mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-17 20:17:00 +02:00
Code Issues Projects Releases Wiki Activity
17,641 Commits 2,844 Branches 445 Tags 454 MiB
a2de4c75cd
Commit Graph

5 Commits

Author SHA1 Message Date
Alexander Scheel
b346b52b62
Correctly validate ACME PoP against public key (#21190) 
* Correctly validate ACME PoP against public key

ACME's proof of possession based revocation uses a signature from the
private key, but only sends the public copy along with the request.
Ensure the public copy matches the certificate, instead of failing to
cast it to a private key.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ACME revocation tests

* Clarify commentary in acmeRevocationByPoP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
 2023-06-14 12:01:16 -04:00
Steven Clark
ef6758222d
Enforce valid ACME accounts in challenge APIS (#20744) 
- Make sure we have an ACME account in a valid state and
   enforce EAB policies on that account for the challenge
   and revocation by account ACME apis.
 2023-05-24 17:28:56 +00:00
Steven Clark
38982a0744
Update ACME endpoint help synopsis and description (#20624) 
- Use generic help synopsis and help description values for the various ACME endpoints defined.
 - Add missing values for the Vault ACME EAB apis
 2023-05-17 13:59:30 +00:00
Steven Clark
21b38abea4
Add a last issued date on ACME accounts (#20534) 
* Add a last issued date on ACME accounts

 - When we issue a new ACME certificate, attempt to update the account's last issued field
 - Within ACME account tidy, use both account creation and last issue date to provide a buffer before we mark the account as revoked.
 - Cleanup the cert serial to account tracker
 - Misc formatting fixes in JSON objects

* Move account max-cert-expiry updates within tidy

 - Perform the account update of max-cert-expiry within
   the tidy operation as it has the account write lock
   and is already iterating over all orders.
 - With this the order path does not need any account
   level locks

* Prefix ACME account status constants with AccountStatusX
 2023-05-15 16:02:40 -04:00
Alexander Scheel
86ab4ef3e7
Add ACME revocation handlers (#20340) 
* Add ACME revocation handlers

This refactors path_revoke to expose Proof of Possession verification,
which is reused by ACME to allow methods 1 and 2:

 1. Revocation of a certificate issued by the account, using account
    signature as sufficient proof.
 2. Revocation of a certificate via proving possession of its private
    key, using this private key to create the JWS signature.

We do not support the third mechanism, completing challenges equivalent
to those on the existing certificate and then performing a revocation
under an account which didn't issue the certificate but which did solve
those challenges.

We additionally create another map account->cert->order, allowing us to
quickly look up if a cert was issued by this particular account. Note
that the inverse lookup of cert->(account, order) lookup isn't yet
possible due to Vault's storage structure.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update ACME pkiext tests to revoke certs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add auth handler checks

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
 2023-04-25 16:48:30 -04:00