mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-11 09:07:00 +02:00
Code Issues Projects Releases Wiki Activity
14,920 Commits 2,838 Branches 445 Tags 444 MiB
6f6e901b0a
Commit Graph

144 Commits

Author SHA1 Message Date
Jeff Mitchell
f54832b10a *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10" 
This partially reverts commit 83f6b21d3e.
 2018-02-22 20:15:56 -05:00
Jeff Mitchell
83f6b21d3e Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Jeff Mitchell
fbcad150aa Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Jeff Mitchell
a43a854740
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Jeff Mitchell
07f8ebbbf6
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell
71336d3596 Fix compile 2018-02-09 14:04:05 -05:00
Vishal Nayak
58cab5f59f added a flag to make common name optional if desired (#3940) 
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
 2018-02-09 13:42:19 -05:00
Brian Kassouf
8142b42d95 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Chris Hoffman
3653e4bf1b
Converting OU and Organization role fields to CommaStringSlice (#3804) 2018-01-17 11:53:49 -05:00
Chris Hoffman
628153979a
Converting key_usage and allowed_domains in PKI to CommaStringSlice (#3621) 2017-12-11 13:13:35 -05:00
Jeff Mitchell
33cf98026e
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Jeff Mitchell
2c6e64226c Tests were not actually forcing the intermediate to have a longer TTL 
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
 2017-09-14 22:49:04 -04:00
Jeff Mitchell
f970aea9f8 Change behavior of TTL in sign-intermediate (#3325) 
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
 2017-09-13 11:42:45 -04:00
Jeff Mitchell
4ad96d9513 Add pki/root/sign-self-issued. (#3274) 
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
 2017-08-31 23:07:15 -04:00
Jeff Mitchell
f3a3e5ad8f Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Jeff Mitchell
e6b43f7278 Add permitted dns domains to pki (#3164) 2017-08-15 16:10:36 -04:00
Calvin Leung Huang
207983f526 Minor comment update on cert_util 2017-05-03 16:13:54 -04:00
Chris Hoffman
cf4ef59477 Merge pull request #2575 from hashicorp/pki-colons-to-hyphens 
Change storage of PKI entries from colons to hyphens
 2017-05-03 15:07:15 -04:00
Chris Hoffman
29e5ce66bb Minor readability enhancements for migration path from old to new 2017-05-03 14:58:22 -04:00
Calvin Leung Huang
96bcd50de0 Include and use normalizeSerial func 2017-05-03 10:12:58 -04:00
Calvin Leung Huang
8c03765bb5 Use variables for string replacements on cert_util 2017-05-02 14:11:57 -04:00
Justin Gerace
2e8e9ed02d Add globbing support to the PKI backend's allowed_domains list (#2517) 2017-05-01 10:40:18 -04:00
Vishal Nayak
c947e31d1b Return error message for failure to parse CSR (#2657) 2017-04-28 08:30:24 -04:00
Calvin Leung Huang
38a01b8e1b Refactor cert_util_test 2017-04-27 17:09:59 -04:00
Chris Hoffman
d6edfc2a25 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Jeff Mitchell
85b92811ab Update sign-verbatim to correctly set generate_lease (#2593) 2017-04-18 15:54:31 -04:00
Jeff Mitchell
dba2de57de Change storage of entries from colons to hyphens and add a 
lookup/migration path

Still TODO: tests on migration path

Fixes #2552
 2017-04-18 11:14:23 -04:00
Jeff Mitchell
f92b173295 Verify that a CSR specifies IP SANs before checking whether it's allowed (#2574) 2017-04-13 13:40:31 -04:00
Jeff Mitchell
cfd522e0f0 Use ParseStringSlice on PKI organization/organizational unit. (#2561) 
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
 2017-04-04 08:54:18 -07:00
Jeff Mitchell
3f67ab489a Ensure CN check is made when exclude_cn_from_sans is used 
Fixes #2363
 2017-03-16 11:41:13 -04:00
Jeff Mitchell
688104e69a Allow roles to specify whether CSR SANs should be used instead of (#2489) 
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
 2017-03-15 14:38:18 -04:00
Jeff Mitchell
799000be20 Set CA chain when intermediate does not have an authority key ID. 
This is essentially an approved review of the code provided in #2465.

