Commit graph

92 commits

Author SHA1 Message Date
Herman Slatman
ef16febf40
Refactor ACME EAB queries
The ACME EAB keys are now also indexed by the provisioner. This
solves part of the issue in which too many EAB keys may be in
memory at a given time.
2022-01-07 16:59:55 +01:00
Herman Slatman
f9ae875f9d
Use short if-style statements 2021-12-20 14:30:01 +01:00
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab 2021-12-09 13:58:40 +01:00
Herman Slatman
0524122191
Remove authorization flow for different Account private keys
As discussed in https://github.com/smallstep/certificates/issues/767,
we opted for not including this authorization flow to prevent users
from getting OOMs. We can add the functionality back when the
underlying data store can provide access to a long list of
Authorizations more efficiently, for example when a callback is
implemented.
2021-12-08 16:28:14 +01:00
Herman Slatman
2215a05c28
Add tests for ACME EAB Admin
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.

At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
2021-12-08 15:19:38 +01:00
Herman Slatman
9885d42711
Fix linting issues 2021-12-07 16:28:06 +01:00
Herman Slatman
6e11657204
Refactor creation of (raw) EAB JWS contents 2021-12-07 14:57:39 +01:00
Herman Slatman
23898e9b76
Improve EAB JWS validation and increase test coverage 2021-12-07 12:17:41 +01:00
Herman Slatman
d0c23973cc
Merge branch 'master' into hs/acme-eab 2021-12-06 13:01:23 +01:00
Herman Slatman
004fc054d5
Fix PR comments 2021-12-03 15:06:28 +01:00
Herman Slatman
06bb97c91e
Add logic for Account authorizations and improve tests 2021-12-02 16:25:35 +01:00
Herman Slatman
bae1d256ee
Improve tests for JWK vs. KID revoke auth flow
The logic for both test cases is fairly similar, but with some
small differences. Made those clearer by means of some comments.
Also added some comments to the middleware logic that decided
whether to extract JWK or lookup by KID.
2021-12-02 10:59:56 +01:00
Herman Slatman
a7fbbc4748
Add tests for GetCertificateBySerial 2021-11-28 21:20:57 +01:00
Herman Slatman
4d01cf8135
Increase test code coverage 2021-11-28 20:30:36 +01:00
Herman Slatman
2d357da99b
Add tests for ACME revocation 2021-11-26 17:27:42 +01:00
Herman Slatman
ed295ca15d
Fix linting issue 2021-11-25 00:44:21 +01:00
Herman Slatman
2d50c96d99
Merge branch 'master' into hs/acme-revocation 2021-11-19 17:00:18 +01:00
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues 2021-11-13 01:30:03 +01:00
Herman Slatman
c7a9c13060
Add tests for extractOrLookupJWK middleware 2021-11-12 16:37:44 +01:00
Herman Slatman
3151255a25
Merge branch 'master' into hs/acme-revocation 2021-10-30 15:41:29 +02:00
Herman Slatman
dd4b4b0435
Fix remaining gocritic remarks 2021-10-11 23:34:23 +02:00
Herman Slatman
e0b495e4c8
Merge branch 'master' into hs/acme-eab 2021-10-09 01:06:49 +02:00
max furman
933b40a02a Introduce gocritic linter and address warnings 2021-10-08 14:59:57 -04:00
Herman Slatman
0afea2e957
Improve tests for already bound EAB keys 2021-10-08 13:19:35 +02:00
Herman Slatman
02cd3b6b3b
Fix PR comments 2021-09-16 23:09:24 +02:00
Herman Slatman
a98fe03e80
Merge branch 'master' into hs/acme-eab 2021-08-27 12:50:19 +02:00
Herman Slatman
1dba8698e3
Use LinkedCA.EABKey type in ACME EAB API 2021-08-27 12:39:37 +02:00
Mariano Cano
470b546d59
Merge pull request #557 from joejulian/http01-isv
use InsecureSkipVerify for validation
2021-08-26 18:06:57 -07:00
Herman Slatman
f31ca4f6a4
Add tests for validateExternalAccountBinding 2021-08-10 12:39:44 +02:00
Herman Slatman
492256f2d7
Add first test cases for EAB and make provisioner unique per EAB
Before this commit, EAB keys could be used CA-wide, meaning that
an EAB credential could be used at any ACME provisioner. This
commit changes that behavior, so that EAB credentials are now
intended to be used with a specific ACME provisioner. I think
that makes sense, because from the perspective of an ACME client
the provisioner is like a distinct CA.

Besides that this commit also includes the first tests for EAB.
The logic for creating the EAB JWS as a client has been taken
from github.com/mholt/acmez. This logic may be moved or otherwise
sourced (i.e. from a vendor) as soon as the step client also
(needs to) support(s) EAB with ACME.
2021-08-09 10:37:32 +02:00
Herman Slatman
c6bfc6eac2
Fix PR comments 2021-07-22 23:48:41 +02:00
Herman Slatman
d669f3cb14
Fix misspelling 2021-07-17 20:39:12 +02:00
Herman Slatman
540d5fbbdc
Fix marshaling -> marshalling 2021-07-17 20:35:44 +02:00
Herman Slatman
2110c7722f
Fix JWK payload key equality check 2021-07-17 20:29:12 +02:00
Herman Slatman
d44cd18b96
Add External Accounting Binding key "BoundAt" marking 2021-07-17 19:02:47 +02:00
Herman Slatman
f81d49d963
Add first working version of External Account Binding 2021-07-17 17:35:44 +02:00
Herman Slatman
258efca0fa
Improve revocation authorization 2021-07-10 00:28:31 +02:00
Herman Slatman
2b15230aa4
Add Serial to Cert ID ACME table and lookup 2021-07-09 17:51:31 +02:00
Herman Slatman
8f7e700f09
Merge branch 'master' into hs/acme-revocation 2021-07-09 11:22:25 +02:00
max furman
857a50434c Merge branch 'master' into max/cert-mgr-crud 2021-07-08 16:25:52 -07:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
Herman Slatman
0e56932e76
Add support for revocation using JWK 2021-07-03 01:57:27 +02:00
Herman Slatman
84e7d468f2
Improve handling of ACME revocation 2021-07-03 00:21:17 +02:00
Herman Slatman
d53bcaf830
Add base logic for ACME revoke-cert 2021-07-02 22:51:15 +02:00
Herman Slatman
64c15fde7e
Add tests for canonicalize function 2021-06-25 14:07:40 +02:00
Herman Slatman
523ae96749
Change identifier and challenge types to consts 2021-06-18 12:39:36 +02:00
Herman Slatman
84ea8bd67a
Fix PR comments 2021-06-18 12:03:46 +02:00
Herman Slatman
76dcf542d4
Fix mixed DNS and IP SANs in Order 2021-06-03 22:45:24 +02:00
Herman Slatman
a0e92f8e99
Verify IP identifier contains valid IP 2021-06-03 22:02:13 +02:00
Herman Slatman
6486e6016b
Make logic for which challenge types to use clearer 2021-05-29 00:37:22 +02:00