Skip to content

Latest commit

 

History

History
627 lines (416 loc) · 20.4 KB

CHANGELOG.md

File metadata and controls

627 lines (416 loc) · 20.4 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

TEMPLATE -- do not alter or remove


[x.y.z] - aaaa-bb-cc

Added

Changed

Deprecated

Removed

Fixed

Security


[0.28.1] - 2024-11-19

Added

  • Support for using template data from SCEPCHALLENGE webhooks (#2065)
  • New field to Webhook response that allows for propagation of human readable errors to the client (#2066, #2069)
  • CICD for pushing DEB and RPM packages to packages.smallstep.com on releases (#2076)
  • PKCS11 utilities in HSM container image (#2077)

Changed

  • Artifact names for RPM and DEB packages in conformance with standards (#2076)

[0.28.0] - 2024-10-29

Added

  • Add options to GCP IID provisioner to enable or disable signing of SSH user and host certificates (#2045)

Changed

  • For IID provisioners with disableCustomSANs set to true, validate that the requested DNS names are a subset of the allowed DNS names (based on the IID token), rather than requiring an exact match to the entire list of allowed DNS names. (#2044)

[0.27.5] - 2024-10-17

Added

  • Option to log real IP (x-forwarded-for) in logging middleware (#2002)

Fixed

  • Pulled in updates to smallstep/pkcs7 to fix failing Windows SCEP enrollment certificates (#1994)

[0.27.4] - 2024-09-13

Fixed

  • Release worfklow

[0.27.3] - 2024-09-13

Added

  • AWS auth method for Vault RA mode (#1976)
  • API endpoints for retrieving Intermediate certificates (#1962)
  • Enable use of OIDC provisioner with private identity providers and a certificate from step-ca (#1940)
  • Support for verifying cnf and x5rt#S256 claim when provided in token (#1660)
  • Add Wire integration to ACME provisioner (#1666)

Changed

  • Clarified SSH certificate policy errors (#1951)

Fixed

  • Nebula ECDSA P-256 support (#1662)

[0.27.2] - 2024-07-18

Added

  • --console option to default step-ssh config (#1931)

[0.27.1] - 2024-07-12

Changed

  • Enable use of strict FQDN with a flag (#1926)
    • This reverses a change in 0.27.0 that required the use of strict FQDNs (smallstep/certificate#1910)

[0.27.0] - 2024-07-11

Added

  • Support for validity windows in templates (#1903)
  • Create identity certificate with host URI when using any provisioner (#1922)

Changed

  • Do strict DNS lookup on ACME (#1910)

Fixed

  • Handle bad attestation object in deviceAttest01 validation (#1913)

[0.26.2] - 2024-06-13

Added

  • Add provisionerID to ACME accounts (#1830)
  • Enable verifying ACME provisioner using provisionerID if available (#1844)
  • Add methods to Authority to get intermediate certificates (#1848)
  • Add GetX509Signer method (#1850)

Changed

  • Make ISErrNotFound more flexible (#1819)
  • Log errors using slog.Logger (#1849)
  • Update hardcoded AWS certificates (#1881)

[0.26.1] - 2024-04-22

Added

  • Allow configuration of a custom SCEP key manager (#1797)

Fixed

  • id-scep-failInfoText OID (#1794)
  • CA startup with Vault RA configuration (#1803)

[0.26.0] - 2024-03-28

Added

  • TPM KMS support for CA keys (#1772)
  • Propagation of HTTP request identifier using X-Request-Id header (#1743, #1542)
  • Expires header in CRL response (#1708)
  • Support for providing TLS configuration programmatically (#1685)
  • Support for providing external CAS implementation (#1684)
  • AWS ca-west-1 identity document root certificate (#1715)
  • COSE RS1 as a supported algorithm with ACME device-attest-01 challenge (#1663)

Changed

  • In an RA setup, let the CA decide the RA certificate lifetime (#1764)
  • Use Debian Bookworm in Docker containers (#1615)
  • Error message for CSR validation (#1665)
  • Updated dependencies

Fixed

  • Stop CA when any of the required servers fails to start (#1751). Before the fix, the CA would continue running and only log the server failure when stopped.
  • Configuration loading errors when not using context were not returned. Fixed in cli-utils/109.
  • HTTP_PROXY and HTTPS_PROXY support for ACME validation client (#1658).