Fixes #2465
 2017-03-15 11:52:02 -04:00
Jeff Mitchell
28883acc16 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell
5e5d9baabe Add Organization support to PKI backend. (#2380) 
Fixes #2369
 2017-02-16 01:04:29 -05:00
joe miller
90e32515ea allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
Chris Hoffman
10c8024fa3 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Vincent Batoufflet
38a30a92e3 Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
vishalnayak
ddb6ae18a0 Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
cara marie
8b11798807 removed option to create 1024 keybitlength certs 2016-06-28 16:56:14 -04:00
Jeff Mitchell
cd41344685 Add some more testing 2016-06-23 09:49:03 -04:00
Jeff Mitchell
48bd5db7af Set some basic key usages by default. 
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.

Fixes #1476
 2016-06-22 16:08:24 -04:00
Jeff Mitchell
13a778ab92 Revert "Use x509 package ext key usage instead of custom type" 
This reverts commit 0b2d8ff475.
 2016-06-22 13:07:31 -04:00
Jeff Mitchell
0b2d8ff475 Use x509 package ext key usage instead of custom type 2016-06-22 11:51:32 -04:00
Jeff Mitchell
7ffa7deb92 Do some internal renaming in PKI 2016-06-22 11:39:57 -04:00
Jeff Mitchell
2bc8cf4583 Remove check for using CSR values with non-CA certificate. 
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.

Fixes #1250
 2016-03-23 10:05:38 -04:00
Jeff Mitchell
5b0d85dbf3 Add ability to exclude adding the CN to SANs. 
Fixes #1220
 2016-03-17 16:28:40 -04:00
Jeff Mitchell
4cdc44bab5 Add revocation information to PKI fetch output (non-raw only). 
Fixes #1180
 2016-03-07 10:57:38 -05:00
Jeff Mitchell
d993993f18 Better handle errors from fetchCertBySerial 2016-02-22 10:36:26 -05:00
Jeff Mitchell
5da2949d45 Check role key type and bits when signing CSR. 
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
 2016-02-19 20:50:49 -05:00
Jeff Mitchell
ac3191ad02 Disallow 1024-bit RSA keys. 
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
 2016-02-19 14:33:02 -05:00
vishalnayak
3bad2a3af0 Pki: Respond user error when cert is not found instead of internal error 2016-02-16 17:58:57 -05:00
Jeff Mitchell
122773ba71 Add slack on NotBefore value for generated certs. 
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.

Fixes #1035
 2016-02-07 14:00:03 -05:00
Jeff Mitchell
7fb8db2e6c Allow the format to be specified as pem_bundle, which creates a 
concatenated PEM file.

Fixes #992
 2016-02-01 13:19:41 -05:00
Jeff Mitchell
99f193811a Only specify cert sign / CRL sign for CAs and only specify extended key 
usages for clients.

This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.

Fixes #987
 2016-01-29 10:26:35 -05:00
Jeff Mitchell
29f04250ff Built on GH-890 to add other types 2015-12-29 13:07:24 -05:00
Issac Goldstand
6149e1256e fix CA compatibility with OpenSSL 2015-12-29 18:52:43 +02:00
Jeff Mitchell
555d621a2f Update key usage logic 
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
  Windows Crypto API and Go's validation logic

