Commit graph

122 commits

Author SHA1 Message Date
Mariano Cano
0b8528ce6b Allow mTLS revocation without provisioner. 2021-03-22 13:37:31 -07:00
Mariano Cano
bcf70206ac Add support for revocation using an extra provisioner in the RA. 2021-03-17 19:47:36 -07:00
Mariano Cano
a6115e29c2 Add initial implementation of StepCAS.
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
2021-03-17 19:33:35 -07:00
Mariano Cano
3e0ab8fba7 Fix typo. 2020-10-05 18:00:50 -07:00
Mariano Cano
d64427487d Add comment about the missing error check. 2020-10-05 17:39:44 -07:00
Mariano Cano
e17ce39e3a Add support for Revoke using CAS. 2020-09-15 18:14:03 -07:00
Mariano Cano
aad8f9e582 Pass issuer and signer to softCAS options.
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
2020-09-10 19:09:46 -07:00
Mariano Cano
1b1f73dec6 Early attempt to develop a CAS interface. 2020-09-08 19:26:32 -07:00
Mariano Cano
cef0475e71 Make clear what's a template/unsigned certificate. 2020-08-28 14:33:26 -07:00
Mariano Cano
c94a1c51be Merge branch 'master' into ssh-cert-templates 2020-08-24 15:08:28 -07:00
Mariano Cano
ba918100d0 Use go.step.sm/crypto/jose
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00
max furman
81875074e3 tie -> the in comment 2020-08-20 15:15:15 -07:00
max furman
cb594ed2e0 go mod tidy and golang 1.15.0 cleanup ...
- cs.NegotiatedProtocolIsMutual has been deprecated but we still build
in travis with 1.14 so for now we'll ignore this linting error
- string(int) was resolving to string of a single rune rather than
string of digits -> use fmt.Sprint
2020-08-17 13:48:37 -07:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
0a59efd853 Use new x509util to generate the CA certificate. 2020-08-10 16:09:22 -07:00
Mariano Cano
4943ae58d8 Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates. 2020-08-10 15:29:18 -07:00
Mariano Cano
ce1eb0a01b Use new x509util for renew/rekey. 2020-08-05 19:09:06 -07:00
Mariano Cano
c8d225a763 Use x509util from go.step.sm/crypto/x509util 2020-08-05 16:02:46 -07:00
Mariano Cano
a7b65f1e1e Add authority.Sign test with custom templates. 2020-07-22 19:18:45 -07:00
Mariano Cano
6c64fb3ed2 Rename provisioner options structs:
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
2020-07-22 18:24:45 -07:00
Mariano Cano
ccc705cdcd Use alias x509legacy to cli x509util in tls.go. 2020-07-21 14:20:48 -07:00
Mariano Cano
8f0dd811af Allow to send errors from template to cli. 2020-07-21 14:18:06 -07:00
Mariano Cano
4795e371bd Add back the support for ca.json DN template. 2020-07-21 14:18:05 -07:00
Mariano Cano
d1d9ae42d6 Use certificates x509util instead of cli for certificate signing. 2020-07-21 14:18:04 -07:00
max furman
fd05f3249b A few last fixes and tests added for rekey/renew ...
- remove all `renewOrRekey`
- explicitly test difference between renew and rekey (diff pub keys)
- add back tests for renew
2020-07-09 12:11:40 -07:00
Max
ea9bc493b8
Merge pull request #307 from dharanikumar-s/master
Add support for rekeying Fixes #292
2020-07-09 11:39:00 -07:00
dharanikumar-s
57fb0c80cf Removed calculating SubjectKeyIdentifier on Rekey 2020-07-08 12:52:53 +05:30
dharanikumar-s
dfda497929 Renamed RenewOrRekey to Rekey 2020-07-08 11:47:59 +05:30
dharanikumar-s
fe73154a20 Corrected misspelling 2020-07-05 22:50:02 +05:30
dharanikumar-s
2479371c06 Added error check while marshalling public key 2020-07-05 22:37:29 +05:30
dharanikumar-s
c8c3581e2f SubjectKeyIdentifier extention is calculated from public key passed to this function instead of copying from old certificate 2020-07-05 22:15:01 +05:30
dharanikumar-s
8f504483ce Added RenewOrRekey function based on @maraino suggestion. RenewOrReky is called from Renew. 2020-07-03 15:58:15 +05:30
dharanikumar-s
3813f57b1a Add support for rekeying Fixes #292 2020-07-01 19:10:13 +05:30
max furman
d25e7f64c2 wip 2020-06-24 09:58:40 -07:00
max furman
3636ba3228 wip 2020-06-23 17:13:39 -07:00
max furman
1951669e13 wip 2020-06-23 11:10:45 -07:00
Mariano Cano
bfe1f4952d Rename interface to CertificateEnforcer and add tests. 2020-03-31 11:41:36 -07:00
Mariano Cano
64f26c0f40 Enforce a duration for identity certificates. 2020-03-30 17:33:04 -07:00
Mariano Cano
05cc1437b7 Remove unnecessary parse of certificate. 2020-02-13 17:48:43 -08:00
Mariano Cano
43bd8113aa Remove unnecessary comments. 2020-02-11 14:46:18 -08:00
Mariano Cano
69a1b68283 Merge branch 'ssh' into kms 2020-01-27 15:41:14 -08:00
max furman
b265877050 Simplify statuscoder error generators. 2020-01-24 13:46:11 -08:00
max furman
c387b21808 Introduce generalized statusCoder errors and loads of ssh unit tests.
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
2020-01-22 17:25:23 -08:00
Mariano Cano
c62526b39f Add wip support for kms. 2020-01-09 18:42:26 -08:00
Mariano Cano
e67ccd9e3d Add fault tolerance against clock skew accross system on TLS certificates. 2020-01-02 17:48:28 -08:00
Mariano Cano
8eeb82d0ce Store renew certificate in the database. 2019-12-10 13:10:45 -08:00
Mariano Cano
0c3b9ebf45 Fix indentation. 2019-11-13 11:18:05 -08:00
max furman
a9ea292bd4 sshpop provisioner + ssh renew | revoke | rekey first pass 2019-11-05 16:41:42 -08:00
Jozef Kralik
bc6074f596 Change api of functions Authority.Sign, Authority.Renew
Returns certificate chain instead of 2 members.

