certificates
Allow CA interface to control validation of Client Identifiers for device-attest-01 acme requests
author Venky Gopal [email protected] 1693934844 -0400 committer mishaslavin [email protected] 1749672251 -0700
Name of feature:
(Duplicate of #1525)
Propagate attested client identifiers (serial and attestation object) to CA interface & allow global API level bypass of a) Client Identifier to UUID/Serial association b) CSR CN to Client Identifier association. This allows organizations to specify arbitrary values in Apple's ClientIdentifier field as part of the MDM ACME payload and defer validation of that identifier to the Certificate Authority.
The API level global bypass is not great, but I created it to add more concreteness to the ask.
Pain or issue this feature alleviates:
Allows us to specify any arbitrary values (such as a one-time token like a JWT, etc.) in the ClientIdentifier field in the MDM payload. This is crucial for organizations to be able to use this payload for different types of attested certificates having different user authentication requirements.
Why is this important to the project (if not answered above):
Allows adoption of device-attest-01 in ACME for different types of Attested certificates in Enterprises.
Is there documentation on how to use this feature? If so, where?
In what environments or workflows is this feature supported?
In what environments or workflows is this feature explicitly NOT supported (if any)?
Supporting links/other PRs/issues:
(duplicate of #1525) Thank you!
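The two associations the description above makes bypassable (ClientIdentifier to attested UUID/serial, and CSR CN to ClientIdentifier), modelled as a small Go example added here. This is not code from the certificates project: the AttestedDevice, Policy, ClientIdentifierValidator and tokenStore types are hypothetical, and the serial, UUID and token values are constructed. The point it shows is that "bypassing" the built-in association does not remove validation; it hands the ClientIdentifier to a CA-supplied hook, which here accepts a one-time token only if it was issued for the attested serial and has not been used before.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// AttestedDevice models what a verified device-attest-01 attestation object
// yields: the device's serial number and UUID. Hypothetical type for this
// example, not a type from the certificates project.
type AttestedDevice struct {
	SerialNumber string
	UUID         string
}

// ClientIdentifierValidator is the hook a CA integration supplies when it
// wants to validate the ClientIdentifier itself (for example a one-time token)
// instead of requiring it to equal the attested serial or UUID.
type ClientIdentifierValidator func(clientID string, dev AttestedDevice) error

// Policy holds the two associations described in the commit message. A nil
// Validator keeps the default binding; SkipCSRCommonNameCheck drops the
// requirement that the CSR CN equals the ClientIdentifier.
type Policy struct {
	Validator              ClientIdentifierValidator
	SkipCSRCommonNameCheck bool
}

var (
	ErrClientIDMismatch = errors.New("client identifier matches neither attested serial nor UUID")
	ErrCSRCNMismatch    = errors.New("CSR common name does not match client identifier")
)

// Validate checks a finalize request against the policy. With no Validator the
// ClientIdentifier must be the attested serial or UUID; with one, the CA hook
// decides, so the check moves rather than disappears.
func (p Policy) Validate(clientID, csrCN string, dev AttestedDevice) error {
	if p.Validator == nil {
		if !equal(clientID, dev.SerialNumber) && !equal(clientID, dev.UUID) {
			return ErrClientIDMismatch
		}
	} else if err := p.Validator(clientID, dev); err != nil {
		return fmt.Errorf("CA rejected client identifier: %w", err)
	}
	if !p.SkipCSRCommonNameCheck && !equal(csrCN, clientID) {
		return ErrCSRCNMismatch
	}
	return nil
}

func equal(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// tokenStore is a constructed CA-side validator: each issued one-time token is
// bound to the serial it was minted for and is consumed on first use, so a
// ClientIdentifier captured from one enrollment cannot be reused by another.
type tokenStore struct {
	issued map[string]string // token -> serial number it was issued for
}

func (s *tokenStore) Validate(clientID string, dev AttestedDevice) error {
	serial, ok := s.issued[clientID]
	if !ok {
		return errors.New("unknown or already consumed token")
	}
	if !equal(serial, dev.SerialNumber) {
		return errors.New("token was issued for a different device")
	}
	delete(s.issued, clientID) // single use
	return nil
}

func main() {
	// Constructed sample device; values are not real identifiers.
	dev := AttestedDevice{SerialNumber: "C02EXAMPLE01", UUID: "00000000-0000-4000-8000-000000000001"}
	fmt.Println("default policy, CN = serial:", Policy{}.Validate(dev.SerialNumber, dev.SerialNumber, dev))
	fmt.Println("default policy, token as ClientIdentifier:", Policy{}.Validate("otp-123", "otp-123", dev))

	store := &tokenStore{issued: map[string]string{"otp-123": dev.SerialNumber}}
	delegated := Policy{Validator: store.Validate, SkipCSRCommonNameCheck: true}
	fmt.Println("delegated policy, first use:", delegated.Validate("otp-123", "managed-device", dev))
	fmt.Println("delegated policy, replay:", delegated.Validate("otp-123", "managed-device", dev))
}
```

Binding the token to the attested serial inside the hook is what keeps the attestation meaningful once the ClientIdentifier no longer has to equal the serial: the CA still learns which hardware presented the token, and a token minted for one device fails on any other.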
up-to-date test outputs:
mslavin@mslavin-wsl:~/certificates$ make test
✓ api/log (7ms) (coverage: 66.7% of statements)
✓ api/render (9ms) (coverage: 83.7% of statements)
∅ authority/admin (10ms) (coverage: 0.0% of statements)
∅ api/models (13ms) (coverage: 0.0% of statements)
✓ acme/wire (15ms) (coverage: 96.0% of statements)
✓ api/read (19ms) (coverage: 100.0% of statements)
✓ authority/config (30ms) (coverage: 67.0% of statements)
∅ authority/administrator (30ms) (coverage: 0.0% of statements)
✓ authority/admin/db/nosql (33ms) (coverage: 94.8% of statements)
✓ authority/admin/api (78ms) (coverage: 88.3% of statements)
✓ authority/internal/constraints (21ms) (coverage: 81.6% of statements)
✓ authority/policy (30ms) (coverage: 41.7% of statements)
✓ acme/db/nosql (695ms) (coverage: 96.7% of statements)
✓ acme/api (750ms) (coverage: 91.9% of statements)
✓ authority/provisioner/wire (65ms) (coverage: 90.4% of statements)
∅ ca/client (5ms) (coverage: 0.0% of statements)
✓ cas/apiv1 (6ms) (coverage: 97.6% of statements)
✓ cas (19ms) (coverage: 95.0% of statements)
✓ ca/identity (45ms) (coverage: 93.3% of statements)
✓ cas/cloudcas (185ms) (coverage: 96.4% of statements)
✓ authority (2.188s) (coverage: 47.5% of statements)
∅ cmd/step-ca (6ms) (coverage: 0.0% of statements)
✓ cas/vaultcas/auth/approle (9ms) (coverage: 86.4% of statements)
∅ commands (9ms) (coverage: 0.0% of statements)
✓ cas/vaultcas/auth/kubernetes (19ms) (coverage: 87.5% of statements)
✓ cas/vaultcas/auth/aws (25ms) (coverage: 82.8% of statements)
✓ cas/vaultcas (57ms) (coverage: 79.2% of statements)
✓ cas/softcas (872ms) (coverage: 91.6% of statements)
∅ examples/basic-federation/client (4ms) (coverage: 0.0% of statements)
∅ examples/basic-client (5ms) (coverage: 0.0% of statements)
∅ internal/metrix (5ms) (coverage: 0.0% of statements)
∅ examples/bootstrap-mtls-server (6ms) (coverage: 0.0% of statements)
∅ examples/bootstrap-tls-server (6ms) (coverage: 0.0% of statements)
∅ examples/bootstrap-client (6ms) (coverage: 0.0% of statements)
∅ examples/basic-federation/server (7ms) (coverage: 0.0% of statements)
✓ internal/cast (6ms) (coverage: 100.0% of statements)
∅ internal/httptransport (8ms) (coverage: 0.0% of statements)
∅ internal/userid (6ms) (coverage: 0.0% of statements)
✓ errs (11ms) (coverage: 36.4% of statements)
✓ db (19ms) (coverage: 26.5% of statements)
✓ middleware/requestid (4ms) (coverage: 95.2% of statements)
✓ logging (12ms) (coverage: 45.9% of statements)
∅ monitoring (40ms) (coverage: 0.0% of statements)
✓ api (3.428s) (coverage: 78.5% of statements)
∅ server (17ms) (coverage: 0.0% of statements)
✓ scep/api (17ms) (coverage: 26.8% of statements)
✓ templates (19ms) (coverage: 93.5% of statements)
✓ policy (24ms) (coverage: 93.0% of statements)
∅ scripts/badger-migration (33ms) (coverage: 0.0% of statements)
✓ pki (373ms) (coverage: 33.8% of statements)
✓ webhook (7ms) (coverage: 69.6% of statements)
∅ test/integration/scep/internal/x509 (8ms) (coverage: 0.0% of statements)
✓ scep (1.827s) (coverage: 36.6% of statements)
✓ test/integration (1.889s)
✓ acme (7.201s) (coverage: 68.3% of statements)
✓ cas/stepcas (9.893s) (coverage: 93.9% of statements)
✓ test/integration/scep (13.531s)
✓ authority/provisioner (24.883s) (coverage: 82.3% of statements)
✓ ca (29.187s) (coverage: 43.3% of statements)
=== Skipped
=== SKIP: acme Test_parseAndVerifyWireAccessToken (0.00s)
challenge_wire_test.go:2126: skip until we can retrieve public key from e2e test, so that we can actually verify the token
DONE 4773 tests, 1 skipped in 31.102s
✓ acme (13.696s) (coverage: 75.1% of statements)
=== Skipped
=== SKIP: acme Test_parseAndVerifyWireAccessToken (0.00s)
challenge_wire_test.go:2126: skip until we can retrieve public key from e2e test, so that we can actually verify the token
DONE 366 tests, 1 skipped in 13.696s