546 Commits

Author SHA1 Message Date
Mariano Cano
1011f5f540 Improve validation in authorization path 2025-12-02 16:54:44 -08:00
Herman Slatman
69d8dd8d6f Add additional gosec linter exceptions to ACME linker 2025-11-04 00:28:25 +01:00
Herman Slatman
745fb7a68e Remove deprecated +build tags 2025-11-04 00:27:47 +01:00
Herman Slatman
17a37a13bf Fix backdate support for ACME provisioner
Other provisioners did take into account the authority-wide
certificate backdate configuration already, but the ACME
provisioner did not. This commit adds `authority.GetBackdate`,
so that the ACME provisioner can use it if set.

Fixes: #927
2025-10-22 16:05:45 +02:00
Herman Slatman
f1092e103a Fix govet non-constant error format string issues 2025-09-09 01:38:33 +02:00
Herman Slatman
eb475e0f7c Refactor searching for serial number into function 2025-09-04 22:32:54 +02:00
Herman Slatman
c5d3578373 Add test case for device attestation with step managed device ID 2025-09-04 15:23:07 +02:00
Herman Slatman
c2e04f4a41 Support managed device ID OID for step attestation format 2025-09-04 00:27:41 +02:00
Mariano Cano
0b3115d80a Apply suggestions from code review
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2025-08-20 12:39:54 -07:00
Mariano Cano
b7e59c97f3 Add support for YubiKeys 5.7.4+
This change adds the root certificate used on YubiKeys 5.7.4+. Now the
attestation certificate will be verified using two roots.

