mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-14 10:37:00 +02:00
Code Issues Projects Releases Wiki Activity
16,298 Commits 2,842 Branches 445 Tags 448 MiB
3d794050ff
Commit Graph

166 Commits

Author SHA1 Message Date
ncabatoff
04fa50cc0a Fix #5973 on windows by disregarding errors when querying legacy cert path. (#6013) 2019-01-08 18:08:21 -08:00
Jim Kalafut
a54603039d Run goimports across the repository (#6010) 
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
 2019-01-08 16:48:57 -08:00
Jeff Mitchell
1200c98b59
Re-add default NotBefore duration in PKI (#5482) 
Fixes #5481
 2018-10-10 09:42:37 -04:00
Jeff Mitchell
a9dd2d3996
Set allowed OIDs to any value when generaing a CA. (#5462) 
* Set allowed OIDs to any value when generaing a CA.

Also, allow utf-8 in addition to utf8 as the OID type specifier, and
allow `*` to specify any OID of a supported type.

* Update PKI docs
 2018-10-08 09:51:43 -04:00
sk4ry
58c6c03398 Add ability to configure the NotBefore property of certificates in role api (#5325) 
* Add ability to configure the NotBefore property of certificates in role api

* Update index.html.md

* converting field to time.Duration

* setting default back to 30s

* renaming the parameter not_before_duration to differentiate between the NotBefore datetime on the cert

* Update description
 2018-10-02 11:10:43 -04:00
Jim Kalafut
71473405f0
Switch to strings.EqualFold (#5284) 2018-09-11 16:22:29 -07:00
Jeff Mitchell
4c1e0ca102
Fix sign-verbatim PKI endpoint not honoring extra subject names (#5245) 
Related to #2394
 2018-09-01 09:08:45 -07:00
Jeff Mitchell
96800455df
Use Go's in-built permitted DNS domain logic (#4908) 
Fixes #4863
 2018-07-11 17:35:46 -04:00
Jeff Mitchell
0883dc3e0b
Fix permitted dns domain handling (#4905) 
It should not require a period to indicate subdomains being allowed

Fixes #4863
 2018-07-11 12:44:49 -04:00
Mr Talbot
042b9d4715 pki: add ext_key_usage to mirror key_usage and add to sign-verbatim (#4777) 
* pki: add ext_key_usage parameter to role

* pki: add key_usage and ext_key_usage parameter to sign-verbatim

* pki: cleanup code as per comments
 2018-06-15 18:20:43 -04:00
Jeff Mitchell
6951b70dd9
Add URI SANs (#4767) 2018-06-15 15:32:25 -04:00
Marcin Wielgoszewski
a8f343c32e Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-04 23:18:39 -04:00
Alex Ionescu
33ec066278 Custom extended key usage for PKI. (#4667) 
Custom extended key usage for PKI
 2018-06-01 09:13:54 -04:00
Jeff Mitchell
157a14e7f9
Fix role writing not allowing key_type of any (#4596) 
Fixes #4595
 2018-05-19 10:24:43 -07:00
Jeff Mitchell
187c051ef3
Update PKI to natively use time.Duration (#4493) 
* Update PKI to natively use time.Duration

Among other things this now means PKI will output durations in seconds
like other backends, instead of as Go strings.

* Add a warning when refusing to blow away an existing root instead of just returning success

* Fix another issue found while debugging this...

