Merge branch 'master' into cas
a332c40530
7 changed files with 31 additions and 19 deletions
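--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,7 @@
+README.md
+.gitignore
+bin
+coverage.txt
+*.test
+*.out
+.travis-releases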
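Review bot: The new ignore list does not exclude `.git`, so the builder stage's `COPY . .` in the Dockerfile of this same commit pulls the whole repository history plus any untracked local files (key material, test fixtures, a local `ca.json`) into the builder layer and the build cache. Only the compiled binary is copied into the final stage, so the exposure is limited to the builder image and cache, but for a CA build it is still worth adding `.git` and local secret paths, e.g. `.git`, `*.pem`, `secrets/`. Keep `coverage.txt`, `*.test` and `*.out`; they are correct as written.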
|
@ -49,7 +49,7 @@ Setting up a *public key infrastructure* (PKI) is out of reach for many small te
|
|||
- Can operate as [an online intermediate CA](./docs/questions.md#i-already-have-pki-in-place-can-i-use-this-with-my-own-root-certificate) for an existing root CA
|
||||
- [Badger, BoltDB, and MySQL database backends](https://github.com/smallstep/certificates/blob/master/docs/database.md)
|
||||
|
||||
### ⚙️ Many ways to automate
|
||||
### ⚙️ Many ways to automate
|
||||
|
||||
There are several ways to authorize a request with the CA and establish a chain of trust that suits your flow.
|
||||
|
||||
|
@ -165,7 +165,7 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages.
|
|||
|
||||
1. [Optional] Install `step`.
|
||||
|
||||
Download the Linux tarball from the
|
||||
Download the Linux tarball from the
|
||||
[latest `step` release](https://github.com/smallstep/cli/releases/latest):
|
||||
|
||||
```
|
||||
|
@ -184,7 +184,7 @@ You can use [pacman](https://www.archlinux.org/pacman/) to install the packages.
|
|||
Download the Linux package from the [latest `step-ca` release](https://github.com/smallstep/certificates/releases/latest):
|
||||
|
||||
```
|
||||
$ wget -O step-ca.tar.gz https://github.com/smallstep/cli/releases/download/vX.Y.Z/step_linux_X.Y.Z_amd64.tar.gz
|
||||
$ wget -O step-ca.tar.gz https://github.com/smallstep/certificates/releases/download/vX.Y.Z/step-certificates_linux_X.Y.Z_amd64.tar.gz
|
||||
```
|
||||
|
||||
Install `step-ca` by unzipping and copying the executable over to `/usr/bin`:
|
||||
|
|
|
@ -1,24 +1,27 @@
|
|||
FROM golang:alpine AS builder
|
||||
|
||||
RUN mkdir /src
|
||||
ADD . /src
|
||||
WORKDIR /src
|
||||
COPY . .
|
||||
|
||||
RUN apk add --no-cache make git curl && \
|
||||
cd /src && \
|
||||
make V=1 bin/step-ca
|
||||
RUN apk add --no-cache \
|
||||
curl \
|
||||
git \
|
||||
make && \
|
||||
make V=1 bin/step-ca
|
||||
|
||||
FROM smallstep/step-cli:latest
|
||||
|
||||
COPY --from=builder /src/bin/step-ca /usr/local/bin/step-ca
|
||||
|
||||
ENV CONFIGPATH="/home/step/config/ca.json"
|
||||
ENV PWDPATH="/home/step/secrets/password"
|
||||
|
||||
USER root
|
||||
RUN apk add --no-cache libcap && setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/step-ca
|
||||
USER step
|
||||
|
||||
ENV CONFIGPATH="/home/step/config/ca.json"
|
||||
ENV PWDPATH="/home/step/secrets/password"
|
||||
|
||||
VOLUME ["/home/step"]
|
||||
STOPSIGNAL SIGTERM
|
||||
HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
|
||||
|
||||
CMD exec /bin/sh -c "/usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH"
|
||||
CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
|
||||
|
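Review bot: Both stages still build from mutable tags (`FROM golang:alpine AS builder` and `FROM smallstep/step-cli:latest`), so the CA image is not reproducible and silently picks up whatever those tags point to at build time; this is pre-existing, but since the commit reworks the builder stage it is the moment to pin each base to a version tag plus an `@sha256:` digest. The new shell-form `CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH` runs under `/bin/sh -c`, which is what makes `exec` and the variable expansion work and keeps step-ca as PID 1 for `STOPSIGNAL SIGTERM`, but the two variables are unquoted and will word-split if either path is overridden with spaces: `CMD exec /usr/local/bin/step-ca --password-file "$PWDPATH" "$CONFIGPATH"`. The `setcap CAP_NET_BIND_SERVICE=+eip` step before `USER step` is the right way to avoid running the CA as root; a one-line comment saying so would help the next reader.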
|
|
@ -181,7 +181,7 @@ func StatusCodeError(code int, e error, opts ...Option) error {
|
|||
var (
|
||||
seeLogs = "Please see the certificate authority logs for more info."
|
||||
// BadRequestDefaultMsg 400 default msg
|
||||
BadRequestDefaultMsg = "The request could not be completed; malformed or missing data" + seeLogs
|
||||
BadRequestDefaultMsg = "The request could not be completed; malformed or missing data. " + seeLogs
|
||||
// UnauthorizedDefaultMsg 401 default msg
|
||||
UnauthorizedDefaultMsg = "The request lacked necessary authorization to be completed. " + seeLogs
|
||||
// ForbiddenDefaultMsg 403 default msg
|
||||
|
|
7
go.mod
7
go.mod
|
@ -4,11 +4,10 @@ go 1.14
|
|||
|
||||
require (
|
||||
cloud.google.com/go v0.65.1-0.20200904011802-3c2db50b5678
|
||||
|
||||
github.com/Masterminds/sprig/v3 v3.1.0
|
||||
github.com/aws/aws-sdk-go v1.30.29
|
||||
github.com/go-chi/chi v4.0.2+incompatible
|
||||
github.com/go-piv/piv-go v1.5.0
|
||||
github.com/go-piv/piv-go v1.6.0
|
||||
github.com/google/uuid v1.1.2
|
||||
github.com/googleapis/gax-go/v2 v2.0.5
|
||||
github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a // indirect
|
||||
|
@ -29,8 +28,8 @@ require (
|
|||
google.golang.org/grpc v1.32.0
|
||||
google.golang.org/protobuf v1.25.0
|
||||
gopkg.in/square/go-jose.v2 v2.5.1
|
||||
// cloud.google.com/go/security/privateca/apiv1alpha1 v0.0.0
|
||||
// google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1 v0.0.0
|
||||
// cloud.google.com/go/security/privateca/apiv1alpha1 v0.0.0
|
||||
// google.golang.org/genproto/googleapis/cloud/security/privateca/v1alpha1 v0.0.0
|
||||
)
|
||||
|
||||
// replace github.com/smallstep/cli => ../cli
|
||||
|
|
4
go.sum
4
go.sum
|
@ -158,6 +158,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
|
|||
github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
|
||||
github.com/go-piv/piv-go v1.5.0 h1:UtHPfrJsZKY+Z3UIjmJLh6DY+KtmNOl/9b/zt4N81pM=
|
||||
github.com/go-piv/piv-go v1.5.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
|
||||
github.com/go-piv/piv-go v1.6.0 h1:F/z9VJw7SrLZvf5Ql7/vZ2m0xk/EoANfix3+J6HM05A=
|
||||
github.com/go-piv/piv-go v1.6.0/go.mod h1:ON2WvQncm7dIkCQ7kYJs+nc3V4jHGfrrJnSF8HKy7Gk=
|
||||
github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
|
||||
github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
|
||||
github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
|
||||
|
@ -876,6 +878,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
|
|||
google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
|
||||
google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
|
||||
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
|
||||
google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc=
|
||||
google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
|
||||
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
|
||||
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||
|
@ -913,7 +916,6 @@ google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6D
|
|||
google.golang.org/genproto v0.0.0-20200831141814-d751682dd103/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d h1:92D1fum1bJLKSdr11OJ+54YeCMCGYIygTA7R/YZxH5M=
|
||||
google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/genproto v0.0.0-20200910191746-8ad3c7ee2cd1 h1:Oi/dETbxPPblvoi4hgkzJun62A4dwuBsTM0UcZYpN3U=
|
||||
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
||||
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
|
||||
google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
|
||||
|
|
|
@ -141,7 +141,8 @@ func (k *YubiKey) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer, e
|
|||
}
|
||||
|
||||
priv, err := k.yk.PrivateKey(slot, cert.PublicKey, piv.KeyAuth{
|
||||
PIN: k.pin,
|
||||
PIN: k.pin,
|
||||
PINPolicy: piv.PINPolicyAlways,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "error retrieving private key")
|
||||
|
|
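Review bot: The hard-coded `PINPolicy: piv.PINPolicyAlways` added to the `piv.KeyAuth` literal deserves a why-comment, because, as I read piv-go v1.6.0's `KeyAuth` documentation, leaving it zero makes the library infer the slot's policy from its attestation certificate, whereas `PINPolicyAlways` makes every Sign call send `k.pin` to the card first. Suggested: `// PINPolicyAlways: verify the PIN before every private-key operation instead of inferring the policy from attestation; works for any slot policy and for cards without attestation support.` With this policy an empty or wrong `k.pin` fails on every signature and each attempt consumes a PIN retry, so it is worth confirming that the constructor rejects an empty PIN; that code, like the start of `CreateSigner`, is outside the hunk.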