Security

  • Upgrade to using cosign v2 for signing artifacts

[0.25.1] - 2023-11-28

Added

  • Provisioner name in SCEP webhook request body in (#1617)
  • Support for ASN1 boolean encoding in (#1590)

Changed

  • Generation of first provisioner name on step ca init in (#1566)
  • Processing of SCEP Get PKIOperation requests in (#1570)
  • Support for signing identity certificate during SSH sign by skipping URI validation in (#1572)
  • Dependency on micromdm/scep and go.mozilla.org/pkcs7 to use Smallstep forks in (#1600)
  • Make the Common Name validator for JWK provisioners accept values from SANs too in (#1609)

Fixed

  • Registration Authority token creation relied on values from CSR. Fixed to rely on template in (#1608)
  • Use same glibc version for running the CA when built using CGo in (#1616)

[0.25.0] - 2023-09-26

Added

  • Added support for configuring SCEP decrypters in the provisioner (#1414)
  • Added support for TPM KMS (smallstep/crypto#253)
  • Added support for disableSmallstepExtensions provisioner claim (#1484)
  • Added script to migrate a badger DB to MySQL or PostgreSQL (#1477)
  • Added AWS public certificates for me-central-1 and ap-southeast-3 (#1404)
  • Added namespace field to VaultCAS JSON config (#1424)
  • Added AWS public certificates for me-central-1 and ap-southeast-3 (#1404)
  • Added unversioned filenames to Github release assets (#1435)
  • Send X5C leaf certificate to webhooks (#1485)
  • Added support for disableSmallstepExtensions claim (#1484)
  • Added all AWS Identity Document Certificates (#1404, #1510)
  • Added Winget release automation (#1519)
  • Added CSR to SCEPCHALLENGE webhook request body (#1523)
  • Added SCEP issuance notification webhook (#1544)
  • Added ability to disable color in the log text formatter (smallstep/certificates(#1559)

Changed

  • Changed the Makefile to produce cgo-enabled builds running make build GO_ENVS="CGO_ENABLED=1" (#1446)
  • Return more detailed errors to ACME clients using device-attest-01 (#1495)
  • Change SCEP password type to string (#1555)

Removed

  • Removed OIDC user regexp check (#1481)
  • Removed automatic initialization of $STEPPATH (#1493)
  • Removed db datasource from error msg to prevent leaking of secrets to logs (#1528)

Fixed

  • Improved authentication for ACME requests using kid and provisioner name (#1386).
  • Fixed indentation of KMS configuration in helm charts (#1405)
  • Fixed simultaneous sign or decrypt operation on a YubiKey (#1476, smallstep/crypto#288)
  • Fixed adding certificate templates with ASN.1 functions (#1500, smallstep/crypto#302)
  • Fixed a problem when the ca.json is truncated if the encoding of the configuration fails (e.g., new provisioner with bad template data) (smallstep/cli#994, #1501)
  • Fixed provisionerOptionsToLinkedCA missing template and templateData (#1520)
  • Fix calculation of webhook signature (#1546)

[v0.24.2] - 2023-05-11

Added

  • Log SSH certificates (#1374)
  • CRL endpoints on the HTTP server (#1372)
  • Dynamic SCEP challenge validation using webhooks (#1366)
  • For Docker deployments, added DOCKER_STEPCA_INIT_PASSWORD_FILE. Useful for pointing to a Docker Secret in the container (#1384)

Changed

Fixed

  • VaultCAS certificate lifetime (#1376)

[v0.24.1] - 2023-04-14

Fixed

  • Docker image name for HSM support (#1348)

[v0.24.0] - 2023-04-12

Added

Fixed

  • Fix support for PKCS #7 RSA-OAEP decryption through smallstep/pkcs7#4, as used in SCEP.
  • Fix RA installation using scripts/install-step-ra.sh (#1255).
  • Clarify error messages on policy errors (#1287, #1278).
  • Clarify error message on OIDC email validation (#1290).
  • Mark the IDP critical in the generated CRL data (#1293).
  • Disable database if CA is initialized with the --no-db flag (#1294).

