Commit graph

452 commits

Author SHA1 Message Date
Scott Miller 6f18a9b6be
Allow signing self issued certs with a different public key algorithm. (#12514)
* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types

* Allow signing self issued certs with a different public key algorithm

* Remove cruft

* Remove stale import

* changelog

* eliminate errwrap

* Add a test to cover the lack of opt-in flag

* Better comment

Co-authored-by: catsby <clint@ctshryock.com>
2021-09-14 10:07:27 -05:00
jhart-cpi fa1611f427
improvement: add signature_bits field to CA and signers (#11245)
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs.  This is a
potentially useful stepping stone for a SHA3 transition down the line.

Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
2021-09-10 14:39:05 -07:00
Scott Miller 653bfef52e
Forward cert signing requests to the primary on perf secondaries as well as perf standbys (#12180) 2021-07-28 10:21:01 -05:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Lars Lehtonen 0196f43cbe
builtin/logical/pki: fix dropped test errors (#12013) 2021-07-08 10:14:38 -04:00
Lars Lehtonen d8f7dd364a
builtin: deprecate errwrap.Wrapf() throughout (#11430)
* audit: deprecate errwrap.Wrapf()

* builtin/audit/file: deprecate errwrap.Wrapf()

* builtin/crediential/app-id: deprecate errwrap.Wrapf()

* builtin/credential/approle: deprecate errwrap.Wrapf()

* builtin/credential/aws: deprecate errwrap.Wrapf()

* builtin/credentials/token: deprecate errwrap.Wrapf()

* builtin/credential/github: deprecate errwrap.Wrapf()

* builtin/credential/cert: deprecate errwrap.Wrapf()

* builtin/logical/transit: deprecate errwrap.Wrapf()

* builtin/logical/totp: deprecate errwrap.Wrapf()

* builtin/logical/ssh: deprecate errwrap.Wrapf()

* builtin/logical/rabbitmq: deprecate errwrap.Wrapf()

* builtin/logical/postgresql: deprecate errwrap.Wrapf()

* builtin/logical/pki: deprecate errwrap.Wrapf()

* builtin/logical/nomad: deprecate errwrap.Wrapf()

* builtin/logical/mssql: deprecate errwrap.Wrapf()

* builtin/logical/database: deprecate errwrap.Wrapf()

* builtin/logical/consul: deprecate errwrap.Wrapf()

* builtin/logical/cassandra: deprecate errwrap.Wrapf()

* builtin/logical/aws: deprecate errwrap.Wrapf()
2021-04-22 11:20:59 -04:00
Calvin Leung Huang a8cafab083
pki: fix tidy removal on revoked entries (#11367)
* pki: fix tidy removal on revoked entries

* add CL entry
2021-04-19 09:40:40 -07:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Scott Miller 7ecbbcd5b9
Make all duplicate removals stable in PKI (#11259) 2021-04-02 10:33:24 -05:00
Liwei Fu 170a0800e6
Make cert domain name validation case insensitive (#10959)
* make cert domain name validation case insensitive

* reafctor TestPki_PermitFQDNs mutliple cases

* TestPki_PermitFQDNS: fail uppercase alt_name

* add change log

* fix tests

* use EqualFold for potential utf-8 string comparison

Co-authored-by: Freyert <Freyert@users.noreply.github.com>
2021-03-09 21:28:27 -08:00
Brian Kassouf 10668331e4
Update go version to 1.15.3 (#10279)
* Update go version to 1.15.3

* Fix OU ordering for go1.15.x testing

* Fix CI version

* Update docker image

* Fix test

* packagespec upgrade -version 0.1.8

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
2020-10-30 16:44:06 -04:00
ncabatoff 27c7a77624
When expiration attempts to revoke a cert that's not in storage (perhaps due to pki tidy), don't treat that as an error. Let the lease get expired. (#9880) 2020-09-17 16:15:03 -04:00
ncabatoff b615da43d7
Run CI tests in docker instead of a machine. (#8948) 2020-09-15 10:01:26 -04:00
Artem Alexandrov 301ea4c0f0
pki: Allow to use not only one variable during templating in allowed_domains #8509 (#9498) 2020-08-17 11:37:00 -07:00
Calvin Leung Huang fbe2a86693
pki: use revocationInfo.RevocationTimeUTC when revoking certs with ti… (#9609)
* pki: use revocationInfo.RevocationTimeUTC when revoking certs with tidy_revoked_certs set to true

