Mariano Cano
8200d19894
Improve CRL implementation
...
This commit adds some changes to PR #731 , some of them are:
- Add distribution point to the CRL
- Properly stop the goroutine that generates the CRLs
- CRL config validation
- Remove expired certificates from the CRL
- Require enable set to true to generate a CRL
This last point is the principal change in behaviour from the previous
implementation. The CRL will not be generated if it's not enabled, and
if it is enabled it will always be regenerated at some point, not only
if there is a revocation.
2022-10-26 18:55:24 -07:00
Raal Goff
f7df865687
refactor crl config, add some tests
2022-10-07 10:30:00 +08:00
Raal Goff
d0e81af524
Merge branch 'master' into crl-support
2022-09-30 08:45:48 +08:00
Mariano Cano
c9e7af3722
Use only name constraints in GetTLSCertificate
2022-09-23 11:04:27 -07:00
Mariano Cano
2eba5326db
Remove policy validation on renew
2022-09-22 12:17:16 -07:00
Mariano Cano
d68c765e20
Add context to errors
2022-09-21 18:46:34 -07:00
Mariano Cano
72e2c4eb2e
Render proper policy and constrains errors
2022-09-21 18:35:18 -07:00
Mariano Cano
4b79405dac
Check constraints and policy for leaf certificates too
2022-09-21 15:54:28 -07:00
Mariano Cano
325d8bca4f
Merge branch 'master' into name-constraints
2022-09-21 13:29:44 -07:00
Mariano Cano
debe565e42
Validate constraints on Sign and Renew/Rekey
...
Fixes #1060
2022-09-20 18:52:47 -07:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2022-09-20 16:35:41 -07:00
Mariano Cano
34c6c65671
Pass attestation information to the Sign method
...
Attestation information might be useful in authorizing webhooks
2022-09-16 12:37:41 -07:00
Raal Goff
40baf73dff
remove incorrect check on revoked certificate dates, add mutex lock for generating CRLs,
2022-09-15 15:03:42 +08:00
Raal Goff
924082bb49
fix linter errors
2022-09-08 10:09:37 +08:00
Raal Goff
d2483f3a70
Merge branch 'master' into crl-support
...
# Conflicts:
# authority/config/config.go
2022-09-08 09:45:04 +08:00
Mariano Cano
8bd0174251
Rename field to IsCAServerCert
2022-08-11 15:14:26 -07:00
Mariano Cano
5df1694250
Add endpoint id for the RA certificate
...
In a linked RA mode, send an endpoint id to group the server
certificates.
2022-08-11 14:47:11 -07:00
Mariano Cano
eb091aec54
Simplify field names for ProvisionerInfo
2022-08-10 17:44:14 -07:00
Mariano Cano
6b5d3dca95
Add provisioner name to RA info
2022-08-03 18:44:04 -07:00
Mariano Cano
f9df8ac05f
Remove unused interface
2022-08-03 12:03:49 -07:00
Mariano Cano
9408d0f24b
Send RA provisioner information to the CA
2022-08-02 19:28:49 -07:00
Raal Goff
60671b07d7
Merge branch 'master' into crl-support
...
# Conflicts:
# api/api.go
# authority/config/config.go
# cas/softcas/softcas.go
# db/db.go
2022-07-13 08:52:58 +08:00
Mariano Cano
ce9a23a0f7
Fix SSH certificate revocation
2022-05-25 16:55:22 -07:00
Mariano Cano
c8d7ad7ab9
Fix store certificates methods with new interface
2022-05-18 18:33:22 -07:00
Herman Slatman
6e1f8dd7ab
Refactor policy engines into container
2022-04-26 13:12:16 +02:00
Herman Slatman
76112c2da1
Improve error creation and testing for core policy engine
2022-04-26 01:47:07 +02:00
Herman Slatman
3fa96ebf13
Improve policy errors returned to client
2022-04-24 13:11:32 +02:00
Herman Slatman
ad2de16299
Merge branch 'master' into herman/allow-deny
2022-04-19 10:26:31 +02:00
Mariano Cano
fe9c3cf753
Merge branch 'master' into ahmet2mir-feat/vault
2022-04-18 15:35:26 -07:00
Herman Slatman
abcad679ff
Merge branch 'master' into herman/allow-deny
2022-04-18 21:54:55 +02:00
Mariano Cano
ea5f7f2acc
Fix SANs for step-ca certificate
...
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2022-04-12 13:57:55 -07:00
Mariano Cano
37b521ec6c
Merge branch 'master' into feat/vault
2022-04-11 14:57:45 -07:00
Herman Slatman
9797b3350e
Merge branch 'master' into herman/allow-deny
2022-04-08 16:01:56 +02:00
Mariano Cano
db337debcd
Load provisioner from the database instead of the extension.
2022-04-05 19:25:47 -07:00
Raal Goff
49c41636cc
implemented some requested changes
2022-04-06 08:31:40 +08:00
Raal Goff
53dbe2309b
implemented some requested changes
2022-04-06 08:24:49 +08:00
Raal Goff
a607ab189a
requested changes
2022-04-06 08:23:55 +08:00
Raal Goff
d417ce3232
implement changes from review
2022-04-06 08:23:53 +08:00
Raal Goff
668cb6f39c
missed some mentions of PEM when changing the returned format to DER regarding CRL generation
2022-04-06 08:22:29 +08:00
Raal Goff
7d024cc4cb
change GenerateCertificateRevocationList to return DER, store DER in db instead of PEM, nicer PEM encoding of CRL, add Mock stubs
2022-04-06 08:22:26 +08:00
Raal Goff
e8fdb703c9
initial support for CRL
2022-04-06 08:19:45 +08:00
Herman Slatman
571b21abbc
Fix (most) PR comments
2022-03-31 16:12:29 +02:00
Herman Slatman
b49307f326
Fix ACME order tests with mock ACME CA
2022-03-24 18:34:04 +01:00
Herman Slatman
9e0edc7b50
Add early authority policy evaluation to ACME order API
2022-03-24 14:55:40 +01:00
Herman Slatman
613c99f00f
Fix linting issues
2022-03-24 13:10:49 +01:00
Mariano Cano
9d027c17d0
Send current provisioner on PostCertificate
2022-03-21 19:24:05 -07:00
Herman Slatman
101ca6a2d3
Check admin subjects before changing policy
2022-03-21 15:53:59 +01:00
Herman Slatman
81b0c6c37c
Add API implementation for authority and provisioner policy
2022-03-15 15:56:04 +01:00
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level
2022-03-08 13:26:07 +01:00
Mariano Cano
c0525381eb
Merge branch 'master' into feat/vault
2022-02-16 18:19:23 -08:00