Commit graph

332 commits

Author SHA1 Message Date
Mariano Cano
c5234e9c61 Refactor tls tunnel connections.
New method will use an identity-like file with the configuration
used to create the (m)TLS connection to the tunnel.
2021-04-21 16:20:53 -07:00
Mariano Cano
e75a9409a5 Add experimental support for a TLS over TLS tunnel. 2021-04-21 16:20:53 -07:00
Herman Slatman
0487686f69
Merge branch 'master' into hs/scep 2021-04-16 13:25:01 +02:00
Mariano Cano
02a5879cfe Specify always a Proxy in all custom transports.
Fixes #535
2021-04-14 19:35:31 -07:00
max furman
93c3c2bf2e Error handle non existent provisioner downstream and disable debug route logging 2021-04-14 15:35:43 -07:00
max furman
b1888fd34d Use different method for unescpaed paths for the router 2021-04-14 15:11:15 -07:00
Max
b724af30ad
Merge pull request #496 from smallstep/max/acme
Convert to ACME DB interface
2021-04-13 15:02:03 -07:00
max furman
672e3f976e Few ACME fixes ...
- always URL escape linker output
- validateJWS should accept RSAPSS
- GetUpdateAccount -> GetOrUpdateAccount
2021-04-12 19:06:07 -07:00
Herman Slatman
2320d0911e
Add sync.WaitGroup for proper error handling in Run() 2021-03-26 16:21:02 +01:00
Herman Slatman
b815478981
Make serving SCEP endpoints optional
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.

The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-03-26 16:05:33 +01:00
Herman Slatman
c5e4ea08b3
Merge branch 'master' into hs/scep 2021-03-26 15:22:41 +01:00
Herman Slatman
b97f024f8a
Remove superfluous call to StoreCertificate 2021-03-26 14:02:52 +01:00
max furman
df05340521 fixing broken unit tests 2021-03-25 12:05:46 -07:00
max furman
f72b2ff2c2 [acme db interface] nosql authz unit tests 2021-03-25 12:05:46 -07:00
max furman
074ab7b221 [acme db interface] add linker tests 2021-03-25 12:05:46 -07:00
max furman
bb8d54e596 [acme db interface] unit tests compiling 2021-03-25 12:05:46 -07:00
max furman
fc395f4d69 [acme db interface] compiles! 2021-03-25 12:05:46 -07:00
max furman
80a6640103 [acme db interface] wip 2021-03-25 12:05:46 -07:00
Mariano Cano
8c8c160c92 Fix method name in comment. 2021-03-25 11:06:37 -07:00
Mariano Cano
bdeb0ccd7c Add support for the flag --issuer-password-file
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
2021-03-24 14:53:19 -07:00
Herman Slatman
583d60dc0d
Address (most) PR comments 2021-03-21 16:42:41 +01:00
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority 2021-03-12 15:49:39 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
2d21b09d41
Remove some duplicate and unnecessary logic 2021-03-06 23:24:49 +01:00
Herman Slatman
3a5f633cdd
Add support for multiple SCEP provisioners
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
2021-03-05 12:40:42 +01:00
Herman Slatman
7948f65ac0
Merge branch 'master' into hs/scep 2021-02-26 00:41:33 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority 2021-02-26 00:32:21 +01:00
Mariano Cano
5be86691c1 Fix unit tests in Go 1.16. 2021-02-23 15:29:56 -08:00
Herman Slatman
78d78580b2
Add note about using a second (unsecured) server 2021-02-19 11:00:52 +01:00
Herman Slatman
9e43dc85d8
Merge branch 'master' into hs/scep-master 2021-02-19 10:16:39 +01:00
Herman Slatman
713b571d7a
Refactor SCEP authority initialization and clean some code 2021-02-12 17:02:39 +01:00
Herman Slatman
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP 2021-02-12 12:03:08 +01:00
Mariano Cano
b487edbd13 Clarify comment. 2021-02-11 17:38:14 -08:00
Mariano Cano
fbd2208044 Close key manager for safe reloads when a cgo module is used. 2021-02-01 17:14:44 -08:00
Mariano Cano
40d0596b71 Use smallstep/cli-utils instead of smallstep/cli 2020-10-29 13:10:03 -07:00
Mariano Cano
ba918100d0 Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
533ad0ca20 Use always go.step.sm/crypto/x509util 2020-08-11 17:59:33 -07:00
Mariano Cano
4943ae58d8 Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates. 2020-08-10 15:29:18 -07:00
Mariano Cano
e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 2020-08-10 11:26:51 -07:00
Mariano Cano
6c64fb3ed2 Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
44207523be Add missing tests. 2020-07-21 14:21:54 -07:00
Mariano Cano
0c8376a7f6 Fix existing unit tests. 2020-07-21 14:21:54 -07:00
max furman
1951669e13 wip 2020-06-23 11:10:45 -07:00
max furman
6e69f99310 Always set nbf and naf for new ACME orders ...
