Commit graph

36 commits

Author SHA1 Message Date
Jeff Mitchell 11dc3f328f Add revocation information to PKI fetch output (non-raw only).
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell 2205133ae4 Only run PKI backend setup functions when TF_ACC is set 2016-02-29 14:41:14 -05:00
Jeff Mitchell 7d41607b6e Add "tidy/" which allows removing expired certificates.
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
Jeff Mitchell f43ab6a25d Remove extra debugging from PKI tests 2016-02-22 13:39:05 -05:00
Jeff Mitchell 51ced69bf8 Fix issue where leftover values after cn tests could trigger errors in ipsan tests 2016-02-22 13:35:57 -05:00
Jeff Mitchell 4c327ca4cc More improvements to PKI tests; allow setting a specific seed, output
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
Jeff Mitchell 8d4c6f4c98 Use more fuzziness in PKI backend tests 2016-02-22 10:59:37 -05:00
Jeff Mitchell 58432c5d57 Add tests for minimum key size checking. (This will also verify that the
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
Jeff Mitchell 7fc4ee1ed7 Disallow 1024-bit RSA keys.
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
Jeff Mitchell 4771884c78 Add slack on NotBefore value for generated certs.
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.

Fixes #1035
2016-02-07 14:00:03 -05:00
Jeff Mitchell 2015118958 Add listing of roles to PKI 2016-01-28 15:18:07 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 4eec9d69e8 Change allowed_base_domain to allowed_domains and allow_base_domain to
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell cf366bda9c Greatly simplify and fix the name validation function, as well as fully
comment it.
2015-11-23 14:15:32 -05:00
Jeff Mitchell f41a2e562a fix tests 2015-11-19 10:13:28 -05:00
Jeff Mitchell a95228e4ee Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell 26c8cf874d Move public key comparison logic to its own function 2015-11-19 09:51:18 -05:00
Jeff Mitchell ed62afec14 Large documentation updates, remove the pathlength path in favor of
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell 5970cb76b6 Add path length paths and unit tests to verify same. 2015-11-19 09:51:18 -05:00
Jeff Mitchell ca844b1dc1 Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4cb10abcc0 Add tests for using raw CSR values 2015-11-19 09:51:18 -05:00
Jeff Mitchell 54fccb2ff4 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell ea676ad4cc Add tests for intermediate signing and CRL, and fix a couple things
Completes extra functionality.
2015-11-19 09:51:17 -05:00
Jeff Mitchell b2df079446 Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell fe7dbfaada Handle email address alternative names, fix up tests, fix up logic around name verification 2015-11-19 09:51:17 -05:00
Jeff Mitchell aa3d6dc85b Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN 2015-11-19 09:51:17 -05:00
Jeff Mitchell 7d2730d370 Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored 2015-11-19 09:51:17 -05:00
Jeff Mitchell 1cec03d9ca Implement CA cert/CSR generation. CA certs can be self-signed or
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
Jeff Mitchell 4239f9d243 Add DynamicSystemView. This uses a pointer to a pointer to always have
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell d435048d9e Switch StaticSystemView values to pointers, to support updating 2015-09-10 15:09:54 -04:00
Jeff Mitchell a4fc4a8e90 Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470. 2015-08-27 12:24:37 -07:00
Jeff Mitchell 41b85a1c83 Allow enforcement of hostnames to be toggleable for certificates. Fixes #451. 2015-08-20 14:33:37 -07:00
Jeff Mitchell a6fc48b854 A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Jeff Mitchell 29e7ec3e21 A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.

More refactoring could be done within the PKI backend itself, but that can wait.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Jeff Mitchell 03b0675350 A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
useful for other parts of Vault (including the API) to take advantage of.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Jeff Mitchell 1513e2baa4 Add acceptance tests
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling

Also, fix a bug when trying to get code signing certificates.

Not tested:
* Revocation (I believe this is impossible with the current testing framework)

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00