github-personal/certificates
1
0
Fork 0
mirror of https://github.com/outbackdingo/certificates.git synced 2026-01-27 10:18:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
5,310 Commits 1 Branch 0 Tags
master
Commit Graph

61 Commits

Author SHA1 Message Date
Mariano Cano
1011f5f540 Improve validation in authorization path 2025-12-02 16:54:44 -08:00
Mariano Cano
ccce670504 Merge branch 'master' into fix-1637 2024-07-23 11:37:00 -07:00
Mariano Cano
343e7308a8 Remove Disabled provisioner add add an Uninitialized state 
This commit renames the Disabled provisioner to Uninitialized and adds
an state instead of just a boolean. It also adds tests.
 2024-07-11 15:18:52 -07:00
Mariano Cano
73b31585c4 Merge branch 'master' into fix-1637 2024-03-26 11:20:52 -07:00
Herman Slatman
041b486c55 Remove usages of Sign without context 2024-02-27 14:16:21 +01:00
Panagiotis Siatras
dd1ff9c15b Implementation of the Prometheus endpoint (#1669) 
Implementation of the http://{metricsAddress}/metrics Prometheus endpoint.
 2024-01-25 23:47:27 -08:00
Mariano Cano
508b6e8668 Check cnf claim with CSR or SSH public key fingerprint 
This commit allows tying tokens with the provided  CSR or SSH public
key. Tokens with a confirmation claim kid (cnf.kid) will validate that
the provided fingerprint (kid) matches the CSR or SSH public key.

This check will only be present in JWK and X5C provisioners.

Fixes #1637
 2024-01-05 15:46:16 -08:00
Mariano Cano
c7f226bcec Add support for renew when using stepcas 
It supports renewing X.509 certificates when an RA is configured with stepcas.
This will only work when the renewal uses a token, and it won't work with mTLS.

The audience cannot be properly verified when an RA is used, to avoid this we
will get from the database if an RA was used to issue the initial certificate
and we will accept the renew token.

Fixes #1021 for stepcas
 2022-11-04 16:42:07 -07:00
Andrew Reed
7101fbb0ee Provisioner webhooks (#1001) 2022-09-29 19:16:26 -05:00
max furman
4c7a2ce3eb Fix errors.As linter warnings 2022-09-22 00:04:31 -07:00
max furman
7c5e5b2b87 Even more linter fixes 2022-09-20 21:48:04 -07:00
max furman
ab0d2503ae Standardize linting file and fix or ignore lots of linting errors 2022-09-20 16:35:41 -07:00
Mariano Cano
6b3a8f22f3 Add provisioner to SSH renewals 
This commit allows to report the provisioner to the linkedca when
a SSH certificate is renewed.
 2022-05-20 14:41:44 -07:00
Mariano Cano
a627f21440 Fix AuthorizeSSHSign tests with extra SignOption 2022-05-18 18:51:36 -07:00
Herman Slatman
abcad679ff Merge branch 'master' into herman/allow-deny 2022-04-18 21:54:55 +02:00
Mariano Cano
c066694c0c Allow renew token issuer to be the provisioner name. 
For consistency with AuthorizeAdminToken, AuthorizeRenewToken will
allow the issuer to be either the fixed string 'step-ca-client/1.0'
or the provisioner name.
 2022-04-18 12:38:09 -07:00
Mariano Cano
5f714f2485 Fix tests for AuthorizeRenewToken 2022-04-13 15:59:37 -07:00
Mariano Cano
af8fcf5b01 Use always LoadProvisionerByCertificate on authority package 2022-04-08 14:18:24 -07:00
Herman Slatman
9797b3350e Merge branch 'master' into herman/allow-deny 2022-04-08 16:01:56 +02:00
Mariano Cano
b7e11da480 Merge branch 'master' into feat/linkedra 2022-04-07 18:19:04 -07:00
Herman Slatman
2fbdf7d5b0 Merge branch 'master' into herman/allow-deny 2022-03-30 14:50:14 +02:00
Panagiotis Siatras
00634fb648 api/render, api/log: initial implementation of the packages (#860) 
* api/render: initial implementation of the package