- Use the default value from the ACME provisioner if values are not
defined in the request.
2020-05-22 10:31:58 -07:00
Mariano Cano
9f1d95d8bf Fix renew of certificate at the start of the server. 2020-05-07 18:21:11 -07:00
Mariano Cano
1d7ab9145a Avoid lint error. 2020-03-24 14:33:01 -07:00
Mariano Cano
0b62ce9d0e Use go 1.13 to build certificates. 2020-03-24 14:23:02 -07:00
max furman
495e60a44b Extraneous fmt.Sprintf 2020-03-23 12:15:46 -07:00
Mariano Cano
349bca06bb Fix line error due to deprecated DialTLS. 2020-03-05 15:11:03 -08:00
Mariano Cano
f5d2f92099 Load identity certificate from disk in each connection. 2020-03-04 15:02:17 -08:00
Ivan Bertona
9052da66a3 Fix linter, tidy go.mod file. 2020-02-07 14:42:56 -05:00
Mariano Cano
3d6a18180e Fix a couple of race conditions in the renewal of certificates. 2020-01-28 13:29:40 -08:00
max furman
1cb8bb3ae1 Simplify statuscoder error generators. 2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90 Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-28 13:29:40 -08:00
Mariano Cano
a025f72af7 Disable backdata on ca tests. 2020-01-28 13:29:39 -08:00
Mariano Cano
a88ba8eb31 Use errs package for HTTP errors. 2020-01-28 13:29:39 -08:00
Mariano Cano
47f4ac1b53 Add method to just write the identity certificate. 2020-01-28 13:29:39 -08:00
Mariano Cano
14e59775bd Add method to renew the identity. 2020-01-28 13:29:39 -08:00
max furman
9aafe265d0 Should be returning nil from applyIdentity if cert expired. 2020-01-28 13:29:39 -08:00
max furman
b9f6aacb0f Move api errors to their own package and modify the typedef 2020-01-28 13:29:39 -08:00
Mariano Cano
65b4dda420 Add wrappers to identity methods in the ca package. 2020-01-28 13:29:39 -08:00
Mariano Cano
524c221c61 Add mTLS test for identity client. 2020-01-28 13:29:39 -08:00
Mariano Cano
25144539f8 Improve identity tests. 2020-01-28 13:29:39 -08:00
Mariano Cano
d85386d0b4 Add identity client and move identity to a new package. 2020-01-28 13:29:39 -08:00
Mariano Cano
9e7b86342b Fix test. 2020-01-28 13:29:39 -08:00
Mariano Cano
c6f6493bb7 Fail silently if the identity fails. 2020-01-28 13:29:39 -08:00
max furman
3ac388612a Use x5cInsecure token for /ssh/check-host endpoint 2020-01-28 13:29:39 -08:00
Mariano Cano
ab126d6405 Add GetTransport to client. 2020-01-28 13:29:39 -08:00
Mariano Cano
2259f62638 Add method to create an ssh token. 2020-01-28 13:29:39 -08:00
Mariano Cano
caa2b8dbb7 Add leeway in identity not before. 2020-01-28 13:29:39 -08:00
max furman
0512f6e3e5 redundant variable type def 2020-01-28 13:29:39 -08:00
Mariano Cano
d2b1f1547f Create a custom client that sends a custom User-Agent. 2020-01-28 13:29:39 -08:00
Mariano Cano
5d7829b198 Replace /ssh/get-hosts to /ssh/hosts 2020-01-28 13:29:39 -08:00
Mariano Cano
2fe07cd79c Fix tests. 2020-01-28 13:29:39 -08:00
Mariano Cano
85d3843968 Add Identity helpers. 2020-01-28 13:29:39 -08:00
Mariano Cano
50188fc901 Add version support to the ca.Client. 2020-01-28 13:28:17 -08:00
Mariano Cano
db3b795eea Fix directory permissions. 2020-01-28 13:28:16 -08:00
Mariano Cano
bbaf8e106e Support for retry and identity files. 2020-01-28 13:28:16 -08:00
Mariano Cano
d555f310dc Add support for identity authentication. 2020-01-28 13:28:16 -08:00
Mariano Cano
f9e5b27e63 Add client method for SSHBastion 2020-01-28 13:28:16 -08:00
max furman
29853ae016 sshpop provisioner + ssh renew | revoke | rekey first pass 2020-01-28 13:28:16 -08:00
max furman
862d704f6b get-hosts fixes 2020-01-28 13:28:16 -08:00
max furman
5616386eed Add SSH getHosts api 2020-01-28 13:28:16 -08:00
Mariano Cano
b8817ad648 Add proxycommand and new lines to templates. 2020-01-28 13:28:16 -08:00
Mariano Cano
37f17213bb Add initial support for check-host endpoint. 2020-01-28 13:28:16 -08:00
Mariano Cano
d08db4df23 Rename SSH methods. 2020-01-28 13:28:16 -08:00
Mariano Cano
b5bc249e1c Add support for multiple ssh roots.
