 15:42:22 -07:00
Herman Slatman
c6a4c4ecba
Change ACME EAB endpoint
2021-07-23 15:16:11 +02:00
Herman Slatman
c6bfc6eac2
Fix PR comments
2021-07-22 23:48:41 +02:00
Herman Slatman
b65a588d5b
Make authentication work for /admin/eak
2021-07-22 22:43:21 +02:00
Mariano Cano
8fb5340dc9
Use a token at start time to configure linkedca.
...
Instead of using `step-ca login` we will use a new token provided
as a flag to configure and start linkedca. Certificates will be kept
in memory and refreshed automatically.
2021-07-19 19:28:06 -07:00
max furman
1df21b9b6a
Addressing comments in PR review
...
- added a bit of validation to admin create and update
- using protojson where possible in admin api
- fixing a few instances of admin -> acme in errors
2021-07-06 17:14:13 -07:00
max furman
77fdfc9fa3
Merge branch 'master' into max/cert-mgr-crud
2021-07-02 20:26:46 -07:00
max furman
9fdef64709
Admin level API for provisioner mgmt v1
2021-07-02 19:05:17 -07:00
Herman Slatman
03c472359c
Add sync.WaitGroup for proper error handling in Run()
2021-05-26 16:14:57 -07:00
Herman Slatman
13fe7a0121
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-05-26 16:13:57 -07:00
Herman Slatman
97b88c4d58
Address (most) PR comments
2021-05-26 16:12:57 -07:00
Herman Slatman
5df60c5a9b
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
2021-05-26 16:06:22 -07:00
Herman Slatman
339039768c
Refactor SCEP authority initialization and clean some code
2021-05-26 16:00:08 -07:00
Herman Slatman
48c86716a0
Add rudimentary (and incomplete) support for SCEP
2021-05-26 15:58:04 -07:00
max furman
94ba057f01
wip
2021-05-26 14:55:31 -07:00
max furman
01a4460812
wip
2021-05-25 21:13:01 -07:00
max furman
9bfb1c2e7b
wip
2021-05-21 13:31:41 -07:00
max furman
d8d5d7332b
wip
2021-05-20 16:02:20 -07:00
max furman
9bf9bf142d
wip
2021-05-20 13:01:58 -07:00
Herman Slatman
bc2bb53009
Merge branch 'master' into hs/scep
2021-05-20 21:35:44 +02:00
max furman
4f3e5ef64d
wip
2021-05-19 15:20:16 -07:00
max furman
5d09d04d14
wip
2021-05-19 15:20:16 -07:00
max furman
4d48072746
wip admin CRUD
2021-05-19 15:20:16 -07:00
max furman
98a6e54530
wip
2021-05-19 15:20:16 -07:00
max furman
af3cf7dae9
first steps
2021-05-19 15:20:16 -07:00
max furman
7b5d6968a5
first commit
2021-05-19 15:20:16 -07:00
Mariano Cano
26e7cc6177
Allow to use the SDK with ed25519 keys.
2021-05-06 18:10:12 -07:00
Herman Slatman
c04f556dc2
Merge branch 'master' into hs/scep
2021-05-06 22:00:29 +02:00
max furman
8c709fe3c2
Init config on load | Add wrapper for cli
2021-05-04 14:45:11 -07:00
Mariano Cano
5846314f88
Add missing Rekey method to the ca.Client
...
Fixes #315
2021-04-29 16:06:45 -07:00
Herman Slatman
68d5f6d0d2
Merge branch 'master' into hs/scep
2021-04-29 22:18:00 +02:00
Mariano Cano
1328aa3e47
Fix review comments.
2021-04-26 18:45:46 -07:00
Mariano Cano
50b9aaec57
Add new identity tests.
2021-04-21 18:07:59 -07:00
Mariano Cano
e414d0c8ea
Fix unit tests.
2021-04-21 16:20:53 -07:00
Mariano Cano
c5234e9c61
Refactor tls tunnel connections.
...
New method will use an identity-like file with the configuration
used to create the (m)TLS connection to the tunnel.
2021-04-21 16:20:53 -07:00
Mariano Cano
e75a9409a5
Add experimental support for a TLS over TLS tunnel.
2021-04-21 16:20:53 -07:00
Herman Slatman
0487686f69
Merge branch 'master' into hs/scep
2021-04-16 13:25:01 +02:00
Mariano Cano
02a5879cfe
Specify always a Proxy in all custom transports.
...
