380 Commits

Author SHA1 Message Date
divyaac
52ba156d47
Fix protoc issue (#28928) 2024-11-15 19:33:48 +00:00
divyaac
e21dfa6b1c
Store global clients at separate storage paths (#28926) 2024-11-15 19:15:41 +00:00
Steven Clark
95a16dbafe
PKI: Add a new leaf_not_after_behavior value to force erroring in all circumstances (#28907)
* PKI: Add a new leaf_not_after_behavior value to force erroring in all circumstances

 - We introduce a new value called `always_enforce_err` for the existing
   leaf_not_after_behavior on a PKI issuer. The new value will force us to
   error out all requests that have a TTL beyond the issuer's NotAfter value.

 - This will apply to leaf certificates issued through the API as did err,
   but now to CA issuance and ACME requests for which we previously changed
   the err configuration to truncate.

* Add cl

* Update UI test

* Fix changelog type
2024-11-15 11:59:54 -05:00
Steven Clark
2e4a30f914
Fail sign/verify apis when Ed25519ph/ctx arguments are provided on CE (#28838) 2024-11-06 12:23:14 -05:00
Steven Clark
e489631e87
Transit: Allow ENT only arguments for sign/verify. Add docs for new Ed25519 signature types (#28821) 2024-11-01 12:57:52 -04:00
Theron Voran
8f1850baa3
sdk: updating to docker v27.2.1 (#28456)
Also update to vault-testing-stepwise v0.3.2
2024-10-17 14:14:35 -07:00
Scott Miller
3c0656e4c4
Update marcellanz/transit_pkcs1v15 RSA encryption support (#25486)
* [transit-pkcs1v15] transit support for the pkcs1v15 padding scheme – without UI tests (yet).

* [transit-pkcs1v15] renamed padding_scheme parameter in transit documentation.

* [transit-pkcs1v15] add changelog file.

* [transit-pkcs1v15] remove the algorithm path as padding_scheme is chosen by parameter.

* Update ui/app/templates/components/transit-key-action/datakey.hbs

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

* Update ui/app/templates/components/transit-key-action/datakey.hbs

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

* Update ui/app/templates/components/transit-key-action/datakey.hbs

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Add warnings to PKCS1v1.5 usage

* Update transit

* Update transit, including separating encrypt/decrypt paddings for rewrap

* Clean up factory use in the presence of padding

* address review feedback

* remove defaults

* lint

* more lint

* Some fixes for UI issues

 - Fix padding scheme dropdown console error by adding values
   to the transit-key-actions.hbs
 - Populate both padding scheme drop down menus within rewrap,
   not just the one padding_scheme
 - Do not submit a padding_scheme value through POST for non-rsa keys

* Fix Transit rewrap API to use decrypt_padding_scheme, encrypt_padding_scheme

 - Map the appropriate API fields for the RSA padding scheme to the
   batch items within the rewrap API
 - Add the ability to create RSA keys within the encrypt API endpoint
 - Add test case for rewrap api that leverages the padding_scheme fields

* Fix code linting issues

* simply padding scheme enum

* Apply suggestions from code review

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

* Fix padding_scheme processing on data key api

 - The data key api was using the incorrect parameter name for
   the padding scheme
 - Enforce that padding_scheme is only used on RSA keys, we
   are punting on supporting it for managed keys at the moment.

* Add tests for parsePaddingSchemeArg

* Add missing copywrite headers

* Some small UI fixes

* Add missing param to datakey in api-docs

* Do not send padding_scheme for non-RSA key types within UI

* add UI tests for transit key actions form

---------

Co-authored-by: Marcel Lanz <marcellanz@n-1.ch>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
2024-10-09 09:30:14 -05:00
Ryan Cragun
b6145bc3bb
protobuf: rebuild protos with protobuf 1.35.1 (main) (#28617)
* protobuf: rebuild protos with protobuf 1.35.1
* protobuf: unpin protoc-gen-go-grpc on main

Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-10-07 14:54:51 -06:00
Scott Miller
bae00721d2
Don't add the error from validating via issuer signature if the subsequent verification from extraCas succeeds (#28597)
* Don't add the error from validating via issuer signature if the subsequent verification from extraCas succeeds

* changelog
2024-10-04 18:59:40 +00:00
Scott Miller
4515a016f7
Fix accidental debug logging in the OCSP helper client (#28450)
* Fix accidental debug logging in the OCSP helper client