Fixes #125
2020-01-28 13:28:16 -08:00
Mariano Cano
a35988ff08 Add initial support for ssh config.
Related to smallstep/cli#170
2020-01-28 13:28:16 -08:00
Mariano Cano
961be1fbc7 Add endpoint to return the SSH public keys.
Related to smallstep/ca-component#195
2020-01-28 13:28:16 -08:00
Max
0a96062b76
Merge pull request #128 from jkralik/returnCertChain
Change api of functions Authority.Sign, Authority.Renew
2019-10-18 14:00:18 -07:00
max furman
d368791606 Add x5c provisioner capabilities 2019-10-14 14:51:37 -07:00
max furman
7aec7c2612 Create ACME database tables when initializing ACME autority. 2019-10-14 14:51:03 -07:00
Jozef Kralik
bc6074f596 Change api of functions Authority.Sign, Authority.Renew
Returns certificate chain instead of 2 members.

Implements #126
2019-10-09 22:23:00 +02:00
max furman
fe7973c060 wip 2019-09-19 13:17:45 -07:00
max furman
e3826dd1c3 Add ACME CA capabilities 2019-09-13 15:48:33 -07:00
Mariano Cano
10e7b81b9f Merge branch 'master' into ssh-ca 2019-09-05 23:06:01 +02:00
max furman
635c59ed24 Accept emails SANs 2019-08-23 15:59:30 -07:00
Mariano Cano
1c8f610ca9 Add initial implementation of an SSH CA using the JWK provisioner.
Fixes smallstep/ca-component#187
2019-07-23 18:46:43 -07:00
Mariano Cano
44e85b51f2 Add some extra coverage. 2019-06-21 15:12:36 -07:00
Mariano Cano
aa63f8f32c Add missing root certificate to test. 2019-06-21 14:52:06 -07:00
Mariano Cano
f9e2ea9bd6 Revert "Do not depend on config package."
This reverts commit cc1c6f2cb4.
2019-06-18 14:44:19 -07:00
Mariano Cano
cc1c6f2cb4 Do not depend on config package.
Config package will panic if it cannot create the step path folder.
2019-06-18 13:16:23 -07:00
Mariano Cano
01b6aebbf7 Make provisioner more configurable.
The intention of this change is to make it usable from cert-manager.
2019-06-17 19:01:04 -07:00
Mariano Cano
e8498bf612 Add new WithDatabase to test reload. 2019-05-10 17:49:15 -07:00
Mariano Cano
120e2d0caf Fix restart with simple DB. 2019-05-10 16:14:21 -07:00
Mariano Cano
3a1a4c5ea9 Do not allow reload with database configuration changes.
Fixes #smallstep/ca-component#170
2019-05-10 15:58:37 -07:00
Mariano Cano
b595c55f0a Update CA properties on reload.
Fixes #71
2019-05-03 15:40:59 -07:00
max furman
c242602231 reload and shutdown trickery
* Only shutdown the database once.
* Be careful when reloading the CA. Depending on whether the DB has
already been shutdown, and error may be unrecoverable.
