Herman Slatman
ed1a62206e
Add additional verification of AK certificate
2023-04-05 01:02:44 +02:00
Herman Slatman
1c38e252a6
Cast alg
to a valid COSEAlgorithmIdentifier
2023-04-04 12:22:58 +02:00
Herman Slatman
e25acff13c
Simplify alg
validity check
2023-04-03 22:32:26 +02:00
Herman Slatman
9cd4b362f7
Extract the ParseSubjectAlternativeNames
function
2023-04-03 22:21:29 +02:00
Herman Slatman
b6957358fc
Fix PR remarks
...
- Root CA error message improved
- Looping through intermediate certs
- Change checking unhandled extensions to using `if`
2023-04-03 11:54:22 +02:00
Herman Slatman
09bd7705cd
Fix linting issues
2023-03-31 17:41:43 +02:00
Herman Slatman
f88ef6621f
Add PermanentIdentifier
SAN parsing and tests
2023-03-31 17:39:18 +02:00
Herman Slatman
52023d6083
Add tests for doTPMAttestationFormat
2023-03-31 14:57:25 +02:00
Herman Slatman
ae30f6e96b
Add failing TPM simulator test
2023-03-30 13:02:04 +02:00
Herman Slatman
bf53b394a1
Add tpm
format test with simulated TPM
2023-03-29 18:58:50 +02:00
Herman Slatman
094f0521e2
Remove check for PermanentIdentifier
from tpm
format validation
2023-03-24 12:55:42 +01:00
Herman Slatman
589a62df74
Make validation of tpm
format stricter
2023-03-14 13:59:16 +01:00
Herman Slatman
213b31bc2c
Simplify processing logic for unhandled critical extension
2023-03-14 09:48:44 +01:00
Herman Slatman
e1c7e8f00b
Return the CSR public key fingerprint for tpm
format
2023-03-13 23:30:39 +01:00
Herman Slatman
6297bace1a
Merge branch 'master' into herman/acme-da-tpm
2023-03-13 17:27:40 +01:00
Herman Slatman
69489480ab
Add more complete tpm
format validation
2023-03-13 17:21:09 +01:00
Mariano Cano
5ff0dde819
Remove json tag in acme.Authorization fingerprint
2023-02-10 13:58:52 -08:00
Mariano Cano
6ba20209c2
Verify CSR key fingerprint with attestation certificate key
...
This commit makes sure that the attestation certificate key matches the
key used on the CSR on an ACME device attestation flow.
2023-02-09 16:48:43 -08:00
Herman Slatman
3a6fc5e0b4
Remove dependency on smallstep/assert
in ACME challenge tests
2023-01-31 23:49:34 +01:00
Herman Slatman
0f1c509e4b
Remove debug utility
2023-01-31 23:48:53 +01:00
Herman Slatman
0f9128c873
Fix linting issue and order of test SUT
2023-01-27 15:43:57 +01:00
Herman Slatman
2ab9beb7ed
Add tests for deviceAttest01Validate
2023-01-27 15:36:48 +01:00
Herman Slatman
ed61c5df5f
Cleanup some leftover debug statements
2023-01-26 15:36:15 +01:00
Herman Slatman
60a9e41c1c
Remove Identifier
from top level ACME Errors
2023-01-26 14:59:08 +01:00
Herman Slatman
edee01c80c
Refactor debug utility
2023-01-26 13:41:01 +01:00
Herman Slatman
1c38113e44
Add ACME Subproblem
for more detailed ACME client-side errors
...
When validating an ACME challenge (`device-attest-01` in this case,
but it's also true for others), and validation fails, the CA didn't
return a lot of information about why the challenge had failed. By
introducing the ACME `Subproblem` type, an ACME `Error` can include
some additional information about what went wrong when validating
the challenge.
