Commit graph

107 commits

Author SHA1 Message Date
Mariano Cano
f140874e42
Merge pull request #958 from smallstep/rsa-signature-algorithm
Sign certificates with the issuer signature algorithm
2022-06-16 15:08:10 -07:00
Mariano Cano
31af1efa48 Sign certificates with the issuer signature algorithm
An RSA key can sign another certificates using the RSA PKCS#1
and the RSA-PSS scheme, this change will keep the signature
algorithm used in the issuer in the signed certificates instead
of using PKCS#1 by default.
2022-06-15 19:10:58 -07:00
Mariano Cano
34f926804d
Merge pull request #954 from shuLhan/shulhan-gofmt
all: reformat all go files with the next gofmt (Go 1.19)
2022-06-15 18:11:51 -07:00
Shulhan
ee53530d1f
cas/cloudcas: update test on createPublicKey for the next Go release
The next Go release call panic on elliptic.Marshal [1][2], which
affect the test case fail_ec_marshal on createPublicKey.

This changes fix this by initializing the P and B in test case
PublicKey CurveParams to prevent panic.

[1] https://github.com/golang/go/issues/50975
[2] a218b3520a
2022-06-16 03:01:38 +07:00
Shulhan
fe04f93d7f
all: reformat all go files with the next gofmt (Go 1.19)
There are some changes that manually edited, for example using '-' as
default list and grouping imports.
2022-06-16 01:28:59 +07:00
Erik DeLamarter
07984a968f
better error messages
Co-authored-by: Mariano Cano <mariano.cano@gmail.com>
2022-05-21 21:11:52 +02:00
Erik De Lamarter
9ec154aab0
rewrite and improve secret-id config 2022-05-21 21:06:15 +02:00
Erik De Lamarter
6989c7f146
vault auth unit tests 2022-05-21 21:06:15 +02:00
Erik De Lamarter
6c44291d8d
refactor vault auth 2022-05-21 21:06:15 +02:00
Erik De Lamarter
dec1067add
vault kubernetes auth 2022-05-21 21:06:14 +02:00
Mariano Cano
3aebe8d019 Add missing comma in comment. 2022-04-15 12:19:32 -07:00
Mariano Cano
e29c85bbd4 Use errors and fmt instead of pkg/errors. 2022-04-12 14:04:46 -07:00
Mariano Cano
76c483c36f Add missing comments. 2022-04-12 11:15:28 -07:00
Mariano Cano
48bc20c9f3 Unify json parameters. 2022-04-12 11:11:36 -07:00
Mariano Cano
790a19c6f6
make json names uniform
Co-authored-by: Ahmet Demir <ahmet2mir+github@gmail.com>
2022-04-12 10:01:22 -07:00
Mariano Cano
967d9136ca Cleanup Vault CAS integration 2022-04-11 18:44:13 -07:00
Mariano Cano
37b521ec6c
Merge branch 'master' into feat/vault 2022-04-11 14:57:45 -07:00
Mariano Cano
abf5fc32a3 Format comment. 2022-03-29 14:26:17 -07:00
Mariano Cano
c480936ba4 Split comments. 2022-03-29 12:02:17 -07:00
Mariano Cano
955d4cf80d Add authority.WithX509SignerFunc
This change adds a new authority option that allows to pass a callback
that returns the certificate chain and signer used to sign X.509
certificates.

This option will be used by Caddy, they renew the intermediate
certificate weekly and there's no other way to replace it without
re-creating the embedded CA.

