Commit graph

2469 commits

Author SHA1 Message Date
Herman Slatman
491c2b8d93 Improve initialization of SCEP authority 2021-05-26 16:10:21 -07:00
Herman Slatman
2d85d4c1c1 Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-05-26 16:09:38 -07:00
Herman Slatman
e7cb80f880 Fix linter issues 2021-05-26 16:08:24 -07:00
Herman Slatman
aa2ce0a2a5 Store new certificates in database 2021-05-26 16:08:24 -07:00
Herman Slatman
f0050e5ca9 Add signed failure responses 2021-05-26 16:08:24 -07:00
Herman Slatman
4fe7179b95 Add support for configuring capabilities (cacaps) 2021-05-26 16:08:24 -07:00
Herman Slatman
3b86550dbf Add support for challenge password 2021-05-26 16:08:24 -07:00
Herman Slatman
017e56c9fb Remove some duplicate and unnecessary logic 2021-05-26 16:08:23 -07:00
Herman Slatman
75cd3ab0ac Change to a fixed fork of go.mozilla.org/pkcs7
Hopefully this will be a temporary change until
the fix is merged in the upstream module.
2021-05-26 16:07:37 -07:00
Herman Slatman
5df60c5a9b Add support for multiple SCEP provisioners
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
2021-05-26 16:06:22 -07:00
Herman Slatman
a191319da9 Improve SCEP API logic and error handling 2021-05-26 16:06:21 -07:00
Herman Slatman
30d3a26c20 Remove x509 template from API 2021-05-26 16:04:21 -07:00
Herman Slatman
da65f46d0f Add AuthorizeSign method to SCEP authority 2021-05-26 16:04:21 -07:00
Herman Slatman
812e1c7218 Add handling of options 2021-05-26 16:04:21 -07:00
Herman Slatman
80026e1016 Remove the copy of mozilla/pkcs7
Apparently the existing library works out of the box, after all.

We'll have to see how it works out continuing forward.
2021-05-26 16:04:21 -07:00
Herman Slatman
2a249d20de Refactor initialization of SCEP authority 2021-05-26 16:04:19 -07:00
Herman Slatman
99cd3b74fe Add full copy of mozilla/pkcs7 module as internal dependency
The full contents of the git repository @432b2356ecb...
was copied. Only go.mod was removed from it.
2021-05-26 16:01:20 -07:00
Herman Slatman
393be5b03a Add number of certs to return and fix CR LF in CACaps 2021-05-26 16:01:20 -07:00
Herman Slatman
b905d5fead Improve setup for multiple SCEP providers (slightly) 2021-05-26 16:01:20 -07:00
Herman Slatman
339039768c Refactor SCEP authority initialization and clean some code 2021-05-26 16:00:08 -07:00
Herman Slatman
48c86716a0 Add rudimentary (and incomplete) support for SCEP 2021-05-26 15:58:04 -07:00
max furman
ff7b829aa2 [action] forgot to add default labeler config file 2021-05-26 15:54:45 -07:00
max furman
114627de93 [action] labeler to v3 and use default config path location 2021-05-26 15:54:45 -07:00
Mariano Cano
d7a747b92b Add SCEP in the provisioners proto.
Change provisioner.proto to match protobuf style guide.
2021-05-26 15:49:18 -07:00
max furman
94ba057f01 wip 2021-05-26 14:55:31 -07:00
Mariano Cano
8d7c3d2f08
Merge pull request #506 from hslatman/hs/scep
Add SCEP support
2021-05-26 11:12:32 -07:00
max furman
01a4460812 wip 2021-05-25 21:13:01 -07:00
max furman
1726076ea2 wip 2021-05-25 16:52:06 -07:00
max furman
781e0c4b86 [action] forgot to add default labeler config file 2021-05-25 12:49:03 -07:00
max furman
1be1ed1236 [action] labeler to v3 and use default config path location 2021-05-25 12:45:40 -07:00
max furman
423942da44 wip 2021-05-24 13:38:24 -07:00
Mariano Cano
3f30552b60 Fix package name. 2021-05-24 12:46:16 -07:00
Mariano Cano
35cfa5b8a2 Remove majordomo client and rename administrator to admin. 2021-05-24 12:43:23 -07:00
Mariano Cano
71afc413bf Rename majordomo to linkedca. 2021-05-24 12:36:01 -07:00
Mariano Cano
64ce4e5c91 Add and generate majordomo protos. 2021-05-24 12:14:10 -07:00
max furman
9bfb1c2e7b wip 2021-05-21 13:31:41 -07:00
max furman
d8d5d7332b wip 2021-05-20 16:02:20 -07:00
max furman
5929244fda wip 2021-05-20 13:12:02 -07:00
max furman
9bf9bf142d wip 2021-05-20 13:01:58 -07:00
Herman Slatman
bc2bb53009
Merge branch 'master' into hs/scep 2021-05-20 21:35:44 +02:00
Herman Slatman
375687cd1b
Add setup for Authority tests 2021-05-20 21:31:52 +02:00
max furman
638766c615 wip 2021-05-19 18:23:20 -07:00
max furman
4f3e5ef64d wip 2021-05-19 15:20:16 -07:00
max furman
5d09d04d14 wip 2021-05-19 15:20:16 -07:00
max furman
4d48072746 wip admin CRUD 2021-05-19 15:20:16 -07:00
max furman
98a6e54530 wip 2021-05-19 15:20:16 -07:00
max furman
af3cf7dae9 first steps 2021-05-19 15:20:16 -07:00
max furman
2f60f20b0b lots of codes 2021-05-19 15:20:16 -07:00
max furman
7b5d6968a5 first commit 2021-05-19 15:20:16 -07:00
Mariano Cano
f84c8f846a Upgrade x/crypto
Although this does not affects us the old version had the vulnerability
CVE-2020-29652
2021-05-18 19:16:13 -07:00