* update comment

* tidy: use same time snapshot for OR comparison
2020-07-30 15:10:26 -07:00
Andrej van der Zee 8f305b1531
Add option allowed_domains_template enabling identity templating for issuing PKI certs. (#8509) 2020-07-08 12:52:25 -04:00
Peter J. Li 27cf73afa8
fix error message for when an invalid uri_sans is provided via the api (#8772) 2020-06-08 13:43:56 -04:00
Andrew N Golovkov 753b2c135a
More helpful errors when import bundled certificates (#8951)
* helpful errors: print not only CN but also exactly what we are comparing
* helpful errors: return different errors for non-existent and unknown keys
* helpful errors: print error about encrypted key instead of "private key not found"
2020-05-11 17:01:10 -06:00
Lars Lehtonen 85301166fe
builtin/logical/pki: fix JSON tag (#8324) 2020-03-06 18:41:26 -08:00
Denis Subbotin a9e605cc43
fix minor potential nil-pointer panic on line 89 (#8488) 2020-03-06 13:32:36 -08:00
Daniel Spangenberg 415303cc02
Allow FQDNs in DNS Name for PKI Secrets Engine (#8288)
Fixes #4837
2020-02-04 23:46:38 +01:00
Becca Petrin c2894b8d05
Add Kerberos auth agent (#7999)
* add kerberos auth agent

* strip old comment

* changes from feedback

* strip appengine indirect dependency
2020-01-09 14:56:34 -08:00
ncabatoff fde5e55ce9
Handle otherName SANs in CSRs (#6163)
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.

Allow single star in allowed_other_sans to match any OtherName.  Update documentation to clarify globbing behaviour.
2019-12-11 10:16:44 -05:00
Chris Hoffman ea0974b578
if storing the certificate, always generate/sign the certificate on the primary (#7904) 2019-12-05 13:50:28 -05:00
Denis Subbotin e9cdd451d1 Don't allow duplicate SAN names in PKI-issued certs (#7605)
* fix https://github.com/hashicorp/vault/issues/6571

* fix test TestBackend_OID_SANs because now SANs are alphabetic sorted
2019-10-28 12:31:56 -04:00
Jeff Mitchell 4b5572bf35 Don't continue in a few places in pki tidy if value is nil (#7589)
Fixes #7588
2019-10-15 09:55:08 -04:00
Jeff Mitchell 3c03f8d7e0
Don't try to revoke certs from PKI on perf standby (#7173)
It needs to do a write for the CRL and to move to the revoked prefix
2019-07-23 08:40:08 -04:00
Jeff Mitchell 7b8c0b58f1
Call goimports as well as gofmt when doing a make fmt (#7148)
Closes #7147
2019-07-18 21:04:56 -04:00
Madalyn a2606ddccf
update OpenAPI output to use DisplayAttributes struct (#6928) 2019-06-21 11:08:08 -04:00
Nick Cabatoff 7380c2fd9d Fix a test bug I introduced in 1d13290b361314466f76e251826f60c92aa67bb7 by failing to update my PR to the latest master before merging. 2019-05-09 11:59:22 -04:00
ncabatoff c48936c4fd
Refactor cert util (#6676)
Break dataBundle into two pieces: inputBundle, which contains data that
is specific to the pki backend, and creationBundle, which is a more
generic bundle of validated inputs given to certificate creation/signing routines.