This is a WIP commit. The `Subproblem` isn't created in many code
paths yet, just for the `step` format at the moment. Will probably
follow up with some more improvements to how the ACME error is
handled. Also need to cleanup some debug things (q.Q)
2023-01-26 13:29:31 +01:00
Herman Slatman
f1724ea8c5
Merge branch 'master' into herman/acme-da-tpm
2023-01-23 22:52:56 +01:00
Herman Slatman
64d9ad7b38
Validate Subject Common Name for Orders with Permanent Identifier
2023-01-20 16:54:55 +01:00
Herman Slatman
817edcbba5
Remove charset=utf-8
from ACME certificate requests
2022-11-09 19:57:50 +01:00
Herman Slatman
4cf25ede24
Merge branch 'master' into herman/acme-da-tpm
2022-11-08 12:07:46 +01:00
Herman Slatman
3eae04928f
Add tests for ACME Meta object
2022-11-07 15:35:42 +01:00
Herman Slatman
02d679e160
Merge branch 'master' into herman/ignore-empty-acme-meta
2022-11-07 14:03:01 +01:00
Mariano Cano
e27c6c529b
Add support for custom acme ports
...
This change adds the flags --acme-http-port, --acme-tls-port, that
combined with --insecure can be used to set custom ports for ACME
http-01 and tls-alpn-01 challenges. These flags should only be used
for testing purposes.
Fixes #1015
2022-11-03 16:58:25 -07:00
Herman Slatman
b9f238ad4d
Add additional ACME meta
properties to provisioner configuration
2022-10-24 22:37:57 +02:00
Herman Slatman
c9793561ff
Make meta
object optional in ACME directory response
...
Harware appliances from Kemp seem to validate the contents of the
`meta` object, even if none of the properties in the `meta` object
is set. According to the RFC, the `meta` object, as well as its
properties are optional, so technically this should be fixed by
the manufacturer.
This commit is to see if we validation of the `meta` object is
skipped if it's not available in the response.
2022-10-24 14:14:28 +02:00
Mariano Cano
a7e597450a
Update acme/challenge_test.go
...
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2022-10-11 10:04:42 -07:00
Mariano Cano
7a78c76199
Add test simulating YubiKey v5.2.4
...
There are YubiKeys v5.2.4 where the attestation intermediate (f9)
does not have a basic constraint extension, so that certificate
is not marked as a CA. The test and CA in this commit imitates
that use case. Currently the test case returns an error as we
don't support it. But if we change the verification to support
this use case, the test should change accordingly.
2022-10-10 18:27:11 -07:00
Mariano Cano
21666ba887
Revert "Set timestamp when marking an acme challenge invalid"
...
This reverts commit 5f130895f3
.
2022-10-03 12:56:23 -07:00
Mariano Cano
8538ff06b7
Add missing error case.
2022-10-03 12:54:26 -07:00
Mariano Cano
5f130895f3
Set timestamp when marking an acme challenge invalid
2022-10-03 11:35:51 -07:00
Andrew Reed
7101fbb0ee
Provisioner webhooks ( #1001 )
2022-09-29 19:16:26 -05:00
Herman Slatman
a8125846dd
Add TPM attestation
2022-09-21 14:58:03 +02:00
max furman
f3d1863ec6
A few more linter errors
2022-09-20 21:01:55 -07:00
Mariano Cano
99299faeeb
Add AuthorizeChallenge unit tests
2022-09-20 19:03:03 -07:00
Mariano Cano
f0a24bd8ca
Add acme property to enable challenges
...
Fixes #1027
2022-09-20 19:01:53 -07:00
Mariano Cano
191d9e8629
Use go.step.sm/crypto to set the permanent identifier
2022-09-20 18:57:43 -07:00
Mariano Cano
2b3b2c283a
Add attestation certificate validation for Apple devices
2022-09-20 18:51:43 -07:00
Brandon Weeks
5f5315260a
iOS 16 beta 1 support
2022-09-20 16:53:08 -07:00
Brandon Weeks
de5b0ef5c2
Verify key authorization is contained within the TPM quote extraData field
2022-09-20 16:51:55 -07:00
Brandon Weeks
6f2b4d3042
Add ACME permanent-identifier identifier type
2022-09-20 16:48:28 -07:00