open-vault/changelog/16566.txt

4 lines
114 B
Plaintext
Raw Normal View History

Add proof possession revocation for PKI secrets engine (#16566) * Allow Proof of Possession based revocation Revocation by proof of possession ensures that we have a private key matching the (provided or stored) certificate. This allows callers to revoke certificate they own (as proven by holding the corresponding private key), without having an admin create innumerable ACLs around the serial_number parameter for every issuance/user. We base this on Go TLS stack's verification of certificate<->key matching, but extend it where applicable to ensure curves match, the private key is indeed valid, and has the same structure as the corresponding public key from the certificate. This endpoint currently is authenticated, allowing operators to disable the endpoint if it isn't desirable to use, via ACL policies. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Clarify error message on ParseDERKey Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Leave revoke-with-key authenticated After some discussion, given the potential for DoS (via submitting a lot of keys/certs to validate, including invalid pairs), it seems best to leave this as an authenticated endpoint. Presently in Vault, there's no way to have an authenticated-but-unauthorized path (i.e., one which bypasses ACL controls), so it is recommended (but not enforced) to make this endpoint generally available by permissive ACL policies. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add API documentation on PoP Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add acceptance tests for Proof of Possession Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Exercise negative cases in PoP tests Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-16 18:01:26 +00:00
```release-note:improvement
secrets/pki: Allow revocation via proving possession of certificate's private key
```