* changelog
2024-09-23 18:17:11 +00:00
Scott Miller
cda20e39b1
Ferry ocsp_ca_certificates over the OCSP ValidationConf (#28309)
* Ferry ocsp_ca_certificates over the OCSP ValidationConf

* changelog

* First check issuer, then check extraCAS

* Use the correct cert when the signature validation from issuer succeeds

* Validate via extraCas in the cert missing case as well

* dedupe logic

* remove CA test
2024-09-11 09:57:27 -05:00
Kit Haines
edf6851eb4
Key Usage Enablement for Ent-Feature CMPv2 (#28237)
* Key Usage Enablement for Ent-Feature CMPv2
2024-08-30 17:05:20 +00:00
Paul Banks
bb5f658c57
Allow explicit metric registration. Fixes #11732 (#27966)
* Register ha timing metrics. Fixes #11732

* Add CHANGELOG

* Fix copywrite headers

* Relicence SDK files after move

* Update vault/ha.go
2024-08-30 14:54:57 +00:00
kpcraig
dc81de7ec8
Easy go-jose updates (the codeless[ish] ones) (#28140) 2024-08-21 14:25:07 -04:00
gkoutsou
255db7aab1
Add ENVs using NewTestDockerCluster (#27457)
* Add ENVs using NewTestDockerCluster

Currently NewTestDockerCluster had no means for setting any
environment variables. This makes it tricky to create tests
for functionality that requires them, like having to set
AWS environment variables.

DockerClusterOptions now exposes an option to pass extra
environment variables to the containers, which are appended
to the existing ones.

* adding changelog

* added test case for setting env variables to containers

* fix changelog typo; env name

* Update changelog/27457.txt

Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>

* adding the missing copyright

---------

Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
2024-08-16 13:18:47 -07:00
Peter Wilson
1af9819744
add iptables (#28031) 2024-08-08 11:59:26 +00:00
John-Michael Faircloth
899ebd4aff
db/postgres: add feature flag protected sslinline configuration (#27871)
* adds sslinline option to postgres conn string
* for database secrets type postgres, inspects the connection string for sslinline and generates a tlsconfig from the connection string.

* support fallback hosts

* remove broken multihost test

* bootstrap container with cert material

* overwrite pg config and set key file perms

* add feature flag check

* add tests

* add license and comments

* test all ssl modes

* add test cases for dsn (key/value) connection strings

* add fallback test cases

* fix error formatting

* add test for multi-host when using pgx native conn url parsing

---------

Co-authored-by: Branden Horiuchi <Branden.Horiuchi@blackline.com>
2024-08-01 11:43:54 -05:00
Steven Clark
7049424c16
Allow SignCert callers to override CSR signature checks (#27914)
- We are leveraging this new feature flag to ignore the CSR's
   signature as we are constructing a CSR based on the information
   from a CMPv2 message.
2024-07-30 12:20:10 -04:00
idnandre
e26c246cbb
chore: fix deprecated ioutil readall (#27823)
Signed-off-by: idnandre <andre@idntimes.com>
2024-07-30 09:18:24 -04:00
Steven Clark
054f5b182a
Return the proper serial number in OCSP verification errors (#27696)
* Return the proper serial number in OCSP verification errors

 - We returned the issuer's certificate number instead of the serial
   number of the actual certificate we validated from an OCSP request.

 - The problematic serial number within the error is never shown
   currently in Vault. The only user of this library is cert-auth
   which swallows errors around revoked certificates and returns
   a boolean false instead of the actual error message.

* Add cl

* Use previously formatted serial in error msg
2024-07-09 09:03:34 -04:00
Violet Hynes
fd884ad1a0
Removal of go-testing-interface (CE changes) (#27578)
* Removal of go-testing-interface CE changes

* CE only fine

* Changelog

* Changelog
2024-07-04 11:09:41 -04:00
Steven Clark
d152de025d
Pin generated proto files to 1.34.2 (#27438) 2024-06-11 12:29:45 -04:00
Ryan Cragun
1c4aa5369e
proto: rebuild with the latest protoc-gen-go (#27331)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-06-03 12:02:02 -06:00
Rémi Lapeyre
f8eb0154d4
Fix case handling in policyutil.EquivalentPolicies() (#16484)
The previous logic would not normalize casing before comparing
the policy names which meant that a token associated to a policy with
an uppercase could not be renewed for the following auth methods:

  - AppID
  - Cert
  - GitHub
  - LDAP
  - Okta
  - Radius
  - Userpass

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2024-05-31 09:58:03 -04:00
Rachel Culpepper
0b02c5d56c
Fix ed25519 key type in ca_util (#27093)
* fix ed25519 key type

* add changelog

* fix other case and add tests

* add other test

* add headers
2024-05-22 09:27:45 -05:00
Steven Clark
e9f9e7d7f0
Do not generate HMAC keys for CMAC keys on calls to Upgrade (#27156)
* Do not generate HMAC keys for CMAC keys on calls to Upgrade

 - Missed during the initial development of the Transit CMAC feature,
   on initial key creation we did not generate HMAC keys when the key
   type was CMAC. The call to the policy's Upgrade function though
   would treat this key as requiring an upgrade and add one back.
 - Fix this by adding an HMACSupported argument and verifying
   on upgrade for HMAC creation that the key type supports HMAC
 - Add generic test that verifies we aren't changing a key type iota
   value, string it defined and the proper operation of HMACSupported
   and CMACSupported functions

* Add warning to test variable
2024-05-21 16:12:01 +00:00
Violet Hynes
b5d3c213bb
Update docker to v25.0.5+incompatible (#26953)
* Update docker to v26.1.2+incompatible

* go mod tidy

* Some docker updates

* Update to 25.0.5 instead

* Fix go.mod weirdness
2024-05-13 11:34:17 -04:00
Mike Palmiotto
2d75711019
make proto 1.34.1 (#26856) 2024-05-07 14:33:18 +00:00
Ryan Cragun
5d763ac052
proto: rebuild with the latest protoc-gen-go (#26698)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-04-30 13:05:49 -06:00
Paul Banks
c839854483
Overload error support for Adaptive Overload Protection (Enterprise) (#26688)
* Overload error support for Enterprise

* Remove TODO comment
2024-04-29 22:11:23 +01:00
miagilepner
46cd5bbf32
VAULT-24582: Refactor precomputed query worker to support ACME regeneration (#26364)
* refactor and add tests

* fix write options

* forgot that this endpoint was testonly

* refactor the refactor

* fix test failures and rename variable
2024-04-29 14:28:37 +02:00
Rachel Culpepper
d2aad917bb
vault-24958: add cmac key types for import and export (#26610)
* add cmac key types to export

* set rsa public key and add cmac key types for wrapping

* add cmac types to import and export

* add cmac export key type

* fix import key type

* add cmac to policy import

* add enterprise checks

* fix imports
2024-04-24 08:13:19 -05:00
Steven Clark
ff500ca1c3
Add Transit CMAC stubs in CE (#26552) 2024-04-22 13:19:04 -04:00
Rachel Culpepper
9ebcbf6a0c
vault-24597: add key types and key creation for CMAC (#25967)
* add key types for cmac for transit key creation

* add test for key creation

* fix test logic and add cases

* fix logic for hmac

* add go doc

* fix key size and add check for HMAC key
2024-04-19 09:39:59 -05:00
Violet Hynes
85ed817034
VAULT-20405 chunk decompression to prevent loading full decompressed data into memory at once (#26464)
* VAULT-20405 chunk decompression to prevent loading full decompressed data into memory at once

* Add changelog
2024-04-18 10:13:56 -04:00
Christopher Swenson
961bf20bdb
Use enumer to generate String() methods for most enums (#25705)
We have many hand-written String() methods (and similar) for enums.
These require more maintenance and are more error-prone than using
automatically generated methods. In addition, the auto-generated
versions can be more efficient.

Here, we switch to using https://github.com/loggerhead/enumer, itself
a fork of https://github.com/diegostamigni/enumer, no longer maintained,
and a fork of the mostly standard tool
https://pkg.go.dev/golang.org/x/tools/cmd/stringer.
We use this fork of enumer for Go 1.20+ compatibility and because
we require the `-transform` flag to be able to generate
constants that match our current code base.

Some enums were not targeted for this change:
2024-04-17 11:14:14 -07:00
Luis (LT) Carbonell
751ebeb065
add deadlock detection in barrier and sealwrap (#26198)
* add deadlock detection in barrier and sealwrap
2024-04-09 14:56:57 +00:00
John-Michael Faircloth
7d575bf979
auth/ldap: fix login errors (#26200)
* auth/ldap: fix login errors

This fixes 2 ldap auth login errors

* Missing entity alias attribute value
  * Vault relies on case insensitive user attribute keys for mapping user
    attributes to entity alias metadata. This sets the appropriate
    configs in the cap library.

