Mariano Cano
0f651799d0
Reject not enabled attestation formats
2022-09-08 17:38:05 -07:00
Mariano Cano
fd4e96d1f4
Rename method to IsChallengeEnabled
2022-09-08 13:22:35 -07:00
Mariano Cano
c77b4ff9c5
Fix linter errors
2022-09-08 12:49:16 -07:00
Mariano Cano
59c5219a07
Use a type for acme challenges
2022-09-08 12:34:06 -07:00
Mariano Cano
a89bea701d
Format comment
2022-09-08 11:06:17 -07:00
Mariano Cano
5df9434286
Fix old comment, device-attest-01 uses the acme payload
2022-09-08 10:59:51 -07:00
Mariano Cano
c5d3714a63
Fix acme error map
2022-09-08 10:48:17 -07:00
Mariano Cano
08815c5e90
Reneame attestation statement error
2022-09-08 10:46:58 -07:00
Mariano Cano
3cd72ac72a
Remove debug statements
2022-09-08 10:44:48 -07:00
Mariano Cano
e75e7e7cd6
Fix linter warnings
2022-09-01 16:18:13 -07:00
Mariano Cano
54d92095ac
Validate proof of possession signature
...
On the step format, validate proof of possession of the private
key validating the signature in the attestation statement.
2022-09-01 10:45:31 -07:00
Mariano Cano
59b7603d1e
Use a clientAuth only cert for device-attest-01
2022-08-30 16:09:44 -07:00
Mariano Cano
ca412e77cc
Return error on attestation validation
...
The method storeError returns a nil error
2022-08-29 20:03:34 -07:00
Mariano Cano
ab5f916bd3
Define ErrorBadAttestationStatement
2022-08-29 20:02:43 -07:00
Mariano Cano
735c9d49b0
Add support for yubikey attestation
2022-08-29 19:37:30 -07:00
Mariano Cano
df96b126dc
Add AuthorizeChallenge unit tests
2022-08-24 12:31:09 -07:00
Mariano Cano
bca311b05e
Add acme property to enable challenges
...
Fixes #1027
2022-08-23 17:11:40 -07:00
Mariano Cano
ae8d4d8757
Fix unit test
2022-08-23 17:01:15 -07:00
Mariano Cano
693dc39481
Merge branch 'master' into device-attestation
2022-08-22 17:59:17 -07:00
Mariano Cano
23b8f45b37
Address gosec warnings
...
Most if not all false positives
2022-08-18 17:46:20 -07:00
max furman
c040e4b459
Add unit tests
2022-08-16 15:48:23 -07:00
max furman
b7c2f6c482
Check for DNS name validity
2022-08-16 00:12:31 -07:00
Mariano Cano
b62f4d1000
Add lgtm comments on some security warnings
2022-08-11 17:32:57 -07:00
Mariano Cano
2f7cb9225f
Use go.step.sm/crypto to set the permanent identifier
2022-08-10 17:38:18 -07:00
Mariano Cano
2ab1e6658e
Fix nonce validation
...
The attestation certificate contains the nonce as raw bytes in the
extension 1.2.840.113635.100.8.11.1
2022-08-09 15:06:52 -07:00
Mariano Cano
66356cff43
Add attestation certificate validation for Apple devices
2022-07-14 17:10:03 -07:00
Brandon Weeks
274f6ccb41
iOS 16 beta 2 support
2022-06-23 05:43:24 +10:00
Brandon Weeks
7e1b0bebd9
iOS 16 beta 1 support
2022-06-23 05:19:36 +10:00
Brandon Weeks
77c6d10fd6
Verify key authorization is contained within the TPM quote extraData field
2022-06-23 05:19:36 +10:00
Brandon Weeks
e1ec31c0ed
Implement TPM attestation statement verification
2022-06-23 05:19:36 +10:00
Brandon Weeks
2ac8b69da2
Add ACME permanent-identifier identifier type
2022-06-23 05:19:36 +10:00
Brandon Weeks
aacd6f4cc6
Add device-attest-01 challenge type
2022-06-23 05:19:36 +10:00
Brandon Weeks
860baeb1c5
Verbose debug logging
2022-06-23 05:19:36 +10:00
Shulhan
fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19)
...
There are some changes that manually edited, for example using '-' as
default list and grouping imports.
2022-06-16 01:28:59 +07:00
Herman Slatman
abfbbc8d49
Merge pull request #946 from smallstep/herman/acme-csr-padding
...
Strip base64-url padding from ACME CSR
2022-05-25 23:25:34 +02:00
Herman Slatman
fd546287ac
Strip base64-url padding from ACME CSR
...
This commit strips the padding from a base64-url encoded CSR
submitted by a client that doesn't use raw base64-url encoding.
2022-05-25 22:46:26 +02:00
Mariano Cano
e7f4eaf6c4
Remove explicit deprecation notice
...
This will avoid linter errors on other projects for now.
