This installs stuff in the right places to run anchor from the
included startup scripts. The config is installed into /etc/anchor.
This will work from within a venv or without.
The anchor config.py file has been moved into the project package
so that it will install with the other stuff. Eventually we should
strip it out as much as possible and move the details into the JSON
file.
Change-Id: Iffaa7669ce8118fbd41011f9e965704c2ad51b44
Original validator checked for domain labels as defined by RFC1034, however real
internet deals with other domains as well - starting with digits or symbols.
This change allows modifying the pattern to allow custom / relaxed rules.
Validation has been removed from adding a domain to a new extension, since it's
only used in fixups and the domain should be already validated. (or not, if not
configured)
Closes-bug: 1592489
Change-Id: Ib453054ba5f554bab28cff392c539e713fa28918
For known, but deprecated algorithms (md{2,4,5}, sha1), log a better message
rather than just the OID of the rejected algorithm.
Change-Id: I004cbfe486657a80f482e506e4e1fc9396564391
The oslo_utils library already contains a constant_time_compare
function and the Anchor version is nearly identical. Might as
well use the global util rather than have a copy of its own.
Change-Id: Iaf02c20560ca244d244a88127996139f8abcce9b
Move signature validation to standards validators. Remove old validator entries
from the setup.cfg.
Partial-Bug: #1548610
Change-Id: I667b0ad1a49766c2df09489ea3a11e0e77bc4333
Prepare for new signing backend implementations which reuse the existing
functionality. This abstracts most of the current signing function, so that the
signature generation itself can be replaced.
Change-Id: I99a28f4bcb08f010f397faf49e23276672977bc1
Don't return a name which points back to the certificate internals anymore. Use
copies of the name everywhere.
Change-Id: I578df2de4128f5865c6c2363fee6f75a219bf9c7
Closes-bug: 1491083
If the subjectAlternativeKey is available in the CA, use it as authority key on
the new certificate. Otherwise embed the serial number.
The key id is included in the signed certificates according to
RFC5280 section-4.2.1.1. Anchor uses the first recommended method of keyid
generation. The behaviour matches openssl.
Change-Id: I883f8d5d9dc3430443aa08fdf2448bf385575557
Incoming CMC requests should be stripped of all wrappers, then the internal
pkcs10 request is processed as usual. No verification is done on the SignedData
wrapper, because there's no known certificate to trust.
Response is just the bare certificate for now.
Change-Id: I92c76df775e5f339ac2fae95582097e3afe138af
Replace assertEqual(None, *) with assertIsNone in tests to have
more clear messages in case of failure.
Change-Id: I33b61064ec957a79bec4c6deef7ce5e4c8e8d141
Closes-bug: #1280522
Previous name validators have multiple issues. They do not prevent
unknown entries from passing through. They require repeating rules for
various name locations (cn, san). They also disregard wildcards when
matching only the suffix. The inflexible configuration also makes
specific validators like server_group required.
The new validator whitelist_names solves all those issues and allows to
deprecate old validators.
Implements: blueprint validator-improvement
Change-Id: Id31889f735eb34323f21a91d68a50602351f6611
Add a validator for the public key sizes. This allows to reject a
request with a 512b long RSA key for example.
Change-Id: Ib4988e595c4c5cdc643af56e9529e8c0de31d993
Remove a validator which has been marked for an update for some time.
CA certificate signing should not be handled by Anchor at all.
Change-Id: Ib13a0ca3445956e35c23c559f59f37e6721c1a33
Closes-bug: 1508776
Make sure all test cases use only one certificate request so that it's
easier to manage/update. Also use the example.com domain for that
certificate.
Change-Id: If7104d07d98a96a4f0760087b2dbce71302f060d
Partial-bug: 1491054
This breaks out the validation logic so it can be re-used by a 3rd
party. The validate_csr method has been moved into a new file and
pecan specific stuff has been removed. This method now returns a
dict of true/false results rather than bailing on the first fail.
The certificate ops version of validate_csr now wraps the generic
one, it adds back in the pecan specific errors and fails as before
if all validators do not report success. Validator errors propagate
out of the generic method but are captured by the certificate_ops
version.
The error message returned to the caller upon validation error (not
validation failure) is now less detailed, we were reporting too much
info before anyway.
Change-Id: Id10a892cc55be9b3665a05510cb72df0a5f29416