Merge branch 'smallstep:master' into master

Author: mishaslavin

.github/workflows/release.yml

@@ -45,7 +45,7 @@ jobs:
           echo "DOCKER_TAGS_HSM=${{ env.DOCKER_TAGS_HSM }},${{ env.DOCKER_IMAGE }}:hsm" >> "${GITHUB_ENV}"
       - name: Create Release
         id: create_release
-        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -59,7 +59,11 @@ jobs:
     permissions:
       id-token: write
       contents: write
+      packages: write
     uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
+    with:
+      enable-packages-upload: true
+      is-prerelease: ${{ needs.create_release.outputs.is_prerelease == 'true' }}
     secrets: inherit
 
   build_upload_docker:

.gitignore

@@ -22,5 +22,10 @@ go.work.sum
 coverage.txt
 output
 vendor
+dist/
 .idea
 .envrc
+
+# Packages files
+0x889B19391F774443-Certify.key
+gha-creds-*.json

.goreleaser.yml

@@ -1,12 +1,23 @@
 # Documentation: https://goreleaser.com/customization/
+# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
 project_name: step-ca
 version: 2
 
+variables:
+  packageName: step-ca
+  packageRelease: 1 # Manually update release: in the nfpm section to match this value if you change this
+
 before:
   hooks:
     # You may remove this if you don't use go modules.
     - go mod download
 
+after:
+  hooks:
+    # This script depends on IS_PRERELEASE env being set. This is set by CI in the Is Pre-release step.
+    - cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }}
+      output: true
+
 builds:
   -
     id: step-ca
@@ -61,10 +72,16 @@ nfpms:
   # Package metadata: dpkg --info dist/step_....deb
   #
   - &NFPM
+    id: packages
     builds:
       - step-ca
-    package_name: step-ca
-    file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    package_name: "{{ .Var.packageName }}"
+    release: "1"
+    file_name_template: >-
+      {{- trimsuffix .ConventionalFileName .ConventionalExtension -}}
+      {{- if and (eq .Arm "6") (eq .ConventionalExtension ".deb") }}6{{ end -}}
+      {{- if not (eq .Amd64 "v1")}}{{ .Amd64 }}{{ end -}}
+      {{- .ConventionalExtension -}}
     vendor: Smallstep Labs
     homepage: https://github.com/smallstep/certificates
     maintainer: Smallstep <[email protected]>
@@ -80,6 +97,13 @@ nfpms:
     contents:
       - src: debian/copyright
         dst: /usr/share/doc/step-ca/copyright
+    rpm:
+      signature:
+          key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
+    deb:
+      signature:
+          key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
+          type: origin
   -
     << : *NFPM
     id: unversioned
@@ -101,6 +125,12 @@ signs:
   args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
   artifacts: all
 
+publishers:
+- name: Google Cloud Artifact Registry
+  ids:
+  - packages
+  cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }}
+
 snapshot:
   name_template: "{{ .Tag }}-next"
 
@@ -140,7 +170,10 @@ release:
     #### Linux
 
     - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
-    - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)
+    - 📦 [step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb)
+    - 📦 [step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm)
+    - 📦 [step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb)
+    - 📦 [step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm)
 
     #### OSX Darwin
 
@@ -164,7 +197,7 @@ release:
 
     ```
     cosign verify-blob \
-      --certificate step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
+      --certificate step-ca_darwin_{{ .Version }}_amd64.tar.gz.pem \
       --signature step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
       --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
       --certificate-oidc-issuer https://token.actions.githubusercontent.com \
@@ -198,7 +231,7 @@ release:
   #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
 
 winget:
-  - 
+  -
     # IDs of the archives to use.
     # Empty means all IDs.
     ids: [ default ]