* acme/api: refactored to support api/render

* authority/admin: refactored to support api/render

* ca: refactored to support api/render

* api: refactored to support api/render

* api/render: implemented Error

* api: refactored to support api/render.Error

* acme/api: refactored to support api/render.Error

* authority/admin: refactored to support api/render.Error

* ca: refactored to support api/render.Error

* ca: fixed broken tests

* api/render, api/log: moved error logging to this package

* acme: refactored Error so that it implements render.RenderableError

* authority/admin: refactored Error so that it implements render.RenderableError

* api/render: implemented RenderableError

* api/render: added test coverage for Error

* api/render: implemented statusCodeFromError

* api: refactored RootsPEM to work with render.Error

* acme, authority/admin: fixed pointer receiver name for consistency

* api/render, errs: moved StatusCoder & StackTracer to the render package
 2022-03-30 11:22:22 +03:00
Mariano Cano
6851842841 Fix unit tests. 2022-03-28 15:06:56 -07:00
Herman Slatman
dc23fd23bf Merge branch 'master' into herman/allow-deny-next 2022-03-24 12:36:12 +01:00
Mariano Cano
616490a9c6 Refactor renew after expiry token authorization 
This changes adds a new authority method that authorizes the
renew after expiry tokens.
 2022-03-10 20:21:01 -08:00
Mariano Cano
79349b4d7c Add options to use custom renewal methods. 2022-03-10 13:01:08 -08:00
Mariano Cano
259e95947c Add support for the provisioner controller 
The claimer, audiences and custom callback methods are now managed
by the provisioner controller in an uniform way.
 2022-03-09 18:43:45 -08:00
Herman Slatman
9539729bd9 Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 12:25:24 +01:00
max furman
933b40a02a Introduce gocritic linter and address warnings 2021-10-08 14:59:57 -04:00
max furman
9fdef64709 Admin level API for provisioner mgmt v1 2021-07-02 19:05:17 -07:00
Mariano Cano
d79b4e709e Create a hash of a token if a token id is empty. 2020-09-18 16:25:08 -07:00
Mariano Cano
ba918100d0 Use go.step.sm/crypto/jose 
Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.
 2020-08-24 14:44:11 -07:00
Mariano Cano
d30a95236d Use always go.step.sm/crypto 2020-08-14 15:33:50 -07:00
Mariano Cano
e83e47a91e Use sshutil and randutil from go.step.sm/crypto. 2020-08-10 11:26:51 -07:00
Mariano Cano
c4bbc81d9f Fix authority tests. 2020-08-03 18:36:05 -07:00
Mariano Cano
6c64fb3ed2 Rename provisioner options structs: 
* provisioner.ProvisionerOptions => provisioner.Options
* provisioner.Options => provisioner.SignOptions
* provisioner.SSHOptions => provisioner.SingSSHOptions
 2020-07-22 18:24:45 -07:00
Mariano Cano
d64cb99a22 Fix authority package tests. 2020-07-21 14:21:48 -07:00
max furman
71d87b4e61 wip 2020-06-24 23:25:15 -07:00
max furman
1cb8bb3ae1 Simplify statuscoder error generators. 2020-01-28 13:29:40 -08:00
max furman
dccbdf3a90 Introduce generalized statusCoder errors and loads of ssh unit tests. 
* StatusCoder api errors that have friendly user messages.
* Unit tests for SSH sign/renew/rekey/revoke across all provisioners.
 2020-01-28 13:29:40 -08:00
Mariano Cano
f26103d150 Make test compilable. 2020-01-28 13:29:39 -08:00
Mariano Cano
a6edcd0a3d Make test to compile, they still fail. 2020-01-28 13:28:16 -08:00
Mariano Cano
10e7b81b9f Merge branch 'master' into ssh-ca 2019-09-05 23:06:01 +02:00
max furman
2b41faa9cf Enforce >= 2048 bit rsa keys at the provisioner layer 
* Fixes #94
* In the future this should be configurable by provisioner
 2019-08-27 14:44:59 -07:00
max furman
635c59ed24 Accept emails SANs 2019-08-23 15:59:30 -07:00
Mariano Cano
e1cd5ee8c3 Add context to the Authorize method. 
Fix tests.
 2019-07-29 12:34:27 -07:00
max furman
81db527f12 NoopDB -> SimpleDB 2019-05-07 12:26:30 -07:00
max furman
b73fe8c157 Add used OTT to DB during authToken step 2019-05-06 15:52:02 -07:00
max furman
ab4d569f36 Add /revoke API with interface db backend 2019-04-10 13:50:35 -07:00
Mariano Cano
1f5ff5c899 Fix sign and renew tests. 2019-03-11 18:15:24 -07:00