Commit graph

2673 commits

Author SHA1 Message Date
Herman Slatman
ef16febf40
Refactor ACME EAB queries
The ACME EAB keys are now also indexed by the provisioner. This
solves part of the issue in which too many EAB keys may be in
memory at a given time.
2022-01-07 16:59:55 +01:00
Mariano Cano
01a76445ea Upgrade go.step.sm/crypto 2022-01-06 12:50:26 -08:00
Mariano Cano
98044cf08d Use a tagged version of linkedca 2022-01-06 12:04:57 -08:00
Mariano Cano
449a9fdfd6 Address review comments. 2022-01-06 12:00:58 -08:00
Mariano Cano
b424aa3dc1 Add nebula header and use der version of certificate. 2022-01-06 11:19:46 -08:00
Herman Slatman
30859d3c83
Remove server-side paging logic for ExternalAccountKeys 2022-01-06 14:09:35 +01:00
Mariano Cano
f49a4b326f Add missing comments. 2022-01-05 10:54:09 -08:00
Mariano Cano
6600f1253e Fix error messages after review. 2022-01-05 10:12:49 -08:00
Mariano Cano
6a1d0cb9f8 Add linkedca conversions. 2022-01-04 18:42:57 -08:00
Mariano Cano
de51c2edfb More unit tests for nebula. 2022-01-04 18:16:41 -08:00
Mariano Cano
99845d38bb Add some extra unit tests for nebula. 2022-01-04 12:06:44 -08:00
Mariano Cano
76794ce613 Use default SANs without sans in the token.
Fix step claim condition in SSH
2022-01-04 12:05:58 -08:00
Herman Slatman
6929e31fe0
Merge branch 'master' into hs/acme-eab 2022-01-04 16:41:36 +01:00
Mariano Cano
9ec0276887 Update certificate set with new api. 2022-01-03 18:54:01 -08:00
Mariano Cano
cb72796a2d Fix decoding of certificate. 2021-12-29 16:07:05 -08:00
Mariano Cano
32390a2964 Add initial implementation of a nebula provisioner.
A nebula provisioner will generate a X509 or SSH certificate with
the identities in the nebula certificate embedded in the token.
The token is signed with the private key of the nebula certificate.
2021-12-29 14:12:03 -08:00
Herman Slatman
8fee970297
Merge pull request #779 from smallstep/herman/acme-cli-user-agent 2021-12-29 20:51:09 +01:00
Herman Slatman
11a7f01177
Simplify lookup cursor logic for ExternalAccountKeys 2021-12-22 15:42:49 +01:00
Herman Slatman
5fe9909174
Refactor AdminAuthority interface 2021-12-22 15:30:40 +01:00
Herman Slatman
22ff90f655
Merge branch 'master' into hs/acme-eab 2021-12-22 12:54:41 +01:00
Herman Slatman
07addd0cac
Fix linting issue 2021-12-22 11:58:00 +01:00
Herman Slatman
a68208a3ba
Set Step CLI User-Agent when performing ACME requests 2021-12-22 11:54:01 +01:00
Herman Slatman
8473164b41
Merge pull request #773 from smallstep/herman/ip-sans-improvements
Improve IP SANS support
2021-12-20 19:56:55 +01:00
Herman Slatman
a5f2f004e3
Change name of IP Common Name test for clarity 2021-12-20 18:55:23 +01:00
Herman Slatman
f9ae875f9d
Use short if-style statements 2021-12-20 14:30:01 +01:00
Herman Slatman
80bebda69c
Fix code style issue 2021-12-20 13:40:17 +01:00
Mariano Cano
f7c1a328ed
Merge pull request #777 from smallstep/pkcs11-decrypter
Implement the kms.Decrypter with PKCS#11
2021-12-17 11:10:56 -08:00
Mariano Cano
d5c6572da4 Fix typo. 2021-12-17 10:55:23 -08:00
Mariano Cano
5a32401d23 Implement the kms.Decrypter with PKCS#11
This interface allows the use of SCEP with PKCS#11 modules.
2021-12-16 18:30:09 -08:00
Mariano Cano
ab44fbfb3f
Merge pull request #774 from smallstep/cm-roots
Avoid doing unauthenticated requests on the SDK
2021-12-15 12:22:36 -08:00
Mariano Cano
2c63abcf52 fix grammar 2021-12-15 12:16:21 -08:00
Mariano Cano
7c4e6dcc96 Remove duplicated code in bootstrap methods 2021-12-15 11:24:46 -08:00
Mariano Cano
64c19d4264 Fix subject in test, use ip 2021-12-14 15:27:18 -08:00
Mariano Cano
b0b2e77b0e Avoid doing unauthenticated requests on the SDK
When step-ca runs with mTLS required on some endpoints, the SDK
used in autocert will fail to start because the identity certificate
is missing. This certificate is only required to retrieve all roots,
in most cases there's only one, and the SDK has access to it.
2021-12-14 14:42:38 -08:00
Herman Slatman
bc0875bd7b
Disallow email address and URLs in the CSR
Before this commit `step` would allow email addresses and URLs
in the CSR. This doesn't fit nicely with the rest of ACME, in which
identifiers need to be authorized before a certificate is issued.
2021-12-13 16:14:39 +01:00
Herman Slatman
13a31fd862
Merge branch 'master' into herman/ip-sans-improvements 2021-12-13 16:04:53 +01:00
Herman Slatman
ca707cbe05
Fix linting 2021-12-13 16:01:40 +01:00
Herman Slatman
a5d33512fe
Fix test 2021-12-13 15:59:01 +01:00
Herman Slatman
a2c9b5cd7e
Allow IP identifiers in subject, including authorization enforcement
To support IPs in the subject using `step-cli`, this PR ensures that
Subject Common Names that can be parsed as an IP are also checked
to have been authorized before.

