Commit graph

99 commits

Author SHA1 Message Date
max furman
1df21b9b6a Addressing comments in PR review
- added a bit of validation to admin create and update
- using protojson where possible in admin api
- fixing a few instances of admin -> acme in errors
2021-07-06 17:14:13 -07:00
max furman
77fdfc9fa3 Merge branch 'master' into max/cert-mgr-crud 2021-07-02 20:26:46 -07:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
Herman Slatman
13fe7a0121 Make serving SCEP endpoints optional
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.

The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-05-26 16:13:57 -07:00
Herman Slatman
97b88c4d58 Address (most) PR comments 2021-05-26 16:12:57 -07:00
Herman Slatman
be528da709 Make tests green 2021-05-26 16:10:22 -07:00
Herman Slatman
57a62964b1 Make tests not fail hard on ECDSA keys
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
2021-05-26 16:10:22 -07:00
Herman Slatman
491c2b8d93 Improve initialization of SCEP authority 2021-05-26 16:10:21 -07:00
Herman Slatman
2d85d4c1c1 Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-05-26 16:09:38 -07:00
Herman Slatman
e7cb80f880 Fix linter issues 2021-05-26 16:08:24 -07:00
Herman Slatman
2a249d20de Refactor initialization of SCEP authority 2021-05-26 16:04:19 -07:00
Herman Slatman
339039768c Refactor SCEP authority initialization and clean some code 2021-05-26 16:00:08 -07:00
Herman Slatman
48c86716a0 Add rudimentary (and incomplete) support for SCEP 2021-05-26 15:58:04 -07:00
max furman
94ba057f01 wip 2021-05-26 14:55:31 -07:00
max furman
01a4460812 wip 2021-05-25 21:13:01 -07:00
max furman
5929244fda wip 2021-05-20 13:12:02 -07:00
max furman
9bf9bf142d wip 2021-05-20 13:01:58 -07:00
max furman
4f3e5ef64d wip 2021-05-19 15:20:16 -07:00
max furman
5d09d04d14 wip 2021-05-19 15:20:16 -07:00
max furman
4d48072746 wip admin CRUD 2021-05-19 15:20:16 -07:00
max furman
af3cf7dae9 first steps 2021-05-19 15:20:16 -07:00
max furman
2f60f20b0b lots of codes 2021-05-19 15:20:16 -07:00
max furman
7b5d6968a5 first commit 2021-05-19 15:20:16 -07:00
Herman Slatman
b815478981
Make serving SCEP endpoints optional
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.

The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-03-26 16:05:33 +01:00
Herman Slatman
583d60dc0d
Address (most) PR comments 2021-03-21 16:42:41 +01:00
Herman Slatman
a4844fee7b
Make tests green 2021-03-12 16:58:52 +01:00
Herman Slatman
99952080c7
Make tests not fail hard on ECDSA keys
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
2021-03-12 16:27:26 +01:00
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority 2021-03-12 15:49:39 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
538fe8114d
Fix linter issues 2021-03-10 22:39:20 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority 2021-02-26 00:32:21 +01:00
Herman Slatman
9e43dc85d8
Merge branch 'master' into hs/scep-master 2021-02-19 10:16:39 +01:00
Herman Slatman
713b571d7a
Refactor SCEP authority initialization and clean some code 2021-02-12 17:02:39 +01:00
Herman Slatman
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP 2021-02-12 12:03:08 +01:00
Mariano Cano
fbd2208044 Close key manager for safe reloads when a cgo module is used. 2021-02-01 17:14:44 -08:00
Miclain Keffeler
7545b4a625 leverage intermediate_ca.crt for appending certs. 2020-12-23 22:41:10 -06:00
Anton Lundin
3e6137110b Add support for using ssh-agent as a KMS
This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys
for issuing ssh certificates signed by a key managed by a ssh-agent. It
uses the golang.org/x/crypto package to get a native Go implementation
to talk to a ssh-agent.

This was primarly written to be able to use gpg-agent to provide the
keys stored in a YubiKeys openpgp interface, but can be used for other
setups like proxying a ssh-agent over network.

That way the signing key for ssh certificates can be kept in a
"sign-only" hsm.

This code was written for my employer Intinor AB, but for simplicity
sake gifted to me to contribute upstream.

Signed-off-by: Anton Lundin <glance@acc.umu.se>
2020-11-04 09:06:23 +01:00
Mariano Cano
ef92a3a6d7 Move cas options under authority. 2020-10-19 18:08:51 -07:00
Mariano Cano
072adc906e Print root fingerprint for CloudCAS. 2020-09-22 13:23:48 -07:00
Mariano Cano
38fa780775 Add interface to get root certificate from CAS.
This change makes easier the configuration of cloudCAS as it does
not require to configure the root or intermediate certificate
in the ca.json. CloudCAS will get the root certificate using
the configured certificateAuthority.
2020-09-21 15:27:20 -07:00
Mariano Cano
60515d92c5 Remove unnecessary properties. 2020-09-16 13:31:26 -07:00
Mariano Cano
bd8dd9da41 Do not read issuer and signer twice. 2020-09-10 19:13:17 -07:00
Mariano Cano
aad8f9e582 Pass issuer and signer to softCAS options.
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
2020-09-10 19:09:46 -07:00
Mariano Cano
1b1f73dec6 Early attempt to develop a CAS interface. 2020-09-08 19:26:32 -07:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 2020-08-10 11:26:51 -07:00
Mariano Cano
fcfc4e9b2b Fix ssh federated template variables. 2020-06-23 11:14:26 -07:00
Mariano Cano
e3ae751b57 Use templates from authority instead of config. 2020-06-16 17:57:35 -07:00
Mariano Cano
6c844a0618 Load default templates if no templates are configured. 2020-06-16 17:26:18 -07:00
Mariano Cano
c02fe77998 Close the key manager before shutting down. 2020-05-07 18:59:30 -07:00