Move functions that only take creationBundle to certutil and make them public.
2019-05-09 11:43:11 -04:00
Mark Gritter 4cab0047a1
Fix test to use stable order to generate expected result. (#6692) 2019-05-07 14:01:49 -05:00
mgritter 2d3d6a856b gofmt fixes. 2019-05-02 16:29:41 -07:00
Jim Kalafut 2835131117
Apply suggestions from code review
Co-Authored-By: mgritter <mgritter@gmail.com>
2019-05-02 18:02:15 -05:00
mgritter 4e22fb6704 Ensure OU entries are not reordered. 2019-05-02 14:31:29 -07:00
Jeff Mitchell 213b9fd1cf Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 28e2ce8577 Fix build breakages 2019-04-12 22:01:13 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Matt Greenfield 080d4652f0 Fix uri_sans param being ignored when use_csr_values=false (#6505) 2019-04-01 16:08:22 -04:00
T.K 453f1ac109 changed misspelled english words (#6432) 2019-03-19 09:32:45 -04:00
madalynrose 625f0c7546
Update OpenAPI responses to include information the UI can use (#6204) 2019-02-14 12:42:44 -05:00
ncabatoff 3e3498073e Fix #5973 on windows by disregarding errors when querying legacy cert path. (#6013) 2019-01-08 18:08:21 -08:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Lukasz Jagiello 76008b2e1e Remove an empty line for /pki/ca_chain (#5779)
This PR fix #5778.

Easy test case to reproduce the problem:
https://play.golang.org/p/CAMdrOHT7C1

Since `certStr` is empty string during first iteration `strings.Join()`
will merge empty line with first CA cert.

Extra `strings.TrimSpace` call will remove that empty line, before
certificate will be return.
2018-12-12 15:38:35 -05:00
Jeff Mitchell c178d05e07
Properly continue if cert entry is nil when tidying (#5933)
Fixes #5931
2018-12-11 11:28:14 -05:00
Calvin Leung Huang e6ec67fb8f
Use inclusive range on cert role diff comparison (#5737) 2018-11-08 12:15:12 -08:00
Jeff Mitchell fa26beeaed fmt 2018-11-07 16:52:01 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Calvin Leung Huang 20faa90ee3 Use Truncate instead of Round on duration diff (#5691) 2018-11-05 17:32:33 -05:00
Calvin Leung Huang 1a4e8fe53d Round time diff to nearest second to reduce flakiness (#5688) 2018-11-05 16:49:25 -05:00
Jeff Mitchell 6c488921ff Fix website/path-help docs around pki/tidy 2018-10-30 21:33:30 -04:00
Balazs Nagy ca5c60642e Use tidy_revoked_certs instead of tidy_revocation_list (#5608) 2018-10-29 19:29:35 -04:00
Jeff Mitchell 5e2cc31cb6
Remove now-spurious ttl check and logic from sign-verbatim. (#5552)
This endpoint eventually goes through generateCreationBundle where we
already have the right checks.

Also add expiration to returned value to match output when using root
generation.

Fixes #5549
2018-10-19 11:13:59 -04:00
Jeff Mitchell 4217ced72d
Re-add default NotBefore duration in PKI (#5482)
Fixes #5481
2018-10-10 09:42:37 -04:00
Calvin Leung Huang b47e648ddf
Logger cleanup (#5480) 2018-10-09 09:43:17 -07:00
Becca Petrin 937cfff21a
Make builtin auth and secret plugins buildable (#5456) 2018-10-09 09:29:20 -07:00
Jeff Mitchell ff57c14bc2
Set allowed OIDs to any value when generaing a CA. (#5462)
* Set allowed OIDs to any value when generaing a CA.

Also, allow utf-8 in addition to utf8 as the OID type specifier, and
allow `*` to specify any OID of a supported type.

* Update PKI docs
2018-10-08 09:51:43 -04:00
Jeff Mitchell ec2ab502fc make fmt 2018-10-02 14:30:10 -04:00
sk4ry 0fab335eec Add ability to configure the NotBefore property of certificates in role api (#5325)
* Add ability to configure the NotBefore property of certificates in role api

* Update index.html.md

* converting field to time.Duration

* setting default back to 30s

* renaming the parameter not_before_duration to differentiate between the NotBefore datetime on the cert

* Update description
2018-10-02 11:10:43 -04:00
Brian Kassouf a2608a3b61
Fix approle tidy on performance standbys (#5338)
* Fix approle tidy on performance standbys

* Forward PKI and AWS also
2018-09-17 09:53:23 -07:00
Jim Kalafut e1a326152d
Switch to strings.EqualFold (#5284) 2018-09-11 16:22:29 -07:00
Jeff Mitchell c28ed23972
Allow most parts of Vault's logging to have its level changed on-the-fly (#5280)
* Allow most parts of Vault's logging to have its level changed on-the-fly

