package pki
import (
	"context"
	"crypto/ecdsa"
	"crypto/rsa"
	"fmt"
	"time"

	"golang.org/x/crypto/ed25519"

	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/certutil"
	"github.com/hashicorp/vault/sdk/logical"
)
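// getGenerationParams validates the parameters shared by the CA generation
// endpoints ("exported" mode, output format, key_type/key_bits, TTL and the
// subject fields) and builds the synthetic roleEntry that issuance runs under.
//
// Returns:
//   - exported: true only for the "exported" mode, in which the private key is
//     handed back to the caller; false for "internal" and "kms".
//   - format: the output format accepted by getFormat.
//   - role: a deliberately permissive roleEntry (any name, any SAN type,
//     wildcards allowed, hostnames not enforced) carrying the requested key
//     parameters and subject fields. It is nil when a path parameter was
//     rejected before the entry was built.
//   - errorResp: non-nil when validation failed; callers must check it before
//     using the other results.
//
// In "kms" mode key_type and key_bits must not be supplied: they are derived
// from the public key of the managed key named in the request. If that lookup
// fails (including when managed keys are unavailable in this build) an error
// response is returned rather than silently continuing with default values.
func (b *backend) getGenerationParams(ctx context.Context,
	data *framework.FieldData, mountPoint string,
) (exported bool, format string, role *roleEntry, errorResp *logical.Response) {
	exportedStr := data.Get("exported").(string)
	switch exportedStr {
	case "exported":
		exported = true
	case "internal", "kms":
		// Private key material never leaves Vault (or the KMS) in these modes.
	default:
		errorResp = logical.ErrorResponse(
			`the "exported" path parameter must be "internal", "exported", or "kms"`)
		return
	}

	format = getFormat(data)
	if format == "" {
		errorResp = logical.ErrorResponse(
			`the "format" path parameter must be "pem", "der", "der_pkcs", or "pem_bundle"`)
		return
	}

	keyType := data.Get("key_type").(string)
	keyBits := data.Get("key_bits").(int)
	if exportedStr == "kms" {
		// data.Raw only contains parameters the caller actually sent, which
		// distinguishes "not supplied" from "supplied with the default value".
		_, okKeyType := data.Raw["key_type"]
		_, okKeyBits := data.Raw["key_bits"]
		if okKeyType || okKeyBits {
			errorResp = logical.ErrorResponse(
				`invalid parameter for the kms path parameter, key_type nor key_bits arguments can be set in this mode`)
			return
		}

		keyID, err := getManagedKeyId(data)
		if err != nil {
			errorResp = logical.ErrorResponse("unable to determine managed key id")
			return
		}

		// Determine key type and key bits from the managed public key. The
		// callback assigns the captured keyType/keyBits locals directly.
		err = withManagedPKIKey(ctx, b, keyID, mountPoint, func(ctx context.Context, key logical.ManagedSigningKey) error {
			pubKey, err := key.GetPublicKey(ctx)
			if err != nil {
				return err
			}
			switch pk := pubKey.(type) {
			case *rsa.PublicKey:
				keyType = "rsa"
				keyBits = pk.Size() * 8
			case *ecdsa.PublicKey:
				keyType = "ec"
				// Carry the curve size through so that the signature length
				// default chosen below from KeyBits matches the actual key.
				keyBits = pk.Curve.Params().BitSize
			case ed25519.PublicKey, *ed25519.PublicKey:
				// ed25519.PublicKey is a byte slice and is normally returned by
				// value, so both the value and pointer forms are matched.
				keyType = "ed25519"
			default:
				return fmt.Errorf("unsupported managed key type %T", pubKey)
			}
			return nil
		})
		// Without this check a failed lookup would leave keyType/keyBits at
		// the request defaults and issuance would proceed with the wrong
		// parameters.
		if err != nil {
			errorResp = logical.ErrorResponse("unable to determine key type of managed key: " + err.Error())
			return
		}
	}

	// CA generation is not constrained by a user-defined role, so every name
	// restriction is opened up and only the key/subject parameters are taken
	// from the request.
	allowWildcards := true
	role = &roleEntry{
		TTL:                       time.Duration(data.Get("ttl").(int)) * time.Second,
		KeyType:                   keyType,
		KeyBits:                   keyBits,
		SignatureBits:             data.Get("signature_bits").(int),
		AllowLocalhost:            true,
		AllowAnyName:              true,
		AllowIPSANs:               true,
		AllowWildcardCertificates: &allowWildcards,
		EnforceHostnames:          false,
		AllowedURISANs:            []string{"*"},
		AllowedOtherSANs:          []string{"*"},
		AllowedSerialNumbers:      []string{"*"},
		OU:                        data.Get("ou").([]string),
		Organization:              data.Get("organization").([]string),
		Country:                   data.Get("country").([]string),
		Locality:                  data.Get("locality").([]string),
		Province:                  data.Get("province").([]string),
		StreetAddress:             data.Get("street_address").([]string),
		PostalCode:                data.Get("postal_code").([]string),
	}

	// Resolve the universal defaults (key_bits 0, signature_bits 0) into
	// concrete values for the chosen key type and reject unsupported sizes.
	var err error
	if role.KeyBits, role.SignatureBits, err = certutil.ValidateDefaultOrValueKeyTypeSignatureLength(role.KeyType, role.KeyBits, role.SignatureBits); err != nil {
		errorResp = logical.ErrorResponse(err.Error())
	}

	return
}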