Mariano Cano
ac35f3489c
Remove unused certificate validators and modifiers
With the introduction of certificate templates some certificate
validators and modifiers are not used anymore. This commit deletes the
ones that are not used.
2023-03-31 14:54:49 -07:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2022-09-20 16:35:41 -07:00
Mariano Cano
34c6c65671
Pass attestation information to the Sign method
Attestation information might be useful in authorizing webhooks
2022-09-16 12:37:41 -07:00
Mariano Cano
21427d5d65
Replace instead of prepend provisioner extension
With non standard SANs this will generate the SAN and provisioner
extension in the same order.
2022-08-09 16:48:00 -07:00
Herman Slatman
6e1f8dd7ab
Refactor policy engines into container
2022-04-26 13:12:16 +02:00
Herman Slatman
571b21abbc
Fix (most) PR comments
2022-03-31 16:12:29 +02:00
Herman Slatman
613c99f00f
Fix linting issues
2022-03-24 13:10:49 +01:00
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
2022-03-24 12:36:12 +01:00
Mariano Cano
4690fa64ed
Add public methods to retrieve the provisioner extensions.
2022-03-11 14:59:42 -08:00
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level
2022-03-08 13:26:07 +01:00
Herman Slatman
88c7b63c9d
Split SSH user and cert policy configuration and execution
2022-02-01 15:18:39 +01:00
Herman Slatman
066bf32086
Fix part of PR comments
2022-01-25 15:00:07 +01:00
Herman Slatman
6440870a80
Clean up, improve test cases and coverage
2022-01-18 14:39:21 +01:00
Herman Slatman
1e808b61e5
Merge logic for X509 and SSH policy
2022-01-17 23:36:13 +01:00
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
2022-01-03 12:25:24 +01:00
Mariano Cano
c3f98fd04d
Change some bad requests to forbidden.
Change in the sign options bad requests to forbidden if the
provisioner is the one adding a restriction, e.g. list of dns names,
validity, ...
2021-11-24 11:32:35 -08:00
Mariano Cano
507a272b4d
Always return http errors in sign options.
2021-11-23 18:32:33 -08:00
Mariano Cano
b6ebd118fc
Update temporal solution for sending message to users
2021-11-18 18:47:55 -08:00
Mariano Cano
acd0bac025
Remove extra and in comment.
2021-11-17 12:03:29 -08:00
Mariano Cano
1aadd63cef
Always use badRequest on duration errors.
2021-11-17 12:00:54 -08:00
Mariano Cano
41fec1577d
Report duration errors directly to the cli.
2021-11-17 11:46:57 -08:00
Herman Slatman
d0a9cbc797
Change fmt to errors package for formatting errors
2021-05-07 00:22:06 +02:00
Herman Slatman
ff1b46c95d
Add configuration option for specifying the minimum public key length
Instead of using the defaultPublicKeyValidator a new validator called
publicKeyMinimumLengthValidator has been implemented that uses a
configurable minimum length for public keys in CSRs.
It's also an option to alter the defaultPublicKeyValidator to also
take a parameter, but that would touch quite some lines of code. This
might be a viable option after merging SCEP support.
2021-05-06 22:56:28 +02:00
max furman
16665c97f0
Allow empty SAN in CSR for validation ...
- The default template will always use the SANs from the token.
- If there are any SANs they must be validated against the token.
2021-01-14 15:26:46 -06:00
max furman
46fc922afd
Remove unused code; fix usage wrong word; add gap time for unit test
2020-08-20 18:48:17 -07:00
Mariano Cano
c8d225a763
Use x509util from go.step.sm/crypto/x509util
2020-08-05 16:02:46 -07:00
Mariano Cano
6c64fb3ed2
Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SignSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
0c8376a7f6
Fix existing unit tests.
2020-07-21 14:21:54 -07:00
Mariano Cano
4795e371bd
Add back the support for ca.json DN template.
2020-07-21 14:18:05 -07:00
Mariano Cano
95c3a41bf0
Rename UserData to TemplateData and fix unmarshaling.
2020-07-21 14:18:04 -07:00
Mariano Cano
9032018cf2
Convert x509util.WithOptions to new modifiers.
2020-07-21 14:18:04 -07:00
max furman
accf1be7e9
wip
2020-06-25 14:02:24 -07:00
max furman
71d87b4e61
wip
2020-06-24 23:25:15 -07:00
max furman
d25e7f64c2
wip
2020-06-24 09:58:40 -07:00
max furman
3636ba3228
wip
2020-06-23 17:13:39 -07:00
max furman
1951669e13
wip
2020-06-23 11:10:45 -07:00
max furman
7d5cf34ce5
Update profileLimitDuration validator ...
- respect notBefore of the provisioner
- modify/fix the reported errors
2020-06-16 12:16:43 -07:00
Oleksandr Kovalchuk
322200b7db
Implement modifier to set CommonName
Implement modifier which sets CommonName to the certificate if
CommonName is empty and forceCN is set in the config. Replace previous
implementation introduced in 0218018cee with new modifier.
Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
2020-05-17 20:23:13 +03:00
Mariano Cano
13507efb35
Remove the requirement for CSR to have a common name.
Fixes #226
2020-04-20 10:43:33 -07:00
Mariano Cano
bfe1f4952d
Rename interface to CertificateEnforcer and add tests.
2020-03-31 11:41:36 -07:00
Mariano Cano
64f26c0f40
Enforce a duration for identity certificates.
2020-03-30 17:33:04 -07:00
max furman
397a181d10
Add backdate validation to sshCertValidityValidator.
2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90
Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
93b65bee7c
Add unit test for profileDefaultDuration.
2020-01-28 13:29:39 -08:00
Mariano Cano
84ff172093
Add support for backdate to SSH certificates.
2020-01-28 13:29:39 -08:00
Mariano Cano
5565d61bf3
Add fault tolerance against clock skew across system on TLS certificates.
2020-01-28 13:29:39 -08:00
max furman
d368791606
Add x5c provisioner capabilities
2019-10-14 14:51:37 -07:00
max furman
2b41faa9cf
Enforce >= 2048 bit rsa keys at the provisioner layer
* Fixes #94
* In the future this should be configurable by provisioner
2019-08-27 14:44:59 -07:00
max furman
635c59ed24
Accept email SANs
2019-08-23 15:59:30 -07:00
Mariano Cano
900ab9cc12
Allow custom common names in cloud identity provisioners.
2019-07-15 15:52:36 -07:00