2015-05-15 16:13:05 +00:00
|
|
|
package pki
|
|
|
|
|
|
|
|
|
|
import (
|
2015-06-15 17:33:23 +00:00
|
|
|
"fmt"
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-06-17 16:43:36 +00:00
|
|
|
"github.com/hashicorp/vault/helper/certutil"
|
2016-07-28 19:19:27 +00:00
|
|
|
"github.com/hashicorp/vault/helper/errutil"
|
2015-05-15 16:13:05 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func pathConfigCA(b *backend) *framework.Path {
|
|
|
|
|
return &framework.Path{
|
|
|
|
|
Pattern: "config/ca",
|
|
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
|
|
|
"pem_bundle": &framework.FieldSchema{
|
2015-06-18 14:44:02 +00:00
|
|
|
Type: framework.TypeString,
|
2015-08-29 13:03:02 +00:00
|
|
|
Description: `PEM-format, concatenated unencrypted
|
|
|
|
|
secret key and certificate, or, if a
|
|
|
|
|
CSR was generated with the "generate"
|
|
|
|
|
endpoint, just the signed certificate.`,
|
2015-05-15 16:13:05 +00:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
2016-01-07 15:30:47 +00:00
|
|
|
logical.UpdateOperation: b.pathCAWrite,
|
2015-10-05 17:00:45 +00:00
|
|
|
},
|
|
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
HelpSynopsis: pathConfigCAHelpSyn,
|
|
|
|
|
HelpDescription: pathConfigCAHelpDesc,
|
2015-11-12 16:24:32 +00:00
|
|
|
}
|
2015-08-29 13:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
func (b *backend) pathCAWrite(
|
2015-10-09 17:45:17 +00:00
|
|
|
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
|
|
|
pemBundle := data.Get("pem_bundle").(string)
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-06-17 16:43:36 +00:00
|
|
|
parsedBundle, err := certutil.ParsePEMBundle(pemBundle)
|
|
|
|
|
if err != nil {
|
|
|
|
|
switch err.(type) {
|
2016-07-28 19:19:27 +00:00
|
|
|
case errutil.InternalError:
|
2015-06-17 16:43:36 +00:00
|
|
|
return nil, err
|
|
|
|
|
default:
|
|
|
|
|
return logical.ErrorResponse(err.Error()), nil
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
2015-06-17 16:43:36 +00:00
|
|
|
}
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
if parsedBundle.PrivateKey == nil ||
|
|
|
|
|
parsedBundle.PrivateKeyType == certutil.UnknownPrivateKey {
|
|
|
|
|
return logical.ErrorResponse("private key not found in the PEM bundle"), nil
|
2015-06-18 14:44:02 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
// Handle the case of a self-signed certificate; the parsing function will
|
|
|
|
|
// see the CA and put it into the issuer
|
|
|
|
|
if parsedBundle.Certificate == nil &&
|
|
|
|
|
parsedBundle.IssuingCA != nil {
|
|
|
|
|
equal, err := certutil.ComparePublicKeys(parsedBundle.IssuingCA.PublicKey, parsedBundle.PrivateKey.Public())
|
2015-08-29 13:03:02 +00:00
|
|
|
if err != nil {
|
2015-11-18 15:16:09 +00:00
|
|
|
return logical.ErrorResponse(fmt.Sprintf(
|
|
|
|
|
"got only a CA and private key but could not verify the public keys match: %v", err)), nil
|
2015-08-29 13:03:02 +00:00
|
|
|
}
|
2015-11-18 15:16:09 +00:00
|
|
|
if !equal {
|
|
|
|
|
return logical.ErrorResponse(
|
|
|
|
|
"got only a CA and private key but keys do not match"), nil
|
2015-08-29 13:03:02 +00:00
|
|
|
}
|
2015-11-18 15:16:09 +00:00
|
|
|
parsedBundle.Certificate = parsedBundle.IssuingCA
|
|
|
|
|
parsedBundle.CertificateBytes = parsedBundle.IssuingCABytes
|
2015-08-29 13:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
if parsedBundle.Certificate == nil {
|
|
|
|
|
return logical.ErrorResponse("no certificate found in the PEM bundle"), nil
|
2015-08-29 13:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2015-06-17 16:43:36 +00:00
|
|
|
if !parsedBundle.Certificate.IsCA {