* ldap group search anonymous bind regression
  * Anonymous group searches can be rejected by some LDAP servers if
    they contain a userDN. This sets the configs in the cap library to
    specify that unauthenticated binds for anonymous group searches should
    exclude a DN.

Closes https://github.com/hashicorp/vault/issues/26171
Closes https://github.com/hashicorp/vault/issues/26183

* changelog

* go mod tidy

* go get cap/ldap@latest and go mod tidy
2024-03-28 13:45:43 -05:00
Violet Hynes
da00addcb6
VAULT-20396 Add limit of 100,000 to string templates (#26110)
* VAULT-20396 Add size limit to sdk string templates

* VAULT-20396 wording changes

* VAULT-20396 changelog
2024-03-25 10:04:12 -04:00
BiKangNing
f8ad26c89f
chore: fix function names (#26087)
Signed-off-by: depthlending <bikangning@outlook.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2024-03-22 12:43:01 -04:00
Steven Clark
2fe676e75b
Validate OCSP response is signed by expected issuer (#26091)
* Validate OCSP response is signed by expected issuer and serial number matches request

 - There was a bug in the OCSP response signature logic, it properly
   verified but kept the ocspRes object around so we ignored
   the errors found and passed the response object back up the stack.
 - Now extract the verification logic into a dedicated function, if
   it returns an error, blank the ocspRes response as we can't trust it.
 - Address an issue that the OCSP requests from multiple servers were
   clobbering each other's responses as the index loop variable was not
   properly captured.
 - Add a missing validation that the response was for the serial number
    we requested

* Add cl
2024-03-22 09:28:02 -04:00
Steven Clark
6fca34eace
Proceed with cert auth login attempts if ocsp_fail_open is true and servers are unreachable (#25982) 2024-03-19 10:39:37 -04:00
Steven Clark
5785191067
Support OCSP responses without NextUpdate field set (#25912)
* Support OCSP responses without a NextUpdate value set

 - Validate that the ThisUpdate value is
   properly prior to our current time and,
   if NextUpdate is set, that ThisUpdate is
   before NextUpdate.
 - If we don't have a value for NextUpdate just compare against ThisUpdate.

* Add ocsp_this_update_max_ttl support to cert auth

 - Allow configuring a maximum TTL of the OCSP response based on the
   ThisUpdate time like OpenSSL does
 - Add test to validate that we don't cache OCSP responses with no NextUpdate

* Add cl

* Add missing ` in docs

* Rename ocsp_this_update_max_ttl to ocsp_this_update_max_age

* Missed a few TTL references

* Fix error message
2024-03-18 18:12:37 -04:00
Steven Clark
94d42235cf
Address OCSP client caching issue (#25986)
* Address OCSP client caching issue

 - The OCSP cache built into the client that is used by cert-auth
   would cache the responses but when pulling out a cached value the
   response wasn't validating properly and was then thrown away.

 - The issue was around a confusion of the client's internal status
   vs the Go SDK OCSP status integer values.

 - Add a test that validates the cache is now used

* Add cl

* Fix PKI test failing now due to the OCSP cache working

 - Remove the previous lookup before revocation as now the OCSP
   cache works so we don't see the new revocation as we are actually
   leveraging the cache
2024-03-18 19:11:14 +00:00
Rachel Culpepper
a1d72f2426
Vault-22903: add option to disable TLS in test clusters (#25764)
* add option to disable TLS in test clusters

* add nil check

* change nil check

* fix cluster_addr
2024-03-11 11:59:36 -05:00
Ryan Cragun
981aeabab0
lint: fix proto delta and simports (#25825)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-03-07 18:10:51 +00:00
divyaac
c467620740
Redacted Information With Valid Token (#25735) 2024-03-01 13:20:31 -05:00
Austin Gebauer
df57ff46ff
Add stubs for plugin WIF (#25657)
* Add stubs for plugin wif

* add header to sdk file

* drop changelog to move it

* fix test
2024-02-27 12:10:43 -08:00
divyaac
3132592c19
Added exponential backoff (#25497)
* Applied Patch

* Added changelog

* Edited changelog

* Added constants to be shared

* Edited changelog verbiage

* Removed copy and paste error

* Moved the constants

* Fixed static checks
2024-02-20 11:42:59 -08:00
Nick Cabatoff
b5cbc8b986
Add replication.SetCorePerf to create a ReplicationSet using NewTestCluster (#25381) 2024-02-16 09:00:47 -05:00