The reason it wasn't caught on tests in the first place is that the ttl
and max ttl were only being compared if in addition to a provided csr, a
role was also provided. This was because the check was in the role !=
nil block instead of outside of it. This has been fixed, which made the
problem occur in all sign-verbatim cases and the changes in this PR have
now verified the fix.
 2018-05-09 10:29:54 -04:00
Robison Jacka
c642eb5856 Iterating over CSR extensions, and skipping BasicConstraints, since those should be defined by the endpoint that's performing the signing. (#4469) 2018-05-01 11:22:49 -04:00
Jeff Mitchell
b6513c1ddc
1.10 Updates (#4218) 2018-03-29 15:32:16 -04:00
Josh Soref
e43b76ef97 Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell
904a3a1bab
Add ability to set CA:true when generating intermediate CSR. (#4163) 
Fixes #3883
 2018-03-20 10:09:59 -04:00
Rémi Pauchet
6cd5f1d0cc Support certificate policies in the pki backend (#4125) 2018-03-19 22:05:21 -04:00
Jeff Mitchell
07e32b8136
More cleanup of TTL handling in PKI (#4158) 
* Max role's max_ttl parameter a TypeDurationString like ttl
* Don't clamp values at write time in favor of evaluating at issue time,
as is the current best practice
* Lots of general cleanup of logic to fix missing cases
 2018-03-19 21:01:41 -04:00
Jeff Mitchell
a4a6758942
Codify using strings.Join and strings.TrimSpace around PEM handling to ensure newline sanity (#4148) 
Fixes #4136
 2018-03-18 16:00:51 -04:00
Jeff Mitchell
f54832b10a *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10" 
This partially reverts commit 83f6b21d3e.
 2018-02-22 20:15:56 -05:00
Jeff Mitchell
83f6b21d3e Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Jeff Mitchell
fbcad150aa Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Jeff Mitchell
a43a854740
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Jeff Mitchell
07f8ebbbf6
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell
71336d3596 Fix compile 2018-02-09 14:04:05 -05:00
Vishal Nayak
58cab5f59f added a flag to make common name optional if desired (#3940) 
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
 2018-02-09 13:42:19 -05:00
Brian Kassouf
8142b42d95 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Chris Hoffman
3653e4bf1b
Converting OU and Organization role fields to CommaStringSlice (#3804) 2018-01-17 11:53:49 -05:00
Chris Hoffman
628153979a
Converting key_usage and allowed_domains in PKI to CommaStringSlice (#3621) 2017-12-11 13:13:35 -05:00
Jeff Mitchell
33cf98026e
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Jeff Mitchell
2c6e64226c Tests were not actually forcing the intermediate to have a longer TTL 
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
 2017-09-14 22:49:04 -04:00
Jeff Mitchell
f970aea9f8 Change behavior of TTL in sign-intermediate (#3325) 
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
 2017-09-13 11:42:45 -04:00
Jeff Mitchell
4ad96d9513 Add pki/root/sign-self-issued. (#3274) 
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
 2017-08-31 23:07:15 -04:00
Jeff Mitchell
f3a3e5ad8f Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Jeff Mitchell
e6b43f7278 Add permitted dns domains to pki (#3164) 2017-08-15 16:10:36 -04:00
Calvin Leung Huang
207983f526 Minor comment update on cert_util 2017-05-03 16:13:54 -04:00
Chris Hoffman
cf4ef59477 Merge pull request #2575 from hashicorp/pki-colons-to-hyphens 
Change storage of PKI entries from colons to hyphens
 2017-05-03 15:07:15 -04:00
Chris Hoffman
29e5ce66bb Minor readability enhancements for migration path from old to new 2017-05-03 14:58:22 -04:00
Calvin Leung Huang
96bcd50de0 Include and use normalizeSerial func 2017-05-03 10:12:58 -04:00
Calvin Leung Huang
8c03765bb5 Use variables for string replacements on cert_util 2017-05-02 14:11:57 -04:00
Justin Gerace
2e8e9ed02d Add globbing support to the PKI backend's allowed_domains list (#2517) 2017-05-01 10:40:18 -04:00
Vishal Nayak
c947e31d1b Return error message for failure to parse CSR (#2657) 2017-04-28 08:30:24 -04:00
Calvin Leung Huang
38a01b8e1b Refactor cert_util_test 2017-04-27 17:09:59 -04:00
Chris Hoffman
d6edfc2a25 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Jeff Mitchell
85b92811ab Update sign-verbatim to correctly set generate_lease (#2593) 2017-04-18 15:54:31 -04:00
Jeff Mitchell
dba2de57de Change storage of entries from colons to hyphens and add a 
lookup/migration path

Still TODO: tests on migration path

Fixes #2552
 2017-04-18 11:14:23 -04:00
Jeff Mitchell
f92b173295 Verify that a CSR specifies IP SANs before checking whether it's allowed (#2574) 2017-04-13 13:40:31 -04:00
Jeff Mitchell
cfd522e0f0 Use ParseStringSlice on PKI organization/organizational unit. (#2561) 
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
 2017-04-04 08:54:18 -07:00
Jeff Mitchell
3f67ab489a Ensure CN check is made when exclude_cn_from_sans is used 
Fixes #2363
 2017-03-16 11:41:13 -04:00
Jeff Mitchell
688104e69a Allow roles to specify whether CSR SANs should be used instead of (#2489) 
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
 2017-03-15 14:38:18 -04:00
Jeff Mitchell
799000be20 Set CA chain when intermediate does not have an authority key ID. 
This is essentially an approved review of the code provided in #2465.

Fixes #2465
 2017-03-15 11:52:02 -04:00
Jeff Mitchell
28883acc16 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell
5e5d9baabe Add Organization support to PKI backend. (#2380) 
Fixes #2369
 2017-02-16 01:04:29 -05:00
joe miller
90e32515ea allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
Chris Hoffman
10c8024fa3 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Vincent Batoufflet
38a30a92e3 Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
vishalnayak
ddb6ae18a0 Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
cara marie
8b11798807 removed option to create 1024 keybitlength certs 2016-06-28 16:56:14 -04:00
Jeff Mitchell
cd41344685 Add some more testing 2016-06-23 09:49:03 -04:00
Jeff Mitchell
48bd5db7af Set some basic key usages by default. 
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.

