85fc837dc3
7 changed files with 74 additions and 14 deletions
15
CHANGELOG.md
15
CHANGELOG.md
|
@ -16,10 +16,19 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
|
|||
---
|
||||
|
||||
## [Unreleased]
|
||||
### Added
|
||||
- Added automatic configuration of Linked RAs.
|
||||
- Send provisioner configuration on Linked RAs.
|
||||
### Changed
|
||||
- Certificates signed by an issuer using an RSA key will be signed using the same algorithm as the issuer certificate was signed with. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.
|
||||
- Support two latest versions of Go (1.18, 1.19)
|
||||
- Vadlidate revocation serial number (either base 10 or prefixed with an appropriate base)
|
||||
- Certificates signed by an issuer using an RSA key will be signed using the
|
||||
same algorithm used to sign the issuer certificate. The signature will no
|
||||
longer default to PKCS #1. For example, if the issuer certificate was signed
|
||||
using RSA-PSS with SHA-256, a new certificate will also be signed using
|
||||
RSA-PSS with SHA-256.
|
||||
- Support two latest versions of Go (1.18, 1.19).
|
||||
- Validate revocation serial number (either base 10 or prefixed with an
|
||||
appropriate base).
|
||||
- Sanitize TLS options.
|
||||
|
||||
## [0.20.0] - 2022-05-26
|
||||
### Added
|
||||
|
|
|
@ -339,6 +339,19 @@ func (a *Authority) init() error {
|
|||
Type: conf.RaConfig.Provisioner.Type.String(),
|
||||
Provisioner: conf.RaConfig.Provisioner.Name,
|
||||
}
|
||||
// Configure the RA authority type if needed
|
||||
if options.Type == "" {
|
||||
options.Type = casapi.StepCAS
|
||||
}
|
||||
}
|
||||
// Remote configuration is currently only supported on a linked RA
|
||||
if sc := conf.ServerConfig; sc != nil {
|
||||
if a.config.Address == "" {
|
||||
a.config.Address = sc.Address
|
||||
}
|
||||
if len(a.config.DNSNames) == 0 {
|
||||
a.config.DNSNames = sc.DnsNames
|
||||
}
|
||||
}
|
||||
}
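Review bot: The address and DNS names copied from `conf.ServerConfig` are adopted without any check, and nothing validates `a.config` afterwards: `Validate` (changed in this commit in authority/config/config.go) returns nil as soon as `c.SkipValidation` is set, and the auto-configured linked-RA config in the step-ca app hunk sets `SkipValidation: true`, so an empty `sc.Address` or empty `sc.DnsNames` would leave `a.config` with exactly the empty fields `Validate` normally rejects. Consider rejecting an empty remote address and empty remote DNS-name list with an error before assigning them, or re-running the non-skipped validation on `a.config` once the remote configuration has been merged. The comment `// Remote configuration is currently only supported on a linked RA` states intent only, since the condition tests `conf.ServerConfig != nil`; a sentence such as `// Locally configured address and DNS names take precedence over the remote values.` would document the merge rule that the two `== ""` / `len(...) == 0` guards implement. `init` starts and ends outside the hunk.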
|
||||
|
||||
|
|
|
@ -72,6 +72,7 @@ type Config struct {
|
|||
Password string `json:"password,omitempty"`
|
||||
Templates *templates.Templates `json:"templates,omitempty"`
|
||||
CommonName string `json:"commonName,omitempty"`
|
||||
SkipValidation bool `json:"-"`
|
||||
}
|
||||
|
||||
// ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer
|
||||
|
@ -201,6 +202,8 @@ func (c *Config) Save(filename string) error {
|
|||
// Validate validates the configuration.
|
||||
func (c *Config) Validate() error {
|
||||
switch {
|
||||
case c.SkipValidation:
|
||||
return nil
|
||||
case c.Address == "":
|
||||
return errors.New("address cannot be empty")
|
||||
case len(c.DNSNames) == 0:
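Review bot: `SkipValidation` has no doc comment although it is an exported field that short-circuits every check in `Validate`; suggest `// SkipValidation, when true, makes Validate return nil without checking any field. It is never serialized (json:"-") and is meant for configurations assembled in-process rather than loaded from disk.` Because the new `case c.SkipValidation: return nil` runs before the address and DNS-name checks (and, presumably, before whatever TLS defaulting follows in the part of `Validate` outside the hunk), anything `Validate` would otherwise supply has to be provided by whoever sets the flag — the step-ca app hunk does this for TLS with `TLS: &config.DefaultTLSOptions` — and that obligation is worth stating in the field comment as well. The remainder of `Validate` is outside the hunk.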
|
||||
|
|
|
@ -35,9 +35,16 @@ func TestConfigValidate(t *testing.T) {
|
|||
type ConfigValidateTest struct {
|
||||
config *Config
|
||||
err error
|
||||
tls TLSOptions
|
||||
tls *TLSOptions
|
||||
}
|
||||
tests := map[string]func(*testing.T) ConfigValidateTest{
|
||||
"skip-validation": func(t *testing.T) ConfigValidateTest {
|
||||
return ConfigValidateTest{
|
||||
config: &Config{
|
||||
SkipValidation: true,
|
||||
},
|
||||
}
|
||||
},
|
||||
"empty-address": func(t *testing.T) ConfigValidateTest {
|
||||
return ConfigValidateTest{
|
||||
config: &Config{
|
||||
|
@ -128,7 +135,7 @@ func TestConfigValidate(t *testing.T) {
|
|||
Password: "pass",
|
||||
AuthorityConfig: ac,
|
||||
},
|
||||
tls: DefaultTLSOptions,
|
||||
tls: &DefaultTLSOptions,
|
||||
}
|
||||
},
|
||||
"empty-TLS-values": func(t *testing.T) ConfigValidateTest {
|
||||
|
@ -143,7 +150,7 @@ func TestConfigValidate(t *testing.T) {
|
|||
AuthorityConfig: ac,
|
||||
TLS: &TLSOptions{},
|
||||
},
|
||||
tls: DefaultTLSOptions,
|
||||
tls: &DefaultTLSOptions,
|
||||
}
|
||||
},
|
||||
"custom-tls-values": func(t *testing.T) ConfigValidateTest {
|
||||
|
@ -165,7 +172,7 @@ func TestConfigValidate(t *testing.T) {
|
|||
Renegotiation: true,
|
||||
},
|
||||
},
|
||||
tls: TLSOptions{
|
||||
tls: &TLSOptions{
|
||||
CipherSuites: CipherSuites{
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
},
|
||||
|
@ -209,9 +216,9 @@ func TestConfigValidate(t *testing.T) {
|
|||
}
|
||||
} else {
|
||||
if assert.Nil(t, tc.err) {
|
||||
fmt.Printf("tc.tls = %+v\n", tc.tls)
|
||||
fmt.Printf("*tc.config.TLS = %+v\n", *tc.config.TLS)
|
||||
assert.Equals(t, *tc.config.TLS, tc.tls)
|
||||
fmt.Printf("tc.tls = %v\n", tc.tls)
|
||||
fmt.Printf("*tc.config.TLS = %v\n", tc.config.TLS)
|
||||
assert.Equals(t, tc.config.TLS, tc.tls)
|
||||
}
|
||||
}
|
||||
})
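Review bot: The `fmt.Printf` calls in the success branch are debug output left in the test; the new side only updates them to print the pointer form, so the test still writes two lines per case to stdout on every run. They should be dropped, or at most folded into `t.Logf("tls = %+v, config.TLS = %+v", tc.tls, tc.config.TLS)`. Switching `tls` to `*TLSOptions` also makes `assert.Equals(t, tc.config.TLS, tc.tls)` compare two pointers; that is only meaningful if `assert.Equals` uses deep equality rather than pointer identity (the expected value is `&DefaultTLSOptions` while the config's own `TLS` pointer is allocated in the test case), which I cannot confirm from the hunk. `TestConfigValidate` starts outside the hunk.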
|
||||
|
|
|
@ -7,12 +7,15 @@ import (
|
|||
"net"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"unicode"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/smallstep/certificates/authority/config"
|
||||
"github.com/smallstep/certificates/authority/provisioner"
|
||||
"github.com/smallstep/certificates/ca"
|
||||
"github.com/smallstep/certificates/db"
|
||||
"github.com/smallstep/certificates/pki"
|
||||
"github.com/urfave/cli"
|
||||
"go.step.sm/cli-utils/errs"
|
||||
|
@ -99,10 +102,35 @@ func appAction(ctx *cli.Context) error {
|
|||
}
|
||||
|
||||
cfg, err := config.LoadConfiguration(configFile)
|
||||
if err != nil {
|
||||
if err != nil && token == "" {
|
||||
fatal(err)
|
||||
}
|
||||
|
||||
// Initialize a basic configuration to be used with an automatically
|
||||
// configured linked RA. Default configuration includes:
|
||||
// * badgerv2 on $(step path)/db
|
||||
// * JSON logger
|
||||
// * Default TLS options
|
||||
if cfg == nil {
|
||||
cfg = &config.Config{
|
||||
SkipValidation: true,
|
||||
Logger: []byte(`{"format":"json"}`),
|
||||
DB: &db.Config{
|
||||
Type: "badgerv2",
|
||||
DataSource: filepath.Join(step.Path(), "db"),
|
||||
},
|
||||
AuthorityConfig: &config.AuthConfig{
|
||||
DeploymentType: pki.LinkedDeployment.String(),
|
||||
Provisioners: provisioner.List{},
|
||||
Template: &config.ASN1DN{},
|
||||
Backdate: &provisioner.Duration{
|
||||
Duration: config.DefaultBackdate,
|
||||
},
|
||||
},
|
||||
TLS: &config.DefaultTLSOptions,
|
||||
}
|
||||
}
|
||||
|
||||
if cfg.AuthorityConfig != nil {
|
||||
if token == "" && strings.EqualFold(cfg.AuthorityConfig.DeploymentType, pki.LinkedDeployment.String()) {
|
||||
return errors.New(`'step-ca' requires the '--token' flag for linked deploy type.
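Review bot: `if err != nil && token == "" { fatal(err) }` swallows every `LoadConfiguration` error once `--token` is given, not only a missing file: an unreadable or malformed `configFile` is silently replaced by the auto-generated linked-RA configuration below (badgerv2 under `step path`, `SkipValidation: true`), so a damaged on-disk config would start the CA with different settings instead of failing. Suggest narrowing the fallback to the not-found case, e.g. `if err != nil && (token == "" || !errors.Is(err, os.ErrNotExist)) { fatal(err) }` — `os` is already imported, and this assumes `LoadConfiguration` wraps the underlying file error so `errors.Is` can see it; otherwise an `os.Stat(configFile)` before loading gives the same distinction. The fallback also relies on `LoadConfiguration` returning a nil `cfg` on error, which the hunk does not show; a comment stating that, or an explicit `cfg = nil` in the error branch, would make the intent visible. `appAction` starts and ends outside the hunk.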
|
||||
|
|
2
go.mod
2
go.mod
|
@ -27,7 +27,7 @@ require (
|
|||
go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
|
||||
go.step.sm/cli-utils v0.7.3
|
||||
go.step.sm/crypto v0.17.1
|
||||
go.step.sm/linkedca v0.17.1
|
||||
go.step.sm/linkedca v0.18.0
|
||||
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
|
||||
golang.org/x/net v0.0.0-20220607020251-c690dde0001d
|
||||
google.golang.org/api v0.84.0
|
||||
|
|
4
go.sum
4
go.sum
|
@ -769,8 +769,8 @@ go.step.sm/cli-utils v0.7.3/go.mod h1:RJRwbBLqzs5nrepQLAV9FuT3fVpWz66tKzLIB7Izpf
|
|||
go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0=
|
||||
go.step.sm/crypto v0.17.1 h1:uKpJNvzVy/GKR28hJbW8VCbfcKKBDnGNBYCKhAp2TSg=
|
||||
go.step.sm/crypto v0.17.1/go.mod h1:FXFiLBUsoE0OGz8JTjxhYU1rwKKNgVIb5izZTUMdc/8=
|
||||
go.step.sm/linkedca v0.17.1 h1:LSP3kGGeVkOAoDWoqg89tko6mpvJKTRcOHfrEOnPsNc=
|
||||
go.step.sm/linkedca v0.17.1/go.mod h1:qSuYlIIhvPmA2+DSSS03E2IXhbXWTLW61Xh9zDQJ3VM=
|
||||
go.step.sm/linkedca v0.18.0 h1:uxRBd2WDvJNZ2i0nJm/QmG4lkRxWoebYKJinchX7T7o=
|
||||
go.step.sm/linkedca v0.18.0/go.mod h1:qSuYlIIhvPmA2+DSSS03E2IXhbXWTLW61Xh9zDQJ3VM=
|
||||
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
|
||||
go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
|
||||
go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
|
||||
|
|