Fixes #535
2021-04-14 19:35:31 -07:00
max furman
93c3c2bf2e
Error handle non existent provisioner downstream and disable debug route logging
2021-04-14 15:35:43 -07:00
max furman
b1888fd34d
Use different method for unescpaed paths for the router
2021-04-14 15:11:15 -07:00
Max
b724af30ad
Merge pull request #496 from smallstep/max/acme
...
Convert to ACME DB interface
2021-04-13 15:02:03 -07:00
max furman
672e3f976e
Few ACME fixes ...
...
- always URL escape linker output
- validateJWS should accept RSAPSS
- GetUpdateAccount -> GetOrUpdateAccount
2021-04-12 19:06:07 -07:00
Herman Slatman
2320d0911e
Add sync.WaitGroup for proper error handling in Run()
2021-03-26 16:21:02 +01:00
Herman Slatman
b815478981
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-03-26 16:05:33 +01:00
Herman Slatman
c5e4ea08b3
Merge branch 'master' into hs/scep
2021-03-26 15:22:41 +01:00
Herman Slatman
b97f024f8a
Remove superfluous call to StoreCertificate
2021-03-26 14:02:52 +01:00
max furman
df05340521
fixing broken unit tests
2021-03-25 12:05:46 -07:00
max furman
f72b2ff2c2
[acme db interface] nosql authz unit tests
2021-03-25 12:05:46 -07:00
max furman
074ab7b221
[acme db interface] add linker tests
2021-03-25 12:05:46 -07:00
max furman
bb8d54e596
[acme db interface] unit tests compiling
2021-03-25 12:05:46 -07:00
max furman
fc395f4d69
[acme db interface] compiles!
2021-03-25 12:05:46 -07:00
max furman
80a6640103
[acme db interface] wip
2021-03-25 12:05:46 -07:00
Mariano Cano
8c8c160c92
Fix method name in comment.
2021-03-25 11:06:37 -07:00
Mariano Cano
bdeb0ccd7c
Add support for the flag --issuer-password-file
...
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
2021-03-24 14:53:19 -07:00
Herman Slatman
583d60dc0d
Address (most) PR comments
2021-03-21 16:42:41 +01:00
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority
2021-03-12 15:49:39 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
2d21b09d41
Remove some duplicate and unnecessary logic
2021-03-06 23:24:49 +01:00
Herman Slatman
3a5f633cdd
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
2021-03-05 12:40:42 +01:00
Herman Slatman
7948f65ac0
Merge branch 'master' into hs/scep
2021-02-26 00:41:33 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority
2021-02-26 00:32:21 +01:00
Mariano Cano
5be86691c1
Fix unit tests in Go 1.16.
2021-02-23 15:29:56 -08:00
Herman Slatman
78d78580b2
Add note about using a second (unsecured) server
2021-02-19 11:00:52 +01:00
Herman Slatman
9e43dc85d8
Merge branch 'master' into hs/scep-master
2021-02-19 10:16:39 +01:00
Herman Slatman
713b571d7a
Refactor SCEP authority initialization and clean some code
2021-02-12 17:02:39 +01:00
Herman Slatman
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP
2021-02-12 12:03:08 +01:00
Mariano Cano
b487edbd13
Clarify comment.
2021-02-11 17:38:14 -08:00
Mariano Cano
fbd2208044
Close key manager for safe reloads when a cgo module is used.
2021-02-01 17:14:44 -08:00
Mariano Cano
40d0596b71
Use smallstep/cli-utils instead of smallstep/cli
2020-10-29 13:10:03 -07:00
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
2020-08-14 15:33:50 -07:00
Mariano Cano
533ad0ca20
Use always go.step.sm/crypto/x509util
2020-08-11 17:59:33 -07:00
Mariano Cano
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
2020-08-10 15:29:18 -07:00
Mariano Cano
e83e47a91e
Use sshutil and randutil from go.step.sm/crypto.
2020-08-10 11:26:51 -07:00
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
44207523be
Add missing tests.
2020-07-21 14:21:54 -07:00
Mariano Cano
0c8376a7f6
Fix existing unit tests.
2020-07-21 14:21:54 -07:00
max furman
1951669e13
wip
2020-06-23 11:10:45 -07:00
max furman
6e69f99310
Always set nbf and naf for new ACME orders ...
...
- Use the default value from the ACME provisioner if values are not
defined in the request.
2020-05-22 10:31:58 -07:00
Mariano Cano
9f1d95d8bf
Fix renew of certificate at the start of the server.