* Use a const for not set
2018-09-05 15:52:54 -04:00
Jeff Mitchell f8da8a556f Fix PKI test; add deprecated parameter as synonym 2018-09-05 12:33:31 -04:00
Jeff Mitchell c9b06f3b62
Remove certificates from store if tidying revoked certificates (#5231)
This will cause them to be removed even if they have not expired yet,
whereas before it would simply leave them in the store until they were
expired, but remove from revocation info.
2018-09-05 11:47:27 -04:00
Becca Petrin 7a8c116fb1
undo make fmt (#5265) 2018-09-04 09:29:18 -07:00
Becca Petrin ed7639b0ec
run make fmt (#5261) 2018-09-04 09:12:59 -07:00
Jeff Mitchell 5d408afec2
Fix sign-verbatim PKI endpoint not honoring extra subject names (#5245)
Related to #2394
2018-09-01 09:08:45 -07:00
Calvin Leung Huang 9988ace85e gofmt files (#5233) 2018-08-31 09:15:40 -07:00
Jeff Mitchell 051bb9fc13
Two PKI improvements: (#5134)
* Disallow adding CA's serial to revocation list
* Allow disabling revocation list generation. This returns an empty (but
signed) list, but does not affect tracking of revocations so turning it
back on will populate the list properly.
2018-08-21 11:20:57 -04:00
Jeff Mitchell 8b966f7027 Remove some unnecessary default statements 2018-07-13 09:33:26 -04:00
dmicanzerofox a3d067c00b PKI Tidy Revocation List optionally Tidy Revoked Certs that are Unexpired (#4916) 2018-07-13 09:32:32 -04:00
Jeff Mitchell 4d1a6690f5
Use Go's in-built permitted DNS domain logic (#4908)
Fixes #4863
2018-07-11 17:35:46 -04:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell 935c045cfa
Fix permitted dns domain handling (#4905)
It should not require a period to indicate subdomains being allowed

Fixes #4863
2018-07-11 12:44:49 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Mr Talbot 5551a63221 pki: add ext_key_usage to mirror key_usage and add to sign-verbatim (#4777)
* pki: add ext_key_usage parameter to role

* pki: add key_usage and ext_key_usage parameter to sign-verbatim

* pki: cleanup code as per comments
2018-06-15 18:20:43 -04:00
Jeff Mitchell 91ca3d4b7f
Add URI SANs (#4767) 2018-06-15 15:32:25 -04:00
Marcin Wielgoszewski 9316c96364 Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-04 23:18:39 -04:00
Alex Ionescu 7c31dacea2 Custom extended key usage for PKI. (#4667)
Custom extended key usage for PKI
2018-06-01 09:13:54 -04:00
Jeff Mitchell 244cb0bf9a
Ensure safety_buffer in PKI is greater than zero (#4643)
Fixes #4641
2018-05-28 12:08:22 -04:00
Jeff Mitchell 72200603c6
Fix role writing not allowing key_type of any (#4596)
Fixes #4595
2018-05-19 10:24:43 -07:00
Jeff Mitchell 072cd783b5 Fix another PKI test 2018-05-09 12:51:34 -04:00
Jeff Mitchell 573b403b5e Fix PKI test 2018-05-09 12:47:00 -04:00
Jeff Mitchell e5f4ca83a0
Update PKI to natively use time.Duration (#4493)
* Update PKI to natively use time.Duration

Among other things this now means PKI will output durations in seconds
like other backends, instead of as Go strings.

* Add a warning when refusing to blow away an existing root instead of just returning success

* Fix another issue found while debugging this...