[v0.23.2] - 2023-02-02

Added

  • Added step-kms-plugin to docker images, and a new image, smallstep/step-ca-hsm, compiled with cgo (#1243).
  • Added scoop packages back to the release (#1250).
  • Added optional flag --pidfile which allows passing a filename where step-ca will write its process id (#1251).
  • Added helpful message on CA startup when config can't be opened (#1252).
  • Improved validation and error messages on device-attest-01 orders (#1235).

Removed

  • The deprecated CLI utils step-awskms-init, step-cloudkms-init, step-pkcs11-init, step-yubikey-init have been removed. step and step-kms-plugin should be used instead (#1240).

Fixed

  • Fixed remote management flags in docker images (#1228).

[v0.23.1] - 2023-01-10

Added

  • Added configuration property .crl.idpURL to be able to set a custom Issuing Distribution Point in the CRL (#1178).
  • Added WithContext methods to the CA client (#1211).
  • Docker: Added environment variables for enabling Remote Management and ACME provisioner (#1201).
  • Docker: The entrypoint script now generates and displays an initial JWK provisioner password by default when the CA is being initialized (#1223).

Changed

  • Ignore SSH principals validation when using an OIDC provisioner. The provisioner will ignore the principals passed and set the defaults or the ones including using WebHooks or templates (#1206).

[v0.23.0] - 2022-11-11

Added

  • Added support for ACME device-attest-01 challenge on iOS, iPadOS, tvOS and YubiKey.
  • Ability to disable ACME challenges and attestation formats.
  • Added flags to change ACME challenge ports for testing purposes.
  • Added name constraints evaluation and enforcement when issuing or renewing X.509 certificates.
  • Added provisioner webhooks for augmenting template data and authorizing certificate requests before signing.
  • Added automatic migration of provisioners when enabling remote management.
  • Added experimental support for CRLs.
  • Add certificate renewal support on RA mode. The step ca renew command must use the flag --mtls=false to use the token renewal flow.
  • Added support for initializing remote management using step ca init.
  • Added support for renewing X.509 certificates on RAs.
  • Added support for using SCEP with keys in a KMS.
  • Added client support to set the dialer's local address with the environment variable STEP_CLIENT_ADDR.

Changed

  • Remove the email requirement for issuing SSH certificates with an OIDC provisioner.
  • Root files can contain more than one certificate.

Fixed

Deprecated

  • The CLIs step-awskms-init, step-cloudkms-init, step-pkcs11-init, step-yubikey-init are deprecated. Now you can use step-kms-plugin in combination with step certificates create to initialize your PKI.

[0.22.1] - 2022-08-31

Fixed

  • Fixed signature algorithm on EC (root) + RSA (intermediate) PKIs.

[0.22.0] - 2022-08-26

Added

  • Added automatic configuration of Linked RAs.
  • Send provisioner configuration on Linked RAs.

Changed

  • Certificates signed by an issuer using an RSA key will be signed using the same algorithm used to sign the issuer certificate. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.
  • Support two latest versions of Go (1.18, 1.19).
  • Validate revocation serial number (either base 10 or prefixed with an appropriate base).
  • Sanitize TLS options.

[0.20.0] - 2022-05-26

Added

  • Added Kubernetes auth method for Vault RAs.
  • Added support for reporting provisioners to linkedca.
  • Added support for certificate policies on authority level.
  • Added a Dockerfile with a step-ca build with HSM support.
  • A few new WithXX methods for instantiating authorities

Changed

  • Context usage in HTTP APIs.
  • Changed authentication for Vault RAs.
  • Error message returned to client when authenticating with expired certificate.
  • Strip padding from ACME CSRs.

Deprecated

  • HTTP API handler types.

Fixed

  • Fixed SSH revocation.
  • CA client dial context for js/wasm target.
  • Incomplete extraNames support in templates.
  • SCEP GET request support.
  • Large SCEP request handling.

