TrueCloudLab/certificates
15
0
Fork 2
Code Issues 1 Pull requests 1 Releases Activity Actions
2023 commits 34 branches 199 tags 42 MiB
Commit graph

67 commits

Author SHA1 Message Date
Mariano Cano
a0633a6efb
Merge pull request #612 from gdbelvin/kmspin 
Allow reading pin from kms string
 2021-06-15 12:05:34 -07:00
Gary Belvin
1fb4406801 minimize diff 2021-06-15 18:19:42 +01:00
Gary Belvin
c6bb7aa199 Add back UI check, but don't read file 2021-06-15 18:18:29 +01:00
Gary Belvin
a63a1d6482 Don't double read from u.Pin() 2021-06-15 18:13:08 +01:00
Gary Belvin
063a09a521 Allow reading pin from kms string 2021-06-15 13:16:54 +01:00
Mariano Cano
595f12505c
Merge branch 'master' into name 2021-06-01 10:29:40 -07:00
Gary Belvin
c264e8f580 Configurable pkcs11-init output paths 2021-06-01 17:46:00 +01:00
Gary Belvin
623e387fb0 Allow configuration of PKCS11 subject name 2021-06-01 17:35:36 +01:00
Mariano Cano
e727532963 Fix wrong format of the first flag on step-ca --help 2021-03-24 14:55:34 -07:00
Mariano Cano
bdeb0ccd7c Add support for the flag --issuer-password-file 
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
 2021-03-24 14:53:19 -07:00
Mariano Cano
71f59de396
Merge pull request #510 from smallstep/ra-mode 
StepCAS.
 2021-03-24 14:39:27 -07:00
Gary Belvin
341966c30f Check pin flag 2021-03-23 22:13:35 +00:00
Gary Belvin
1ac838628a Add flag for setting the pin 2021-03-23 10:40:13 +00:00
Mariano Cano
a6115e29c2 Add initial implementation of StepCAS. 
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
 2021-03-17 19:33:35 -07:00
Mariano Cano
e446e22520 Remove extra default. 2021-02-11 19:25:16 -08:00
Mariano Cano
3648c3fab6 Fix error message when --kms is not passed. 2021-02-11 19:24:09 -08:00
Mariano Cano
1d2146166b Close key manager. 2021-02-01 15:28:09 -08:00
Mariano Cano
51ac28656e Fix protection level for host keys in cloudkms script. 
Fixes #460
 2021-01-29 16:11:25 -08:00
Mariano Cano
7f9d7eadc9 Attempt to delete key and certificate with the same name. 
Nitrokey will override the label of the key with the certificate one.
If they are stored with the same id.
 2021-01-29 13:31:07 -08:00
Mariano Cano
162c535705 Add option to not store certificates in the pkcs11 module. 2021-01-28 20:13:28 -08:00
Mariano Cano
8dca652bc7 Add support for PKCS #11 KMS. 
The implementation works with YubiHSM2. Unit tests are still pending.

Fixes #301
 2021-01-26 20:03:53 -08:00
Anton Lundin
3e6137110b Add support for using ssh-agent as a KMS 
This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys
for issuing ssh certificates signed by a key managed by a ssh-agent. It
uses the golang.org/x/crypto package to get a native Go implementation
to talk to a ssh-agent.

This was primarly written to be able to use gpg-agent to provide the
keys stored in a YubiKeys openpgp interface, but can be used for other
setups like proxying a ssh-agent over network.

That way the signing key for ssh certificates can be kept in a
"sign-only" hsm.

This code was written for my employer Intinor AB, but for simplicity
sake gifted to me to contribute upstream.

Signed-off-by: Anton Lundin <glance@acc.umu.se>
 2020-11-04 09:06:23 +01:00
Mariano Cano
40d0596b71 Use smallstep/cli-utils instead of smallstep/cli 2020-10-29 13:10:03 -07:00
Mariano Cano
647b9b4541
Merge pull request #367 from smallstep/cas 
Support for CAS Interface and CloudCAS
 2020-10-05 18:09:01 -07:00
Carl Tashian
fd07e25e61 Change Gitter links to GH Discussions tab 2020-09-23 16:36:37 -07:00
Mariano Cano
f100b2d0e3 Make the YubiKey management key configurable. 
With this change the default management key is not required as the
user is able to set its own.

Fixes #323
 2020-09-17 16:07:32 -07:00
Mariano Cano
1b1f73dec6 Early attempt to develop a CAS interface. 2020-09-08 19:26:32 -07:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
ddb4ca7a74 Move load of kms to main package. 
With this change packages that import the authority won't load by
default all the supported kms with all its dependencies.

Fixes #228
 2020-06-12 14:55:35 -07:00
Mariano Cano
26c89cf779 Rename method. 2020-05-26 14:34:47 -07:00
Mariano Cano
7a985b1470 Fix usage, remove unsupported flag. 2020-05-26 14:26:05 -07:00
Mariano Cano
5b680b2349 Add initialization script for an AWS KMS. 2020-05-19 17:35:58 -07:00
Mariano Cano
89e164dad6 Add AuthorityKeyId to cloudkms root cert. 2020-05-19 13:15:09 -07:00
Mariano Cano
97508ca215 Add AuthorityKeyId to root certificate. 
Fix error string.
 2020-05-19 13:05:55 -07:00
Mariano Cano
03a6789f0e Fix compile errors without cgo support. 2020-05-15 11:33:22 -07:00
Mariano Cano
025c0aa20f Display the proper yubikey uri. 2020-05-11 19:42:21 -07:00
Mariano Cano
22b86c3fcc Only rewrite keys with --force. 2020-05-11 19:40:12 -07:00
Mariano Cano
6868190fff Add initial support for yubikey. 2020-05-07 18:22:09 -07:00
Mariano Cano
6b01128bcc Reference root.Subject instead of hardcoding it. 2020-02-21 11:14:11 -08:00
Mariano Cano
1535e95d89 Add tool to initialize pki in cloud kms. 2020-02-18 19:07:12 -08:00
Mariano Cano
869ef70211
Merge pull request #172 from 256dpi/master 
Added Resolver Option
 2020-02-12 12:42:08 -08:00
Sebastian Tiedtke
f2b95647f3 Use date range in copyright 2020-02-10 09:55:21 -08:00
Joël Gähwiler
445fcbe621 added resolver 2020-02-01 13:00:39 +02:00
Mariano Cano
4d423137f0 Re-enable profiler. 2020-01-28 13:29:39 -08:00
Mariano Cano
c60641701b Add version endpoint. 2020-01-28 13:28:16 -08:00
Alan Christopher Thomas
8f08b47a9c Rough wiring for basics of connecting to onboarding flow 2020-01-28 13:28:16 -08:00
Mariano Cano
5013f7ffe0 Move ca commands to its own package. 2019-09-12 12:51:07 -07:00
Mariano Cano
0efae31a29 Generate PKI and start server using onboarding. 2019-09-11 19:16:08 -07:00
Mariano Cano
bca5dcc326 Remove url from error message. 2019-09-11 17:36:48 -07:00
Mariano Cano
0c654d93ea Create method for onboard action and clean code. 2019-09-11 17:33:27 -07:00