Implements #126
2019-10-09 22:23:00 +02:00
max furman
fe7973c060 wip 2019-09-19 13:17:45 -07:00
Mariano Cano
2127d09ef3 Rename context type to apiCtx.
It will conflict with the context package.
2019-07-29 11:56:14 -07:00
max furman
ab4d569f36 Add /revoke API with interface db backend 2019-04-10 13:50:35 -07:00
Mariano Cano
8c8547bf65 Remove unnecessary parse and improve tests. 2019-03-20 18:11:45 -07:00
Mariano Cano
a3e2b4a552 Move certificate check to the right place. 2019-03-20 17:36:45 -07:00
Mariano Cano
30a6889d1f Use standard x509 instead of step one. 2019-03-20 17:12:52 -07:00
Mariano Cano
7fd737cbb1 Fix lint warnings. 2019-03-11 18:47:57 -07:00
Mariano Cano
1f5ff5c899 Fix sign and renew tests. 2019-03-11 18:15:24 -07:00
Mariano Cano
c0ef6f8dc5 Add missing modifier and change return codes. 2019-03-07 16:03:38 -08:00
Mariano Cano
a97ea87caa Move options to provisioner so we can set the duration of the cert. 2019-03-07 15:14:18 -08:00
Mariano Cano
1671ab2590 Fix some tests. 2019-03-07 12:15:18 -08:00
Mariano Cano
57b705f6cf Use provisioner sign options. 2019-03-06 17:37:49 -08:00
Mariano Cano
d78febec7a Fix extensions copy on renew
Fixes #36
2019-02-14 16:44:36 -08:00
max furman
7e43402575 bug fix: don't add common name to CSR validation claims in Sign
* added unit test for this case
2019-02-06 16:26:25 -08:00
max furman
e6e8443f3c allow multiple identical SANs in cert 2019-01-31 11:20:21 -06:00
max furman
f0683c2e0a Enable signing certificates with custom SANs
* validate against SANs in token. must be 1:1 equivalent.
2019-01-30 18:21:03 -06:00
Mariano Cano
d6cad2a7f3 Add provisioner option to disable renewal.
Fixes smallstep/ca-component#108
2018-11-01 15:43:24 -07:00
Mariano Cano
d574545d94 Format code with gofmt -s 2018-10-26 15:01:02 -07:00
max furman
7fa06643b2 change step provisioner OID and ASN1 representation 2018-10-26 14:24:16 -07:00
max furman
a4a461466b withProvisionerOID and unit test 2018-10-25 23:49:23 -07:00
max furman
ee7db4006a change sign + authorize authority api | add provisioners
* authorize returns []interface{}
 - operators in this list can conform to any interface the user decides
 - our implementation has a combination of certificate claim validators
 and certificate template modifiers.
* provisioners can set and enforce tls cert options
2018-10-18 22:26:39 -07:00
max furman
0b5f6487e1 change provisioners api
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
2018-10-11 23:03:00 -07:00
max furman
c284a2c0ab first commit 2018-10-05 21:48:36 +00:00