Commit Graph

1189 Commits

Author SHA1 Message Date
Herman Slatman
de45d66cdb
Add provisionerName to webhook request body 2023-11-08 19:43:13 +01:00
Mariano Cano
49045a1150
Change CommonName validator in JWK
This commit changes the common name validator in the JWK provisioner to
accept either the token subject or any of the SANs in the token.
2023-10-31 16:44:18 -07:00
Max
9f84f7ce35
Allow for identity certificate signing (in sshSign) by skipping validators (#1572)
- skip urisValidator for identity certificate signing. Implemented
  by building the validator with the context in a hacky way.
2023-10-06 14:02:19 -07:00
Mariano Cano
52baf52f84
Change scep password type to string
This commit changes the type of the decrypter key password to string to
be consistent with other passwords in the ca.json
2023-09-26 10:36:58 -07:00
Herman Slatman
c0fbace882
Address review remarks 2023-09-26 00:00:08 +02:00
Herman Slatman
4dc5a688fd
Set SCEP authority options once 2023-09-25 22:24:13 +02:00
Herman Slatman
15c46ebbaa
Switch logic for SCEP initialization around 2023-09-25 22:00:30 +02:00
Herman Slatman
f1da256ca4
Change SCEP authority initialization 2023-09-25 21:55:19 +02:00
Herman Slatman
4554f86f16
Make SCEP decrypter properties use omitempty 2023-09-25 19:48:12 +02:00
Herman Slatman
ffe079f31b
Merge branch 'master' into herman/scep-provisioner-decrypter 2023-09-23 00:06:56 +02:00
Mariano Cano
31da66c124
Fix webhooks signature
This commit fixes the way webhooks signatures are created. Before this
change, the signature of an empty body was prepended by the body itself.
2023-09-22 13:22:52 -07:00
Herman Slatman
3f3b67e05c
Merge branch 'herman/scep-provisioner-decrypter' into herman/scep-notifying-webhook 2023-09-22 12:44:11 +02:00
Herman Slatman
ba72710e2d
Address code review remarks 2023-09-22 12:40:14 +02:00
Herman Slatman
5f8e0de1c3
Fix duplicate import in SCEP provisioner 2023-09-22 11:46:51 +02:00
Herman Slatman
4fd4227b73
Use shorter SCEP decrypter property names from linkedca 2023-09-22 11:44:49 +02:00
Herman Slatman
5fd70af2c8
Make API responses aware of the new SCEP decrypter properties 2023-09-22 11:38:03 +02:00
Herman Slatman
3ade92f8d5
Support both a decrypter key URI as well as PEM 2023-09-22 11:10:22 +02:00
Herman Slatman
b6c95d7be2
Add additional properties to SCEP notify webhook request body 2023-09-21 18:12:13 +02:00
Herman Slatman
63257e0576
Add full certificate DER bytes to success notification webhook 2023-09-21 12:05:58 +02:00
Herman Slatman
52bc96760b
Add SCEP certificate issuance notification webhook 2023-09-21 12:01:03 +02:00
Herman Slatman
a3c9dd796a
Merge branch 'herman/scep-provisioner-decrypter' of github.com:smallstep/certificates into herman/scep-provisioner-decrypter 2023-09-21 09:55:18 +02:00
Herman Slatman
69a53eec33
Merge branch 'master' into herman/scep-provisioner-decrypter 2023-09-21 09:55:07 +02:00
Dominic Evans
231b5d8406
chore(deps): upgrade github.com/go-chi/chi to v5
Upgrade chi to the v5 module path to avoid deprecation warning about v4
and earlier on the old module path.