Fixes #1476
 2016-06-22 16:08:24 -04:00
Jeff Mitchell
13a778ab92 Revert "Use x509 package ext key usage instead of custom type" 
This reverts commit 0b2d8ff475.
 2016-06-22 13:07:31 -04:00
Jeff Mitchell
0b2d8ff475 Use x509 package ext key usage instead of custom type 2016-06-22 11:51:32 -04:00
Jeff Mitchell
7ffa7deb92 Do some internal renaming in PKI 2016-06-22 11:39:57 -04:00
Jeff Mitchell
2bc8cf4583 Remove check for using CSR values with non-CA certificate. 
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.

Fixes #1250
 2016-03-23 10:05:38 -04:00
Jeff Mitchell
5b0d85dbf3 Add ability to exclude adding the CN to SANs. 
Fixes #1220
 2016-03-17 16:28:40 -04:00
Jeff Mitchell
4cdc44bab5 Add revocation information to PKI fetch output (non-raw only). 
Fixes #1180
 2016-03-07 10:57:38 -05:00
Jeff Mitchell
d993993f18 Better handle errors from fetchCertBySerial 2016-02-22 10:36:26 -05:00
Jeff Mitchell
5da2949d45 Check role key type and bits when signing CSR. 
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
 2016-02-19 20:50:49 -05:00
Jeff Mitchell
ac3191ad02 Disallow 1024-bit RSA keys. 
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
 2016-02-19 14:33:02 -05:00
vishalnayak
3bad2a3af0 Pki: Respond user error when cert is not found instead of internal error 2016-02-16 17:58:57 -05:00
Jeff Mitchell
122773ba71 Add slack on NotBefore value for generated certs. 
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.

Fixes #1035
 2016-02-07 14:00:03 -05:00
Jeff Mitchell
7fb8db2e6c Allow the format to be specified as pem_bundle, which creates a 
concatenated PEM file.

Fixes #992
 2016-02-01 13:19:41 -05:00
Jeff Mitchell
99f193811a Only specify cert sign / CRL sign for CAs and only specify extended key 
usages for clients.

This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.

Fixes #987
 2016-01-29 10:26:35 -05:00
Jeff Mitchell
29f04250ff Built on GH-890 to add other types 2015-12-29 13:07:24 -05:00
Issac Goldstand
6149e1256e fix CA compatibility with OpenSSL 2015-12-29 18:52:43 +02:00
Jeff Mitchell
555d621a2f Update key usage logic 
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
  Windows Crypto API and Go's validation logic

Fixes #846
 2015-12-14 14:23:51 -05:00
Jeff Mitchell
bd03d3c422 Change allowed_base_domain to allowed_domains and allow_base_domain to 
allow_bare_domains, for comma-separated multi-domain support.
 2015-11-30 23:49:11 -05:00
Jeff Mitchell
6342699da3 Greatly simplify and fix the name validation function, as well as fully 
comment it.
 2015-11-23 14:15:32 -05:00
Jeff Mitchell
7eed5db86f Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell
4f2f7a0e3b Mostly revert changes to certutil as the embedded struct stuff was being 
problematic.
 2015-11-19 14:18:39 -05:00
Jeff Mitchell
3437af0711 Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
b5423493ca Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell
129235ba2e Fix zero path length handling, and move common field defs elsewhere 2015-11-19 09:51:18 -05:00
Jeff Mitchell
636fad0180 Fix logic around zero path length -- only restrict issuing intermediate CAs in this case 2015-11-19 09:51:18 -05:00
Jeff Mitchell
237285e822 Address some feedback from review 2015-11-19 09:51:18 -05:00
Jeff Mitchell
cf148d8cc6 Large documentation updates, remove the pathlength path in favor of 
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
 2015-11-19 09:51:18 -05:00
Jeff Mitchell
29d1f5030e Add path length paths and unit tests to verify same. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
7f12ac0026 Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
a763391615 Change a few checks on names: 
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).

- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.

Also, fix a nil pointer issue.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f8deb998ed Add config/urls CRUD operations to get and set the URLs encoded into 
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
aae434576f Change use_csr_subject to use_csr_values; copy not only the subject, but 
also the alternate names and the extensions over as well.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
e8f1e8eb98 Remove setting serial number in the pkix Subject 2015-11-19 09:51:17 -05:00
Jeff Mitchell
a093508ceb Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR 2015-11-19 09:51:17 -05:00
Jeff Mitchell
03e4ab785d Add capability to use the CSR's common name (by default for CA CSRs if 
no common_name parameter is given, role-controlled for non-CA CSRs).

Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
4e73187837 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f46b5b90c7 Fix otto import of uuid 2015-11-19 09:51:17 -05:00
Jeff Mitchell
76f94fe49b Cleanup, and add ability to sign CA CSRs that aren't destined for Vault 2015-11-19 09:51:17 -05:00