open-vault/builtin/logical/pki/ca_util.go

package pki

import (
	"time"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/certutil"
	"github.com/hashicorp/vault/sdk/logical"
)

func (b *backend) getGenerationParams(
	data *framework.FieldData,
) (exported bool, format string, role *roleEntry, errorResp *logical.Response) {
	exportedStr := data.Get("exported").(string)
	switch exportedStr {
	case "exported":
		exported = true
	case "internal":
	default:
		errorResp = logical.ErrorResponse(
			`the "exported" path parameter must be "internal" or "exported"`)
		return
	}

	format = getFormat(data)
	if format == "" {
		errorResp = logical.ErrorResponse(
			`the "format" path parameter must be "pem", "der", "der_pkcs", or "pem_bundle"`)
		return
	}

	role = &roleEntry{
		TTL:                  time.Duration(data.Get("ttl").(int)) * time.Second,
		KeyType:              data.Get("key_type").(string),
		KeyBits:              data.Get("key_bits").(int),
		SignatureBits:        data.Get("signature_bits").(int),
		AllowLocalhost:       true,
		AllowAnyName:         true,
		AllowIPSANs:          true,
		EnforceHostnames:     false,
		AllowedURISANs:       []string{"*"},
		AllowedOtherSANs:     []string{"*"},
		AllowedSerialNumbers: []string{"*"},
		OU:                   data.Get("ou").([]string),
		Organization:         data.Get("organization").([]string),
		Country:              data.Get("country").([]string),
		Locality:             data.Get("locality").([]string),
		Province:             data.Get("province").([]string),
		StreetAddress:        data.Get("street_address").([]string),
		PostalCode:           data.Get("postal_code").([]string),
	}

	if role.KeyType == "rsa" && role.KeyBits < 2048 {
		errorResp = logical.ErrorResponse("RSA keys < 2048 bits are unsafe and not supported")
		return
	}

	if err := certutil.ValidateKeyTypeSignatureLength(role.KeyType, role.KeyBits, &role.SignatureBits); err != nil {
		errorResp = logical.ErrorResponse(err.Error())
	}

	return
}
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-18 15:16:09 +00:00			`package pki`

			`import (`
Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 19:46:13 +00:00			`"time"`

Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Refactor cert util (#6676) Break dataBundle into two pieces: inputBundle, which contains data that is specific to the pki backend, and creationBundle, which is a more generic bundle of validated inputs given to certificate creation/signing routines. Move functions that only take creationBundle to certutil and make them public. 2019-05-09 15:43:11 +00:00			`"github.com/hashicorp/vault/sdk/helper/certutil"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-18 15:16:09 +00:00			`)`

			`func (b *backend) getGenerationParams(`
			`data *framework.FieldData,`
			`) (exported bool, format string, role roleEntry, errorResp logical.Response) {`
			`exportedStr := data.Get("exported").(string)`
			`switch exportedStr {`
			`case "exported":`
			`exported = true`
			`case "internal":`
			`default:`
			`errorResp = logical.ErrorResponse(`
Rejig some error messages in pki 2017-10-27 16:02:18 +00:00			`the "exported" path parameter must be "internal" or "exported"`)
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-18 15:16:09 +00:00			`return`
			`}`

			`format = getFormat(data)`
			`if format == "" {`
			`errorResp = logical.ErrorResponse(`
Rejig some error messages in pki 2017-10-27 16:02:18 +00:00			`the "format" path parameter must be "pem", "der", "der_pkcs", or "pem_bundle"`)
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-18 15:16:09 +00:00			`return`
			`}`

			`role = &roleEntry{`
Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-05 03:18:39 +00:00			`TTL: time.Duration(data.Get("ttl").(int)) * time.Second,`
			`KeyType: data.Get("key_type").(string),`
			`KeyBits: data.Get("key_bits").(int),`
improvement: add signature_bits field to CA and signers (#11245) This change adds the ability to set the signature algorithm of the CAs that Vault generates and any certificates it signs. This is a potentially useful stepping stone for a SHA3 transition down the line. Summary: * Adds the field "signature_bits" to CA and Sign endpoints * Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA keytypes. 2021-09-10 21:39:05 +00:00			`SignatureBits: data.Get("signature_bits").(int),`
Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-05 03:18:39 +00:00			`AllowLocalhost: true,`
			`AllowAnyName: true,`
			`AllowIPSANs: true,`
			`EnforceHostnames: false,`
Add URI SANs (#4767) 2018-06-15 19:32:25 +00:00			`AllowedURISANs: []string{"*"},`
Set allowed OIDs to any value when generaing a CA. (#5462) * Set allowed OIDs to any value when generaing a CA. Also, allow utf-8 in addition to utf8 as the OID type specifier, and allow `` to specify any OID of a supported type. Update PKI docs 2018-10-08 13:51:43 +00:00			`AllowedOtherSANs: []string{"*"},`
Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-05 03:18:39 +00:00			`AllowedSerialNumbers: []string{"*"},`
			`OU: data.Get("ou").([]string),`
			`Organization: data.Get("organization").([]string),`
			`Country: data.Get("country").([]string),`
			`Locality: data.Get("locality").([]string),`
			`Province: data.Get("province").([]string),`
			`StreetAddress: data.Get("street_address").([]string),`
			`PostalCode: data.Get("postal_code").([]string),`
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-18 15:16:09 +00:00			`}`

Disallow 1024-bit RSA keys. Existing certificates are kept but roles with key bits < 2048 will need to be updated as the signing/issuing functions now enforce this. 2016-02-18 22:55:47 +00:00			`if role.KeyType == "rsa" && role.KeyBits < 2048 {`
			`errorResp = logical.ErrorResponse("RSA keys < 2048 bits are unsafe and not supported")`
			`return`
			`}`

Restrict ECDSA/NIST P-Curve hash function sizes for cert signing (#12872) * Restrict ECDSA signatures with NIST P-Curve hashes When using an ECDSA signature with a NIST P-Curve, we should follow recommendations from BIS (Section 4.2) and Mozilla's root store policy (section 5.1.2) to ensure that arbitrary selection of signature_bits does not exceed what the curve is capable of signing. Related: #11245 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Switch to certutil.ValidateKeyTypeSignatureLength(...) Replaces previous calls to certutil.ValidateKeyTypeLength(...) and certutil.ValidateSignatureLength(...) with a single call, allowing for curve<->hash validation. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Switch to autodetection of signature_bits This enables detection of whether the caller manually specified a value for signature_bits or not; when not manually specified, we can provision a value that complies with new NIST P-Curve policy. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Select hash function length automatically Due to our change in behavior (to default to -1 as the value to signature_bits to allow for automatic hash selection), switch ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and provision it with valid default values. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Prevent invalid Curve size lookups Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Switch from -1 to 0 as default SignatureBits Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2021-11-12 17:18:38 +00:00			`if err := certutil.ValidateKeyTypeSignatureLength(role.KeyType, role.KeyBits, &role.SignatureBits); err != nil {`
Refactor cert util (#6676) Break dataBundle into two pieces: inputBundle, which contains data that is specific to the pki backend, and creationBundle, which is a more generic bundle of validated inputs given to certificate creation/signing routines. Move functions that only take creationBundle to certutil and make them public. 2019-05-09 15:43:11 +00:00			`errorResp = logical.ErrorResponse(err.Error())`
			`}`
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-18 15:16:09 +00:00
			`return`
			`}`