* Add clarifications on revocation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Talk about rationale for separating roots from intermediates
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Ensure correct write ordering in rebuildIssuersChains
When troubleshooting a recent migration failure from 1.10->1.11, it was
noted that some PKI mounts had bad chain construction despite having
valid, chaining issuers. Due to the cluster's leadership trashing
between nodes, the migration logic was re-executed several times,
partially succeeding each time. While the legacy CA bundle migration
logic was written with this in mind, one shortcoming in the chain
building code lead us to truncate the ca_chain: by sorting the list of
issuers after including non-written issuers (with random IDs), these
issuers would occasionally be persisted prior to storage _prior_ to
existing CAs with modified chains.
The migration code carefully imported the active issuer prior to its
parents. However, due to this bug, there was a chance that, if write to
the pending parent succeeded but updating the active issuer didn't, the
active issuer's ca_chain field would only contain the self-reference and
not the parent's reference as well. Ultimately, a workaround of setting
and subsequently unsetting a manual chain would force a chain
regeneration.
In this patch, we simply fix the write ordering: because we need to
ensure a stable chain sorting, we leave the sort location in the same
place, but delay writing the provided referenceCert to the last
position. This is because the reference is meant to be the user-facing
action: without transactional write capabilities, other chains may
succeed, but if the last user-facing action fails, the user will
hopefully retry the action. This will also correct migration, by
ensuring the subsequent issuer import will be attempted again,
triggering another chain build and only persisting this issuer when
all other issuers have also been updated.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remigrate ca_chains to fix any missing issuers
In the previous commit, we identified an issue that would occur on
legacy issuer migration to the new storage format. This is easy enough
to detect for any given mount (by an operator), but automating scanning
and remediating all PKI mounts in large deployments might be difficult.
Write a new storage migration version to regenerate all chains on
upgrade, once.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add issue to PKI considerations documentation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correct %v -> %w in chain building errs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update signed-ssh-certificates.mdx
Add a pointer to the doc regarding reading back the pub key with the CLI
* Update website/content/docs/secrets/ssh/signed-ssh-certificates.mdx
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify language around PSS CSR issues
Also point out that PKCS#11 tokens have the same problem.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update website/content/docs/secrets/pki/considerations.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Allow OCSP to use issuer's RevocationSigAlgo
When an issuer specifies a RevocationSigAlgo, we should largely follow
this for both CRLs and OCSP. However, x/crypto/ocsp lacks support for
PSS signatures, so we drop these down to PKCS#1v1.5 instead.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add warning when issuer has PSS-based RevSigAlgo
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about OCSP and PSS support
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* PKI: Add support for signature_bits param to the intermediate/generate api
- Mainly to work properly with GCP backed managed keys, we need to
issue signatures that would match the GCP key algorithm.
- At this time due to https://github.com/golang/go/issues/45990 we
can't issue PSS signed CSRs, as the libraries in Go always request
a PKCS1v15.
- Add an extra check in intermediate/generate that validates the CSR's
signature before providing it back to the client in case we generated
a bad signature such as if an end-user used a GCP backed managed key
with a RSA PSS algorithm.
- GCP ignores the requested signature type and always signs with the
key's algorithm which can lead to a CSR that says it is signed with
a PKCS1v15 algorithm but is actually a RSA PSS signature
* Add cl
* PR feedback
* docs/api-docs for Redis
* update doc
* add navigation to the docs
* Update website/content/api-docs/secret/databases/redis.mdx
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
* Update website/content/docs/secrets/databases/redis.mdx
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
* update setup list and lang tag for shell code blocks
* update language tag
* update based on suggestions
* update docs to include tls params
* add plugin to the plugin portal doc
* add -
* update api-docs-nav-data.json
* update field name
* Update website/content/docs/secrets/databases/redis.mdx
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* Update website/content/docs/secrets/databases/redis.mdx
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* Update website/content/docs/secrets/databases/redis.mdx
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* Update website/content/docs/secrets/databases/redis.mdx
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* Update website/content/api-docs/secret/databases/redis.mdx
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* update docs
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* add api docs for transform byok endpoints
* add byok description to transform index page
* fix merge conflicts
* remove import_version for FPE
* text edits and add note about convergent tokenization
* add note for convergent tokenization
* Fix interoperability concerns with PSS
When Go parses a certificate with rsaPSS OID, it will accept this
certificate but not parse the SubjectPublicKeyInfo, leaving the
PublicKeyAlgorithm and PublicKey fields blank, but otherwise not erring.
The same behavior occurs with rsaPSS OID CSRs.
