* Allow creating storageContext with timeout
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add challenge validation engine to ACME
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Initialize the ACME challenge validation engine
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Trigger challenge validation on endpoint submission
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix GetKeyThumbprint to use raw base64
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Point at localhost for testing
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add cleanup of validation engine
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Move all ACME wrappers into a dedicated go file
- Make it easier to figure out where the various wrappers for
ACME exist by locating them inside a dedicated go file instead
of spread out across the various path_acme_xxx files.
* Add missing copyright headers to PKI files
* Distinguish POST-as-GET from POST-with-empty-body
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ACME authorization, identifier, and challenge types
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ability to load and save authorizations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ACME authorizations path handling
This supports two methods: a fetch handler over the authorization, to
expose the underlying challenges, and a deactivate handler to revoke
the authorization and mark its challenges invalid.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ACME challenge path handling
These paths kick off processing and validation of the challenge by the
ACME client.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use a UUID for ACME kid instead of a key fingerprint
* PR feedback
- Calculate thumbprint within CreateAccount instead of passing it in
- Reorder writes within CreateAccount to now write out thumbprint entry
first as we can easily recover/overwrite it if we fail mid-way
- Change back LoadAccount in acme to return an error if it fails to
lookup the entry
* Clearify comment within ACME CreateAccount
* Enable creation of accounts
- Refactors many methods to take an acmeContext, which holds the
storageContext on it.
- Updates the core ACME Handlers to use *acmeContext, to avoid
copying structs.
- Makes JWK exported so the JSON parser can find it.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Finish ACME account creation
- This ensures a Kid is created when one doesn't exist
- Expands the parsed handler capabilities, to format the response and
set required headers.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Squash pki/acme package down to pki folder
Without refactoring most of PKI to export the storage layer, which we
were initially hesitant about, it would be nearly impossible to have the
ACME layer handle its own storage while being in the acme/ subpackage
under the pki package.
Thus, merge the two packages together again.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Properly format errors for missing parameters
When missing required ACME request parameters, don't return Vault-level
errors, but drop into the PKI package to return properly-formatted ACME
error messages.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Error type clarifications
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix GetOk with type conversion calls
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-03-29 21:08:31 +00:00
Renamed from builtin/logical/pki/acme/jws.go (Browse further)