Merge pull request smallstep#1903 from smallstep/mariano/validity

Add support for validities in templates
hm-edu · Jul 1, 2024 · 8829b42 · 8829b42
2 parents 1704ab9 + f8bda96
commit 8829b42
Show file tree

Hide file tree

Showing 5 changed files with 210 additions and 48 deletions.
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
@@ -299,14 +299,19 @@ func (v defaultSANsValidator) Valid(req *x509.CertificateRequest) (err error) {
 // duration.
 type profileDefaultDuration time.Duration
 
+// Modify sets the certificate NotBefore and NotAfter using the following order:
+//   - From the SignOptions that we get from flags.
+//   - From x509.Certificate that we get from the template.
+//   - NotBefore from the current time with a backdate.
+//   - NotAfter from NotBefore plus the duration in v.
 func (v profileDefaultDuration) Modify(cert *x509.Certificate, so SignOptions) error {
 	var backdate time.Duration
-	notBefore := so.NotBefore.Time()
+	notBefore := timeOr(so.NotBefore.Time(), cert.NotBefore)
 	if notBefore.IsZero() {
 		notBefore = now()
 		backdate = -1 * so.Backdate
 	}
-	notAfter := so.NotAfter.RelativeTime(notBefore)
+	notAfter := timeOr(so.NotAfter.RelativeTime(notBefore), cert.NotAfter)
 	if notAfter.IsZero() {
 		if v != 0 {
 			notAfter = notBefore.Add(time.Duration(v))
@@ -327,11 +332,17 @@ type profileLimitDuration struct {
 	notBefore, notAfter time.Time
 }
 
-// Option returns an x509util option that limits the validity period of a
-// certificate to one that is superficially imposed.
+// Modify sets the certificate NotBefore and NotAfter but limits the validity
+// period to the certificate to one that is superficially imposed.
+//
+// The expected NotBefore and NotAfter are set using the following order:
+//   - From the SignOptions that we get from flags.
+//   - From x509.Certificate that we get from the template.
+//   - NotBefore from the current time with a backdate.
+//   - NotAfter from NotBefore plus the duration v or the notAfter in v if lower.
 func (v profileLimitDuration) Modify(cert *x509.Certificate, so SignOptions) error {
 	var backdate time.Duration
-	notBefore := so.NotBefore.Time()
+	notBefore := timeOr(so.NotBefore.Time(), cert.NotBefore)
 	if notBefore.IsZero() {
 		notBefore = now()
 		backdate = -1 * so.Backdate
@@ -342,7 +353,7 @@ func (v profileLimitDuration) Modify(cert *x509.Certificate, so SignOptions) err
 			notBefore, v.notBefore)
 	}
 
-	notAfter := so.NotAfter.RelativeTime(notBefore)
+	notAfter := timeOr(so.NotAfter.RelativeTime(notBefore), cert.NotAfter)
 	if notAfter.After(v.notAfter) {
 		return errs.Forbidden(
 			"requested certificate notAfter (%s) is after the expiration of the provisioning credential (%s)",