CHANGELOG.md

@@ -25,6 +25,87 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ---
 
+## [0.28.3] - 2025-03-17
+
+- dependabot updates
+
+
+## [0.28.2] - 2025-02-20
+
+### Added
+
+- Added support for imported keys on YubiKey (smallstep/certificates#2113)
+- Enable storing ACME attestation payload (smallstep/certificates#2114)
+- Add ACME attestation format field to ACME challenge (smallstep/certificates#2124)
+
+### Changed
+
+- Added internal httptransport package to replace cloning of http.DefaultTransport (smallstep/certificates#2098, smallstep/certificates#2103, smallstep/certificates#2104)
+  - For example, replacing http.DefaultTransport clone in provisioner webhook business logic.
+
+
+## [0.28.1] - 2024-11-19
+
+### Added
+
+- Support for using template data from SCEPCHALLENGE webhooks (smallstep/certificates#2065)
+- New field to Webhook response that allows for propagation of human readable errors to the client (smallstep/certificates#2066, smallstep/certificates#2069)
+- CICD for pushing DEB and RPM packages to packages.smallstep.com on releases (smallstep/certificates#2076)
+- PKCS11 utilities in HSM container image (smallstep/certificates#2077)
+
+### Changed
+
+- Artifact names for RPM and DEB packages in conformance with standards (smallstep/certificates#2076)
+
+
+## [0.28.0] - 2024-10-29
+
+### Added
+
+- Add options to GCP IID provisioner to enable or disable signing of SSH user and host certificates (smallstep/certificates#2045)
+
+### Changed
+
+- For IID provisioners with disableCustomSANs set to true, validate that the
+  requested DNS names are a subset of the allowed DNS names (based on the IID token),
+  rather than requiring an exact match to the entire list of allowed DNS names. (smallstep/certificates#2044)
+
+
+## [0.27.5] - 2024-10-17
+
+### Added
+
+- Option to log real IP (x-forwarded-for) in logging middleware (smallstep/certificates#2002)
+
+### Fixed
+
+- Pulled in updates to smallstep/pkcs7 to fix failing Windows SCEP enrollment certificates (smallstep/certificates#1994)
+
+
+## [0.27.4] - 2024-09-13
+
+### Fixed
+
+- Release worfklow
+
+## [0.27.3] - 2024-09-13
+
+### Added
+
+- AWS auth method for Vault RA mode (smallstep/certificates#1976)
+- API endpoints for retrieving Intermediate certificates (smallstep/certificates#1962)
+- Enable use of OIDC provisioner with private identity providers and a certificate from step-ca (smallstep/certificates#1940)
+- Support for verifying `cnf` and `x5rt#S256` claim when provided in token (smallstep/certificates#1660)
+- Add Wire integration to ACME provisioner (smallstep/certificates#1666)
+
+### Changed
+
+- Clarified SSH certificate policy errors (smallstep/certificates#1951)
+
+### Fixed
+
+- Nebula ECDSA P-256 support (smallstep/certificates#1662)
+
 ## [0.27.2] - 2024-07-18
 
 ### Added
@@ -86,7 +167,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [0.26.0] - 2024-03-28
 
-### Added 
+### Added
 
 - [TPM KMS](https://github.com/smallstep/crypto/tree/master/kms/tpmkms) support for CA keys (smallstep/certificates#1772)
 - Propagation of HTTP request identifier using X-Request-Id header (smallstep/certificates#1743, smallstep/certificates#1542)
@@ -96,7 +177,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - AWS `ca-west-1` identity document root certificate (smallstep/certificates#1715)
 - [COSE RS1](https://www.rfc-editor.org/rfc/rfc8812.html#section-2) as a supported algorithm with ACME `device-attest-01` challenge (smallstep/certificates#1663)
 
-### Changed 
+### Changed
 
 - In an RA setup, let the CA decide the RA certificate lifetime (smallstep/certificates#1764)
 - Use Debian Bookworm in Docker containers (smallstep/certificates#1615)
@@ -146,17 +227,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added AWS public certificates for me-central-1 and ap-southeast-3
   (smallstep/certificates#1404)
 - Added namespace field to VaultCAS JSON config (smallstep/certificates#1424)
-- Added AWS public certificates for me-central-1 and ap-southeast-3 
+- Added AWS public certificates for me-central-1 and ap-southeast-3
   (smallstep/certificates#1404)
-- Added unversioned filenames to Github release assets 
+- Added unversioned filenames to Github release assets
   (smallstep/certificates#1435)
 - Send X5C leaf certificate to webhooks (smallstep/certificates#1485)
 - Added support for disableSmallstepExtensions claim (smallstep/certificates#1484)
 - Added all AWS Identity Document Certificates (smallstep/certificates#1404, smallstep/certificates#1510)
 - Added Winget release automation (smallstep/certificates#1519)
 - Added CSR to SCEPCHALLENGE webhook request body (smallstep/certificates#1523)
 - Added SCEP issuance notification webhook (smallstep/certificates#1544)
-- Added ability to disable color in the log text formatter 
+- Added ability to disable color in the log text formatter
   (smallstep/certificates(#1559)
 
