Herman Slatman
8f7e700f09
Merge branch 'master' into hs/acme-revocation
2021-07-09 11:22:25 +02:00
max furman
9fdef64709
Admin level API for provisioner mgmt v1
2021-07-02 19:05:17 -07:00
Herman Slatman
84e7d468f2
Improve handling of ACME revocation
2021-07-03 00:21:17 +02:00
max furman
7b5d6968a5
first commit
2021-05-19 15:20:16 -07:00
Mariano Cano
2cbaee9c1d
Allow to use an alternative interface to store renewed certs.
...
This can be useful to know if a certificate has been renewed and
link one certificate with the 'parent'.
2021-04-29 15:55:22 -07:00
Mariano Cano
e6833ecee3
Add extension of db.AuthDB to store the fullchain.
...
Add a temporary solution to allow an extension of an db.AuthDB
interface that logs the fullchain of certificates instead of just
the leaf.
2021-04-26 12:28:51 -07:00
Mariano Cano
0b8528ce6b
Allow mTLS revocation without provisioner.
2021-03-22 13:37:31 -07:00
Mariano Cano
bcf70206ac
Add support for revocation using an extra provisioner in the RA.
2021-03-17 19:47:36 -07:00
Mariano Cano
a6115e29c2
Add initial implementation of StepCAS.
...
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
2021-03-17 19:33:35 -07:00
Mariano Cano
3e0ab8fba7
Fix typo.
2020-10-05 18:00:50 -07:00
Mariano Cano
d64427487d
Add comment about the missing error check.
2020-10-05 17:39:44 -07:00
Mariano Cano
e17ce39e3a
Add support for Revoke using CAS.
2020-09-15 18:14:03 -07:00
Mariano Cano
aad8f9e582
Pass issuer and signer to softCAS options.
...
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
2020-09-10 19:09:46 -07:00
Mariano Cano
1b1f73dec6
Early attempt to develop a CAS interface.
2020-09-08 19:26:32 -07:00
Mariano Cano
cef0475e71
Make clear what's a template/unsigned certificate.
2020-08-28 14:33:26 -07:00
Mariano Cano
c94a1c51be
Merge branch 'master' into ssh-cert-templates
2020-08-24 15:08:28 -07:00
Mariano Cano
ba918100d0
Use go.step.sm/crypto/jose
...
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
max furman
81875074e3
tie -> the in comment
2020-08-20 15:15:15 -07:00
max furman
cb594ed2e0
go mod tidy and golang 1.15.0 cleanup ...
...
- cs.NegotiatedProtocolIsMutual has been deprecated but we still build
in travis with 1.14 so for now we'll ignore this linting error
- string(int) was resolving to string of a single rune rather than
string of digits -> use fmt.Sprint
2020-08-17 13:48:37 -07:00
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
2020-08-14 15:33:50 -07:00
Mariano Cano
0a59efd853
Use new x509util to generate the CA certificate.
2020-08-10 16:09:22 -07:00
Mariano Cano
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
2020-08-10 15:29:18 -07:00
Mariano Cano
ce1eb0a01b
Use new x509util for renew/rekey.
2020-08-05 19:09:06 -07:00
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
2020-08-05 16:02:46 -07:00
Mariano Cano
a7b65f1e1e
Add authority.Sign test with custom templates.
2020-07-22 19:18:45 -07:00
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
...
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
ccc705cdcd
Use alias x509legacy to cli x509util in tls.go.
2020-07-21 14:20:48 -07:00
Mariano Cano
8f0dd811af
Allow to send errors from template to cli.
2020-07-21 14:18:06 -07:00
Mariano Cano
4795e371bd
Add back the support for ca.json DN template.
2020-07-21 14:18:05 -07:00
Mariano Cano
d1d9ae42d6
Use certificates x509util instead of cli for certificate signing.
2020-07-21 14:18:04 -07:00
max furman
fd05f3249b
A few last fixes and tests added for rekey/renew ...
...
- remove all `renewOrRekey`
- explicitly test difference between renew and rekey (diff pub keys)
- add back tests for renew
2020-07-09 12:11:40 -07:00
Max
ea9bc493b8
Merge pull request #307 from dharanikumar-s/master
...
Add support for rekeying Fixes #292
2020-07-09 11:39:00 -07:00
dharanikumar-s
57fb0c80cf
Removed calculating SubjectKeyIdentifier on Rekey
2020-07-08 12:52:53 +05:30
dharanikumar-s
dfda497929
Renamed RenewOrRekey to Rekey
2020-07-08 11:47:59 +05:30
dharanikumar-s
fe73154a20
Corrected misspelling
2020-07-05 22:50:02 +05:30
dharanikumar-s
2479371c06
Added error check while marshalling public key
2020-07-05 22:37:29 +05:30
dharanikumar-s
c8c3581e2f
SubjectKeyIdentifier extention is calculated from public key passed to this function instead of copying from old certificate
2020-07-05 22:15:01 +05:30
dharanikumar-s
8f504483ce
Added RenewOrRekey function based on @maraino suggestion. RenewOrReky is called from Renew.
2020-07-03 15:58:15 +05:30
dharanikumar-s
3813f57b1a
Add support for rekeying Fixes #292
2020-07-01 19:10:13 +05:30
max furman
d25e7f64c2
wip
2020-06-24 09:58:40 -07:00
max furman
3636ba3228
wip
2020-06-23 17:13:39 -07:00
max furman
1951669e13
wip
2020-06-23 11:10:45 -07:00
Mariano Cano
bfe1f4952d
Rename interface to CertificateEnforcer and add tests.
2020-03-31 11:41:36 -07:00
Mariano Cano
64f26c0f40
Enforce a duration for identity certificates.
2020-03-30 17:33:04 -07:00
Mariano Cano
05cc1437b7
Remove unnecessary parse of certificate.
2020-02-13 17:48:43 -08:00
Mariano Cano
43bd8113aa
Remove unnecessary comments.
2020-02-11 14:46:18 -08:00
Mariano Cano
69a1b68283
Merge branch 'ssh' into kms
2020-01-27 15:41:14 -08:00
max furman
b265877050
Simplify statuscoder error generators.
2020-01-24 13:46:11 -08:00
max furman
c387b21808
Introduce generalized statusCoder errors and loads of ssh unit tests.
...
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-22 17:25:23 -08:00
Mariano Cano
c62526b39f
Add wip support for kms.
2020-01-09 18:42:26 -08:00
Mariano Cano
e67ccd9e3d
Add fault tolerance against clock skew accross system on TLS certificates.
2020-01-02 17:48:28 -08:00
Mariano Cano
8eeb82d0ce
Store renew certificate in the database.
2019-12-10 13:10:45 -08:00
Mariano Cano
0c3b9ebf45
Fix indentation.
2019-11-13 11:18:05 -08:00
max furman
a9ea292bd4
sshpop provisioner + ssh renew | revoke | rekey first pass
2019-11-05 16:41:42 -08:00
Jozef Kralik
bc6074f596
Change api of functions Authority.Sign, Authority.Renew
...
Returns certificate chain instead of 2 members.
Implements #126
2019-10-09 22:23:00 +02:00
max furman
fe7973c060
wip
2019-09-19 13:17:45 -07:00
Mariano Cano
2127d09ef3
Rename context type to apiCtx.
...
It will conflict with the context package.
2019-07-29 11:56:14 -07:00
max furman
ab4d569f36
Add /revoke API with interface db backend
2019-04-10 13:50:35 -07:00
Mariano Cano
8c8547bf65
Remove unnecessary parse and improve tests.
2019-03-20 18:11:45 -07:00
Mariano Cano
a3e2b4a552
Move certificate check to the right place.
2019-03-20 17:36:45 -07:00
Mariano Cano
30a6889d1f
Use standard x509 instead of step one.
2019-03-20 17:12:52 -07:00
Mariano Cano
7fd737cbb1
Fix lint warnings.
2019-03-11 18:47:57 -07:00
Mariano Cano
1f5ff5c899
Fix sign and renew tests.
2019-03-11 18:15:24 -07:00
Mariano Cano
c0ef6f8dc5
Add missing modifier and change return codes.
2019-03-07 16:03:38 -08:00
Mariano Cano
a97ea87caa
Move options to provisioner so we can set the duration of the cert.
2019-03-07 15:14:18 -08:00
Mariano Cano
1671ab2590
Fix some tests.
2019-03-07 12:15:18 -08:00
Mariano Cano
57b705f6cf
Use provisioner sign options.
2019-03-06 17:37:49 -08:00
Mariano Cano
d78febec7a
Fix extensions copy on renew
...
Fixes #36
2019-02-14 16:44:36 -08:00
max furman
7e43402575
bug fix: don't add common name to CSR validation claims in Sign
...
* added unit test for this case
2019-02-06 16:26:25 -08:00
max furman
e6e8443f3c
allow multiple identical SANs in cert
2019-01-31 11:20:21 -06:00
max furman
f0683c2e0a
Enable signing certificates with custom SANs
...
* validate against SANs in token. must be 1:1 equivalent.
2019-01-30 18:21:03 -06:00
Mariano Cano
d6cad2a7f3
Add provisioner option to disable renewal.
...
Fixes smallstep/ca-component#108
2018-11-01 15:43:24 -07:00
Mariano Cano
d574545d94
Format code with gofmt -s
2018-10-26 15:01:02 -07:00
max furman
7fa06643b2
change step provisioner OID and ASN1 representation
2018-10-26 14:24:16 -07:00
max furman
a4a461466b
withProvisionerOID and unit test
2018-10-25 23:49:23 -07:00
max furman
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
2018-10-18 22:26:39 -07:00
max furman
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
2018-10-11 23:03:00 -07:00
max furman
c284a2c0ab
first commit
2018-10-05 21:48:36 +00:00