2022-05-23 14:04:31 -07:00
Mariano Cano
d461918eb0
Merge branch 'master' into context-authority
2022-05-06 13:21:41 -07:00
Mariano Cano
2ea0c70344
Move acme context middleware to deprecated handler
2022-05-05 12:25:07 -07:00
Mariano Cano
9147356d8a
Fix linter errors
2022-05-02 18:47:47 -07:00
Mariano Cano
2ab7dc6f9d
Fix acme tests.
2022-05-02 18:09:26 -07:00
Mariano Cano
ba499eeb2a
Fix acme/api tests.
2022-05-02 17:40:10 -07:00
Mariano Cano
6f9d847bc6
Fix panic in acme/api tests.
2022-05-02 17:35:35 -07:00
Herman Slatman
d82e51b748
Update AllowWildcardNames configuration name
2022-04-29 15:08:19 +02:00
Mariano Cano
d1f75f1720
Refactor ACME api.
2022-04-28 19:15:18 -07:00
Mariano Cano
fddd6f7d95
Move linker to the acme package.
2022-04-28 15:15:50 -07:00
Mariano Cano
55b0f72821
Add context methods for the acme linker.
2022-04-28 15:14:15 -07:00
Mariano Cano
bb8d85a201
Fix unit tests - work in progress
2022-04-27 19:08:16 -07:00
Mariano Cano
42435ace64
Use scep authority from context
...
This commit also converts all the methods from the handler to
functions.
2022-04-27 18:06:53 -07:00
Mariano Cano
d13537d426
Use context in the acme handlers.
2022-04-27 15:42:26 -07:00
Mariano Cano
bd412c9f42
Add context methods for the acme database
2022-04-27 12:11:00 -07:00
Herman Slatman
6e1f8dd7ab
Refactor policy engines into container
2022-04-26 13:12:16 +02:00
Herman Slatman
2a7620641f
Fix more PR comments
2022-04-26 10:15:17 +02:00
Herman Slatman
fb81407d6f
Fix ACME policy comments
2022-04-21 13:21:06 +02:00
Herman Slatman
7f9034d22a
Add additional policy options
2022-04-19 10:24:52 +02:00
Herman Slatman
a9f033ece5
Fix JSON property name for ACME policy
2022-04-15 10:58:40 +02:00
Herman Slatman
256fe113f7
Improve tests for ACME account policy
2022-04-11 15:25:55 +02:00
Herman Slatman
034b7943fe
Merge branch 'master' into herman/allow-deny
2022-04-07 14:12:20 +02:00
Herman Slatman
7df52dbb76
Add ACME EAB policy
2022-04-07 14:11:53 +02:00
Herman Slatman
479c6d2bf5
Fix ACME IPv6 HTTP-01 challenges
...
Fixes #890
2022-04-07 12:37:34 +02:00
Herman Slatman
2fbdf7d5b0
Merge branch 'master' into herman/allow-deny
2022-03-30 14:50:14 +02:00
Panagiotis Siatras
00634fb648
api/render, api/log: initial implementation of the packages ( #860 )
...
* api/render: initial implementation of the package
* acme/api: refactored to support api/render
* authority/admin: refactored to support api/render
* ca: refactored to support api/render
* api: refactored to support api/render
* api/render: implemented Error
* api: refactored to support api/render.Error
* acme/api: refactored to support api/render.Error
* authority/admin: refactored to support api/render.Error
* ca: refactored to support api/render.Error
* ca: fixed broken tests
* api/render, api/log: moved error logging to this package
* acme: refactored Error so that it implements render.RenderableError
* authority/admin: refactored Error so that it implements render.RenderableError
* api/render: implemented RenderableError
* api/render: added test coverage for Error
* api/render: implemented statusCodeFromError
* api: refactored RootsPEM to work with render.Error
* acme, authority/admin: fixed pointer receiver name for consistency
* api/render, errs: moved StatusCoder & StackTracer to the render package
2022-03-30 11:22:22 +03:00
Herman Slatman
b49307f326
Fix ACME order tests with mock ACME CA
2022-03-24 18:34:04 +01:00
Herman Slatman
9e0edc7b50
Add early authority policy evaluation to ACME order API
2022-03-24 14:55:40 +01:00
Herman Slatman
101ca6a2d3
Check admin subjects before changing policy
2022-03-21 15:53:59 +01:00
Herman Slatman
3ec9a7310c
Fix ACME order identifier allow/deny check
2022-03-08 14:17:59 +01:00
Herman Slatman
af53a17bb4
Merge branch 'master' into herman/allow-deny
2022-03-07 14:13:13 +01:00
Herman Slatman
b6f6bd879c
Fix PR comment and add tests for ACME prerequisites checker
2022-03-03 13:00:20 +01:00
Herman Slatman
e47dd0a666
Add ACME configuration prerequisites check
2022-02-28 16:08:00 +01:00
Herman Slatman
c3c6f3da72
Merge branch 'master' into herman/allow-deny
2022-02-22 17:36:56 +01:00
Herman Slatman
bfa2245abb
Merge branch 'master' into herman/normalize-ipv6-dns-names
2022-02-03 17:24:08 +01:00
Herman Slatman
1fe7362bee
Normalize IPv6 addresses in ACME linker
2022-02-03 13:55:15 +01:00
Herman Slatman
c1424036bf
Merge branch 'master' into herman/allow-deny
2022-01-31 14:24:34 +01:00
Herman Slatman
bf21319e76
Fix PR comments and issue with empty string slices
2022-01-28 13:26:56 +01:00
Herman Slatman
fd9845e9c7
Add cursor and limit to ACME EAB DB interface
2022-01-24 14:03:56 +01:00
Herman Slatman
c3f2fd8ef0
Add RW locks to prevent concurrent updates to the DB
...
