Herman Slatman
1c38113e44
Add ACME Subproblem
for more detailed ACME client-side errors
...
When validating an ACME challenge (`device-attest-01` in this case,
but it's also true for others), and validation fails, the CA didn't
return a lot of information about why the challenge had failed. By
introducing the ACME `Subproblem` type, an ACME `Error` can include
some additional information about what went wrong when validating
the challenge.
This is a WIP commit. The `Subproblem` isn't created in many code
paths yet, just for the `step` format at the moment. Will probably
follow up with some more improvements to how the ACME error is
handled. Also need to cleanup some debug things (q.Q)
2023-01-26 13:29:31 +01:00
Mariano Cano
e27c6c529b
Add support for custom acme ports
...
This change adds the flags --acme-http-port, --acme-tls-port, that
combined with --insecure can be used to set custom ports for ACME
http-01 and tls-alpn-01 challenges. These flags should only be used
for testing purposes.
Fixes #1015
2022-11-03 16:58:25 -07:00
Mariano Cano
21666ba887
Revert "Set timestamp when marking an acme challenge invalid"
...
This reverts commit 5f130895f3
.
2022-10-03 12:56:23 -07:00
Mariano Cano
5f130895f3
Set timestamp when marking an acme challenge invalid
2022-10-03 11:35:51 -07:00
max furman
f3d1863ec6
A few more linter errors
2022-09-20 21:01:55 -07:00
Mariano Cano
2b3b2c283a
Add attestation certificate validation for Apple devices
2022-09-20 18:51:43 -07:00
Brandon Weeks
5f5315260a
iOS 16 beta 1 support
2022-09-20 16:53:08 -07:00
Brandon Weeks
de5b0ef5c2
Verify key authorization is contained within the TPM quote extraData field
2022-09-20 16:51:55 -07:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2022-09-20 16:35:41 -07:00
Mariano Cano
6b73a020e3
Add unit tests for apple and step attestations
2022-09-15 18:19:52 -07:00
Mariano Cano
0f651799d0
Reject not enabled attestation formats
2022-09-08 17:38:05 -07:00
Mariano Cano
08815c5e90
Reneame attestation statement error
2022-09-08 10:46:58 -07:00
Mariano Cano
3cd72ac72a
Remove debug statements
2022-09-08 10:44:48 -07:00
Mariano Cano
e75e7e7cd6
Fix linter warnings
2022-09-01 16:18:13 -07:00
Mariano Cano
54d92095ac
Validate proof of possession signature
...
On the step format, validate proof of possession of the private
key validating the signature in the attestation statement.
2022-09-01 10:45:31 -07:00
Mariano Cano
ca412e77cc
Return error on attestation validation
...
The method storeError returns a nil error
2022-08-29 20:03:34 -07:00
Mariano Cano
735c9d49b0
Add support for yubikey attestation
2022-08-29 19:37:30 -07:00
Mariano Cano
693dc39481
Merge branch 'master' into device-attestation
2022-08-22 17:59:17 -07:00
Mariano Cano
23b8f45b37
Address gosec warnings
...
Most if not all false positives
2022-08-18 17:46:20 -07:00
Mariano Cano
2ab1e6658e
Fix nonce validation
...
The attestation certificate contains the nonce as raw bytes in the
extension 1.2.840.113635.100.8.11.1
2022-08-09 15:06:52 -07:00
Mariano Cano
66356cff43
Add attestation certificate validation for Apple devices
2022-07-14 17:10:03 -07:00
Brandon Weeks
274f6ccb41
iOS 16 beta 2 support
2022-06-23 05:43:24 +10:00
Brandon Weeks
7e1b0bebd9
iOS 16 beta 1 support
2022-06-23 05:19:36 +10:00
Brandon Weeks
77c6d10fd6
Verify key authorization is contained within the TPM quote extraData field
2022-06-23 05:19:36 +10:00
Brandon Weeks
e1ec31c0ed
Implement TPM attestation statement verification
2022-06-23 05:19:36 +10:00
Brandon Weeks
aacd6f4cc6
Add device-attest-01 challenge type
2022-06-23 05:19:36 +10:00
Mariano Cano
d1f75f1720
Refactor ACME api.
2022-04-28 19:15:18 -07:00
Herman Slatman
479c6d2bf5
Fix ACME IPv6 HTTP-01 challenges
...
Fixes #890
2022-04-07 12:37:34 +02:00
Herman Slatman
2d50c96d99
Merge branch 'master' into hs/acme-revocation
2021-11-19 17:00:18 +01:00
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues
2021-11-13 01:30:03 +01:00
Herman Slatman
29f9730485
Satisfy golangci-lint
2021-11-12 17:13:10 +01:00
max furman
933b40a02a
Introduce gocritic linter and address warnings
2021-10-08 14:59:57 -04:00
Mariano Cano
dc5205cc72
Extract the tls error code and fail accordingly.
2021-08-17 17:06:25 -07:00
Mariano Cano
ae58a0ee4e
Make tests compatible with Go 1.17.
...
With Go 1.17 tls.Dial will fail if the client and server configured
protocols do not overlap. See https://golang.org/doc/go1.17#ALPN
2021-08-17 16:31:53 -07:00
Herman Slatman
64c15fde7e
Add tests for canonicalize function
2021-06-25 14:07:40 +02:00
Herman Slatman
135e912ac8
Improve coverage for TLS-ALPN-01 challenge
2021-06-18 17:27:35 +02:00
Herman Slatman
523ae96749
Change identifier and challenge types to consts
2021-06-18 12:39:36 +02:00
Herman Slatman
af4803b8b8
Fix tests
2021-06-04 11:14:59 +02:00
Herman Slatman
0c79914d0d
Improve check for single IP in TLS-ALPN-01 challenge
2021-06-04 00:18:26 +02:00
Herman Slatman
a6405e98a9
Remove fmt.
2021-06-04 00:06:15 +02:00
Herman Slatman
2f40011da8
Add support for TLS-ALPN-01 challenge
2021-06-04 00:01:43 +02:00
Herman Slatman
3e36522329
Add preliminary support for TLS-ALPN-01 challenge for IP identifiers
2021-05-29 00:19:14 +02:00
max furman
6cfb9b790c
Remove check of deprecated value
...
- NegotiatedProtocolIsMutual is always true: Deprecated according to
golang docs
2021-04-13 14:53:05 -07:00
max furman
440678cb62
Add markInvalid arg to storeError for invalidating challenge
2021-03-29 22:58:26 -07:00
max furman
6b8585c702
PR review fixes / updates
2021-03-29 12:04:14 -07:00
max furman
b6ebc0fd25
more unit tests
2021-03-25 12:05:46 -07:00
max furman
206909b12e
[acme db interface] unit tests for challenge nosql db
2021-03-25 12:05:46 -07:00
max furman
20b9785d20
[acme db interface] continuing unit test work
2021-03-25 12:05:46 -07:00
max furman
80a6640103
[acme db interface] wip
2021-03-25 12:05:46 -07:00
max furman
1135ae04fc
[acme db interface] wip
2021-03-25 12:05:46 -07:00