diff --git a/authority/provisioner/sign_options_test.go b/authority/provisioner/sign_options_test.go
@@ -598,9 +598,61 @@ func Test_profileDefaultDuration_Option(t *testing.T) {
 			na := time.Now().Add(10 * time.Minute).UTC()
 			d := 4 * time.Hour
 			return test{
-				pdd:  profileDefaultDuration(d),
-				so:   SignOptions{NotBefore: NewTimeDuration(nb), NotAfter: NewTimeDuration(na)},
-				cert: new(x509.Certificate),
+				pdd: profileDefaultDuration(d),
+				so:  SignOptions{NotBefore: NewTimeDuration(nb), NotAfter: NewTimeDuration(na)},
+				cert: &x509.Certificate{
+					NotBefore: time.Now(),
+					NotAfter:  time.Now().Add(time.Hour),
+				},
+				valid: func(cert *x509.Certificate) {
+					assert.Equals(t, nb, cert.NotBefore)
+					assert.Equals(t, na, cert.NotAfter)
+				},
+			}
+		},
+		"ok/cert-with-validity": func() test {
+			nb := time.Now().Add(5 * time.Minute).UTC()
+			na := time.Now().Add(10 * time.Minute).UTC()
+			d := 4 * time.Hour
+			return test{
+				pdd: profileDefaultDuration(d),
+				so:  SignOptions{},
+				cert: &x509.Certificate{
+					NotBefore: nb,
+					NotAfter:  na,
+				},
+				valid: func(cert *x509.Certificate) {
+					assert.Equals(t, nb, cert.NotBefore)
+					assert.Equals(t, na, cert.NotAfter)
+				},
+			}
+		},
+		"ok/cert-notBefore-option-notafter": func() test {
+			nb := time.Now().Add(5 * time.Minute).UTC()
+			na := time.Now().Add(10 * time.Minute).UTC()
+			d := 4 * time.Hour
+			return test{
+				pdd: profileDefaultDuration(d),
+				so:  SignOptions{NotAfter: NewTimeDuration(na)},
+				cert: &x509.Certificate{
+					NotBefore: nb,
+				},
+				valid: func(cert *x509.Certificate) {
+					assert.Equals(t, nb, cert.NotBefore)
+					assert.Equals(t, na, cert.NotAfter)
+				},
+			}
+		},
+		"ok/cert-notAfter-option-notBefore": func() test {
+			nb := time.Now().Add(5 * time.Minute).UTC()
+			na := time.Now().Add(10 * time.Minute).UTC()
+			d := 4 * time.Hour
+			return test{
+				pdd: profileDefaultDuration(d),
+				so:  SignOptions{NotBefore: NewTimeDuration(nb)},
+				cert: &x509.Certificate{
+					NotAfter: na,
+				},
 				valid: func(cert *x509.Certificate) {
 					assert.Equals(t, cert.NotBefore, nb)
 					assert.Equals(t, cert.NotAfter, na)
@@ -725,6 +777,28 @@ func Test_profileLimitDuration_Option(t *testing.T) {
 				err:  errors.New("requested certificate notAfter ("),
 			}
 		},
+		"fail/cert-validity-notBefore": func() test {
+			return test{
+				pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n, notAfter: n.Add(6 * time.Hour)},
+				so:  SignOptions{},
+				cert: &x509.Certificate{
+					NotBefore: n.Add(-time.Second),
+					NotAfter:  n.Add(5 * time.Hour),
+				},
+				err: errors.New("requested certificate notBefore ("),
+			}
+		},
+		"fail/cert-validity-notAfter": func() test {
+			return test{
+				pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n, notAfter: n.Add(6 * time.Hour)},
+				so:  SignOptions{},
+				cert: &x509.Certificate{
+					NotBefore: n,
+					NotAfter:  n.Add(6*time.Hour + time.Second),
+				},
+				err: errors.New("requested certificate notAfter ("),
+			}
+		},
 		"ok/valid-notAfter-requested": func() test {
 			d, err := ParseTimeDuration("2h")
 			assert.FatalError(t, err)
@@ -782,6 +856,72 @@ func Test_profileLimitDuration_Option(t *testing.T) {
 				},
 			}
 		},
+		"ok/cert-validity": func() test {
+			return test{
+				pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n, notAfter: n.Add(6 * time.Hour)},
+				so:  SignOptions{},
+				cert: &x509.Certificate{
+					NotBefore: n,
+					NotAfter:  n.Add(5 * time.Hour),
+				},
+				valid: func(cert *x509.Certificate) {
+					assert.Equals(t, n, cert.NotBefore)
+					assert.Equals(t, n.Add(5*time.Hour), cert.NotAfter)
+				},
+			}
+		},
+		"ok/cert-notBefore-default": func() test {
+			return test{
+				pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n, notAfter: n.Add(6 * time.Hour)},
+				so:  SignOptions{},
+				cert: &x509.Certificate{
+					NotBefore: n,
+				},
+				valid: func(cert *x509.Certificate) {
+					assert.Equals(t, n, cert.NotBefore)
+					assert.Equals(t, n.Add(4*time.Hour), cert.NotAfter)
+				},
+			}
+		},
+		"ok/cert-notAfter-default": func() test {
+			return test{
+				pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n, notAfter: n.Add(6 * time.Hour)},
+				so:  SignOptions{},
+				cert: &x509.Certificate{
+					NotAfter: n.Add(5 * time.Hour),
+				},
+				valid: func(cert *x509.Certificate) {
+					assert.Equals(t, n, cert.NotBefore)
+					assert.Equals(t, n.Add(5*time.Hour), cert.NotAfter)
+				},
+			}
+		},
+		"ok/cert-notBefore-option": func() test {
+			return test{
+				pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n, notAfter: n.Add(6 * time.Hour)},
+				so:  SignOptions{NotAfter: NewTimeDuration(n.Add(5 * time.Hour))},
+				cert: &x509.Certificate{
+					NotBefore: n,
+				},
+				valid: func(cert *x509.Certificate) {
+					assert.Equals(t, n, cert.NotBefore)
+					assert.Equals(t, n.Add(5*time.Hour), cert.NotAfter)
+				},
+			}
+		},
+		"ok/cert-notAfter-option": func() test {
+			return test{
+				pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n, notAfter: n.Add(6 * time.Hour)},
+				so:  SignOptions{NotBefore: NewTimeDuration(n.Add(4 * time.Hour))},
+				cert: &x509.Certificate{
+					NotAfter: n.Add(5 * time.Hour),
+				},
+				valid: func(cert *x509.Certificate) {
+					assert.Equals(t, n.Add(4*time.Hour), cert.NotBefore)
+					assert.Equals(t, n.Add(5*time.Hour), cert.NotAfter)
+				},
+			}
+		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {

diff --git a/authority/provisioner/timeduration.go b/authority/provisioner/timeduration.go
@@ -11,6 +11,17 @@ var now = func() time.Time {
 	return time.Now().UTC()
 }
 
+// timeOr returns the first of its arguments that is not equal to the zero time.
+// This method can be replaced with cmp.Or when step-ca requires Go 1.22.
+func timeOr(ts ...time.Time) time.Time {
+	for _, t := range ts {
+		if !t.IsZero() {
+			return t
+		}
+	}
+	return time.Time{}
+}
+
 // TimeDuration is a type that represents a time but the JSON unmarshaling can
 // use a time using the RFC 3339 format or a time.Duration string. If a duration
 // is used, the time will be set on the first call to TimeDuration.Time.

diff --git a/go.mod b/go.mod
@@ -33,7 +33,7 @@ require (
 	github.com/stretchr/testify v1.9.0
 	github.com/urfave/cli v1.22.15
 	go.step.sm/cli-utils v0.9.0
-	go.step.sm/crypto v0.47.1
+	go.step.sm/crypto v0.48.0
 	go.step.sm/linkedca v0.21.1
 	golang.org/x/crypto v0.24.0
 	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81
@@ -53,27 +53,27 @@ require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.27.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.17 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.17 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.21 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.21 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.32.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect

diff --git a/go.sum b/go.sum
@@ -21,8 +21,8 @@ github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIo
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 h1:1nGuui+4POelzDwI7RG56yfQJHCnKvwfMoU7VsEp+Zg=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0/go.mod h1:99EvauvlcJ1U06amZiksfYz/3aFGyIhWGHVyiZXtBAI=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 h1:H+U3Gk9zY56G3u872L82bk4thcsy2Gghb9ExT4Zvm1o=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0/go.mod h1:mgrmMSgaLp9hmax62XQTd0N4aAqSE5E0DulSpVYK7vc=
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM=
@@ -46,32 +46,32 @@ github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY
 github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/aws/aws-sdk-go-v2 v1.27.1 h1:xypCL2owhog46iFxBKKpBcw+bPTX/RJzwNj8uSilENw=
-github.com/aws/aws-sdk-go-v2 v1.27.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
-github.com/aws/aws-sdk-go-v2/config v1.27.17 h1:L0JZN7Gh7pT6u5CJReKsLhGKparqNKui+mcpxMXjDZc=
-github.com/aws/aws-sdk-go-v2/config v1.27.17/go.mod h1:MzM3balLZeaafYcPz8IihAmam/aCz6niPQI0FdprxW0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.17 h1:b3Dk9uxQByS9sc6r0sc2jmxsJKO75eOcb9nNEiaUBLM=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.17/go.mod h1:e4khg9iY08LnFK/HXQDWMf9GDaiMari7jWPnXvKAuBU=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4 h1:0cSfTYYL9qiRcdi4Dvz+8s3JUgNR2qvbgZkXcwPEEEk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4/go.mod h1:Wjn5O9eS7uSi7vlPKt/v0MLTncANn9EMmoDvnzJli6o=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8 h1:RnLB7p6aaFMRfyQkD6ckxR7myCC9SABIqSz4czYUUbU=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.8/go.mod h1:XH7dQJd+56wEbP1I4e4Duo+QhSMxNArE8VP7NuUOTeM=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8 h1:jzApk2f58L9yW9q1GEab3BMMFWUkkiZhyrRUtbwUbKU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.8/go.mod h1:WqO+FftfO3tGePUtQxPXM6iODVfqMwsVMgTbG/ZXIdQ=
+github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA=
+github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/config v1.27.21 h1:yPX3pjGCe2hJsetlmGNB4Mngu7UPmvWPzzWCv1+boeM=
+github.com/aws/aws-sdk-go-v2/config v1.27.21/go.mod h1:4XtlEU6DzNai8RMbjSF5MgGZtYvrhBP/aKZcRtZAVdM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.21 h1:pjAqgzfgFhTv5grc7xPHtXCAaMapzmwA7aU+c/SZQGw=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.21/go.mod h1:nhK6PtBlfHTUDVmBLr1dg+WHCOCK+1Fu/WQyVHPsgNQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 h1:FR+oWPFb/8qMVYMWN98bUZAGqPvLHiyqg1wqQGfUAXY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8/go.mod h1:EgSKcHiuuakEIxJcKGzVNWh5srVAQ3jKaSrBGRYvM48=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10 h1:7kZqP7akv0enu6ykJhb9OYlw16oOrSy+Epus8o/VqMY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.10/go.mod h1:gYVF3nM1ApfTRDj9pvdhootBb8WbiIejuqn4w8ruMes=
-github.com/aws/aws-sdk-go-v2/service/kms v1.32.2 h1:WuwRxTSPc+E4dwDRmxh4TILJsnYoqm41KTb11pRkzBA=
-github.com/aws/aws-sdk-go-v2/service/kms v1.32.2/go.mod h1:qEy625xFxrw6hA+eOAD030wmLERPa7LNCArh+gAC+8o=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.10 h1:ItKVmFwbyb/ZnCWf+nu3XBVmUirpO9eGEQd7urnBA0s=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.10/go.mod h1:5XKooCTi9VB/xZmJDvh7uZ+v3uQ7QdX6diOyhvPA+/w=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4 h1:QMSCYDg3Iyls0KZc/dk3JtS2c1lFfqbmYO10qBPPkJk=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.4/go.mod h1:MZ/PVYU/mRbmSF6WK3ybCYHjA2mig8utVokDEVLDgE0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.11 h1:HYS0csS7UJxdYRoG+bGgUYrSwVnV3/ece/wHm90TApM=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.11/go.mod h1:QXnthRM35zI92048MMwfFChjFmoufTdhtHmouwNfhhU=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI=
+github.com/aws/aws-sdk-go-v2/service/kms v1.34.1 h1:VsKBn6WADI3Nn3WjBMzeRww9WHXeVLi7zyuSrqjRCBQ=
+github.com/aws/aws-sdk-go-v2/service/kms v1.34.1/go.mod h1:5F6kXrPBxv0l1t8EO44GuG4W82jGJwaRE0B+suEGnNY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 h1:sd0BsnAvLH8gsp2e3cbaIr+9D7T1xugueQ7V/zUAsS4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.21.1/go.mod h1:lcQG/MmxydijbeTOp04hIuJwXGWPZGI3bwdFDGRTv14=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 h1:1uEFNNskK/I1KoZ9Q8wJxMz5V9jyBlsiaNrM7vA3YUQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1/go.mod h1:z0P8K+cBIsFXUr5rzo/psUeJ20XjPN0+Nn8067Nd+E4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE=
 github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
 github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -492,8 +492,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.step.sm/cli-utils v0.9.0 h1:55jYcsQbnArNqepZyAwcato6Zy2MoZDRkWW+jF+aPfQ=
 go.step.sm/cli-utils v0.9.0/go.mod h1:Y/CRoWl1FVR9j+7PnAewufAwKmBOTzR6l9+7EYGAnp8=
-go.step.sm/crypto v0.47.1 h1:XvqgWLA1OTJXkmkmD6QSDZrmGKP4flv3PEoau60htcU=
-go.step.sm/crypto v0.47.1/go.mod h1:0fz8+Am8oIwfOJgr9HHf7MwTa7Gffliv35VxDrQqU0Y=
+go.step.sm/crypto v0.48.0 h1:flzqX/YuoAZu45gZ6nRzXoWDJTt9xEsipeY282TV67Q=
+go.step.sm/crypto v0.48.0/go.mod h1:rVdNkA8YiPnflJF6Y+zT+0q1lEL1mOQV4kq6CvANQqU=
 go.step.sm/linkedca v0.21.1 h1:2pM0qk48Rd8mre5V/Zch3AsaXUpyZAxsICKYB/gV2kc=
 go.step.sm/linkedca v0.21.1/go.mod h1:dOKdF4HSn73YUEkfS5/FECngZmBtj2Il5DTKWXY4S6Y=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=