* Add a last issued date on ACME accounts
- When we issue a new ACME certificate, attempt to update the account's last issued field
- Within ACME account tidy, use both account creation and last issue date to provide a buffer before we mark the account as revoked.
- Cleanup the cert serial to account tracker
- Misc formatting fixes in JSON objects
* Move account max-cert-expiry updates within tidy
- Perform the account update of max-cert-expiry within
the tidy operation as it has the account write lock
and is already iterating over all orders.
- With this the order path does not need any account
level locks
* Prefix ACME account status constants with AccountStatusX
* Add Vault APIS to create, list, delete ACME EAB keys
- Add Vault authenticated APIs to create, list and delete ACME
EAB keys.
- Add supporting tests for all new apis
* Add require_eab to acme configuration
* Add EAB support to ACME
* Add EAB support to ACME
* PR feedback 1
- Address missing err return within DeleteEab
- Move verifyEabPayload to acme_jws.go no code changes in this PR
- Update error message returned for error on account storage with EAB.
* PR feedback 2
- Verify JWK signature payload after signature verification
* Introduce an ACME eab_policy in configuration
- Instead of a boolean on/off for require_eab, introduce named policies for ACME behaviour enforcing eab.
- The default policy of always-required, will force new accounts to have an EAB, and all operations in the future, will make sure the account has an EAB associated with it.
- Two other policies, not-required will allow any anonymous users to use ACME within PKI and 'new-account-required' will enforce new accounts going forward to require an EAB, but existing accounts will still be allowed to use ACME if they don't have an EAB associated with the account.
- Having 'always-required' as a policy, will override the environment variable to disable public acme as well.
* Add missing go-docs to new tests.
* Add valid eab_policy values in error message.
* Structure of ACME Tidy.
* The tidy endpoints/call information.
* Counts for status plumbing.
* Update typo calls, add information saving date of account creation.
* Missed some field locations.
* Set-up of Tidy command.
* Proper tidy function; lock to work with
* Remove order safety buffer.
* Missed a field.
* Read lock for account creation; Write lock for tidy (account deletion)
* Type issues fixed.
* fix range operator.
* Fix path_tidy read.
* Add fields to auto-tidy config.
* Add (and standardize) Tidy Config Response
* Test pass, consistent fields
* Changes from PR-Reviews.
* Update test to updated default due to PR-Review.
* Enforce ACME accounts to a specific directory path
- Accounts and correspondingly orders, authz should not cross
the path boundaries. So we now tag an ACME account with a specific
directory based on the requested role/issuer values in the path.
- If an operation occurs on a different acme directory path it will
cause a failure of the request.
- Add some go doc to a few places and reorder the methods in the
acme_wrappers.go class to highlight the wrappers and not intertwine
the helper functions
- Rename path_acme_new_account.go to path_acme_account.go as it has
several account related methods now.
* Get rid of bad test case
- The previous commit contained a bug fix for us properly
loading issuers within the ACME path, that exposed
this broken/bad test case. Simply remove it.