[0.19.0] - 2022-04-19

Added

  • Added support for certificate renewals after expiry using the claim allowRenewalAfterExpiry.
  • Added support for extraNames in X.509 templates.
  • Added armv5 builds.
  • Added RA support using a Vault instance as the CA.
  • Added WithX509SignerFunc authority option.
  • Added a new /roots.pem endpoint to download the CA roots in PEM format.
  • Added support for Azure Managed Identity tokens.
  • Added support for automatic configuration of linked RAs.
  • Added support for the --context flag. It's now possible to start the CA with step-ca --context=abc to use the configuration from context abc. When a context has been configured and no configuration file is provided on startup, the configuration for the current context is used.
  • Added startup info logging and option to skip it (--quiet).
  • Added support for renaming the CA (Common Name).

Changed

  • Made SCEP CA URL paths dynamic.
  • Support two latest versions of Go (1.17, 1.18).
  • Upgrade go.step.sm/crypto to v0.16.1.
  • Upgrade go.step.sm/linkedca to v0.15.0.

Deprecated

  • Go 1.16 support.

Removed

Fixed

  • Fixed admin credentials on RAs.
  • Fixed ACME HTTP-01 challenges for IPv6 identifiers.
  • Various improvements under the hood.

Security

[0.18.2] - 2022-03-01

Added

  • Added subscriptionIDs and objectIDs filters to the Azure provisioner.
  • NoSQL package allows filtering out database drivers using Go tags. For example, using the Go flag --tags=nobadger,nobbolt,nomysql will only compile step-ca with the pgx driver for PostgreSQL.

Changed

  • IPv6 addresses are normalized as IP addresses instead of hostnames.
  • More descriptive JWK decryption error message.
  • Make the X5C leaf certificate available to the templates using {{ .AuthorizationCrt }}.

Fixed

  • During provisioner add - validate provisioner configuration before storing to DB.

[0.18.1] - 2022-02-03

Added

  • Support for ACME revocation.
  • Replace hash function with an RSA SSH CA to "rsa-sha2-256".
  • Support Nebula provisioners.
  • Example Ansible configurations.
  • Support PKCS#11 as a decrypter, as used by SCEP.

Changed

  • Automatically create database directory on step ca init.
  • Slightly improve errors reported when a template has invalid content.
  • Error reporting in logs and to clients.

Fixed

  • SCEP renewal using HTTPS on macOS.

[0.18.0] - 2021-11-17

Added

  • Support for multiple certificate authority contexts.
  • Support for generating extractable keys and certificates on a pkcs#11 module.

Changed

  • Support two latest versions of Go (1.16, 1.17)

Deprecated

  • go 1.15 support

[0.17.6] - 2021-10-20

Notes

  • 0.17.5 failed in CI/CD

[0.17.5] - 2021-10-20

Added

  • Support for Azure Key Vault as a KMS.
  • Adapt pki package to support key managers.
  • gocritic linter

Fixed

  • gocritic warnings

[0.17.4] - 2021-09-28

Fixed

  • Support host-only or user-only SSH CA.

[0.17.3] - 2021-09-24

Added

  • go 1.17 to github action test matrix
  • Support for CloudKMS RSA-PSS signers without using templates.
  • Add flags to support individual passwords for the intermediate and SSH keys.
  • Global support for group admins in the OIDC provisioner.

Changed

  • Using go 1.17 for binaries

Fixed

  • Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.

Security

  • Use cosign to sign and upload signatures for multi-arch Docker container.
  • Add debian checksum

[0.17.2] - 2021-08-30

Added

  • Additional way to distinguish Azure IID and Azure OIDC tokens.

Security

  • Sign over all goreleaser github artifacts using cosign

[0.17.1] - 2021-08-26

[0.17.0] - 2021-08-25

Added

  • Add support for Linked CAs using protocol buffers and gRPC
  • step-ca init adds support for
    • configuring a StepCAS RA
    • configuring a Linked CA
    • congifuring a step-ca using Helm

Changed

  • Update badger driver to use v2 by default
  • Update TLS cipher suites to include 1.3

Security

  • Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.