Herman Slatman
69489480ab
Add more complete tpm
format validation
2023-03-13 17:21:09 +01:00
Herman Slatman
f1724ea8c5
Merge branch 'master' into herman/acme-da-tpm
2023-01-23 22:52:56 +01:00
Herman Slatman
817edcbba5
Remove charset=utf-8
from ACME certificate requests
2022-11-09 19:57:50 +01:00
Herman Slatman
4cf25ede24
Merge branch 'master' into herman/acme-da-tpm
2022-11-08 12:07:46 +01:00
Herman Slatman
3eae04928f
Add tests for ACME Meta object
2022-11-07 15:35:42 +01:00
Herman Slatman
02d679e160
Merge branch 'master' into herman/ignore-empty-acme-meta
2022-11-07 14:03:01 +01:00
Mariano Cano
e27c6c529b
Add support for custom acme ports
...
This change adds the flags --acme-http-port, --acme-tls-port, that
combined with --insecure can be used to set custom ports for ACME
http-01 and tls-alpn-01 challenges. These flags should only be used
for testing purposes.
Fixes #1015
2022-11-03 16:58:25 -07:00
Herman Slatman
b9f238ad4d
Add additional ACME meta
properties to provisioner configuration
2022-10-24 22:37:57 +02:00
Herman Slatman
c9793561ff
Make meta
object optional in ACME directory response
...
Harware appliances from Kemp seem to validate the contents of the
`meta` object, even if none of the properties in the `meta` object
is set. According to the RFC, the `meta` object, as well as its
properties are optional, so technically this should be fixed by
the manufacturer.
This commit is to see if we validation of the `meta` object is
skipped if it's not available in the response.
2022-10-24 14:14:28 +02:00
Mariano Cano
a7e597450a
Update acme/challenge_test.go
...
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2022-10-11 10:04:42 -07:00
Mariano Cano
7a78c76199
Add test simulating YubiKey v5.2.4
...
There are YubiKeys v5.2.4 where the attestation intermediate (f9)
does not have a basic constraint extension, so that certificate
is not marked as a CA. The test and CA in this commit imitates
that use case. Currently the test case returns an error as we
don't support it. But if we change the verification to support
this use case, the test should change accordingly.
2022-10-10 18:27:11 -07:00
Mariano Cano
21666ba887
Revert "Set timestamp when marking an acme challenge invalid"
...
This reverts commit 5f130895f3
.
2022-10-03 12:56:23 -07:00
Mariano Cano
8538ff06b7
Add missing error case.
2022-10-03 12:54:26 -07:00
Mariano Cano
5f130895f3
Set timestamp when marking an acme challenge invalid
2022-10-03 11:35:51 -07:00
Andrew Reed
7101fbb0ee
Provisioner webhooks ( #1001 )
2022-09-29 19:16:26 -05:00
Herman Slatman
a8125846dd
Add TPM attestation
2022-09-21 14:58:03 +02:00
max furman
f3d1863ec6
A few more linter errors
2022-09-20 21:01:55 -07:00
Mariano Cano
99299faeeb
Add AuthorizeChallenge unit tests
2022-09-20 19:03:03 -07:00
Mariano Cano
f0a24bd8ca
Add acme property to enable challenges
...
Fixes #1027
2022-09-20 19:01:53 -07:00
Mariano Cano
191d9e8629
Use go.step.sm/crypto to set the permanent identifier
2022-09-20 18:57:43 -07:00
Mariano Cano
2b3b2c283a
Add attestation certificate validation for Apple devices
2022-09-20 18:51:43 -07:00
Brandon Weeks
5f5315260a
iOS 16 beta 1 support
2022-09-20 16:53:08 -07:00
Brandon Weeks
de5b0ef5c2
Verify key authorization is contained within the TPM quote extraData field
2022-09-20 16:51:55 -07:00
Brandon Weeks
6f2b4d3042
Add ACME permanent-identifier identifier type
2022-09-20 16:48:28 -07:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors
2022-09-20 16:35:41 -07:00
Mariano Cano
7dc2067cb2
Update acme/errors.go
...
Co-authored-by: Max <mx.furman@gmail.com>
2022-09-19 14:24:39 -07:00
Mariano Cano
226d36f66f
Fix unit tests
2022-09-19 14:17:30 -07:00
Mariano Cano
8cf6675ce4
Return the internal error instead of the ACME error
...
For ACME errors, return the internal error string instead of the
ACME one on the "Error() string" function. This way the logs will
have more information about the cause of an error.
Fixes #1057
2022-09-19 12:48:35 -07:00
Mariano Cano
34c6c65671
Pass attestation information to the Sign method
...
Attestation information might be useful in authorizing webhooks
2022-09-16 12:37:41 -07:00
Mariano Cano
498549c95c
Extract common function used in tests
2022-09-16 10:02:10 -07:00
Mariano Cano
829530ae90
Fix linter errors
2022-09-15 18:24:43 -07:00
Mariano Cano
6b73a020e3
Add unit tests for apple and step attestations
2022-09-15 18:19:52 -07:00
Mariano Cano
0f651799d0
Reject not enabled attestation formats
2022-09-08 17:38:05 -07:00
Mariano Cano
fd4e96d1f4
Rename method to IsChallengeEnabled
2022-09-08 13:22:35 -07:00
Mariano Cano
c77b4ff9c5
Fix linter errors
2022-09-08 12:49:16 -07:00
Mariano Cano
59c5219a07
Use a type for acme challenges
2022-09-08 12:34:06 -07:00
Mariano Cano
a89bea701d
Format comment
2022-09-08 11:06:17 -07:00
Mariano Cano
5df9434286
Fix old comment, device-attest-01 uses the acme payload
2022-09-08 10:59:51 -07:00
Mariano Cano
c5d3714a63
Fix acme error map
2022-09-08 10:48:17 -07:00
Mariano Cano
08815c5e90
Reneame attestation statement error
2022-09-08 10:46:58 -07:00
Mariano Cano
3cd72ac72a
Remove debug statements
2022-09-08 10:44:48 -07:00
Mariano Cano
e75e7e7cd6
Fix linter warnings
2022-09-01 16:18:13 -07:00
Mariano Cano
54d92095ac
Validate proof of possession signature
...
On the step format, validate proof of possession of the private
key validating the signature in the attestation statement.
2022-09-01 10:45:31 -07:00
Mariano Cano
59b7603d1e
Use a clientAuth only cert for device-attest-01
2022-08-30 16:09:44 -07:00
Mariano Cano
ca412e77cc
Return error on attestation validation
...
The method storeError returns a nil error
2022-08-29 20:03:34 -07:00
Mariano Cano
ab5f916bd3
Define ErrorBadAttestationStatement
2022-08-29 20:02:43 -07:00
Mariano Cano
735c9d49b0
Add support for yubikey attestation
2022-08-29 19:37:30 -07:00
Mariano Cano
df96b126dc
Add AuthorizeChallenge unit tests
2022-08-24 12:31:09 -07:00
Mariano Cano
bca311b05e
Add acme property to enable challenges
...
Fixes #1027
2022-08-23 17:11:40 -07:00
Mariano Cano
ae8d4d8757
Fix unit test
2022-08-23 17:01:15 -07:00