Refactor encryption funcs for the StoredBarrierKeysPath (root key).
Add new file seal_util.go to hold functions that perform seal wrapping and
unwrapping.
* Add ACME TLS-ALPN-01 Challenge validator to PKI
This adds support for verifying the last missing challenge type,
TLS-ALPN-01 challenges, using Go's TLS library. We wish to add this as
many servers (such as Caddy) support transparently renewing certificates
via this protocol, without influencing the contents of sites served.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Enable suggesting, validating tls-alpn-01 in PKI
Notably, while RFC 8737 is somewhat vague about what identifier types
can be validated with this protocol, it does restrict SANs to be only
DNSSans; from this, we can infer that it is not applicable for IP
typed identifiers. Additionally, since this must resolve to a specific
domain name, we cannot provision it for wildcard identifiers either.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix test expectations to allow ALPN challenges
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tls-alpn-01 as a supported challenge to docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test for tls-alpn-01 challenge verifier
This hacks the challenge engine to allow non-standard (non-443) ports,
letting us use a local server listener with custom implementation.
In addition to the standard test cases, we run:
- A test with a longer chain (bad),
- A test without a DNSSan (bad),
- A test with a bad DNSSan (bad),
- A test with some other SANs (bad),
- A test without a CN (good),
- A test without any leaf (bad), and
- A test without the extension (bad).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update builtin/logical/pki/acme_challenges.go
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
* Allow not specifying CN on CSR
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case validating behavior
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add notice about failure to validate
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
When writing DNS configs, make sure to push the zone file prior to
writing the reference to the zone in the named.conf.options file.
Otherwise, when adding the initial domain (or any subsequent domains,
which isn't really used by these tests), a race occurs between Docker,
writing the updated config files, and the bind daemon, detecting that
mtime has changed on the named.conf.options file and reloading it
and any referenced zone files.
This should fix the error seen in some tests:
> /etc/bind/named.conf:9: parsing failed: file not found
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix autopilot scenario failures
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
Signed-off-by: Mike Baum <mike.baum@hashicorp.com>
* use bash instead of sh in create logs dir shell script
* ensure to only enable the file audit device in the upgrade cluster of the autopilot scenario if the variable is enabled
---------
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
Signed-off-by: Mike Baum <mike.baum@hashicorp.com>
Co-authored-by: Mike Baum <mike.baum@hashicorp.com>
* Limit ACME issued certificates to a max of 90 days
- If the normal NotAfter date that is calculated from the mount/issuer/role TTL values is greater than 90 days, override the TTL value to a 90-day value.
* Add changelog
* clean up go compiler warnings
* remove unused field from backendEntry struct
remove function argument no longer needed
* add changelog record
* use context.Background instead of context.TODO
* Generate ACME EAB tokens that do not start with -
- To avoid people having issues copying EAB tokens and using them on command lines when they start with - from the base64 encoded values, append a prefix.
- Remove the key_bits data from the eab api, not really useful and now technically wrong
- Fix up some issues with tests not running in parallel.
- Update docs to reflect new EAB apis.
* Add ACME directory to the various EAB output APIs
* Update EAB token prefix to be divisable by 3
- Our decoded prefix was not divisable by 3, which meant the last
character might be tweaked by the rest of the input
* Attempt to resolve flaky test TestAcmeBasicWorkflow test
- Since we can't control the challenge engine, flush the validation records it leverages prior to manually updating the authorization/challenge statuses
```
path_acme_test.go:261: csr: &{[] [] [] [] 0 [] 0 0 <nil> CN=*.localdomain [] [] [] [localhost.localdomain *.localdomain] [] [] []}
path_acme_test.go:300:
Error Trace: /home/runner/actions-runner/_work/vault-enterprise/vault-enterprise/builtin/logical/pki/path_acme_test.go:300
Error: Received unexpected error:
403 urn:ietf:params:acme:error:orderNotReady: The request attempted to finalize an order that is not ready to be finalized: order is status pending, needs to be in ready state
Test: TestAcmeBasicWorkflow/role
Messages: failed finalizing order
```
* make fmt
* fix cluster/config actually saving doh
* add mkdown copy
* add acme config to edit form
* fix tests
* add empty state capabilities test
* add acceptance test for mixed permission save
* swap order to match form
* update copy
* make markdown changes
* fix y
* Change from default_role to default_directory_policy to allow future improvements.
* Helper functions
* Use the helper function and make fmt.
* Do not allow the zero-length role "".
* Semgrep doesn't like shadowing errors that are impossible to hit, so fix that.
* Add default to switch branches.
* Add/fix docs.
* Fix wrong requestedRole
* Fix ACME computed order status
* Return validation errors and status updates for authorizations
- We now populate the error field within challenges with the error results from the challenge
- Update the status of the challenge and authorizations to invalid when we give up on the challenge
- Verify that only a single challenge within a given authorization can be accepted to avoid race conditions.
- Saw a test failure when we generated an EAB key that started with -
```
acme_test.go:249: Certbot Issue Command: [certbot certonly
--no-eff-email --email certbot.client@dadgarcorp.com --eab-kid
0246913b-4382-10fc-bf57-b05f2dad0f13 --eab-hmac-key
-Avt5q_KUWWWL8slYJn_MdmiCA-jzvif6Tpt45gQNR0 --agree-tos --no-verify-ssl
--standalone --non-interactive --server
...
certbot: error: argument --eab-hmac-key: expected one argument
```