2019-04-25 13:25:41 -07:00
max furman
cbeca9383b Update nosql integration
* shutdown and reload database on SIGHUP
2019-04-24 18:00:59 -07:00
Mariano Cano
c2c9798149 Fix review issues. 2019-04-12 14:59:55 -07:00
Mariano Cano
46b9b117e3 Add test for provisioner type. 2019-04-12 13:05:56 -07:00
Mariano Cano
13783301ce Remove test for unnecessary method. 2019-04-12 11:22:49 -07:00
Mariano Cano
b4739c185d Remove unnecessary method GetCertificateRenewer. 2019-04-12 11:10:56 -07:00
Mariano Cano
fa216ccaad Use SetTransport method. 2019-04-12 11:06:38 -07:00
Mariano Cano
43c5831582 Merge branch 'master' into step-sds 2019-04-11 11:47:20 -07:00
max furman
ab4d569f36 Add /revoke API with interface db backend 2019-04-10 13:50:35 -07:00
Mariano Cano
888ef147fa Expose a way to update the transport. 2019-04-03 19:37:12 -07:00
Mariano Cano
c42265972a Add the autocert provisioner to the ca package. 2019-04-03 12:37:17 -07:00
Mariano Cano
7800f5960a Add test for GetCertificateRenewer 2019-04-03 11:53:04 -07:00
Mariano Cano
8d2de64811 Add method to get a certificate renewer. 2019-04-03 11:08:09 -07:00
Mariano Cano
27b6ac0a58 Add INT and TERM signal handler. 2019-04-03 11:07:11 -07:00
Mariano Cano
64f2615864 Fix tests. 2019-03-25 12:35:21 -07:00
Mariano Cano
b07fe546fd Fix types in tests. 2019-03-07 15:58:56 -08:00
Mariano Cano
5ce5a891f7 Add email SAN with email parameter in the JWK 2019-03-06 17:01:12 -08:00
Mariano Cano
262a9d0978
Merge pull request #27 from smallstep/mariano/renew-pool
SDK should update certificate pools safely
2019-02-06 16:56:38 -08:00
Mariano Cano
e0fff4d80b Fix typo. 2019-02-06 16:52:44 -08:00
Mariano Cano
f1f6c548ad Fix typo. 2019-02-06 16:48:20 -08:00
Mariano Cano
758d829355 Fix tests. 2019-02-05 20:27:29 -08:00
max furman
3415a1fef8 move SplitSANs to cli 2019-02-05 19:32:01 -08:00
Mariano Cano
975cb75fbd Fix typo. 2019-02-05 17:33:16 -08:00
Mariano Cano
3c06d6f9bc Fix comment. 2019-02-05 17:30:10 -08:00
Mariano Cano
e330ac547c Fix comment. 2019-02-05 17:29:28 -08:00
Mariano Cano
cd934bbede Remove println 2019-02-05 17:27:10 -08:00
max furman
6937bfea7b claims.SANS -> claims.SANs 2019-02-04 20:22:02 -08:00
Mariano Cano
4c9dccd3f6 Allow multiple certificates in the root pem. 2019-02-04 10:29:52 -08:00
max furman
ab78534b08 add test for SAN backwards compatibility with CLI
* new provisioner tokens always contain the crt.Subject.CommonName
in the SANS attribute of the token claims. added tests that verifies
backwards compatibility still works in cases where the token does not
contain the subject as a SAN claim.
2019-02-01 12:24:21 -06:00
max furman
e6e8443f3c allow multiple identical SANs in cert 2019-01-31 11:20:21 -06:00
max furman
f0683c2e0a Enable signing certificates with custom SANs
* validate against SANs in token. must be 1:1 equivalent.
2019-01-30 18:21:03 -06:00
Mariano Cano
d394dd233a Initiate default RootCAs/ClientCAs when no options are passed. 2019-01-23 14:33:16 -08:00
Mariano Cano
25eba1a96c WIP on the safely rotate of root and federated certificates.