The reason it wasn't caught on tests in the first place is that the ttl
and max ttl were only being compared if in addition to a provided csr, a
role was also provided. This was because the check was in the role !=
nil block instead of outside of it. This has been fixed, which made the
problem occur in all sign-verbatim cases and the changes in this PR have
now verified the fix.
2018-05-09 10:29:54 -04:00
Robison Jacka b78b9c7ebf Iterating over CSR extensions, and skipping BasicConstraints, since those should be defined by the endpoint that's performing the signing. (#4469) 2018-05-01 11:22:49 -04:00
Calvin Leung Huang bacf136785 Fix pki tests (#4318) 2018-04-09 15:19:05 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Matthew Irish cff34e983f
UI - pki updates (#4291)
* add require_cn to pki roles
* add policy_identifiers and basic_constraints_valid_for_non_ca to pki role form
* add new fields to the PKI docs
* add add_basic_constraints field
2018-04-08 21:09:29 -05:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell 7a6f582168
1.10 Updates (#4218) 2018-03-29 15:32:16 -04:00
Jeff Mitchell 6484b9b164
Continue and warn when tidying in pki if an entry or value is nil (#4214)
Ref #4177
2018-03-29 15:27:51 -04:00
Jeff Mitchell e4d277fc0b Sanitizize some error capitalization 2018-03-29 10:14:42 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 48a6ce618a
Add ability to set CA:true when generating intermediate CSR. (#4163)
Fixes #3883
2018-03-20 10:09:59 -04:00
Jeff Mitchell 414097018a Add a check on incoming policy identifiers
cc #4125
2018-03-19 22:10:18 -04:00
Rémi Pauchet 40e226184b Support certificate policies in the pki backend (#4125) 2018-03-19 22:05:21 -04:00
Jeff Mitchell 8697d80d2e
More cleanup of TTL handling in PKI (#4158)
* Max role's max_ttl parameter a TypeDurationString like ttl
* Don't clamp values at write time in favor of evaluating at issue time,
as is the current best practice
* Lots of general cleanup of logic to fix missing cases
2018-03-19 21:01:41 -04:00
Jeff Mitchell 2e50667b12
Codify using strings.Join and strings.TrimSpace around PEM handling to ensure newline sanity (#4148)
Fixes #4136
2018-03-18 16:00:51 -04:00
Jeff Mitchell cf7c86e0f8 *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
This partially reverts commit 83f6b21d3ef930df0352a4ae7b1e971790e3eb22.
2018-02-22 20:15:56 -05:00
Jeff Mitchell 0f26cb9b8d Fix PKI tests by generating on-demand 2018-02-20 00:23:37 -05:00
Jeff Mitchell ce8f652ef9 Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Robison Jacka 9541e8f643 Adding path roles test coverage for storing PKIX fields (#4003) 2018-02-18 16:22:35 -05:00
Robison Jacka 71d939894b Add test coverage for recently-added PKIX fields. (#4002) 2018-02-18 13:21:54 -05:00
Jeff Mitchell a408a03495 Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Jeff Mitchell f29bde0052
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Jeff Mitchell 8655a1c135
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell bd3cdd8095 Fix compile 2018-02-09 14:04:05 -05:00
Vishal Nayak 80ffd07b8b added a flag to make common name optional if desired (#3940)
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
Jeff Mitchell fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Chris Hoffman 5b2b168e97
Converting OU and Organization role fields to CommaStringSlice (#3804) 2018-01-17 11:53:49 -05:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Chris Hoffman 3b0ba609b2
Converting key_usage and allowed_domains in PKI to CommaStringSlice (#3621) 2017-12-11 13:13:35 -05:00
Mohsen 2aa576149c Small typo relating to no_store in pki secret backend (#3662)
* Removed typo :)

* Corrected typo in the website related to no_store
2017-12-07 10:40:21 -05:00
Jeff Mitchell 6b72b90efa Remove allow_base_domain from PKI role output.
It was never used in a release, in favor of allow_bare_domains.