 ### Changed
@@ -184,7 +265,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   (smallstep/certificates#1476, smallstep/crypto#288)
 - Fixed adding certificate templates with ASN.1 functions
   (smallstep/certificates#1500, smallstep/crypto#302)
-- Fixed a problem when the ca.json is truncated if the encoding of the 
+- Fixed a problem when the ca.json is truncated if the encoding of the
   configuration fails (e.g., new provisioner with bad template data)
   (smallstep/cli#994, smallstep/certificates#1501)
 - Fixed provisionerOptionsToLinkedCA missing template and templateData

acme/api/eab.go

@@ -129,7 +129,7 @@ func validateEABJWS(ctx context.Context, jws *jose.JSONWebSignature) (string, *a
 	keyID := header.KeyID
 	nonce := header.Nonce
 
-	if !(algorithm == jose.HS256 || algorithm == jose.HS384 || algorithm == jose.HS512) {
+	if algorithm != jose.HS256 && algorithm != jose.HS384 && algorithm != jose.HS512 {
 		return "", acme.NewError(acme.ErrorMalformedType, "'alg' field set to invalid algorithm '%s'", algorithm)
 	}
 

acme/api/revoke.go

@@ -180,7 +180,7 @@ func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRe
 func wrapRevokeErr(err error) *acme.Error {
 	t := err.Error()
 	if strings.Contains(t, "is already revoked") {
-		return acme.NewError(acme.ErrorAlreadyRevokedType, t) //nolint:govet // allow non-constant error messages
+		return acme.NewError(acme.ErrorAlreadyRevokedType, t)
 	}
 	return acme.WrapErrorISE(err, "error when revoking certificate")
 }
@@ -190,9 +190,9 @@ func wrapRevokeErr(err error) *acme.Error {
 func wrapUnauthorizedError(cert *x509.Certificate, unauthorizedIdentifiers []acme.Identifier, msg string, err error) *acme.Error {
 	var acmeErr *acme.Error
 	if err == nil {
-		acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg) //nolint:govet // allow non-constant error messages
+		acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg)
 	} else {
-		acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg) //nolint:govet // allow non-constant error messages
+		acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg)
 	}
 	acmeErr.Status = http.StatusForbidden // RFC8555 7.6 shows example with 403
 

acme/challenge.go

@@ -39,6 +39,7 @@ import (
 	"github.com/smallstep/certificates/acme/wire"
 	"github.com/smallstep/certificates/authority/provisioner"
 	wireprovisioner "github.com/smallstep/certificates/authority/provisioner/wire"
+	"github.com/smallstep/certificates/internal/cast"
 )
 
 type ChallengeType string
@@ -88,6 +89,8 @@ type Challenge struct {
 	URL             string        `json:"url"`
 	Target          string        `json:"target,omitempty"`
 	Error           *Error        `json:"error,omitempty"`
+	Payload         []byte        `json:"-"`
+	PayloadFormat   string        `json:"-"`
 }
 
 // ToLog enables response logging.
@@ -227,7 +230,7 @@ func tlsAlert(err error) uint8 {
 	if errors.As(err, &opErr) {
 		v := reflect.ValueOf(opErr.Err)
 		if v.Kind() == reflect.Uint8 {
-			return uint8(v.Uint())
+			return uint8(v.Uint()) //nolint:gosec // handled by checking its type
 		}
 	}
 	return 0
@@ -942,6 +945,8 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 	ch.Status = StatusValid
 	ch.Error = nil
 	ch.ValidatedAt = clock.Now().Format(time.RFC3339)
+	ch.Payload = payload
+	ch.PayloadFormat = format
 
 	// Store the fingerprint in the authorization.
 	//
@@ -974,9 +979,9 @@ type tpmAttestationData struct {
 type coseAlgorithmIdentifier int32
 
 const (
-	coseAlgES256 coseAlgorithmIdentifier = -7
-	coseAlgRS256 coseAlgorithmIdentifier = -257
-	coseAlgRS1   coseAlgorithmIdentifier = -65535 // deprecated, but (still) often used in TPMs
+	coseAlgES256 = coseAlgorithmIdentifier(-7)
+	coseAlgRS256 = coseAlgorithmIdentifier(-257)
+	coseAlgRS1   = coseAlgorithmIdentifier(-65535) // deprecated, but (still) often used in TPMs
 )
 
 func doTPMAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*tpmAttestationData, error) {
@@ -1101,8 +1106,13 @@ func doTPMAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge,
 		return nil, NewDetailedError(ErrorBadAttestationStatementType, "invalid alg in attestation statement")
 	}
 
+	algI32, err := cast.SafeInt32(alg)
+	if err != nil {
+		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "invalid alg %d in attestation statement", alg)
+	}
+
 	var hash crypto.Hash
-	switch coseAlgorithmIdentifier(alg) {
+	switch coseAlgorithmIdentifier(algI32) {
 	case coseAlgRS256, coseAlgES256:
 		hash = crypto.SHA256
 	case coseAlgRS1: