Commit graph

75 commits

Author SHA1 Message Date
Herman Slatman
583d60dc0d
Address (most) PR comments 2021-03-21 16:42:41 +01:00
Herman Slatman
a4844fee7b
Make tests green 2021-03-12 16:58:52 +01:00
Herman Slatman
99952080c7
Make tests not fail hard on ECDSA keys
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
2021-03-12 16:27:26 +01:00
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority 2021-03-12 15:49:39 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.

This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.

The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.

This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
538fe8114d
Fix linter issues 2021-03-10 22:39:20 +01:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority 2021-02-26 00:32:21 +01:00
Herman Slatman
9e43dc85d8
Merge branch 'master' into hs/scep-master 2021-02-19 10:16:39 +01:00
Herman Slatman
713b571d7a
Refactor SCEP authority initialization and clean some code 2021-02-12 17:02:39 +01:00
Herman Slatman
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP 2021-02-12 12:03:08 +01:00
Mariano Cano
fbd2208044 Close key manager for safe reloads when a cgo module is used. 2021-02-01 17:14:44 -08:00
Miclain Keffeler
7545b4a625 leverage intermediate_ca.crt for appending certs. 2020-12-23 22:41:10 -06:00
Anton Lundin
3e6137110b Add support for using ssh-agent as a KMS
This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys
for issuing ssh certificates signed by a key managed by a ssh-agent. It
uses the golang.org/x/crypto package to get a native Go implementation
to talk to a ssh-agent.

This was primarly written to be able to use gpg-agent to provide the
keys stored in a YubiKeys openpgp interface, but can be used for other
setups like proxying a ssh-agent over network.

That way the signing key for ssh certificates can be kept in a
"sign-only" hsm.

This code was written for my employer Intinor AB, but for simplicity
sake gifted to me to contribute upstream.

Signed-off-by: Anton Lundin <glance@acc.umu.se>
2020-11-04 09:06:23 +01:00
Mariano Cano
ef92a3a6d7 Move cas options under authority. 2020-10-19 18:08:51 -07:00
Mariano Cano
072adc906e Print root fingerprint for CloudCAS. 2020-09-22 13:23:48 -07:00
Mariano Cano
38fa780775 Add interface to get root certificate from CAS.
This change makes easier the configuration of cloudCAS as it does
not require to configure the root or intermediate certificate
in the ca.json. CloudCAS will get the root certificate using
the configured certificateAuthority.
2020-09-21 15:27:20 -07:00
Mariano Cano
60515d92c5 Remove unnecessary properties. 2020-09-16 13:31:26 -07:00
Mariano Cano
bd8dd9da41 Do not read issuer and signer twice. 2020-09-10 19:13:17 -07:00
Mariano Cano
aad8f9e582 Pass issuer and signer to softCAS options.
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
2020-09-10 19:09:46 -07:00
Mariano Cano
1b1f73dec6 Early attempt to develop a CAS interface. 2020-09-08 19:26:32 -07:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 2020-08-10 11:26:51 -07:00
Mariano Cano
fcfc4e9b2b Fix ssh federated template variables. 2020-06-23 11:14:26 -07:00
Mariano Cano
e3ae751b57 Use templates from authority instead of config. 2020-06-16 17:57:35 -07:00
Mariano Cano
6c844a0618 Load default templates if no templates are configured. 2020-06-16 17:26:18 -07:00
Mariano Cano
c02fe77998 Close the key manager before shutting down. 2020-05-07 18:59:30 -07:00
Mariano Cano
4e544344f9 Initialize the required config fields on embedded authorities.
This change is to make easier the use of embedded authorities. It
can be difficult for third parties to know what fields are required.
The new init methods will define the minimum usable configuration.
2020-05-06 13:00:42 -07:00
Mariano Cano
b5eab009b2 Rename method to NewEmbedded 2020-05-05 17:46:22 -07:00
Mariano Cano
824374bde0 Create a method to initialize the authority without a config file.
When the CA is embedded in a third party product like Caddy, the
config needed to use placeholders to be valid. This change adds
a new method `NewEmbeddedAuthority` that allows to create an
authority with the given options, the minimum options are a root
and intermediate certificate, and the intermediate key.

Fixes #218
2020-05-04 18:52:18 -07:00
Mariano Cano
c49a9d5e33 Add context parameter to all SSH methods. 2020-03-10 19:01:45 -07:00
Mariano Cano
5c8c741fab Fix linting issues. 2020-02-14 11:46:31 -08:00
Mariano Cano
9021951f1a Fix types. 2020-01-14 18:47:05 -08:00
Mariano Cano
e98d7832b9 Add options to read the roots and federated roots from a bundle. 2020-01-10 18:33:48 -08:00
Mariano Cano
c62526b39f Add wip support for kms. 2020-01-09 18:42:26 -08:00
max furman
1e17ec7d33 Use x5cInsecure token for /ssh/check-host endpoint 2019-12-11 14:54:29 -08:00
max furman
c2a3bcfab5 resolving merge 2019-11-20 17:26:04 -08:00
max furman
927784237d Use an actual Hosts type when returning ssh hosts 2019-11-20 17:23:51 -08:00
Mariano Cano
2f18a26d4f Add version endpoint. 2019-11-20 17:01:31 -08:00
max furman
35912cc906 change func def for getSSHHosts
* continue to return all hosts if injection method not specified
2019-11-20 12:59:48 -08:00
max furman
c407a9319b Add getSSHHosts injection func 2019-11-20 11:32:27 -08:00
max furman
8b2105a8f9 Instrument getIdentity func for OIDC ssh provisioner 2019-11-19 13:32:58 -08:00
max furman
6ca1df5081 Add WithGetIdentityFunc option and attr to authority
* Add Identity type to provisioner
2019-11-14 20:38:39 -08:00
Mariano Cano
86a0558587 Add support for /ssh/bastion method. 2019-11-14 18:24:58 -08:00
Mariano Cano
43b663e0c3 Move Option type to a new file. 2019-11-14 15:29:04 -08:00
max furman
a9ea292bd4 sshpop provisioner + ssh renew | revoke | rekey first pass 2019-11-05 16:41:42 -08:00
Mariano Cano
e5da24f269 Fix list of user ssh public keys. 2019-11-05 16:41:17 -08:00
Mariano Cano
91ccc3802c Fix lint error. 2019-11-05 16:41:17 -08:00
Mariano Cano
38d735be6e Add support for federated keys. 2019-11-05 16:41:17 -08:00
Mariano Cano
e84489775b Add support for multiple ssh roots.
Fixes #125
2019-11-05 16:41:17 -08:00
Mariano Cano
caa2174efc Add support for user data in templates. 2019-11-05 16:41:17 -08:00