|
2015-11-18 15:16:09 +00:00
|
|
|
return logical.ErrorResponse("the given certificate is not marked for CA use and cannot be used with this backend"), nil
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
cb, err := parsedBundle.ToCertBundle()
|
2015-06-15 17:33:23 +00:00
|
|
|
if err != nil {
|
2015-11-18 15:16:09 +00:00
|
|
|
return nil, fmt.Errorf("error converting raw values into cert bundle: %s", err)
|
2015-06-15 17:33:23 +00:00
|
|
|
}
|
2015-06-17 16:43:36 +00:00
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
entry, err := logical.StorageEntryJSON("config/ca_bundle", cb)
|
2015-05-15 16:13:05 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
err = req.Storage.Put(entry)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-09 17:45:17 +00:00
|
|
|
// For ease of later use, also store just the certificate at a known
|
|
|
|
|
// location, plus a fresh CRL
|
|
|
|
|
entry.Key = "ca"
|
|
|
|
|
entry.Value = parsedBundle.CertificateBytes
|
2015-05-15 16:13:05 +00:00
|
|
|
err = req.Storage.Put(entry)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-09 17:45:17 +00:00
|
|
|
err = buildCRL(b, req)
|
|
|
|
|
|
|
|
|
|
return nil, err
|
2015-05-15 16:13:05 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
const pathConfigCAHelpSyn = `
|
2015-08-29 13:03:02 +00:00
|
|
|
Set the CA certificate and private key used for generated credentials.
|
|
|
|
|
`
|
|
|
|
|
|
2015-11-18 15:16:09 +00:00
|
|
|
const pathConfigCAHelpDesc = `
|
2015-08-29 13:03:02 +00:00
|
|
|
This sets the CA information used for credentials generated by this
|
|
|
|
|
by this mount. This must be a PEM-format, concatenated unencrypted
|
|
|
|
|
secret key and certificate.
|
|
|
|
|
|
|
|
|
|
For security reasons, the secret key cannot be retrieved later.
|
|
|
|
|
`
|
|
|
|
|
|
|
|
|
|
const pathConfigCAGenerateHelpSyn = `
|
|
|
|
|
Generate a new CA certificate and private key used for signing.
|
|
|
|
|
`
|
|
|
|
|
|
|
|
|
|
const pathConfigCAGenerateHelpDesc = `
|
|
|
|
|
This path generates a CA certificate and private key to be used for
|
|
|
|
|
credentials generated by this mount. The path can either
|
|
|
|
|
end in "internal" or "exported"; this controls whether the
|
|
|
|
|
unencrypted private key is exported after generation. This will
|
|
|
|
|
be your only chance to export the private key; for security reasons
|
|
|
|
|
it cannot be read or exported later.
|
|
|
|
|
|
|
|
|
|
If the "type" option is set to "self-signed", the generated
|
|
|
|
|
certificate will be a self-signed root CA. Otherwise, this mount
|
|
|
|
|
will act as an intermediate CA; a CSR will be returned, to be signed
|
|
|
|
|
by your chosen CA (which could be another mount of this backend).
|
|
|
|
|
Note that the CRL path will be set to this mount's CRL path; if you
|
|
|
|
|
need further customization it is recommended that you create a CSR
|
|
|
|
|
separately and get it signed. Either way, use the "config/ca/set"
|
|
|
|
|
endpoint to load the signed certificate into Vault.
|
|
|
|
|
`
|
|
|
|
|
|
|
|
|
|
const pathConfigCASignHelpSyn = `
|
|
|
|
|
Generate a signed CA certificate from a CSR.
|
2015-05-15 16:13:05 +00:00
|
|
|
`
|
|
|
|
|
|
2015-08-29 13:03:02 +00:00
|
|
|
const pathConfigCASignHelpDesc = `
|
|
|
|
|
This path generates a CA certificate to be used for credentials
|
|
|
|
|
generated by the certificate's destination mount.
|
2015-05-15 16:13:05 +00:00
|
|
|
|
2015-08-29 13:03:02 +00:00
|
|
|
Use the "config/ca/set" endpoint to load the signed certificate
|
|
|
|
|
into Vault another Vault mount.
|
2015-05-15 16:13:05 +00:00
|
|
|
`
|
