From 6ffc438ed185c419b8183dede81329673184c6fb Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 2 Sep 2020 09:30:45 -0700 Subject: [PATCH 1/8] Update Dockerfile.step-ca to match best practices - See https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ - Added a .dockerignore file to reduce the build context size - Added a HEALTHCHECK (curl the CA) --- .dockerignore | 7 +++++++ docker/Dockerfile.step-ca | 19 +++++++++++-------- 2 files changed, 18 insertions(+), 8 deletions(-) create mode 100644 .dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 00000000..5b671c40 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,7 @@ +README.md +.gitignore +bin +coverage.txt +*.test +*.out +.travis-releases diff --git a/docker/Dockerfile.step-ca b/docker/Dockerfile.step-ca index 5d8fdacd..6e902b68 100644 --- a/docker/Dockerfile.step-ca +++ b/docker/Dockerfile.step-ca @@ -1,24 +1,27 @@ FROM golang:alpine AS builder -RUN mkdir /src -ADD . /src +WORKDIR /src +COPY . . -RUN apk add --no-cache make git curl && \ - cd /src && \ - make V=1 bin/step-ca +RUN apk add --no-cache \ + curl \ + git \ + make && \ + make V=1 bin/step-ca FROM smallstep/step-cli:latest COPY --from=builder /src/bin/step-ca /usr/local/bin/step-ca -ENV CONFIGPATH="/home/step/config/ca.json" -ENV PWDPATH="/home/step/secrets/password" - USER root RUN apk add --no-cache libcap && setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/step-ca USER step +ENV CONFIGPATH="/home/step/config/ca.json" +ENV PWDPATH="/home/step/secrets/password" + VOLUME ["/home/step"] STOPSIGNAL SIGTERM +HEALTHCHECK CMD curl --cacert /home/step/certs/root_ca.crt -sSf https://localhost/health >/dev/null || exit 1 CMD exec /bin/sh -c "/usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH" From 3b31c6d2f59f6e4fe07fd7938d110b485211f85a Mon Sep 17 00:00:00 2001 
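Review bot: The new `.dockerignore` does not exclude `.git`, so the repository history is still shipped in the build context and copied into the builder stage by `COPY . .` in the Dockerfile hunk below, where it sits in the layer cache of every build host. It also leaves `docker/` in, which is only needed by the host running `docker build`. Adding `.git` and `docker/` to the list is the usual fix, with one caveat: the builder stage installs `git`, which suggests the Makefile may derive the version with `git describe`, so confirm the build still produces the expected version string before excluding `.git` (an alternative is to pass the version in as a build arg).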
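Review bot: The added `HEALTHCHECK` hard-codes `https://localhost/health`, i.e. port 443, while the CA's listen address comes from `ca.json` at `$CONFIGPATH`; a deployment that configures a different `address` will be reported unhealthy even though the CA is fine. The check also runs with the default zero `--start-period`, so the interval during which `step-ca` is still reading `$PWDPATH` and decrypting its key counts toward the failure retries. Consider `HEALTHCHECK --interval=30s --timeout=10s --start-period=30s CMD ...` and a comment above it such as `# assumes the CA listens on 443 (see CAP_NET_BIND_SERVICE below); keep in sync with the address in ca.json`. Verifying against `/home/step/certs/root_ca.crt` rather than `-k` is the right call and worth keeping in whatever form the check takes.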
From: Carl Tashian Date: Tue, 8 Sep 2020 09:44:35 -0700 Subject: [PATCH 2/8] Change `HEALTHCHECK` to use `step ca health`. Change shell `CMD exec` to skip redundant `/bin/sh -c` --- docker/Dockerfile.step-ca | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile.step-ca b/docker/Dockerfile.step-ca index 6e902b68..4a1908d6 100644 --- a/docker/Dockerfile.step-ca +++ b/docker/Dockerfile.step-ca @@ -22,6 +22,6 @@ ENV PWDPATH="/home/step/secrets/password" VOLUME ["/home/step"] STOPSIGNAL SIGTERM -HEALTHCHECK CMD curl --cacert /home/step/certs/root_ca.crt -sSf https://localhost/health >/dev/null || exit 1 +HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null -CMD exec /bin/sh -c "/usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH" +CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH From 4ad6be2680f8327af4c4b22c59c99319600e986a Mon Sep 17 00:00:00 2001 From: gucchisk Date: Thu, 10 Sep 2020 23:45:44 +0900 Subject: [PATCH 3/8] Fix error message of bad request --- errs/error.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/errs/error.go b/errs/error.go index 2e49d8c5..ebcf0894 100644 --- a/errs/error.go +++ b/errs/error.go @@ -181,7 +181,7 @@ func StatusCodeError(code int, e error, opts ...Option) error { var ( seeLogs = "Please see the certificate authority logs for more info." // BadRequestDefaultMsg 400 default msg - BadRequestDefaultMsg = "The request could not be completed; malformed or missing data" + seeLogs + BadRequestDefaultMsg = "The request could not be completed; malformed or missing data. " + seeLogs // UnauthorizedDefaultMsg 401 default msg UnauthorizedDefaultMsg = "The request lacked necessary authorization to be completed. " + seeLogs // ForbiddenDefaultMsg 403 default msg From 179e793f1aa344fc0452612f6cb619f8e4ec2e10 Mon Sep 17 00:00:00 2001 
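Review bot: `2>/dev/null` in the new `HEALTHCHECK` discards the one thing an operator needs when the container flips to unhealthy, since Docker records the check's output in `docker inspect`; with stderr dropped, a bad CA URL, a missing root certificate and a CA that is simply not up yet all look identical. Dropping the redirect and using `grep -q` keeps the output useful: `HEALTHCHECK --interval=30s --timeout=10s --start-period=30s CMD step ca health | grep -q "^ok"`. Note that `step ca health` presumably resolves the CA URL and root from the `step` context under `/home/step` (`config/defaults.json`), so the check will fail until `step ca init` has been run in the volume; that is the correct outcome, but it is worth a one-line comment above the instruction. A `--start-period` also avoids counting the key-decryption window at startup against the retry budget.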
From: Pierre Laden Date: Wed, 16 Sep 2020 21:59:48 +0200 Subject: [PATCH 4/8] - provide PINpolicy always to piv-go to avoid trying to use attestation cert, which we might not have - bump piv-go version to 1.6.0 --- go.mod | 2 +- kms/yubikey/yubikey.go | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index a71d716c..9a58d7ce 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/Masterminds/sprig/v3 v3.1.0 github.com/aws/aws-sdk-go v1.30.29 github.com/go-chi/chi v4.0.2+incompatible - github.com/go-piv/piv-go v1.5.0 + github.com/go-piv/piv-go v1.6.0 github.com/googleapis/gax-go/v2 v2.0.5 github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a // indirect github.com/lunixbochs/vtclean v1.0.0 // indirect diff --git a/kms/yubikey/yubikey.go b/kms/yubikey/yubikey.go index 28c41f95..acb94b81 100644 --- a/kms/yubikey/yubikey.go +++ b/kms/yubikey/yubikey.go @@ -142,6 +142,7 @@ func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e priv, err := k.yk.PrivateKey(slot, cert.PublicKey, piv.KeyAuth{ PIN: k.pin, + PINPolicy: piv.PINPolicyAlways, }) if err != nil { return nil, errors.Wrap(err, "error retrieving private key") From 290d5ee97988501fbc8406d66e2404dab81b850c Mon Sep 17 00:00:00 2001 From: Pierre Laden Date: Wed, 16 Sep 2020 22:15:42 +0200 Subject: [PATCH 5/8] fix gofmt complain --- kms/yubikey/yubikey.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kms/yubikey/yubikey.go b/kms/yubikey/yubikey.go index acb94b81..732921c8 100644 --- a/kms/yubikey/yubikey.go +++ b/kms/yubikey/yubikey.go @@ -142,7 +142,7 @@ func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e priv, err := k.yk.PrivateKey(slot, cert.PublicKey, piv.KeyAuth{ PIN: k.pin, - PINPolicy: piv.PINPolicyAlways, + PINPolicy: piv.PINPolicyAlways, }) if err != nil { return nil, errors.Wrap(err, "error retrieving private key") From 692f7692a272933712b4e82b225dcff97839cae1 Mon Sep 17 00:00:00 2001 
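Review bot: Setting `PINPolicy: piv.PINPolicyAlways` changes what piv-go does for every existing configuration, not only the attestation-less ones the commit targets, and the hunk leaves no comment saying why. With an explicit policy of Always, piv-go will present `k.pin` before each signing operation; if the slot's key was generated with a PIN policy of Never and the KMS was configured without a PIN, signing that worked before this change can now fail with a "pin required" error — this is inferred from piv-go's documented behaviour and should be checked against v1.6.0. Also note that the value only tells the library when to send VERIFY; the policy enforced by the YubiKey is fixed when the key is generated and cannot be tightened from here. A short comment above the field would prevent the next reader from mistaking it for a hardening measure, e.g. `// Always send the PIN so piv-go does not need to read the attestation cert (which may be absent) to infer the slot's policy; the card-enforced policy is unchanged.` The enclosing `CreateSigner` begins and ends outside the hunk.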
From: Pierre Laden Date: Wed, 16 Sep 2020 22:26:53 +0200 Subject: [PATCH 6/8] fix #2 indentation --- kms/yubikey/yubikey.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kms/yubikey/yubikey.go b/kms/yubikey/yubikey.go index 732921c8..6f2a5c18 100644 --- a/kms/yubikey/yubikey.go +++ b/kms/yubikey/yubikey.go @@ -141,7 +141,7 @@ func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e } priv, err := k.yk.PrivateKey(slot, cert.PublicKey, piv.KeyAuth{ - PIN: k.pin, + PIN: k.pin, PINPolicy: piv.PINPolicyAlways, }) if err != nil { From 3e874a1e725fab04abbc4ccd9a6dd274ae1de43b Mon Sep 17 00:00:00 2001 From: max furman Date: Wed, 16 Sep 2020 20:53:58 -0700 Subject: [PATCH 7/8] Fix RHEL/CentOS install docs --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 05574c7c..80b1798c 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te - Can operate as [an online intermediate CA](./docs/questions.md#i-already-have-pki-in-place-can-i-use-this-with-my-own-root-certificate) for an existing root CA - [Badger, BoltDB, and MySQL database backends](https://github.com/smallstep/certificates/blob/master/docs/database.md) -### ⚙️ Many ways to automate +### ⚙️ Many ways to automate There are several ways to authorize a request with the CA and establish a chain of trust that suits your flow. @@ -165,7 +165,7 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages. 1. [Optional] Install `step`. - Download the Linux tarball from the + Download the Linux tarball from the [latest `step` release](https://github.com/smallstep/cli/releases/latest): ``` 
@@ -184,7 +184,7 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages. Download the Linux package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest): ``` - $ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz + $ wget -O step-ca.tar.gz https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-certificates_linux_X.Y.Z_amd64.tar.gz ``` Install `step-ca` by unzipping and copying the executable over to `/usr/bin`: From 87bbcee23960b9628d24c6724d7d625cd825b7dd Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Thu, 17 Sep 2020 11:17:46 -0700 Subject: [PATCH 8/8] Update go.sum --- go.sum | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go.sum b/go.sum index 8b390caa..71e693fa 100644 --- a/go.sum +++ b/go.sum @@ -129,6 +129,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8= github.com/go-piv/piv-go v1.5.0 h1:UtHPfrJsZKY+Z3UIjmJLh6DY+KtmNOl/9b/zt4N81pM= github.com/go-piv/piv-go v1.5.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk= +github.com/go-piv/piv-go v1.6.0 h1:F/z9VJw7SrLZvf5Ql7/vZ2m0xk/EoANfix3+J6HM05A= +github.com/go-piv/piv-go v1.6.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk= github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=