Commit graph

1233 commits

Author SHA1 Message Date
David Cowden
a26b5f322d acme/api: Brush up documentation on key-change
Add more specific wording describing what a 501 means and add more color
explaining how official vs unofficial error types should be handled.
2020-05-28 11:22:37 -07:00
Mariano Cano
2ca63a9ff5
Merge pull request #267 from smallstep/awskms
AWS KMS support
2020-05-26 16:00:34 -07:00
Mariano Cano
26c89cf779 Rename method. 2020-05-26 14:34:47 -07:00
Mariano Cano
7a985b1470 Fix usage, remove unsupported flag. 2020-05-26 14:26:05 -07:00
Mariano Cano
df3e9c0cd6 Add full version of the license. 2020-05-26 12:21:09 -07:00
Mariano Cano
4ac51dd508
Merge pull request #274 from smallstep/oidc-raw-locals
Allow dots and other symbols in principals for OIDC
2020-05-26 11:28:30 -07:00
Mariano Cano
6c9cd7050c Add test with query strings. 2020-05-26 11:13:07 -07:00
Mariano Cano
dfe8e11e44 Remove anchor from link. 2020-05-26 10:55:26 -07:00
Mariano Cano
3246a3e81f Add missing test case. 2020-05-26 10:22:15 -07:00
David Cowden
b26e6e42b3 acme: Return 501 for the key-change route
RFC 8555 § 7.3.5 is not listed as optional but we do not currently
support it. Rather than 404, return a 501 to inform clients that this
functionality is not yet implemented.

The notImplmented error type is not an official error registered in the
ietf:params:acme:error namespace, so prefix if with step:acme:error. An
ACME server is allowed to return other errors and clients should display
the message detail to users.

Fixes: https://github.com/smallstep/certificates/issues/209
2020-05-26 01:47:08 -07:00
Max
ab0f2aedcc
Merge pull request #268 from smallstep/max/acme-nbf
Set nbf and nbf for ACME orders even when they are not set in the request.

Closes #92
2020-05-22 10:38:01 -07:00
max furman
6e69f99310 Always set nbf and naf for new ACME orders ...
- Use the default value from the ACME provisioner if values are not
defined in the request.
2020-05-22 10:31:58 -07:00
Mariano Cano
0b5fd156e8 Add a third principal on OIDC tokens with the raw local part of the email.
For the email first.last@example.com it will create the principals
  ["firstlast", "first.last", "first.last@example.com"]

Fixes #253, #254
2020-05-21 12:09:11 -07:00
Mariano Cano
7104588fcb Fix linter error. 2020-05-20 17:58:37 -07:00
Mariano Cano
f006cca87a Use Go 1.14. 2020-05-20 17:45:57 -07:00
Mariano Cano
aaf71ce66a Add unit tests for awskms. 2020-05-20 17:04:01 -07:00
Mariano Cano
d4cb9f4ac7 Define an interface for kms operations.
This interface will be used for unit testing.
2020-05-20 12:43:14 -07:00
Mariano Cano
deac15327f Add docs for AWS KMS. 2020-05-20 12:30:32 -07:00
Josh Hogle
e9b500daf2 Updated error message 2020-05-20 14:43:25 -04:00
Josh Hogle
044d00045a Fixed missing initialization of IMDS versions 2020-05-20 13:24:45 -04:00
Josh Hogle
18ac5c07e2 Added support for specifying IMDS version preference 2020-05-20 13:15:51 -04:00
Josh Hogle
8c6a46887b Added token URL fixes to tests 2020-05-20 09:39:19 -04:00
Josh Hogle
226cc6ab48 reverted 2020-05-20 09:32:04 -04:00
Josh Hogle
dd27901b12 Moved token URL and TTL to config values 2020-05-20 09:03:35 -04:00
Josh Hogle
bbbe4738c7 Added status code checking 2020-05-19 23:57:09 -04:00
Mariano Cano
82fb96588e Fix unit tests. 2020-05-19 17:45:15 -07:00
Mariano Cano
5b680b2349 Add initialization script for an AWS KMS. 2020-05-19 17:35:58 -07:00
Mariano Cano
c32abb76cd Add initial implementation to support AWS KMS. 2020-05-19 17:35:36 -07:00
Mariano Cano
b0f768a3fb Add implementation of URIs for KMS.
Implementation is based on the PKCS #11 URI Scheme RFC
https://tools.ietf.org/html/rfc7512
2020-05-19 17:32:52 -07:00
Josh Hogle
af0f21d744 added support for IMDSv2 API 2020-05-19 18:42:12 -04:00
Mariano Cano
2bc69d3edd
Merge pull request #252 from smallstep/yubikey
Yubikey support
2020-05-19 13:47:33 -07:00
Mariano Cano
89e164dad6 Add AuthorityKeyId to cloudkms root cert. 2020-05-19 13:15:09 -07:00
Mariano Cano
97508ca215 Add AuthorityKeyId to root certificate.
Fix error string.
2020-05-19 13:05:55 -07:00
Max
ba91f4ed13
Merge pull request #260 from anxolerd/feat-force-cn-if-empty
[Feature] Force CommonName for certificates from ACME provisioner
2020-05-18 14:40:01 -07:00
Oleksandr Kovalchuk
4cd01b6868
Implement tests for forceCNOption modifier
Implement unit tests which checks forceCNOption modifier (implemented
in 322200b7db) is not broken and works
correctly.