Fixes #874
2022-03-28 17:54:35 -07:00
Mariano Cano
ae7b41a12c Fix linter errors. 2022-02-16 18:33:33 -08:00
Mariano Cano
c0525381eb Merge branch 'master' into feat/vault 2022-02-16 18:19:23 -08:00
Mariano Cano
d424159200 Fix certificate type identification 2022-02-16 18:09:20 -08:00
Mariano Cano
b3316c4a56 Refactor json Marshal+Unmarshal in one function. 2022-02-16 17:17:32 -08:00
Ahmet DEMIR
a9550a746f
fix: add back commented tests 2022-02-06 23:35:17 +01:00
Ahmet DEMIR
ab5197500c
fix: a certificat must excldue the root and you should use verified chained intermediate 2022-02-06 23:29:49 +01:00
Ahmet DEMIR
782ff76963
fix: apply suggestion to use cr only 2022-01-27 11:19:31 +01:00
Ahmet DEMIR
b49ac2501b
feat: enhance options and fix revoke plus more tests 2022-01-27 11:14:19 +01:00
Ahmet DEMIR
8ef3abf6d9
fix: minus d on Ed 2022-01-26 11:29:21 +01:00
Herman Slatman
ad041d6bb7
Fix deprecation of grpc.WithInsecure option
With the update of go.step.sm/linkedca grpc.WithInsecure was
deprecated. This commit fixes this by setting up the (insecure)
connection using the new method.
2022-01-21 16:17:40 +01:00
Ahmet DEMIR
d957a57e24
fix: apply mariano suggestions and fixes
* use json.RawMessage to remote mapstructure in options
* use vault secretid structure to support multiple source aka string, file and env
* remove log prefix
* return raw cert on error on newline for cert and csr
* clean sans, commonName in createCertificate (bad copy/paste from StepCAS)
* verify authority fingerprint
* convert serial on revoke to bigint, bytes and vault dashed representation
2022-01-20 10:16:47 +01:00
Ahmet DEMIR
16390694e1
feat(vault): adding hashicorp vault cas 2022-01-14 18:56:17 +01:00
Ahmet DEMIR
26d7b70957
feat(cas): add generic Config parameter to allow more flexible configuration on CAS 2022-01-13 20:31:37 +01:00
Herman Slatman
e7a988b2cd
Pin golangci-lint to v1.43.0 and fix issues 2021-11-13 01:30:03 +01:00
Mariano Cano
e15b5faf7d Merge branch 'master' into keyvault 2021-10-12 15:15:35 -07:00
max furman
933b40a02a Introduce gocritic linter and address warnings 2021-10-08 14:59:57 -04:00
Mariano Cano
52a18e0c2d Add key name to CreateCertificateAuthority 2021-10-07 14:19:39 -07:00
Mariano Cano
e4e799ca85 Fix typos in comment. 2021-09-09 12:45:29 -07:00
Mariano Cano
6d644880bd Allow to kms signers to define the SignatureAlgorithm
CloudKMS keys signs data using an specific signature algorithm, in RSA keys,
this can be PKCS#1 RSA or RSA-PSS, if the later is used, x509.CreateCertificate
will fail unless the template SignatureCertificate is properly set.

On contrast, AWSKMS RSA keys, are just RSA keys, and can sign with PKCS#1 or
RSA-PSS schemes, so right now the way to enforce one or the other is to used
templates.
2021-09-08 17:48:50 -07:00
Mariano Cano
de719eb6f0 Add an option to avoid password prompts on step cas
When we are using `step ca init` to create a stepcas RA we don't
have access to the password for verify the provisioner.
2021-08-04 16:16:35 -07:00
max furman
77fdfc9fa3 Merge branch 'master' into max/cert-mgr-crud 2021-07-02 20:26:46 -07:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
Mariano Cano
35e6cc275a Fix typos in comments. 2021-06-23 09:35:14 +02:00
Mariano Cano
dce1b290bd Remove debug statements. 2021-06-08 17:57:24 -07:00
Mariano Cano
ac3c754a6d Use known CA and add tier and gcs bucket options. 2021-06-08 17:43:52 -07:00
Mariano Cano
529eb4bae9 Rename CAPool to CaPool. 2021-06-07 19:20:23 -07:00
Mariano Cano
9db68db509 Add tests with cloudCAS EnableCertificateAuthority. 2021-06-07 19:17:30 -07:00
Mariano Cano
48bc4e549d Fix cloudcas tests. 2021-06-07 15:53:29 -07:00
Mariano Cano
072bd0dcf4 Add support for Google CAS v1 2021-06-03 19:31:19 -07:00
Herman Slatman
491c2b8d93 Improve initialization of SCEP authority 2021-05-26 16:10:21 -07:00