foleyjohnm
d6f9b3336d
Update config.go
2022-11-11 11:52:29 -05:00
foleyjohnm
c79d4e9316
adding CRLIDP config
2022-11-11 11:50:20 -05:00
Mariano Cano
59775fff0c
Merge branch 'master' into crl-support
2022-10-27 10:13:19 -07:00
Mariano Cano
8200d19894
Improve CRL implementation
...
This commit adds some changes to PR #731 , some of them are:
- Add distribution point to the CRL
- Properly stop the goroutine that generates the CRLs
- CRL config validation
- Remove expired certificates from the CRL
- Require enable set to true to generate a CRL
This last point is the principal change in behaviour from the previous
implementation. The CRL will not be generated if it's not enabled, and
if it is enabled it will always be regenerated at some point, not only
if there is a revocation.
2022-10-26 18:55:24 -07:00
Herman Slatman
54c560f620
Improve configuration file initialization log output
2022-10-24 15:22:37 +02:00
Herman Slatman
674206320c
Write updated CA configuration after migrating provisioners
2022-10-11 14:12:06 +02:00
Raal Goff
f7df865687
refactor crl config, add some tests
2022-10-07 10:30:00 +08:00
Raal Goff
d0e81af524
Merge branch 'master' into crl-support
2022-09-30 08:45:48 +08:00
Mariano Cano
567d96c771
Revert "Run on plaintext HTTP to support Cloud Run"
...
This reverts commit 09b9673a60
.
2022-09-20 18:57:46 -07:00
Brandon Weeks
f3d2bd7a19
Run on plaintext HTTP to support Cloud Run
2022-09-20 16:43:30 -07:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2022-09-20 16:35:41 -07:00
Mariano Cano
4e19aa4c52
Add cache duration if crl is set
2022-09-14 12:21:52 -07:00
Mariano Cano
0829f37fe8
Define a default crl cache duration
2022-09-14 11:43:58 -07:00
Raal Goff
d2483f3a70
Merge branch 'master' into crl-support
...
# Conflicts:
# authority/config/config.go
2022-09-08 09:45:04 +08:00
Mariano Cano
23b8f45b37
Address gosec warnings
...
Most if not all false positives
2022-08-18 17:46:20 -07:00
Mariano Cano
5e0be92273
Allow option to skip the validation of config
2022-08-16 14:04:04 -07:00
Mariano Cano
b62f4d1000
Add lgtm comments on some security warnings
2022-08-11 17:32:57 -07:00
Mariano Cano
a5439c43cd
Remove ciphersuites without Lucky13 countermeasures
...
SHA-256 variants of the CBC ciphersuites don't implement any Lucky13
countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and
https://www.imperialviolet.org/2013/02/04/luckythirteen.html .
2022-08-11 17:11:04 -07:00
Mariano Cano
369b8f81c3
Use go.step.sm/crypto/kms
...
Fixes #975
2022-08-08 17:58:18 -07:00
max furman
99c9155467
disableSSHHostsListAPI -> disableGetSSHHosts
2022-08-04 18:44:44 -07:00
max furman
fb7f57a8df
Add attribute to disable SSH Hosts list API
2022-07-27 23:30:00 -07:00
Raal Goff
60671b07d7
Merge branch 'master' into crl-support
...
# Conflicts:
# api/api.go
# authority/config/config.go
# cas/softcas/softcas.go
# db/db.go
2022-07-13 08:52:58 +08:00
Herman Slatman
ad2de16299
Merge branch 'master' into herman/allow-deny
2022-04-19 10:26:31 +02:00
Mariano Cano
fe9c3cf753
Merge branch 'master' into ahmet2mir-feat/vault
2022-04-18 15:35:26 -07:00
Herman Slatman
abcad679ff
Merge branch 'master' into herman/allow-deny
2022-04-18 21:54:55 +02:00
Herman Slatman
d6be9450be
Merge branch 'master' into herman/allow-deny
2022-04-15 11:57:05 +02:00
Mariano Cano
d3b6bc3c75
Merge branch 'master' into fix/adminra
2022-04-13 17:44:23 -07:00
Mariano Cano
674dc3c844
Rename unreleased claim to allowRenewalAfterExpiry for consistency.
2022-04-13 15:11:54 -07:00
Mariano Cano
37b521ec6c
Merge branch 'master' into feat/vault
2022-04-11 14:57:45 -07:00
Mariano Cano
c55b27a2fc
Refactor admin token to use with RAs.
2022-04-07 18:14:43 -07:00
Raal Goff
d417ce3232
implement changes from review
2022-04-06 08:23:53 +08:00
Herman Slatman
571b21abbc
Fix (most) PR comments
2022-03-31 16:12:29 +02:00
Herman Slatman
dc23fd23bf
Merge branch 'master' into herman/allow-deny-next
2022-03-24 12:36:12 +01:00
Mariano Cano
c903f00cd4
Rename claim to allowRenewAfterExpiry.
2022-03-14 15:40:01 -07:00
Mariano Cano
616490a9c6
Refactor renew after expiry token authorization
...
This changes adds a new authority method that authorizes the
renew after expiry tokens.
2022-03-10 20:21:01 -08:00
Mariano Cano
fd6a2eeb9c
Add provisioner controller
...
The provisioner controller has the implementation of the identity
function as well as the renew methods with renew after expiry
support.
2022-03-09 18:39:09 -08:00
Herman Slatman
7c541888ad
Refactor configuration of allow/deny on authority level
2022-03-08 13:26:07 +01:00
Mariano Cano
c0525381eb
Merge branch 'master' into feat/vault
2022-02-16 18:19:23 -08:00
Herman Slatman
716b946e7a
Normalize IPv6 hostname addresses
2022-01-19 17:14:45 +01:00
Ahmet DEMIR
68b980d689
feat(authority): avoid hardcoded cn in authority csr
2022-01-13 20:30:54 +01:00
max furman
933b40a02a
Introduce gocritic linter and address warnings
2021-10-08 14:59:57 -04:00
Mariano Cano
da2802504b
Use Default min version if not specified.
2021-08-11 15:33:45 -07:00
Mariano Cano
072ba4227c
Add deployment type to config.
...
This field is ignored except for the start of the ca. If the type
is linked and the token is not passed, it will fail with an error.
2021-08-10 17:07:15 -07:00
Mariano Cano
384be6e205
Do not show provisioners if they are not required.
...
For deployment types like linked ca, the list of provisioners in
the ca.json are not required, so we should tag the json as omitempty.
2021-08-02 15:34:39 -07:00
Mariano Cano
4f27f4b002
Change default ciphersuites to newer names.
2021-07-28 13:56:05 -07:00
Mariano Cano
0730a165fd
Add collection of files and authority template.
2021-07-27 19:19:58 -07:00
Mariano Cano
887423ee6e
Update TLS cipher suites.
2021-07-27 18:29:10 -07:00
Mariano Cano
49c1427d15
Use authorityId instead of authorityID.
...
In json or javascript world authorityId, userId, ... are more common
than authorityID, ...
2021-07-12 15:31:05 +02:00
max furman
9fdef64709
Admin level API for provisioner mgmt v1
2021-07-02 19:05:17 -07:00
max furman
1726076ea2
wip
2021-05-25 16:52:06 -07:00