Attestation statements must contain all intermediates, see
smallstep/crypto#831

Fixes #2355
2025-08-20 12:14:37 -07:00
Herman Slatman
2bb1896db3 Change OIDC signature algorithm to RS256 to match JWT
In https://github.com/coreos/go-oidc/compare/v3.14.1...v3.15.0, the
JWT signature algorithm verification is moved earlier into the
process, resulting in our existing test failing. The JWT has
algorithm `RS256` set, whereas the verifier had `ES256`. It needs
to have `RS256` to validate the token.
2025-08-05 13:16:36 +02:00
Herman Slatman
acf4387180 Fix new golangci-lint v2 linter issues 2025-05-21 12:21:47 +02:00
Peter Siman
44f505c341 Add wire subject test coverage 2025-04-02 16:32:52 +02:00
Herman Slatman
27944b4eae Fix linter issues 2025-02-18 11:04:54 +01:00
Mariano Cano
ba9e08243a Add attestation format to challenge
This commit adds the format of the payload to the challenge object.
2024-12-30 12:55:32 -08:00
Mariano Cano
f812cf26c4 Allow storing the attestation payload (#2114)
This commit allows storing the attestation payload using a custom database
implementation.
2024-12-27 10:29:02 -08:00
Mariano Cano
1a2e64724a Change URN for acme errors
This commit changes the urn suffix for acme errors to urn:smallstep:acme:error
2024-11-15 15:53:31 -08:00
Max
73f97e244c Ignore non-constant format string linting error (#2068) 2024-11-15 10:42:50 -08:00
Mariano Cano
05295d9c6a Propagate human errors from webhooks
This commit adds a new field error in the webhook response that allows
propagating errors to the client. With ACME, webhook errors are returned
as a new subproblem.
2024-11-14 18:29:36 -08:00
Herman Slatman
aeb5e1b366 Address linter issues 2024-08-20 16:54:29 +02:00
Herman Slatman
25f674cf6e Move WireDB interface assertion up a level 2024-08-13 21:20:34 +02:00
Herman Slatman
bb512e76c3 Change Wire DB operations into using a runtime type assertion 2024-08-13 11:11:08 +02:00
Herman Slatman
09e26d93d4 Fix linter issues 2024-08-02 23:05:01 +02:00
Herman Slatman
cae47aa690 Merge branch 'master' into wire-acme-extensions 2024-08-02 22:58:56 +02:00
Mariano Cano
3e61796df4 Add a flag to enable strict DNS resolution
This commit adds a flag to enable strict DNS resolution on ACME
challenges.
2024-07-12 12:58:44 -07:00
Mariano Cano
8ac876df3a Fix HTTP01 challenge URL when --acme-http-host is used
This commit fixes an issue with the HTTP-01 challenge URL not having
the insecure port.
2024-07-09 13:28:39 -07:00
Herman Slatman
5fecc2bd87 Fix HTTP internal server error when bad attestation object is provided 2024-07-05 15:43:40 +02:00
Mariano Cano
2b30ae5087 Show clean URL on HTTP-01 errors 2024-07-03 11:14:28 -07:00
Mariano Cano
5c07d20ade Do strict DNS lookup on ACME
This commit changes the ACME challenges to perform a strict DNS lookup
without taking into account the search list in a resolv.conf
2024-07-02 15:52:00 -07:00
Mariano Cano
c8e65abfb1 Fix linter warnings 2024-06-12 16:03:01 -07:00
Mariano Cano
b4616ee8f1 Upgrade linkedca
This commit upgrades go.step.sm/linkedca with dependencies required by
smallstep/certificates#1802. It also fixes some linter warnings.
2024-06-12 15:54:17 -07:00
Mariano Cano
192e90eea7 Merge branch 'master' into mariano/account-provisioner 2024-05-16 14:25:57 -07:00
Mariano Cano
8673818980 Split provisioner check in two cases 2024-05-15 16:12:15 -07:00
Mariano Cano
f3f484cee2 Log errors using slog.Logger
This commit allows logging errors in a slog.Logger injected in the
context. This type of logger is not currently used directly in step-ca,
but this will change in the future.
2024-05-15 15:40:40 -07:00
Mariano Cano
5fa5a63de8 Verify provisioner with id if available
This commit allows verifying the account provisioner with the request
provisioner using the ID instead of the name. When the provisioners are
stored in the DB, the provisioner ID is not mutable but the name is.
2024-05-13 17:07:33 -07:00
Mariano Cano
b1e31b1726 Always use acme.IsErrNotFound
This commit replaces the comparisons with acme.ErrNotFound and always
uses acme.IsErrNotFound.
2024-05-06 15:11:58 -07:00
Mariano Cano
d037ed6ff2 Add provisioner id to acme accounts
This commit adds a new field that allows having a reference to
a provisioner id in the acme account.
2024-05-06 11:58:22 -07:00
Mariano Cano
296ac4e207 Make IsErrNotFound more flexible
This commit allows using the standard error sql.ErrNoRows for not found
errors.
2024-04-29 16:15:08 -07:00
Herman Slatman
7426edb6d7 Merge branch 'master' into wire-acme-extensions 2024-04-22 20:36:25 +02:00
verytrap
db92404342 chore: fix function names in comment
Signed-off-by: verytrap <wangqiuyue@outlook.com>
2024-04-10 10:35:39 +08:00
Herman Slatman
6646af6efd Merge branch 'master' into wire-acme-extensions 2024-03-27 18:27:59 +01:00
Mariano Cano
10f6a901ec Let the CA determine the RA lifetime
When the RA mode with StepCAS is used, let the CA decide which lifetime
the RA should get instead of always requiring 24h.

This commit also fixes linter warnings.

Related to #1094
2024-03-12 14:29:55 -07:00
Herman Slatman
c6c2c4a80e Fix ACME Wire Order tests 2024-03-06 16:30:43 +01:00
Herman Slatman
6eb4662120 Improve token validation error messages and use net/url 2024-03-06 15:16:23 +01:00
Herman Slatman
755ae0b7fa Fix Wire mock CA interface implementation 2024-03-04 14:47:33 +01:00
Herman Slatman
364566bb01 Merge branch 'master' into wire-acme-extensions 2024-03-04 14:36:07 +01:00
Herman Slatman
041b486c55 Remove usages of Sign without context 2024-02-27 14:16:21 +01:00
Herman Slatman
2a8b80a3e1 Merge branch 'master' into herman/webhook-request-id 2024-02-27 12:17:10 +01:00
Herman Slatman
194341e520 Address review comments 2024-02-07 00:54:29 +01:00
Herman Slatman
138c1013f6 Add validation for Wire UserID + DeviceID identifiers 2024-02-06 22:02:59 +01:00