Fixes #23
2019-01-22 19:54:12 -08:00
Mariano Cano
bacbf85aa3 Add new bootstrap method that creates a listener. 2019-01-17 14:48:33 -08:00
Mariano Cano
984bf8d38c Add missing file. 2019-01-16 19:06:21 -08:00
Mariano Cano
1cc5e94666 Add simple test for federation. 2019-01-16 19:03:41 -08:00
Mariano Cano
dbd1bf11f1 Rename variable. 2019-01-14 17:35:38 -08:00
Mariano Cano
7dc61bf233 Remove deprecated code 2019-01-11 19:13:06 -08:00
Mariano Cano
518b597535 Remove mTLS client requirement in /roots and /federation 2019-01-11 19:08:08 -08:00
Mariano Cano
9adc65febf Add test for newTLSOptionCtx 2019-01-10 15:31:40 -08:00
Mariano Cano
6116523055 Fix random order in tests. 2019-01-10 10:57:06 -08:00
Mariano Cano
8510e25b3b Add test with bootstrap server. 2019-01-09 18:48:15 -08:00
Mariano Cano
f99ae9da93 Add root rotation test. 2019-01-09 17:55:32 -08:00
Mariano Cano
af9e6488fc Make the renew test shorter. 2019-01-09 17:35:00 -08:00
Mariano Cano
25ddbaedff Allow to customize the minimal cert duration for tests. 2019-01-09 17:24:11 -08:00
Mariano Cano
10aaece1b0 Update root certificates on renew. 2019-01-09 13:20:28 -08:00
Mariano Cano
6d3e8ed93c Add all root certificates by default on bootstrap methods. 2019-01-07 18:55:40 -08:00
Mariano Cano
d296cf95a9 Add mTLS request to get all the root CAs, not the federated ones. 2019-01-07 17:48:56 -08:00
Mariano Cano
98cc243a37 Add support for multiple roots. 2019-01-07 15:30:28 -08:00
Mariano Cano
722bcb7e7a Add initial support for federated root certificates. 2019-01-04 17:51:32 -08:00
Mariano Cano
7e2f80ac30 Fix grammar error 2018-11-27 16:29:14 -08:00
max furman
c0107ab5b9 Fix ca renew documentation 2018-11-27 16:25:01 -08:00
Mariano Cano
f7a5be3942 Force the renew of the CA server. 2018-11-27 15:57:13 -08:00
Mariano Cano
b0a410066b Add support for parsing endpoints without schema.
Fixes smallstep/ca-component#117
2018-11-26 18:29:45 -08:00
Mariano Cano
d872f09910 Use mTLS by default on SDK methods.
Add options to modify the tls.Config for different configurations.
Fixes #7
2018-11-21 13:31:09 -08:00
Mariano Cano
9c64dbda9a Add helpers to add direct support for mTLS. 2018-11-07 16:07:35 -08:00
Mariano Cano
b23e3bec7f Remove comment of removed arguments. 2018-11-06 17:45:41 -08:00
max furman
5f2d998584 change documentation for bootstrap Server|Client
* provide documentation for default and non-default invocation.
2018-11-06 17:39:00 -08:00
Mariano Cano
ba88c8c5cb Add context to bootstrap methods. 2018-11-06 17:16:33 -08:00
Mariano Cano
7eb8aeb1f1 Add tests for bootstrap functions. 2018-11-05 12:22:10 -08:00
Mariano Cano
091506a994 Add bootstrap helpers that uses just a token. 2018-11-02 18:54:49 -07:00
max furman
c74fcd57a7 ca-component -> certificates
* fix redundant error check
* add README
2018-10-31 21:36:01 -07:00
max furman
0d9dd2d14b provisioner issuer -> name 2018-10-29 18:00:30 -07:00
Mariano Cano
71a3587b76 Add client support for provisioner cursor and limit options.
Fixes #83
2018-10-26 11:35:15 -07:00
Mariano Cano
99cab73360 Remove unused import /provisioners/jwk-set-by-issuer 2018-10-25 18:55:18 -07:00
max furman
ee7db4006a change sign + authorize authority api | add provisioners
* authorize returns []interface{}
 - operators in this list can conform to any interface the user decides
 - our implementation has a combination of certificate claim validators
 and certificate template modifiers.
* provisioners can set and enforce tls cert options
2018-10-18 22:26:39 -07:00
Mariano Cano
d7c31c3133 Properly fill CSR DNSNames or IPAddresses 2018-10-24 19:49:16 -07:00
Mariano Cano
2b2598c695 Fix audience to fix ca tests. 2018-10-24 12:50:42 -07:00
Mariano Cano
511e1a9e23 Fix getting transport from root fingerprint. 2018-10-24 12:42:37 -07:00
max furman
0b5f6487e1 change provisioners api
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
2018-10-11 23:03:00 -07:00
Mariano Cano
7b6a3ea427 Add client methods for provisioning endpoints. 2018-10-09 14:54:29 -07:00
max furman
378166a3b2 add full stack tests for multiple provisioners api
* /provisioners and /provisioners/<key-id>/encrypted-key
2018-10-09 13:37:47 -07:00
max furman
d773770a44 add authority.New unit tests 2018-10-08 21:48:44 -07:00
max furman
c284a2c0ab first commit 2018-10-05 21:48:36 +00:00