Mariano Cano
5a32401d23
Implement the kms.Decrypter with PKCS#11
...
This interface allows the use of SCEP with PKCS#11 modules.
2021-12-16 18:30:09 -08:00
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
2021-11-13 01:30:03 +01:00
Mariano Cano
7ec1424cb6
Fix help.
2021-10-29 14:47:57 -07:00
Mariano Cano
8366b7ddf1
Revert "Remove extractable from StoreCertificate."
...
This reverts commit 614ee79489
.
2021-10-29 14:45:10 -07:00
Mariano Cano
614ee79489
Remove extractable from StoreCertificate.
2021-10-29 12:02:24 -07:00
Mariano Cano
fa11e82b67
Add tests with extractable property.
2021-10-28 19:45:19 -07:00
Mariano Cano
886b9a1d8d
Store the certificate passed.
2021-10-28 18:16:16 -07:00
Mariano Cano
aa80bf9f07
Merge branch 'smallstep_master' into extractable
2021-10-28 18:11:42 -07:00
Mariano Cano
6be383da34
Refactor pkcs#11 extractable certs and keys.
2021-10-28 18:04:11 -07:00
Mariano Cano
bef50bd7d9
Fix typo in variable name.
2021-10-26 17:57:59 -07:00
Mariano Cano
ead394fba7
Add strategy to retry the sign operation if the key is not yet ready
2021-10-20 18:09:50 -07:00
Mariano Cano
edd475b81b
Allow to configure azurekms using the URI
...
With an URI, azurekms can be configured with client credentials,
and it can define a default vault and protection level.
2021-10-12 18:24:58 -07:00
Mariano Cano
44f0d61354
Fix typo.
2021-10-12 15:41:41 -07:00
Mariano Cano
a2b03083c8
Fix gocritic warnings.
2021-10-12 15:28:08 -07:00
Mariano Cano
2aee71b4c0
Fix typo.
2021-10-12 15:18:17 -07:00
Mariano Cano
e15b5faf7d
Merge branch 'master' into keyvault
2021-10-12 15:15:35 -07:00
Mariano Cano
5d0bd7d155
Fix grammar in comments.
2021-10-12 15:14:01 -07:00
max furman
5fc24c697c
Fix a few more linter warnings and remove GOFLAGS from make lint
2021-10-08 15:26:01 -04:00
max furman
933b40a02a
Introduce gocritic linter and address warnings
2021-10-08 14:59:57 -04:00
Mariano Cano
f6e69bf826
Fix typo.
2021-10-07 17:37:47 -07:00
Mariano Cano
c638c282d8
Add omitempty to KMS options.
2021-10-07 17:30:28 -07:00
Mariano Cano
822a1e3bdb
Add variable with the default implementation.
2021-10-07 17:23:56 -07:00
Mariano Cano
2240ebbadc
Add NameValidator interface and implement it for azurekms.
2021-10-07 17:19:55 -07:00
Mariano Cano
abdb56065d
Allow o specify an hsm using the uri.
2021-10-07 16:18:36 -07:00
Mariano Cano
f1ef3fb351
Add GetBool(s string) bool to URI type.
2021-10-07 15:48:11 -07:00
Mariano Cano
500b540406
Remove unused code.
2021-10-07 15:35:21 -07:00
Mariano Cano
2026787ce4
Add some extra coverage.
2021-10-07 15:01:11 -07:00
Mariano Cano
08c9902f29
Add new alias in the kms package.
2021-10-06 18:42:01 -07:00
Mariano Cano
505b1f3678
Add new test case with a version in the opaque string.
2021-10-06 18:41:31 -07:00
Mariano Cano
d2581489a3
Redefine uris and set proper type.
...
URIs will now have the form:
- azurekms:name=my-key;vault=my-vault
- azurekms:name=my-key;vault=my-vault?version=my-version
2021-10-06 18:39:12 -07:00
Mariano Cano
656099c4f0
Add type for azurekms.
2021-10-06 18:38:32 -07:00
Mariano Cano
56c3559e52
Add some extra coverage.
2021-10-05 20:41:55 -07:00
Mariano Cano
6389100325
Add unit tests for azurekms.
2021-10-05 20:35:52 -07:00
Mariano Cano
97d08a1b61
Fix typos.
2021-10-05 17:11:23 -07:00
Mariano Cano
392a18465f
Add initial implementation of Azure Key Vault KMS.
...
Fixes #462
2021-10-05 17:06:17 -07:00
Mariano Cano
6d644880bd
Allow to kms signers to define the SignatureAlgorithm
...
CloudKMS keys signs data using an specific signature algorithm, in RSA keys,
this can be PKCS#1 RSA or RSA-PSS, if the later is used, x509.CreateCertificate
will fail unless the template SignatureCertificate is properly set.
On contrast, AWSKMS RSA keys, are just RSA keys, and can sign with PKCS#1 or
RSA-PSS schemes, so right now the way to enforce one or the other is to used
templates.
2021-09-08 17:48:50 -07:00
max furman
8ba9013f5d
gofmt linting errors
2021-09-07 11:35:51 -07:00
max furman
8bec473f8e
fix gofmt linting errors
2021-09-07 11:30:35 -07:00
Mariano Cano
abd78e2d2a
Make kms uri compatible with Go 1.17.
...
Go 1.17 introduces a change in the net/url package disallowing the
use of semicolon (;) in URL queries. We used url.ParseQuery to
decode the opaque string that is semicolon separated. This change
replaces the semicolon with ampersands before decoding it.
2021-08-17 13:25:55 -07:00
Mariano Cano
a864f0134d
Fix key version when SHA512WithRSA is used.
...
There was a typo creating RSA keys with SHA256 digests instead of
SHA512
2021-08-16 14:47:38 -07:00
Gary Belvin
22b471acf9
Extractable certs
2021-06-17 09:29:38 -04:00
Gary Belvin
be89459524
Set key export bit
2021-06-17 09:29:32 -04:00
Mariano Cano
c4d0c8a18e
Fix credentials file parameter on awskms
2021-06-11 21:40:04 -07:00
Herman Slatman
877fc9ae8c
Add tests for CreateDecrypter
2021-05-07 15:32:07 +02:00
Herman Slatman
68d5f6d0d2
Merge branch 'master' into hs/scep
2021-04-29 22:18:00 +02:00
Mariano Cano
180b5c3e3c
Fix typo.
2021-04-21 16:20:53 -07:00
Herman Slatman
583d60dc0d
Address (most) PR comments
2021-03-21 16:42:41 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
7948f65ac0
Merge branch 'master' into hs/scep
2021-02-26 00:41:33 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority
2021-02-26 00:32:21 +01:00