2020-05-07 18:21:11 -07:00
Mariano Cano
1d7ab9145a
Avoid lint error.
2020-03-24 14:33:01 -07:00
Mariano Cano
0b62ce9d0e
Use go 1.13 to build certificates.
2020-03-24 14:23:02 -07:00
max furman
495e60a44b
Extraneous fmt.Sprintf
2020-03-23 12:15:46 -07:00
Mariano Cano
349bca06bb
Fix line error due to deprecated DialTLS.
2020-03-05 15:11:03 -08:00
Mariano Cano
f5d2f92099
Load identity certificate from disk in each connection.
2020-03-04 15:02:17 -08:00
Ivan Bertona
9052da66a3
Fix linter, tidy go.mod file.
2020-02-07 14:42:56 -05:00
Mariano Cano
3d6a18180e
Fix a couple of race conditions in the renewal of certificates.
2020-01-28 13:29:40 -08:00
max furman
1cb8bb3ae1
Simplify statuscoder error generators.
2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
a025f72af7
Disable backdata on ca tests.
2020-01-28 13:29:39 -08:00
Mariano Cano
a88ba8eb31
Use errs package for HTTP errors.
2020-01-28 13:29:39 -08:00
Mariano Cano
47f4ac1b53
Add method to just write the identity certificate.
2020-01-28 13:29:39 -08:00
Mariano Cano
14e59775bd
Add method to renew the identity.
2020-01-28 13:29:39 -08:00
max furman
9aafe265d0
Should be returning nil from applyIdentity if cert expired.
2020-01-28 13:29:39 -08:00
max furman
b9f6aacb0f
Move api errors to their own package and modify the typedef
2020-01-28 13:29:39 -08:00
Mariano Cano
65b4dda420
Add wrappers to identity methods in the ca package.
2020-01-28 13:29:39 -08:00
Mariano Cano
524c221c61
Add mTLS test for identity client.
2020-01-28 13:29:39 -08:00
Mariano Cano
25144539f8
Improve identity tests.
2020-01-28 13:29:39 -08:00
Mariano Cano
d85386d0b4
Add identity client and move identity to a new package.
2020-01-28 13:29:39 -08:00
Mariano Cano
9e7b86342b
Fix test.
2020-01-28 13:29:39 -08:00
Mariano Cano
c6f6493bb7
Fail silently if the identity fails.
2020-01-28 13:29:39 -08:00
max furman
3ac388612a
Use x5cInsecure token for /ssh/check-host endpoint
2020-01-28 13:29:39 -08:00
Mariano Cano
ab126d6405
Add GetTransport to client.
2020-01-28 13:29:39 -08:00
Mariano Cano
2259f62638
Add method to create an ssh token.
2020-01-28 13:29:39 -08:00
Mariano Cano
caa2b8dbb7
Add leeway in identity not before.
2020-01-28 13:29:39 -08:00
max furman
0512f6e3e5
redundant variable type def
2020-01-28 13:29:39 -08:00
Mariano Cano
d2b1f1547f
Create a custom client that sends a custom User-Agent.
2020-01-28 13:29:39 -08:00
Mariano Cano
5d7829b198
Replace /ssh/get-hosts to /ssh/hosts
2020-01-28 13:29:39 -08:00
Mariano Cano
2fe07cd79c
Fix tests.
2020-01-28 13:29:39 -08:00
Mariano Cano
85d3843968
Add Identity helpers.
2020-01-28 13:29:39 -08:00
Mariano Cano
50188fc901
Add version support to the ca.Client.
2020-01-28 13:28:17 -08:00
Mariano Cano
db3b795eea
Fix directory permissions.
2020-01-28 13:28:16 -08:00
Mariano Cano
bbaf8e106e
Support for retry and identity files.
2020-01-28 13:28:16 -08:00
Mariano Cano
d555f310dc
Add support for identity authentication.
2020-01-28 13:28:16 -08:00
Mariano Cano
f9e5b27e63
Add client method for SSHBastion
2020-01-28 13:28:16 -08:00
max furman
29853ae016
sshpop provisioner + ssh renew | revoke | rekey first pass
2020-01-28 13:28:16 -08:00
max furman
862d704f6b
get-hosts fixes
2020-01-28 13:28:16 -08:00
max furman
5616386eed
Add SSH getHosts api
2020-01-28 13:28:16 -08:00
Mariano Cano
b8817ad648
Add proxycommand and new lines to templates.
2020-01-28 13:28:16 -08:00