Commit graph

150 commits

Author SHA1 Message Date
Herman Slatman
5cb23c6029
Merge pull request #804 from smallstep/herman/normalize-ipv6-dns-names
Normalize IPv6 hostname addresses
2022-02-09 11:25:24 +01:00
Herman Slatman
e887ccaa07
Ensure the CA TLS certificate represents IPv6 DNS names as IP in cert
If an IPv6 domain name (i.e. [::1]) is provided manually in the `ca.json`,
this commit will ensure that it's represented as an IP SAN in the TLS
certificate. Before this change, the IPv6 would become a DNS SAN.
2022-02-03 14:21:23 +01:00
Mariano Cano
300c19f8b9 Add a custom enforcer that can be used to modify a cert. 2022-02-02 14:36:58 -08:00
Ahmet DEMIR
68b980d689
feat(authority): avoid hardcoded cn in authority csr 2022-01-13 20:30:54 +01:00
Herman Slatman
50c3bce98d
Change if/if to if/else-if when checking the type of JSON error 2022-01-12 21:34:38 +01:00
Herman Slatman
a3cf6bac36
Add special handling for *json.UnmarshalTypeError 2022-01-12 11:15:39 +01:00
Herman Slatman
0475a4d26f
Refactor extraction of JSON template syntax errors 2022-01-12 10:41:36 +01:00
Herman Slatman
a5455d3572
Improve errors related to template execution failures (slightly) 2022-01-10 15:49:37 +01:00
Herman Slatman
3bc3957b06
Merge branch 'master' into hs/acme-revocation 2021-12-09 09:36:52 +01:00
Herman Slatman
47a8a3c463
Add test case for ACME Revoke to Authority 2021-12-02 17:11:36 +01:00
Herman Slatman
c9cd876a7d
Merge branch 'master' into hs/acme-revocation 2021-11-25 00:40:56 +01:00
Mariano Cano
ff04873a2a Change the default error type to forbidden in Sign.
The errors will also be propagated from sign options.
2021-11-23 18:58:16 -08:00
Mariano Cano
668d3ea6c7 Modify errs.Wrap() with bad request to send messages to users. 2021-11-18 18:44:58 -08:00
Mariano Cano
8ce807a6cb Modify errs.BadRequest() calls to always send an error to the client. 2021-11-18 15:12:44 -08:00
Herman Slatman
3151255a25
Merge branch 'master' into hs/acme-revocation 2021-10-30 15:41:29 +02:00
max furman
933b40a02a Introduce gocritic linter and address warnings 2021-10-08 14:59:57 -04:00
Mariano Cano
42fde8ba28
Merge branch 'master' into linkedca 2021-08-25 15:56:50 -07:00
Mariano Cano
9e5762fe06 Allow the reuse of azure token if DisableTrustOnFirstUse is true
Azure caches tokens for 24h and we cannot issue a new certificate
for the same instance in that period of time.

The meaning of this parameter is to allow the signing of multiple
certificate in one instance. This is possible in GCP, because we
get a new token, and is possible in AWS because we can generate
a new one. On Azure there was no other way to do it unless you
wait for 24h.

