Commit graph

31 commits

Author SHA1 Message Date
max furman
8b256f0351
address linter warning for go 1.19 2023-05-09 23:47:28 -07:00
Mariano Cano
8200d19894
Improve CRL implementation
This commit adds some changes to PR #731, some of them are:
- Add distribution point to the CRL
- Properly stop the goroutine that generates the CRLs
- CRL config validation
- Remove expired certificates from the CRL
- Require enable set to true to generate a CRL

This last point is the principal change in behaviour from the previous
implementation. The CRL will not be generated if it's not enabled, and
if it is enabled it will always be regenerated at some point, not only
if there is a revocation.
2022-10-26 18:55:24 -07:00
Raal Goff
d0e81af524 Merge branch 'master' into crl-support 2022-09-30 08:45:48 +08:00
max furman
ab0d2503ae
Standardize linting file and fix or ignore lots of linting errors 2022-09-20 16:35:41 -07:00
Raal Goff
924082bb49 fix linter errors 2022-09-08 10:09:37 +08:00
Raal Goff
d2483f3a70 Merge branch 'master' into crl-support
# Conflicts:
#	authority/config/config.go
2022-09-08 09:45:04 +08:00
Mariano Cano
a7fcfe0e4e Verify with roots and intermediates 2022-08-30 17:11:44 -07:00
Mariano Cano
ea8579f3df Fix bad signature algorithm on EC+RSA PKI
When the root certificate has an EC key and he intermediate has an
RSA key, the signature algorithm of the leafs should be the default
one, SHA256WithRSA, instead of the one that the intermediate has.

Fixes #1033
2022-08-30 16:49:56 -07:00
Mariano Cano
369b8f81c3 Use go.step.sm/crypto/kms
Fixes #975
2022-08-08 17:58:18 -07:00
Raal Goff
60671b07d7 Merge branch 'master' into crl-support
# Conflicts:
#	api/api.go
#	authority/config/config.go
#	cas/softcas/softcas.go
#	db/db.go
2022-07-13 08:52:58 +08:00
Mariano Cano
31af1efa48 Sign certificates with the issuer signature algorithm
An RSA key can sign another certificates using the RSA PKCS#1
and the RSA-PSS scheme, this change will keep the signature
algorithm used in the issuer in the signed certificates instead
of using PKCS#1 by default.
2022-06-15 19:10:58 -07:00
Raal Goff
c8b38c0e13 implemented requested changes 2022-04-06 10:50:09 +08:00
Raal Goff
d417ce3232 implement changes from review 2022-04-06 08:23:53 +08:00
Raal Goff
e8fdb703c9 initial support for CRL 2022-04-06 08:19:45 +08:00
Mariano Cano
955d4cf80d Add authority.WithX509SignerFunc
This change adds a new authority option that allows to pass a callback
that returns the certificate chain and signer used to sign X.509
certificates.

This option will be used by Caddy, they renew the intermediate
certificate weekly and there's no other way to replace it without
re-creating the embedded CA.

Fixes #874
2022-03-28 17:54:35 -07:00
Mariano Cano
e15b5faf7d Merge branch 'master' into keyvault 2021-10-12 15:15:35 -07:00
max furman
933b40a02a Introduce gocritic linter and address warnings 2021-10-08 14:59:57 -04:00
Mariano Cano
52a18e0c2d Add key name to CreateCertificateAuthority 2021-10-07 14:19:39 -07:00
Mariano Cano
e4e799ca85 Fix typos in comment. 2021-09-09 12:45:29 -07:00
Mariano Cano
6d644880bd Allow to kms signers to define the SignatureAlgorithm
CloudKMS keys signs data using an specific signature algorithm, in RSA keys,
this can be PKCS#1 RSA or RSA-PSS, if the later is used, x509.CreateCertificate
will fail unless the template SignatureCertificate is properly set.

On contrast, AWSKMS RSA keys, are just RSA keys, and can sign with PKCS#1 or
RSA-PSS schemes, so right now the way to enforce one or the other is to used
templates.
2021-09-08 17:48:50 -07:00
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority 2021-02-26 00:32:21 +01:00
Miclain Keffeler
ffbfcfb1f2 format. 2020-12-28 18:46:21 -06:00
Miclain K Keffeler
f3396bf964
Update softcas.go 2020-12-28 17:10:44 -06:00
Miclain Keffeler
7545b4a625 leverage intermediate_ca.crt for appending certs. 2020-12-23 22:41:10 -06:00
Mariano Cano
7aa8a8fe1e Complete tests for softCAS. 2020-11-03 12:45:31 -08:00
Mariano Cano
b2ae112dd2 Add initial tests for CreateCertificateAuthority. 2020-11-03 12:44:54 -08:00
Mariano Cano
2b4b902975 Add initial support for step ca init with cloud cas.
Fixes smallstep/cli#363
2020-11-03 12:44:28 -08:00
Mariano Cano
e146b3fe16 Add Unit tests for softcas. 2020-09-15 19:37:02 -07:00
Mariano Cano
1550a21f68 Fix unit tests. 2020-09-15 18:14:21 -07:00
Mariano Cano
aad8f9e582 Pass issuer and signer to softCAS options.
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
2020-09-10 19:09:46 -07:00
Mariano Cano
1b1f73dec6 Early attempt to develop a CAS interface. 2020-09-08 19:26:32 -07:00