On the other hand, when Go parses rsaPSS OID PKCS8 private keys, these
keys will fail to parse completely.
Thus, detect and fail on any empty PublicKey certs and CSRs, warning the
user that we cannot parse these correctly and thus refuse to operate.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Run more PKI tests in parallel
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add notes about PSS shortcomings to considerations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add more notes about issuer revocation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Note BYOC in considerations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about http access to CRLs, OCSP
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Recommend enabling auto-tidy & crl rebuilding
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing paths to personas
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Get import correct
* limits, docs
* changelog
* unit tests
* And fix import for hmac unit test
* typo
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* Update builtin/logical/transit/path_keys.go
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* Validate key sizes a bit more carefully
* Update sdk/helper/keysutil/policy.go
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* docs: update plugin docs for secrets/auth multiplexing
* update index
* update plugin development
* fix spacing in code snippet
* update links to multiplexing resources
* add note on sdk version and update db example text
* Update website/content/docs/plugins/plugin-architecture.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* reword index intro
* Update website/content/docs/plugins/plugin-development.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/plugins/plugin-development.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* remove word and fix code format
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* updated usage example
* Docs: updated examples with base64 - removed herestring for echo instead that's more simple.
* Docs: updated examples with base64 - removed herestring for echo instead that's more simple.
Co-authored-by: Mehdi Ahmadi <aphorise@gmail.com>
* Add per-issuer AIA URI information
Per discussion on GitHub with @maxb, this allows issuers to have their
own copy of AIA URIs. Because each issuer has its own URLs (for CA and
CRL access), its necessary to mint their issued certs pointing to the
correct issuer and not to the global default issuer. For anyone using
multiple issuers within a mount, this change allows the issuer to point
back to itself via leaf's AIA info.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on per-issuer AIA info
Also add it to the considerations page as something to watch out for.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for per-issuer AIA information
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor AIA setting on the issuer
This introduces a common helper per Steve's suggestion.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify error messages w.r.t. AIA naming
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify error messages regarding AIA URLs
This clarifies which request parameter the invalid URL is contained
in, disambiguating the sometimes ambiguous usage of AIA, per suggestion
by Max.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Rename getURLs -> getGlobalAIAURLs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correct AIA acronym expansion word orders
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix bad comment suggesting re-generating roots
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add two entries to URL tests
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow marking issuers as revoked
This allows PKI's issuers to be considered revoked and appear on each
others' CRLs. We disable issuance (via removing the usage) and prohibit
modifying the usage via the regular issuer management interface.
A separate endpoint is necessary because issuers (especially if signed
by a third-party CA using incremental serial numbers) might share a
serial number (e.g., an intermediate under cross-signing might share the
same number as an external root or an unrelated intermediate).
When the next CRL rebuild happens, this issuer will then appear on
others issuers CRLs, if they validate this issuer's certificate.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on revoking issuers
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for issuer revocation semantics
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Notate that CRLs will be rebuilt
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix timestamp field from _utc -> to _rfc3339
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Ensure serial-based accesses shows as revoked
Thanks Kit!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add warning when revoking default issuer
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow Proof of Possession based revocation
Revocation by proof of possession ensures that we have a private key
matching the (provided or stored) certificate. This allows callers to
revoke certificate they own (as proven by holding the corresponding
private key), without having an admin create innumerable ACLs around
the serial_number parameter for every issuance/user.
We base this on Go TLS stack's verification of certificate<->key
matching, but extend it where applicable to ensure curves match, the
private key is indeed valid, and has the same structure as the
corresponding public key from the certificate.
This endpoint currently is authenticated, allowing operators to disable
the endpoint if it isn't desirable to use, via ACL policies.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify error message on ParseDERKey
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Leave revoke-with-key authenticated
After some discussion, given the potential for DoS (via submitting a lot
of keys/certs to validate, including invalid pairs), it seems best to
leave this as an authenticated endpoint. Presently in Vault, there's no
way to have an authenticated-but-unauthorized path (i.e., one which
bypasses ACL controls), so it is recommended (but not enforced) to make
this endpoint generally available by permissive ACL policies.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add API documentation on PoP
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add acceptance tests for Proof of Possession
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Exercise negative cases in PoP tests
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add key wrapping guide for transit import
* link to key wrap guide from transit overview
* add new page to nav
* fix formatting
* fix note format
* fix link
* docs(#16222): add documentation for changes in PR hashicorp/vault-plugin-secrets-kubernetes#10
* docs(#16222): add changelog entry
* docs(#16222): improve documentation to make the use case of setting both allowed_kubernetes_namespaces and allowed_kubernetes_namespace_selector parameters for role configuration
* VAULT-6091 Document duration format
* VAULT-6091 Document duration format
* VAULT-6091 Update wording
* VAULT-6091 Update to duration format string, replace everywhere I've found so far
* VAULT-6091 Add the word 'string' to the nav bar
* VAULT-6091 fix link
* VAULT-6091 fix link
* VAULT-6091 Fix time/string, add another reference
* VAULT-6091 add some misses for references to this format
* Overhaul consul docs and api-docs for new 1.11 features
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
This adds a note that manual_chain is required for cross-signed
intermediates, as Vault will not automatically associate the
cross-signed pair during chain construction. During issuance, the chain
is used verbatim from the issuer, so no chain detection will be used
then.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing key_ref parameter to gen root docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add API docs section on key generation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about managed key access
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add a little more information about PKI and replicated data sets.
