mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-16 11:37:04 +02:00
Code Issues Projects Releases Wiki Activity
6,740 Commits 2,843 Branches 445 Tags 454 MiB
d3a2844a75
Commit Graph

84 Commits

Author SHA1 Message Date
Jeff Mitchell
33cf98026e
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Jeff Mitchell
2c6e64226c Tests were not actually forcing the intermediate to have a longer TTL 
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
 2017-09-14 22:49:04 -04:00
Jeff Mitchell
f970aea9f8 Change behavior of TTL in sign-intermediate (#3325) 
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
 2017-09-13 11:42:45 -04:00
Jeff Mitchell
4ad96d9513 Add pki/root/sign-self-issued. (#3274) 
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
 2017-08-31 23:07:15 -04:00
Jeff Mitchell
f3a3e5ad8f Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Jeff Mitchell
e6b43f7278 Add permitted dns domains to pki (#3164) 2017-08-15 16:10:36 -04:00
Calvin Leung Huang
207983f526 Minor comment update on cert_util 2017-05-03 16:13:54 -04:00
Chris Hoffman
cf4ef59477 Merge pull request #2575 from hashicorp/pki-colons-to-hyphens 
Change storage of PKI entries from colons to hyphens
 2017-05-03 15:07:15 -04:00
Chris Hoffman
29e5ce66bb Minor readability enhancements for migration path from old to new 2017-05-03 14:58:22 -04:00
Calvin Leung Huang
96bcd50de0 Include and use normalizeSerial func 2017-05-03 10:12:58 -04:00
Calvin Leung Huang
8c03765bb5 Use variables for string replacements on cert_util 2017-05-02 14:11:57 -04:00
Justin Gerace
2e8e9ed02d Add globbing support to the PKI backend's allowed_domains list (#2517) 2017-05-01 10:40:18 -04:00
Vishal Nayak
c947e31d1b Return error message for failure to parse CSR (#2657) 2017-04-28 08:30:24 -04:00
Calvin Leung Huang
38a01b8e1b Refactor cert_util_test 2017-04-27 17:09:59 -04:00
Chris Hoffman
d6edfc2a25 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Jeff Mitchell
85b92811ab Update sign-verbatim to correctly set generate_lease (#2593) 2017-04-18 15:54:31 -04:00
Jeff Mitchell
dba2de57de Change storage of entries from colons to hyphens and add a 
lookup/migration path

Still TODO: tests on migration path

Fixes #2552
 2017-04-18 11:14:23 -04:00
Jeff Mitchell
f92b173295 Verify that a CSR specifies IP SANs before checking whether it's allowed (#2574) 2017-04-13 13:40:31 -04:00
Jeff Mitchell
cfd522e0f0 Use ParseStringSlice on PKI organization/organizational unit. (#2561) 
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
 2017-04-04 08:54:18 -07:00
Jeff Mitchell
3f67ab489a Ensure CN check is made when exclude_cn_from_sans is used 
Fixes #2363
 2017-03-16 11:41:13 -04:00
Jeff Mitchell
688104e69a Allow roles to specify whether CSR SANs should be used instead of (#2489) 
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
 2017-03-15 14:38:18 -04:00
Jeff Mitchell
799000be20 Set CA chain when intermediate does not have an authority key ID. 
This is essentially an approved review of the code provided in #2465.

Fixes #2465
 2017-03-15 11:52:02 -04:00
Jeff Mitchell
28883acc16 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell
5e5d9baabe Add Organization support to PKI backend. (#2380) 
Fixes #2369
 2017-02-16 01:04:29 -05:00
joe miller
90e32515ea allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
Chris Hoffman
10c8024fa3 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Vincent Batoufflet
38a30a92e3 Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
vishalnayak
ddb6ae18a0 Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
cara marie
8b11798807 removed option to create 1024 keybitlength certs 2016-06-28 16:56:14 -04:00
Jeff Mitchell
cd41344685 Add some more testing 2016-06-23 09:49:03 -04:00
Jeff Mitchell
48bd5db7af Set some basic key usages by default. 
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.

Fixes #1476
 2016-06-22 16:08:24 -04:00
Jeff Mitchell
13a778ab92 Revert "Use x509 package ext key usage instead of custom type" 
This reverts commit 0b2d8ff475.
 2016-06-22 13:07:31 -04:00
Jeff Mitchell
0b2d8ff475 Use x509 package ext key usage instead of custom type 2016-06-22 11:51:32 -04:00
Jeff Mitchell
7ffa7deb92 Do some internal renaming in PKI 2016-06-22 11:39:57 -04:00
Jeff Mitchell
2bc8cf4583 Remove check for using CSR values with non-CA certificate. 
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.

Fixes #1250
 2016-03-23 10:05:38 -04:00
Jeff Mitchell
5b0d85dbf3 Add ability to exclude adding the CN to SANs. 
Fixes #1220
 2016-03-17 16:28:40 -04:00
Jeff Mitchell
4cdc44bab5 Add revocation information to PKI fetch output (non-raw only). 
Fixes #1180
 2016-03-07 10:57:38 -05:00
Jeff Mitchell
d993993f18 Better handle errors from fetchCertBySerial 2016-02-22 10:36:26 -05:00
Jeff Mitchell
5da2949d45 Check role key type and bits when signing CSR. 
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
 2016-02-19 20:50:49 -05:00
Jeff Mitchell
ac3191ad02 Disallow 1024-bit RSA keys. 
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
 2016-02-19 14:33:02 -05:00
vishalnayak
3bad2a3af0 Pki: Respond user error when cert is not found instead of internal error 2016-02-16 17:58:57 -05:00
Jeff Mitchell
122773ba71 Add slack on NotBefore value for generated certs. 
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.

Fixes #1035
 2016-02-07 14:00:03 -05:00
Jeff Mitchell
7fb8db2e6c Allow the format to be specified as pem_bundle, which creates a 
concatenated PEM file.

Fixes #992
 2016-02-01 13:19:41 -05:00
Jeff Mitchell
99f193811a Only specify cert sign / CRL sign for CAs and only specify extended key 
usages for clients.

This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.

Fixes #987
 2016-01-29 10:26:35 -05:00
Jeff Mitchell
29f04250ff Built on GH-890 to add other types 2015-12-29 13:07:24 -05:00
Issac Goldstand
6149e1256e fix CA compatibility with OpenSSL 2015-12-29 18:52:43 +02:00
Jeff Mitchell
555d621a2f Update key usage logic 
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
  Windows Crypto API and Go's validation logic

Fixes #846
 2015-12-14 14:23:51 -05:00
Jeff Mitchell
bd03d3c422 Change allowed_base_domain to allowed_domains and allow_base_domain to 
allow_bare_domains, for comma-separated multi-domain support.
 2015-11-30 23:49:11 -05:00
Jeff Mitchell
6342699da3 Greatly simplify and fix the name validation function, as well as fully 
comment it.
 2015-11-23 14:15:32 -05:00
Jeff Mitchell
7eed5db86f Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00