The PR for `step-cli` is here: github.com/smallstep/cli/pull/576.
2021-12-13 15:34:56 +01:00
Herman Slatman
5f224b729e
Add tests for Provisioner Admin API 2021-12-09 23:15:38 +01:00
Herman Slatman
43a78f495f
Add tests for Admin API 2021-12-09 17:29:23 +01:00
Herman Slatman
bd169f505f
Add Admin API Middleware tests 2021-12-09 15:26:18 +01:00
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab 2021-12-09 13:58:40 +01:00
Herman Slatman
63371a8fb6
Add additional tests for ACME EAB Admin 2021-12-09 13:46:47 +01:00
Herman Slatman
fbd3fd2145
Merge pull request #625 from hslatman/hs/acme-revocation
ACME Certificate Revocation
2021-12-09 09:48:02 +01:00
Herman Slatman
00539d07c9
Add changelog entry for ACME revocation 2021-12-09 09:42:38 +01:00
Herman Slatman
3bc3957b06
Merge branch 'master' into hs/acme-revocation 2021-12-09 09:36:52 +01:00
Herman Slatman
0524122191
Remove authorization flow for different Account private keys
As discussed in https://github.com/smallstep/certificates/issues/767,
we opted for not including this authorization flow to prevent users
from getting OOMs. We can add the functionality back when the
underlying data store can provide access to a long list of
Authorizations more efficiently, for example when a callback is
implemented.
2021-12-08 16:28:14 +01:00
Herman Slatman
2215a05c28
Add tests for ACME EAB Admin
Refactored some of the existing bits for testing the Authority
API by creation of a new LinkedAuthority interface and changing
visibility of the MockAuthority to be usable by other packages.

At this time, not all of the functions of MockAuthority it usable
yet. Will refactor when needed or requested.
2021-12-08 15:19:38 +01:00
Carl Tashian
53ebd85327 Update star gif size 2021-12-07 10:17:48 -08:00