* Rename crlConfig to CrlConfig.
Rename defaultCrlConfig to DefaultCrlConfig.
* Move CrlConfig and DefaultCrlConfig to new package pki/revocation.
* Rename revocationInfo to RevocationInfo.
* Move RevocationInfo to pki/revocation.
* Add StorageContext interface to PKI's revocation package.
* Add CrlBuilderType interface to pki_backend package.
The purpose of the interface is to make it possible to gradually move (refactor)
CrlBuilder to the revocation package.
* Move CrlConfig and DefaultCrlConfig to package pki_backend.
* Make StorageContext.CrlBuilder() return a CrlBuilderType.
Add methods SetLastDeltaRebuildCheckTime() and ShouldInvalidate() to
CrlBuilderType.
* Move fetchIssuerMapForRevocationChecking to PKI's revocation package.
* Run make fmt.
* Add method storageContext.Logger().
* Add method storageContext.System().
* Add method storageContext.CrlBuilder().
* Add method storageContext.GetUnifiedTransferStatus().
* Add method storageContext.GetPkiManagedView().
* Add method storageContext.GetCertificateCounter().
* Add method storageContext.UseLegacyBundleCaStorage().
* Add method storageContext.GetRevokeStorageLock().
* Add acmeState to acmeContext.
Make acmeState accessible from acmeContext, so that storageContext doesn't have
to be used for this purpose.
* Decouple getAndValidateAcmeRole() from storageContext.Backend.
* Don't access Backend.ciepsState through storageContext.
* Add method storageContext.GetRole().
* Change signature of getCiepsAcmeSettings for CE compatibility.
* PKI refactoring to start breaking apart monolith into sub-packages
- This was broken down by commit within enterprise for ease of review
but would be too difficult to bring back individual commits back
to the CE repository. (they would be squashed anyways)
- This change was created by exporting a patch of the enterprise PR
and applying it to CE repository
* Fix TestBackend_OID_SANs to not be rely on map ordering
* Adding explicit MPL license for sub-package.
This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.
* Adding explicit MPL license for sub-package.
This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.
* Updating the license from MPL to Business Source License.
Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl.
* add missing license headers
* Update copyright file headers to BUS-1.1
* Fix test that expected exact offset on hcl file
---------
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
* Replace all time.ParseDurations with testutil.ParseDurationSeconds
* Changelog
* Import formatting
* Import formatting
* Import formatting
* Import formatting
* Semgrep rule that runs as part of CI
* Remove extraneous certificate from OCSP response
Since the issuer used to sign the certificate also signs the OCSP
response, no additional information is added by sending the issuer again
in the certs field of the BasicOCSPResponse structure. Removing it saves
bytes and avoids confusing Go-based OCSP verifiers which cannot handle
the cert issuer being duplicated in the certs field.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
- This fix was incorrect as now the tests and program are double
URL encoding the OCSP GET requests, so the base64 + characters
when using Vault proper are becoming space characters.
* Use the unified CRL on legacy CRL paths if UnifiedCRLOnExistingPaths is set
- If the crl configuration option unified_crl_on_existing_paths is set
to true along with the unified_crl feature, provide the unified crl
on the existing CRL paths.
- Added some test helpers to help debugging, they are being used by
the ENT test that validates this feature.
* Rename method to shouldLocalPathsUseUnified
* Apply URL encoding/unencoding to OCSP Get requests
- Missed this during development and sadly the unit tests were written
at a level that did not expose this issue originally, there are
certain combinations of issuer cert + serial that lead to base64
data containing a '/' which will lead to the OCSP handler not getting
the full parameter.
- Do as the spec says, this should be treated as url-encoded data.
* Add cl
* Add higher level PKI OCSP GET/POST tests
* Rename PKI ocsp files to path_ocsp to follow naming conventions
* make fmt