Fixes #1452 (again)
2017-11-09 10:24:36 -05:00
Jeff Mitchell 3555a17d52 Don't read out an internal role member in PKI 2017-11-08 18:20:53 -05:00
Jeff Mitchell 17310654a1
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Jeff Mitchell d8e2179a42 Rejig some error messages in pki 2017-10-27 12:02:18 -04:00
Jeff Mitchell a25dae82dd Final sync 2017-10-23 17:39:21 -04:00
Jeff Mitchell e3ce60eb1f Allow entering PKI URLs as arrays. (#3409)
Fixes #3407
2017-10-03 16:13:57 -04:00
Jeff Mitchell 1076cea5d1 Tests were not actually forcing the intermediate to have a longer TTL
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell cb6ac1e926 Change behavior of TTL in sign-intermediate (#3325)
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Jeff Mitchell 7be6905eb0 Add a bit more delay to backend test in case Travis is loaded 2017-09-04 14:45:12 -04:00
Jeff Mitchell abb2ab2918 Add pki/root/sign-self-issued. (#3274)
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell d62937aaf3 Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Lars Lehtonen 13901b1346 fix swallowed errors in pki package tests (#3215) 2017-08-29 13:15:36 -04:00
Jeff Mitchell 340fe4e609 Add permitted dns domains to pki (#3164) 2017-08-15 16:10:36 -04:00
Jeff Mitchell e4eb6e9020 Make PKI root generation idempotent-ish and add delete endpoint. (#3165) 2017-08-15 14:00:40 -04:00
Chris Hoffman 77336f4ca2 adding warning for conflicting role and request parameters (#3083) 2017-08-02 10:02:40 -04:00
Calvin Leung Huang 3e8aecc7d5 Add BackendType to existing backends (#3078) 2017-07-28 14:04:46 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Seth Rutner 3874b63af3 Fix typos in error message (#2692) 2017-05-10 10:28:35 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Calvin Leung Huang 26cf09ab15 Minor comment update on cert_util 2017-05-03 16:13:54 -04:00
Chris Hoffman 1c14d207b5 Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
Chris Hoffman e34a45fdcd Minor readability enhancements for migration path from old to new 2017-05-03 14:58:22 -04:00
Calvin Leung Huang a00a7815f6 Include and use normalizeSerial func 2017-05-03 10:12:58 -04:00
Calvin Leung Huang 2b7a66e23b Use variables for string replacements on cert_util 2017-05-02 14:11:57 -04:00
Justin Gerace 403efeb5ae Add globbing support to the PKI backend's allowed_domains list (#2517) 2017-05-01 10:40:18 -04:00
Calvin Leung Huang ff4cf41ebb Add test for ca and crl case 2017-04-28 08:55:28 -04:00
Vishal Nayak 8bb6c8caef Return error message for failure to parse CSR (#2657) 2017-04-28 08:30:24 -04:00
Calvin Leung Huang 802d030506 Refactor cert_util_test 2017-04-27 17:09:59 -04:00
Calvin Leung Huang b5990321bf Verify update operation was performed on revokeCert 2017-04-27 12:30:44 -04:00
Calvin Leung Huang 3b27a9c12c Rename tests, use HandleRequest() for existing paths 2017-04-27 09:47:56 -04:00
Calvin Leung Huang 628e5d594b Add remaining tests 2017-04-26 16:05:58 -04:00
Calvin Leung Huang d24757f2e0 Fix crl_util test 2017-04-26 09:58:34 -04:00
Calvin Leung Huang 18ed2d6097 Tests for cert and crl util 2017-04-26 02:46:01 -04:00
Chris Hoffman 847c86f788 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Jeff Mitchell 4995c69763 Update sign-verbatim to correctly set generate_lease (#2593) 2017-04-18 15:54:31 -04:00
Jeff Mitchell 822d86ad90 Change storage of entries from colons to hyphens and add a
lookup/migration path

Still TODO: tests on migration path

Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell 79fb8bdf69 Verify that a CSR specifies IP SANs before checking whether it's allowed (#2574) 2017-04-13 13:40:31 -04:00
Shivaram Lingamneni 2117dfd717 implement a no_store option for pki roles (#2565) 2017-04-07 11:25:47 -07:00
Jeff Mitchell 709389dd36 Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
2017-04-04 08:54:18 -07:00
Jeff Mitchell 24886c1006 Ensure CN check is made when exclude_cn_from_sans is used
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell 12e5132779 Allow roles to specify whether CSR SANs should be used instead of (#2489)
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell 7ab6844eb4 Set CA chain when intermediate does not have an authority key ID.
This is essentially an approved review of the code provided in #2465.