Ref: https://github.com/smallstep/certificates/issues/259
2020-05-17 20:29:28 +03:00
Oleksandr Kovalchuk
893a53793a
Modify existing tests to accept forceCNOption modifier
Modify existing tests to pass with changes introduced in commit
322200b7db. This is safe to do as
tests assert exact length of modifiers, which has changed.
2020-05-17 20:27:09 +03:00
Oleksandr Kovalchuk
322200b7db
Implement modifier to set CommonName
Implement modifier which sets CommonName to the certificate if
CommonName is empty and forceCN is set in the config. Replace previous
implementation introduced in 0218018cee
with new modifier.

Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
2020-05-17 20:23:13 +03:00
Mariano Cano
3e40cb89a7 Add some docs for YubiKey configuration. 2020-05-15 12:24:25 -07:00
Mariano Cano
d95c055163 piv-go requires libpcsclite-dev on linux. 2020-05-15 11:40:26 -07:00
Mariano Cano
03a6789f0e Fix compile errors without cgo support. 2020-05-15 11:33:22 -07:00
Mariano Cano
012a4734bf Add better messaging when yubikey is not detected. 2020-05-15 11:33:04 -07:00
Mariano Cano
7d61c0003c Enable softkms and cloudkms. 2020-05-15 11:32:12 -07:00
Max
ae15573f93
Merge pull request #249 from smallstep/clive-jevons/dynamic-host-detection-for-acme-directory
dynamic host detection for acme directory

Closes #235, #193
2020-05-14 17:40:01 -07:00
max furman
e1409349f3 Allow relative URL for all links in ACME api ...
* Pass the request context all the way down the ACME stack.
* Save baseURL in context and use when generating ACME urls.
2020-05-14 17:32:54 -07:00
Oleksandr Kovalchuk
0218018cee
Generate Subject if forceCN and Subject is empty
When `forceCN` is set in provisioner configuration and
Subject.CommonName is empty, set Subject.CommonName to the first SAN
from the CSR to follow the letsencrypt's boulder behavior. This is done
in order to support system which require certificate's Subject field to
be non-empty.

N.B. certbot does not send Subject in its certificate request and relies
on similar behavior of letsencrypt.

Closes https://github.com/smallstep/certificates/issues/259
2020-05-14 13:23:42 +03:00
Oleksandr Kovalchuk
503c9f6101
Add config option to force CN
Add configuration option `forceCN` to ACME provisioner. When this option
is set to `true`, provisioner should generate Subject.CommonName for
certificate if it was not present in the request. Default value of
`false` should keep the existing behavior (do not modify CSR and
certificate).

Ref: https://github.com/smallstep/certificates/issues/259
2020-05-14 13:20:55 +03:00
Clive Jevons
639993bd09 Read host and protocol information from request for links
When constructing links we want to read the required host and protocol
information in a dynamic manner from the request for constructing ACME
links such as the directory information. This way, if the server is
running behind a proxy, and we don't know what the exposed URL should
be at runtime, we can construct the required information from the
host, tls and X-Forwarded-Proto fields in the HTTP request.
Inspired by the LetsEncrypt Boulder project (web/relative.go).
2020-05-12 16:58:12 -07:00
Mariano Cano
025c0aa20f Display the proper yubikey uri. 2020-05-11 19:42:21 -07:00
Mariano Cano
22b86c3fcc Only rewrite keys with --force. 2020-05-11 19:40:12 -07:00
Mariano Cano
63e36ecd7a Refactor the initialization of KeyManagers. 2020-05-11 18:47:22 -07:00