smallstep-certificates

mirror of https://github.com/smallstep/certificates.git synced 2024-10-31 03:20:16 +00:00

Author	SHA1	Message	Date
Mariano Cano	2ca63a9ff5	Merge pull request #267 from smallstep/awskms AWS KMS support	2020-05-26 16:00:34 -07:00
Mariano Cano	26c89cf779	Rename method.	2020-05-26 14:34:47 -07:00
Mariano Cano	7a985b1470	Fix usage, remove unsupported flag.	2020-05-26 14:26:05 -07:00
Mariano Cano	df3e9c0cd6	Add full version of the license.	2020-05-26 12:21:09 -07:00
Mariano Cano	4ac51dd508	Merge pull request #274 from smallstep/oidc-raw-locals Allow dots and other symbols in principals for OIDC	2020-05-26 11:28:30 -07:00
Mariano Cano	6c9cd7050c	Add test with query strings.	2020-05-26 11:13:07 -07:00
Mariano Cano	dfe8e11e44	Remove anchor from link.	2020-05-26 10:55:26 -07:00
Mariano Cano	3246a3e81f	Add missing test case.	2020-05-26 10:22:15 -07:00
David Cowden	b26e6e42b3	acme: Return 501 for the key-change route RFC 8555 § 7.3.5 is not listed as optional but we do not currently support it. Rather than 404, return a 501 to inform clients that this functionality is not yet implemented. The notImplmented error type is not an official error registered in the ietf:params:acme:error namespace, so prefix if with step:acme:error. An ACME server is allowed to return other errors and clients should display the message detail to users. Fixes: https://github.com/smallstep/certificates/issues/209	2020-05-26 01:47:08 -07:00
Max	ab0f2aedcc	Merge pull request #268 from smallstep/max/acme-nbf Set nbf and nbf for ACME orders even when they are not set in the request. Closes #92	2020-05-22 10:38:01 -07:00
max furman	6e69f99310	Always set nbf and naf for new ACME orders ... - Use the default value from the ACME provisioner if values are not defined in the request.	2020-05-22 10:31:58 -07:00
Mariano Cano	0b5fd156e8	Add a third principal on OIDC tokens with the raw local part of the email. For the email first.last@example.com it will create the principals ["firstlast", "first.last", "first.last@example.com"] Fixes #253, #254	2020-05-21 12:09:11 -07:00
Mariano Cano	7104588fcb	Fix linter error.	2020-05-20 17:58:37 -07:00
Mariano Cano	f006cca87a	Use Go 1.14.	2020-05-20 17:45:57 -07:00
Mariano Cano	aaf71ce66a	Add unit tests for awskms.	2020-05-20 17:04:01 -07:00
Mariano Cano	d4cb9f4ac7	Define an interface for kms operations. This interface will be used for unit testing.	2020-05-20 12:43:14 -07:00
Mariano Cano	deac15327f	Add docs for AWS KMS.	2020-05-20 12:30:32 -07:00
Mariano Cano	82fb96588e	Fix unit tests.	2020-05-19 17:45:15 -07:00
Mariano Cano	5b680b2349	Add initialization script for an AWS KMS.	2020-05-19 17:35:58 -07:00
Mariano Cano	c32abb76cd	Add initial implementation to support AWS KMS.	2020-05-19 17:35:36 -07:00
Mariano Cano	b0f768a3fb	Add implementation of URIs for KMS. Implementation is based on the PKCS #11 URI Scheme RFC https://tools.ietf.org/html/rfc7512	2020-05-19 17:32:52 -07:00
Mariano Cano	2bc69d3edd	Merge pull request #252 from smallstep/yubikey Yubikey support	2020-05-19 13:47:33 -07:00
Mariano Cano	89e164dad6	Add AuthorityKeyId to cloudkms root cert.	2020-05-19 13:15:09 -07:00
Mariano Cano	97508ca215	Add AuthorityKeyId to root certificate. Fix error string.	2020-05-19 13:05:55 -07:00
Max	ba91f4ed13	Merge pull request #260 from anxolerd/feat-force-cn-if-empty [Feature] Force CommonName for certificates from ACME provisioner	2020-05-18 14:40:01 -07:00
Oleksandr Kovalchuk	4cd01b6868	Implement tests for forceCNOption modifier Implement unit tests which checks forceCNOption modifier (implemented in `322200b7db`) is not broken and works correctly. Ref: https://github.com/smallstep/certificates/issues/259	2020-05-17 20:29:28 +03:00
Oleksandr Kovalchuk	893a53793a	Modify existing tests to accept forceCNOption modifier Modify existing tests to pass with changes introduced in commit `322200b7db`. This is safe to do as tests assert exact length of modifiers, which has changed.	2020-05-17 20:27:09 +03:00