See https://github.com/go-chi/chi/blob/v4.1.3/go.mod#L1-L4

Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
2023-09-20 11:26:32 +01:00
Max
b7c4ed26fb
Use provisioner name in error message (#1524) 2023-09-07 15:06:46 -07:00
Herman Slatman
33e661ce7d
Add a dummy CSR to SCEP request body tests 2023-09-07 20:37:29 +02:00
Herman Slatman
36f1dd70bf
Add CSR to SCEPCHALLENGE webhook request body 2023-09-07 14:11:53 +02:00
Herman Slatman
98d015b5c3
Fix linting issues 2023-09-04 15:36:37 +02:00
Herman Slatman
d9f56cdbdc
Merge branch 'master' into herman/scep-provisioner-decrypter 2023-09-04 15:24:19 +02:00
Herman Slatman
9d3b78ae49
Add excludeIntermediate to SCEP provisioner 2023-09-04 14:55:27 +02:00
Max
e22166c628
provisionerOptionsToLinkedCA missing template and templateData (#1520) 2023-08-29 17:26:02 -07:00
Max
116ff8ed65
bump go.mod to go1.20 and associated linter fixes (#1518) 2023-08-29 11:52:13 -07:00
Remi Vichery
82b8e16d7f
Add all AWS identity document certificates
* move to use embed instead of a multi-line string
* add test to ensure all certificates are valid
* add test to ensure validity (no expired certificate)
2023-08-17 10:37:53 -07:00
Herman Slatman
e182c620c8
Merge branch 'master' into herman/scep-provisioner-decrypter 2023-08-04 22:50:37 +02:00
Herman Slatman
645b6ffc18
Ensure no prompt is fired for loading provisioner decrypter 2023-08-04 22:50:22 +02:00
Mariano Cano
30ce9e65f7
Write configuration only if encoding succeeds
This commit fixes a problem where the ca.json is truncated if the
encoding of the configuration fails. This can happen by adding a new
provisioner with bad template data.

Related to smallstep/cli#994
2023-08-03 17:54:49 -07:00
Herman Slatman
e2e9bf5494
Clarify some SCEP properties 2023-08-04 01:55:52 +02:00
Herman Slatman
c0a1837cd9
Verify full decrypter/signer configuration at usage time
When changing the SCEP configuration it is possible that one
or both of the decrypter configurations required are not available
or have been provided in a way that's not usable for actual SCEP
requests.

Instead of failing hard when provisioners are loaded,
which could result in the CA not starting properly, this type of
problematic configuration error will now be handled at usage
time instead.
2023-08-03 16:09:51 +02:00
Herman Slatman
fc1fb51854
Improve SCEP authority initialization and reload 2023-08-02 18:35:38 +02:00
Herman Slatman
569a1be12c
Merge branch 'master' into herman/scep-provisioner-decrypter 2023-08-02 15:45:45 +02:00
Mariano Cano
cce7d9e839
Address comments from code review 2023-07-27 15:05:04 -07:00
Mariano Cano
c7c7decd5e
Add support for the disableSmallstepExtensions claim
This commit adds a new claim to exclude the Smallstep provisioner
extension from the generated certificates.

Fixes #620
2023-07-27 15:05:01 -07:00
Herman Slatman
1ce80cf740
Merge branch 'master' into herman/scep-provisioner-decrypter 2023-07-27 01:03:26 +02:00
Herman Slatman
567fc25404
Use the RSA decryption configuration for signing responses too 2023-07-27 00:55:39 +02:00
Mariano Cano
7061147885
Use step.Abs to load the certificate templates
step.Abs has been removed from crypto and they need to be set when those
methods are used
2023-07-26 15:44:02 -07:00
Herman Slatman
557672bb4b
Add some notes for SCEP provisioners 2023-07-26 19:11:51 +02:00
Mariano Cano
95887ebf40
Merge pull request #1481 from smallstep/remove-user-regex
Remove OIDC user regexp check
2023-07-25 10:56:13 -07:00
Josh Drake
ff424fa944
Fix tests. 2023-07-24 15:27:49 -05:00
Josh Drake
904f416d20
Include authorization principal in provisioner webhooks. 2023-07-24 00:30:05 -05:00
Mariano Cano
5bfe96d8c7
Send X5C leaf certificate to webhooks
This commit adds a new property that will be sent to authorizing and
enriching webhooks when signing certificates using the X5C provisioner.
2023-07-20 13:03:45 -07:00
Mariano Cano
7fa97bedec
Remove OIDC user regexp check
This commit removes the regular expression check on OIDC usernames.
Although it is not recommended to use any character in a username,
it is possible to create and use them. The tool useradd has the flag
--badname and adduser has --allow-badname and --allow-all-names to
create new users with any character.

Moreover, it is possible to create any username with the rest of
provisioners.

Fixes #1436
2023-07-19 11:05:01 -07:00