Although this may slow certain API calls down and may not be, strictly
necessary, I think it's best to put all the ACME EAB operations behind
RW locks to prevent concurrent updates to the DB and guarantee
consistent result sets.
2022-01-20 17:25:15 +01:00
Herman Slatman
868cc4ad7f
Increase test coverage for additional indexes
2022-01-20 17:06:23 +01:00
Herman Slatman
c0eb420806
Remove special case for empty slices
2022-01-20 11:03:49 +01:00
Herman Slatman
6440870a80
Clean up, improve test cases and coverage
2022-01-18 14:39:21 +01:00
Herman Slatman
ef16febf40
Refactor ACME EAB queries
...
The ACME EAB keys are now also indexed by the provisioner. This
solves part of the issue in which too many EAB keys may be in
memory at a given time.
2022-01-07 16:59:55 +01:00
Herman Slatman
30859d3c83
Remove server-side paging logic for ExternalAccountKeys
2022-01-06 14:09:35 +01:00
Herman Slatman
9539729bd9
Add initial implementation of x509 and SSH allow/deny policy engine
2022-01-03 12:25:24 +01:00
Herman Slatman
11a7f01177
Simplify lookup cursor logic for ExternalAccountKeys
2021-12-22 15:42:49 +01:00
Herman Slatman
22ff90f655
Merge branch 'master' into hs/acme-eab
2021-12-22 12:54:41 +01:00
Herman Slatman
a5f2f004e3
Change name of IP Common Name test for clarity
2021-12-20 18:55:23 +01:00
Herman Slatman
f9ae875f9d
Use short if-style statements
2021-12-20 14:30:01 +01:00
Herman Slatman
80bebda69c
Fix code style issue
2021-12-20 13:40:17 +01:00
Herman Slatman
bc0875bd7b
Disallow email address and URLs in the CSR
...
Before this commit `step` would allow email addresses and URLs
in the CSR. This doesn't fit nicely with the rest of ACME, in which
identifiers need to be authorized before a certificate is issued.
2021-12-13 16:14:39 +01:00
Herman Slatman
13a31fd862
Merge branch 'master' into herman/ip-sans-improvements
2021-12-13 16:04:53 +01:00
Herman Slatman
ca707cbe05
Fix linting
2021-12-13 16:01:40 +01:00
Herman Slatman
a5d33512fe
Fix test
2021-12-13 15:59:01 +01:00
Herman Slatman
a2c9b5cd7e
Allow IP identifiers in subject, including authorization enforcement
...
To support IPs in the subject using `step-cli`, this PR ensures that
Subject Common Names that can be parsed as an IP are also checked
to have been authorized before.
The PR for `step-cli` is here: github.com/smallstep/cli/pull/576.
2021-12-13 15:34:56 +01:00
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab
2021-12-09 13:58:40 +01:00
Herman Slatman
63371a8fb6
Add additional tests for ACME EAB Admin
2021-12-09 13:46:47 +01:00
Herman Slatman
0524122191
Remove authorization flow for different Account private keys
...
As discussed in https://github.com/smallstep/certificates/issues/767 ,
we opted for not including this authorization flow to prevent users
from getting OOMs. We can add the functionality back when the
underlying data store can provide access to a long list of
Authorizations more efficiently, for example when a callback is
implemented.
2021-12-08 16:28:14 +01:00
Herman Slatman
2215a05c28
Add tests for ACME EAB Admin
...
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.
At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
2021-12-08 15:19:38 +01:00
Herman Slatman
9885d42711
Fix linting issues
2021-12-07 16:28:06 +01:00
Herman Slatman
6e11657204
Refactor creation of (raw) EAB JWS contents
2021-12-07 14:57:39 +01:00
Herman Slatman
23898e9b76
Improve EAB JWS validation and increase test coverage
2021-12-07 12:17:41 +01:00
Herman Slatman
d0c23973cc
Merge branch 'master' into hs/acme-eab
2021-12-06 13:01:23 +01:00