Fixes #2465
2017-03-15 11:52:02 -04:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell eca68d5913 Fix a bunch of errors from returning 5xx, and parse more duration types 2017-03-02 15:38:34 -05:00
vishalnayak 2e911fc650 Fix broken build caused due to resolve merge conflicts 2017-02-24 12:41:20 -05:00
Vishal Nayak c6f138bb9a PKI: Role switch to control lease generation (#2403)
* pki: Make generation of leases optional

* pki: add tests for upgrading generate_lease

* pki: add tests for leased and non-leased certs

* docs++ pki generate_lease

* Generate lease is applicable for both issuing and signing

* pki: fix tests

* Address review feedback

* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke 01f3056b8b pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405) 2017-02-24 11:17:59 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell c96fe56d44 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell 817bec0955 Add Organization support to PKI backend. (#2380)
Fixes #2369
2017-02-16 01:04:29 -05:00
Jeff Mitchell f43a041bf2 Revert "Disable PKI OU tests to fix the build"
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
vishalnayak c8b6ab7223 Disable PKI OU tests to fix the build 2017-01-24 06:25:56 -05:00
joe miller 98df700495 allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
joe miller 78dacc154a sign-verbatim should set use_csr_common_name to true (#2243) 2017-01-10 09:47:59 -05:00
vishalnayak 1816446f46 Address review feedback 2016-12-20 11:19:47 -05:00
vishalnayak b3e323bbcc pki: Avoiding a storage read 2016-12-20 11:07:20 -05:00
vishalnayak 2e23f1a992 pki: Appended error to error message 2016-12-19 10:49:32 -05:00
vishalnayak ba1cc709bd PKI: Added error to the error message 2016-12-19 10:47:29 -05:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Chris Hoffman d235acf809 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Jeff Mitchell 6bf871995b Don't use time.Time in responses. (#1912)
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
Jeff Mitchell 897d3c6d2c Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop. 2016-09-16 11:05:43 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
Jeff Mitchell 86874def5c Parameter change
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
Jeff Mitchell 39cfd116b6 Cleanup 2016-08-13 11:52:09 -04:00
Jeff Mitchell 1b8711e7b7 Ensure utc value is not zero before adding 2016-08-13 11:50:57 -04:00
Jeff Mitchell d6d08250ff Ensure values to be encoded in a CRL are in UTC. This aligns with the
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.

Fixes #1727
2016-08-13 08:40:09 -04:00
Vincent Batoufflet 0b73c2ff9a Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Jeff Mitchell 3334b22993 Some minor linting 2016-07-19 13:54:18 -04:00
Jeff Mitchell 4a8d9eb942 Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time. 2016-07-01 17:28:48 -04:00
cara marie 11c205e19b removed option to create 1024 keybitlength certs 2016-06-28 16:56:14 -04:00
Jeff Mitchell 9dc0599a30 Address review feedback 2016-06-23 10:18:03 -04:00
Jeff Mitchell d7029fc49a Add some more testing 2016-06-23 09:49:03 -04:00
Jeff Mitchell 45a442e593 Set some basic key usages by default.
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.

Fixes #1476
2016-06-22 16:08:24 -04:00
Jeff Mitchell 407373df5d Revert "Use x509 package ext key usage instead of custom type"
This reverts commit 0b2d8ff475a26ff98c37337a64859d150d62cfc1.
2016-06-22 13:07:31 -04:00
Jeff Mitchell c0dee06aab Use x509 package ext key usage instead of custom type 2016-06-22 11:51:32 -04:00
Jeff Mitchell 62f66dc4d8 Do some internal renaming in PKI 2016-06-22 11:39:57 -04:00
Vishal Nayak 711c05a319 Merge pull request #1546 from hashicorp/secret-aws-roles
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
vishalnayak 8b490e44a1 Added list functionality to logical aws backend's roles 2016-06-20 19:51:04 -04:00
vishalnayak 0760a89eb4 Backend() functions should return 'backend' objects.
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
LLBennett 3795b65d19 Updates to the test based on feedback. 2016-06-08 16:49:10 +00:00
Laura Bennett 2f2a80e2be Add PKI listing 2016-06-08 11:50:59 -04:00
Vishal Nayak 644ac5f5e8 Merge pull request #1456 from hashicorp/consul-lease-renewal
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00