Fixes #656
2021-08-11 11:50:54 -07:00
Mariano Cano
d72fa953ac Remove debug statements. 2021-08-05 18:50:18 -07:00
Mariano Cano
3f07eb597a Implement revocation using linkedca. 2021-08-05 18:45:50 -07:00
Mariano Cano
0730a165fd Add collection of files and authority template. 2021-07-27 19:19:58 -07:00
Mariano Cano
71f8019243 Store x509 and ssh certificates on linkedca if enabled. 2021-07-20 18:16:24 -07:00
Herman Slatman
8f7e700f09
Merge branch 'master' into hs/acme-revocation 2021-07-09 11:22:25 +02:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
Herman Slatman
84e7d468f2
Improve handling of ACME revocation 2021-07-03 00:21:17 +02:00
max furman
7b5d6968a5 first commit 2021-05-19 15:20:16 -07:00
Mariano Cano
2cbaee9c1d Allow to use an alternative interface to store renewed certs.
This can be useful to know if a certificate has been renewed and
link one certificate with the 'parent'.
2021-04-29 15:55:22 -07:00
Mariano Cano
e6833ecee3 Add extension of db.AuthDB to store the fullchain.
Add a temporary solution to allow an extension of an db.AuthDB
interface that logs the fullchain of certificates instead of just
the leaf.
2021-04-26 12:28:51 -07:00
Mariano Cano
0b8528ce6b Allow mTLS revocation without provisioner. 2021-03-22 13:37:31 -07:00
Mariano Cano
bcf70206ac Add support for revocation using an extra provisioner in the RA. 2021-03-17 19:47:36 -07:00
Mariano Cano
a6115e29c2 Add initial implementation of StepCAS.
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
2021-03-17 19:33:35 -07:00
Mariano Cano
3e0ab8fba7 Fix typo. 2020-10-05 18:00:50 -07:00
Mariano Cano
d64427487d Add comment about the missing error check. 2020-10-05 17:39:44 -07:00
Mariano Cano
e17ce39e3a Add support for Revoke using CAS. 2020-09-15 18:14:03 -07:00
Mariano Cano
aad8f9e582 Pass issuer and signer to softCAS options.
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
2020-09-10 19:09:46 -07:00
Mariano Cano
1b1f73dec6 Early attempt to develop a CAS interface. 2020-09-08 19:26:32 -07:00
Mariano Cano
cef0475e71 Make clear what's a template/unsigned certificate. 2020-08-28 14:33:26 -07:00
Mariano Cano
c94a1c51be Merge branch 'master' into ssh-cert-templates 2020-08-24 15:08:28 -07:00
Mariano Cano
ba918100d0 Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
max furman
81875074e3 tie -> the in comment 2020-08-20 15:15:15 -07:00
max furman
cb594ed2e0 go mod tidy and golang 1.15.0 cleanup ...
- cs.NegotiatedProtocolIsMutual has been deprecated but we still build
in travis with 1.14 so for now we'll ignore this linting error
- string(int) was resolving to string of a single rune rather than
string of digits -> use fmt.Sprint
2020-08-17 13:48:37 -07:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
0a59efd853 Use new x509util to generate the CA certificate. 2020-08-10 16:09:22 -07:00
Mariano Cano
4943ae58d8 Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates. 2020-08-10 15:29:18 -07:00
Mariano Cano
ce1eb0a01b Use new x509util for renew/rekey. 2020-08-05 19:09:06 -07:00
Mariano Cano
c8d225a763 Use x509util from go.step.sm/crypto/x509util 2020-08-05 16:02:46 -07:00
Mariano Cano
a7b65f1e1e Add authority.Sign test with custom templates. 2020-07-22 19:18:45 -07:00
Mariano Cano
6c64fb3ed2 Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
ccc705cdcd Use alias x509legacy to cli x509util in tls.go. 2020-07-21 14:20:48 -07:00
Mariano Cano
8f0dd811af Allow to send errors from template to cli. 2020-07-21 14:18:06 -07:00
Mariano Cano
4795e371bd Add back the support for ca.json DN template. 2020-07-21 14:18:05 -07:00
Mariano Cano
d1d9ae42d6 Use certificates x509util instead of cli for certificate signing. 2020-07-21 14:18:04 -07:00
max furman
fd05f3249b A few last fixes and tests added for rekey/renew ...
- remove all `renewOrRekey`
- explicitly test difference between renew and rekey (diff pub keys)
- add back tests for renew
2020-07-09 12:11:40 -07:00
Max
ea9bc493b8
Merge pull request #307 from dharanikumar-s/master
Add support for rekeying Fixes #292
2020-07-09 11:39:00 -07:00
dharanikumar-s
57fb0c80cf Removed calculating SubjectKeyIdentifier on Rekey 2020-07-08 12:52:53 +05:30
dharanikumar-s
dfda497929 Renamed RenewOrRekey to Rekey 2020-07-08 11:47:59 +05:30
dharanikumar-s
fe73154a20 Corrected misspelling 2020-07-05 22:50:02 +05:30
dharanikumar-s
2479371c06 Added error check while marshalling public key 2020-07-05 22:37:29 +05:30
dharanikumar-s
c8c3581e2f SubjectKeyIdentifier extention is calculated from public key passed to this function instead of copying from old certificate 2020-07-05 22:15:01 +05:30
dharanikumar-s
8f504483ce Added RenewOrRekey function based on @maraino suggestion. RenewOrReky is called from Renew. 2020-07-03 15:58:15 +05:30
dharanikumar-s
3813f57b1a Add support for rekeying Fixes #292 2020-07-01 19:10:13 +05:30
max furman
d25e7f64c2 wip 2020-06-24 09:58:40 -07:00
max furman
3636ba3228 wip 2020-06-23 17:13:39 -07:00
max furman
1951669e13 wip 2020-06-23 11:10:45 -07:00
Mariano Cano
bfe1f4952d Rename interface to CertificateEnforcer and add tests. 2020-03-31 11:41:36 -07:00
Mariano Cano
64f26c0f40 Enforce a duration for identity certificates. 2020-03-30 17:33:04 -07:00
Mariano Cano
05cc1437b7 Remove unnecessary parse of certificate. 2020-02-13 17:48:43 -08:00
Mariano Cano
43bd8113aa Remove unnecessary comments. 2020-02-11 14:46:18 -08:00
Mariano Cano
69a1b68283 Merge branch 'ssh' into kms 2020-01-27 15:41:14 -08:00
max furman
b265877050 Simplify statuscoder error generators. 2020-01-24 13:46:11 -08:00
max furman
c387b21808 Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-22 17:25:23 -08:00
Mariano Cano
c62526b39f Add wip support for kms. 2020-01-09 18:42:26 -08:00
Mariano Cano
e67ccd9e3d Add fault tolerance against clock skew accross system on TLS certificates. 2020-01-02 17:48:28 -08:00
Mariano Cano
8eeb82d0ce Store renew certificate in the database. 2019-12-10 13:10:45 -08:00
Mariano Cano
0c3b9ebf45 Fix indentation. 2019-11-13 11:18:05 -08:00
max furman
a9ea292bd4 sshpop provisioner + ssh renew | revoke | rekey first pass 2019-11-05 16:41:42 -08:00
Jozef Kralik
bc6074f596 Change api of functions Authority.Sign, Authority.Renew
Returns certificate chain instead of 2 members.