- Add a TOC to the PKI considerations page
- Merge in the existing certificate storage into a new Replicated DataSets
section
- Move the existing Cluster Scalability section from the api-docs into the
considerations page.
* Add recommendations on key types and PKI performance
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update website/content/docs/secrets/pki/considerations.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add note about cross-cluster CRL URIs
As suggested by Ricardo Oliveira, thanks!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note that short TTLs are relative to quantity
As suggested by Ricardo Oliveira, thanks!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note to make sure default is configured
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about automating certificate renewal
As suggested by Ricardo Oliveira, thanks!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add leaf not after best practice
Also suggest concrete recommendations for lifetimes of various issuers.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add advice to use a proper CA hierarchy
Also mention name constraints and HSM backing.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add section on safer usage of Roles
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add initial RBAC example for PKI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Begin restructuring FIPS documentation
This creates a new FIPS category under Enterprise and copies the
FIPS-specific seal wrap documentation into it.
We leave the existing Seal Wrap page at the old path, but document that
the FIPS-specific portions of it have moved.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add initial FIPS 140-2 inside documentation
This documents the new FIPS 140-2 Inside binary and how to use and
validate it. This also documents which algorithms are certified for
use in the BoringCrypto distribution.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add notes about FIPS algorithm restrictions
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Rename pki.mdx -> pki/index.mdx
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Split off quick-start document
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Split off considerations document
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Split off intermediate CA setup document
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Split off setup and usage document
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Consistent quick-start doc naming
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add table of contents to index
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add explanation to help text and flag usage text
* KV get with new mount flag
* Clearer naming
* KV Put, Patch, Metadata Get + corresponding tests
* KV Delete, Destroy, Rollback, Undelete, MetadataDelete, MetadataPatch, MetadataPut
* Update KV-v2 docs to use mount flag syntax
* Add changelog
* Run make fmt
* Clarify deprecation message in help string
* Address style comments
* docs/multiplexing: overhaul plugin documentation
* update nav data
* remove dupe nav data
* add external plugin section to index
* move custom plugin backends under internals/plugins
* remove ref to moved page
* revert moving custom plugin backends
* add building plugins from source section to plug dev
* add mux section to plugin arch
* add mux section to custom plugin page
* reorder custom database page
* use 'external plugin' where appropriate
* add link to plugin multiplexing
* fix example serve multiplex func call
* address review comments
* address review comments
* Minor format updates (#14590)
* mv Plugins to top-level; update upgrading plugins
* update links after changing paths
* add section on external plugin scaling characteristics
* add updates on plugin registration in plugin management page
* add plugin learn resource
* be more explicit about mux upgrade steps; add notes on when to avoid db muxing
* add plugin upgrade built-in section
* add caveats to built-in plugin upgrade
* improvements to built-in plugin override
* formatting, add redirects, correct multiplexing use case
* fix go-plugin link
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* remove single item list; add link to Database interface
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
The operations are handled identically, but ~85% of the references were
POST, and having a mix of PUT and POST was a source of questions.
A subsequent commit will update the internal use of "PUT" such as by
the API client and -output-curl-string.
* Explicitly call out SSH algorithm_signer default
Related: #11608
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use rsa-sha2-256 as the default SSH CA hash algo
As mentioned in the OpenSSH 8.2 release notes, OpenSSH will no longer be
accepting ssh-rsa signatures by default as these use the insecure SHA-1
algorithm.
For roles in which an explicit signature type wasn't specified, we
should change the default from SHA-1 to SHA-256 for security and
compatibility with modern OpenSSH releases.
See also: https://www.openssh.com/txt/release-8.2
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update docs mentioning new algorithm change
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix missing parenthesis, clarify new default value
* Add to side bar
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update repository links to point to main
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken link in relatedtools.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