Fixes #846
 2015-12-14 14:23:51 -05:00
Jeff Mitchell
bd03d3c422 Change allowed_base_domain to allowed_domains and allow_base_domain to 
allow_bare_domains, for comma-separated multi-domain support.
 2015-11-30 23:49:11 -05:00
Jeff Mitchell
6342699da3 Greatly simplify and fix the name validation function, as well as fully 
comment it.
 2015-11-23 14:15:32 -05:00
Jeff Mitchell
7eed5db86f Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell
4f2f7a0e3b Mostly revert changes to certutil as the embedded struct stuff was being 
problematic.
 2015-11-19 14:18:39 -05:00
Jeff Mitchell
3437af0711 Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
b5423493ca Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell
129235ba2e Fix zero path length handling, and move common field defs elsewhere 2015-11-19 09:51:18 -05:00
Jeff Mitchell
636fad0180 Fix logic around zero path length -- only restrict issuing intermediate CAs in this case 2015-11-19 09:51:18 -05:00
Jeff Mitchell
237285e822 Address some feedback from review 2015-11-19 09:51:18 -05:00
Jeff Mitchell
cf148d8cc6 Large documentation updates, remove the pathlength path in favor of 
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
 2015-11-19 09:51:18 -05:00
Jeff Mitchell
29d1f5030e Add path length paths and unit tests to verify same. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
7f12ac0026 Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
a763391615 Change a few checks on names: 
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).

- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.

Also, fix a nil pointer issue.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f8deb998ed Add config/urls CRUD operations to get and set the URLs encoded into 
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
aae434576f Change use_csr_subject to use_csr_values; copy not only the subject, but 
also the alternate names and the extensions over as well.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
e8f1e8eb98 Remove setting serial number in the pkix Subject 2015-11-19 09:51:17 -05:00
Jeff Mitchell
a093508ceb Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR 2015-11-19 09:51:17 -05:00
Jeff Mitchell
03e4ab785d Add capability to use the CSR's common name (by default for CA CSRs if 
no common_name parameter is given, role-controlled for non-CA CSRs).

Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
4e73187837 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f46b5b90c7 Fix otto import of uuid 2015-11-19 09:51:17 -05:00
Jeff Mitchell
76f94fe49b Cleanup, and add ability to sign CA CSRs that aren't destined for Vault 2015-11-19 09:51:17 -05:00
Jeff Mitchell
c33c43620f Add tests for intermediate signing and CRL, and fix a couple things 
Completes extra functionality.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
e45af0a17b Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell
10c2b9f76b Handle email address alternative names, fix up tests, fix up logic around name verification 2015-11-19 09:51:17 -05:00
Jeff Mitchell
41799529f7 Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN 2015-11-19 09:51:17 -05:00
Jeff Mitchell
4cf1508898 Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored 2015-11-19 09:51:17 -05:00
Jeff Mitchell
62049cd059 Add sign method (untested) 2015-11-19 09:51:17 -05:00
Jeff Mitchell
667d5cafd3 Don't show field names when not needed 2015-11-19 09:51:17 -05:00
Jeff Mitchell
55fc4ba898 Implement CA cert/CSR generation. CA certs can be self-signed or 
generate an intermediate CSR, which can be signed.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f84c8b8681 Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470. 2015-08-27 12:24:37 -07:00
Jeff Mitchell
b8a72cfd47 Allow enforcement of hostnames to be toggleable for certificates. Fixes #451. 2015-08-20 14:33:37 -07:00
Jeff Mitchell
435aefc072 A few things: 
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-19 12:48:18 -04:00
Jeff Mitchell
31e680048e A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth. 
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.

More refactoring could be done within the PKI backend itself, but that can wait.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-17 16:07:20 -04:00
Jeff Mitchell
a2b3e1302a A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions 
useful for other parts of Vault (including the API) to take advantage of.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-16 13:43:12 -04:00
Jeff Mitchell
722eca1367 Address most of Armon's initial feedback. 
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-11 21:57:05 -04:00
Jeff Mitchell
20ac7a46f7 Add acceptance tests 
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling

Also, fix a bug when trying to get code signing certificates.

Not tested:
* Revocation (I believe this is impossible with the current testing framework)

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-08 00:06:09 -04:00
Jeff Mitchell
530b67bbb9 Initial PKI backend implementation. 
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint

Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-08 00:06:09 -04:00