Implements #126
2019-10-09 22:23:00 +02:00
max furman
fe7973c060 wip 2019-09-19 13:17:45 -07:00
Mariano Cano
2127d09ef3 Rename context type to apiCtx.
It will conflict with the context package.
2019-07-29 11:56:14 -07:00
max furman
ab4d569f36 Add /revoke API with interface db backend 2019-04-10 13:50:35 -07:00
Mariano Cano
8c8547bf65 Remove unnecessary parse and improve tests. 2019-03-20 18:11:45 -07:00
Mariano Cano
a3e2b4a552 Move certificate check to the right place. 2019-03-20 17:36:45 -07:00
Mariano Cano
30a6889d1f Use standard x509 instead of step one. 2019-03-20 17:12:52 -07:00
Mariano Cano
7fd737cbb1 Fix lint warnings. 2019-03-11 18:47:57 -07:00
Mariano Cano
1f5ff5c899 Fix sign and renew tests. 2019-03-11 18:15:24 -07:00
Mariano Cano
c0ef6f8dc5 Add missing modifier and change return codes. 2019-03-07 16:03:38 -08:00
Mariano Cano
a97ea87caa Move options to provisioner so we can set the duration of the cert. 2019-03-07 15:14:18 -08:00
Mariano Cano
1671ab2590 Fix some tests. 2019-03-07 12:15:18 -08:00
Mariano Cano
57b705f6cf Use provisioner sign options. 2019-03-06 17:37:49 -08:00
Mariano Cano
d78febec7a Fix extensions copy on renew
Fixes #36
2019-02-14 16:44:36 -08:00
max furman
7e43402575 bug fix: don't add common name to CSR validation claims in Sign
* added unit test for this case
2019-02-06 16:26:25 -08:00
max furman
e6e8443f3c allow multiple identical SANs in cert 2019-01-31 11:20:21 -06:00
max furman
f0683c2e0a Enable signing certificates with custom SANs
* validate against SANs in token. must be 1:1 equivalent.
2019-01-30 18:21:03 -06:00
Mariano Cano
d6cad2a7f3 Add provisioner option to disable renewal.
Fixes smallstep/ca-component#108
2018-11-01 15:43:24 -07:00
Mariano Cano
d574545d94 Format code with gofmt -s 2018-10-26 15:01:02 -07:00
max furman
7fa06643b2 change step provisioner OID and ASN1 representation 2018-10-26 14:24:16 -07:00
max furman
a4a461466b withProvisionerOID and unit test 2018-10-25 23:49:23 -07:00
max furman
ee7db4006a change sign + authorize authority api | add provisioners
* authorize returns []interface{}
 - operators in this list can conform to any interface the user decides
 - our implementation has a combination of certificate claim validators
 and certificate template modifiers.
* provisioners can set and enforce tls cert options
2018-10-18 22:26:39 -07:00
max furman
0b5f6487e1 change provisioners api
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
2018-10-11 23:03:00 -07:00
max furman
c284a2c0ab first commit 2018-10-05 21:48:36 +00:00