Oleksandr Kovalchuk	322200b7db	Implement modifier to set CommonName Implement modifier which sets CommonName to the certificate if CommonName is empty and forceCN is set in the config. Replace previous implementation introduced in `0218018cee` with new modifier. Closes https://github.com/smallstep/certificates/issues/259 Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322	2020-05-17 20:23:13 +03:00
Mariano Cano	3e40cb89a7	Add some docs for YubiKey configuration.	2020-05-15 12:24:25 -07:00
Mariano Cano	d95c055163	piv-go requires libpcsclite-dev on linux.	2020-05-15 11:40:26 -07:00
Mariano Cano	03a6789f0e	Fix compile errors without cgo support.	2020-05-15 11:33:22 -07:00
Mariano Cano	012a4734bf	Add better messaging when yubikey is not detected.	2020-05-15 11:33:04 -07:00
Mariano Cano	7d61c0003c	Enable softkms and cloudkms.	2020-05-15 11:32:12 -07:00
Max	ae15573f93	Merge pull request #249 from smallstep/clive-jevons/dynamic-host-detection-for-acme-directory dynamic host detection for acme directory Closes #235, #193	2020-05-14 17:40:01 -07:00
max furman	e1409349f3	Allow relative URL for all links in ACME api ... * Pass the request context all the way down the ACME stack. * Save baseURL in context and use when generating ACME urls.	2020-05-14 17:32:54 -07:00
Oleksandr Kovalchuk	0218018cee	Generate Subject if `forceCN` and Subject is empty When `forceCN` is set in provisioner configuration and Subject.CommonName is empty, set Subject.CommonName to the first SAN from the CSR to follow the letsencrypt's boulder behavior. This is done in order to support system which require certificate's Subject field to be non-empty. N.B. certbot does not send Subject in its certificate request and relies on similar behavior of letsencrypt. Closes https://github.com/smallstep/certificates/issues/259	2020-05-14 13:23:42 +03:00
Oleksandr Kovalchuk	503c9f6101	Add config option to force CN Add configuration option `forceCN` to ACME provisioner. When this option is set to `true`, provisioner should generate Subject.CommonName for certificate if it was not present in the request. Default value of `false` should keep the existing behavior (do not modify CSR and certificate). Ref: https://github.com/smallstep/certificates/issues/259	2020-05-14 13:20:55 +03:00
Clive Jevons	639993bd09	Read host and protocol information from request for links When constructing links we want to read the required host and protocol information in a dynamic manner from the request for constructing ACME links such as the directory information. This way, if the server is running behind a proxy, and we don't know what the exposed URL should be at runtime, we can construct the required information from the host, tls and X-Forwarded-Proto fields in the HTTP request. Inspired by the LetsEncrypt Boulder project (web/relative.go).	2020-05-12 16:58:12 -07:00
Mariano Cano	025c0aa20f	Display the proper yubikey uri.	2020-05-11 19:42:21 -07:00
Mariano Cano	22b86c3fcc	Only rewrite keys with --force.	2020-05-11 19:40:12 -07:00
Mariano Cano	63e36ecd7a	Refactor the initialization of KeyManagers.	2020-05-11 18:47:22 -07:00
Max	f126962f3f	Merge pull request #257 from smallstep/max/accUpd ACME accountUpdate ignore fields not recognized by the server.	2020-05-11 14:18:08 -07:00
max furman	4cb777bdc1	ACME accountUpdate ignore fields not recognized by the server.	2020-05-08 11:52:30 -07:00
Mariano Cano	c02fe77998	Close the key manager before shutting down.	2020-05-07 18:59:30 -07:00
Mariano Cano	029483463b	Remove extra +build statement.	2020-05-07 18:51:41 -07:00
Mariano Cano	ef2b13b163	Add step-yubikey-init as a target.	2020-05-07 18:40:36 -07:00
Mariano Cano	677e99793e	Create alternative yubikey file when cgo is not enabled. This yubikey will always fail.	2020-05-07 18:35:10 -07:00
Mariano Cano	6868190fff	Add initial support for yubikey.	2020-05-07 18:22:09 -07:00
Mariano Cano	9f1d95d8bf	Fix renew of certificate at the start of the server.	2020-05-07 18:21:11 -07:00
Mariano Cano	e855707dc2	Merge pull request #248 from smallstep/embedded-config-init Initialize the required config fields on embedded authorities	2020-05-06 14:29:53 -07:00

... 2 3 4 5 6 ...

1274 Commits