Commit Graph

200 Commits

Author SHA1 Message Date
Sean Chittenden 087e7c94d3 Add Vault support for the *BSDs, including Darwin
The `syscall` package has been frozen in favor of `x/sys`.  As a result, all of the BSDs are supported and do have `mlockall(2)` support in current versions of Go.
2016-04-05 12:18:19 -07:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Jeff Mitchell c50276ec17 Fix using wrong var 2016-03-24 10:23:09 -04:00
Jeff Mitchell 4c4a65ebd0 Properly check for policy equivalency during renewal.
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.

Fixes #1256
2016-03-24 09:41:51 -04:00
Jeff Mitchell 786bce24b1 Remove us building Solaris binaries for the moment, as they don't build successfully 2016-03-16 15:47:55 -04:00
Tom Ritter 8901c0b67d Type in kdf.go 2016-02-08 14:39:46 -06:00
Jeff Mitchell 7a59af7d18 Fix lost code after rebase 2016-01-19 19:19:07 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b100c5965 Address most of the review feedback 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 630b2d83a7 Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.
Fixes #940
2016-01-18 17:01:52 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell 8d1e5cb50d Add returning which user names could not be looked up 2016-01-04 13:56:45 -05:00
Jeff Mitchell 90ec946dab Address review feedback. 2016-01-04 11:18:04 -05:00
Jeff Mitchell d11509830f Happy New Year everyone! (Add keybase support for PGP keys.)
Keys specified in rekey and init operations can now be sourced from
keybase.io by using "keybase:[username]" as the key.
2015-12-31 20:47:41 -05:00
Jeff Mitchell 4dac5f5a0e Merge pull request #829 from andrewstuart/master
Add parsing of pkcs#8-encoded bundles for pki/config/ca
2015-12-22 10:06:59 -05:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Charles Phillips 4cb2941b77 [helper] support mlock on Solaris/SmartOS 2015-12-15 11:28:16 -08:00
Andrew Stuart c81e5c41d2
Update PrivateKeyType to string, update switch statement. 2015-12-14 11:16:47 -07:00
Andrew Stuart 100465fee8
Remove unnecessary cast 2015-12-14 06:17:20 -07:00
Andrew Stuart 567282170f
Remove printf call from test 2015-12-11 15:47:00 -07:00
Andrew Stuart ae9e842841
Merge branch 'pkcs8' 2015-12-11 15:22:43 -07:00
Andrew Stuart 43bd14a755
Add benchmark for certutil bundle parsing 2015-12-11 15:17:49 -07:00
Andrew Stuart 551591fb70
Remove debugging print statement in compareCertBundleToParsedCertBundle 2015-12-11 15:17:49 -07:00
Andrew Stuart b277eb9f14
Remove flag check before trying pkcs8 parsing. 2015-12-11 15:17:49 -07:00
Andrew Stuart 6f672a9589
Add pkcs8 flag setting in ParsePEMBundle 2015-12-11 15:17:49 -07:00
Andrew Stuart 4da225d39e
Update tests and finish implementation of PKCS8 handling 2015-12-11 15:17:49 -07:00
Andrew Stuart 25667df5f7
Update ParsePEMBundle to properly handle pkcs#8
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-11 15:17:49 -07:00
Andrew Stuart 2861be29a4
Move to pem.Block.Type-based decoding 2015-12-11 14:57:33 -07:00
Andrew Stuart 9d97cc36c9
Add benchmark for certutil bundle parsing 2015-12-11 09:58:49 -07:00
Andrew Stuart e70b0b86e2
Merge branch 'master' into pkcs8 2015-12-10 21:02:59 -07:00
Andrew Stuart 572f587093
Update flag to field with format info 2015-12-10 21:02:31 -07:00
Andrew Stuart 889245c990
Remove debugging print statement in compareCertBundleToParsedCertBundle 2015-12-10 16:33:42 -07:00
Andrew Stuart cdeca4ed92
Remove flag check before trying pkcs8 parsing. 2015-12-09 19:41:32 -07:00
Andrew Stuart ef2be34985 Remove flag check before trying pkcs8 parsing. 2015-12-09 15:33:25 -07:00
Andrew Stuart a3b096e3fe Add pkcs8 flag setting in ParsePEMBundle 2015-12-09 15:33:25 -07:00
Andrew Stuart 7d274cbb0b Update tests and finish implementation of PKCS8 handling 2015-12-09 15:33:25 -07:00
Andrew Stuart db48b7fccf Update ParsePEMBundle to properly handle pkcs#8
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-09 15:29:13 -07:00
Jeff Mitchell 22a6d6fa22 Merge branch 'master' into pki-csrs 2015-11-20 12:48:38 -05:00
Jeff Mitchell 0dbe15cb87 Mostly revert changes to certutil as the embedded struct stuff was being
problematic.
2015-11-19 14:18:39 -05:00
Jeff Mitchell f41a2e562a fix tests 2015-11-19 10:13:28 -05:00
Jeff Mitchell 26c8cf874d Move public key comparison logic to its own function 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4681d027c0 Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell 5510a2b16f Add unit tests for CSR bundle conversion 2015-11-19 09:51:18 -05:00
Jeff Mitchell 54fccb2ff4 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell b2df079446 Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell 1cec03d9ca Implement CA cert/CSR generation. CA certs can be self-signed or
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell c66f0918be Add delete method, and ability to delete only one serial as well as an entire set. 2015-11-03 10:52:20 -05:00
Mitchell Hashimoto 2917e6be2f helper/password: interrupt should exit readline 2015-10-16 16:01:19 -07:00
Jeff Mitchell a9155ef85e Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Jeff Mitchell ad840233eb Allow base64-encoded keys to be used on the CLI for init/rekey.
Fixes #653.
2015-10-06 12:47:01 -04:00
Jeff Mitchell 8d71601221 Changes to salt to clean up HMAC stuff. 2015-09-18 18:13:10 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 8669a87fdd When using PGP encryption on unseal keys, encrypt the hexencoded string rather than the raw bytes. 2015-08-26 07:59:50 -07:00
Jeff Mitchell cc232e6f79 Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell c887df93cc Add support for pgp-keys argument to rekey, as well as tests, plus
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Bradley Girardeau aa55d36f03 Clean up naming and add documentation 2015-07-30 17:36:40 -07:00
Bradley Girardeau d26b77b4f4 mfa: code cleanup 2015-07-28 11:55:46 -07:00
Bradley Girardeau 6697012dd3 mfa: improve edge cases and documentation 2015-07-27 21:14:00 -07:00
Bradley Girardeau 15c9e0cfc3 mfa duo: better error messages 2015-07-27 21:14:00 -07:00
Bradley Girardeau e45f957bcc mfa: add test cases for MFA, Duo 2015-07-27 21:14:00 -07:00
Bradley Girardeau 5cf78d8ba2 mfa: add MFA wrapper with Duo second factor 2015-07-27 21:14:00 -07:00
Armon Dadgar 81f39fbc16 helper/kdf: changing argument name for clarity 2015-07-05 14:01:56 -07:00
Armon Dadgar bd347e0430 helper/kdf: adding lib for key derivation from NIST800-108 2015-07-05 14:01:21 -07:00
Armon Dadgar 3084f64e5c helper/salt: track if salt was generated 2015-06-30 16:47:49 -07:00
Armon Dadgar a2eb1210a7 helper/salt: adding little helper for salting 2015-06-30 14:04:18 -07:00
Armon Dadgar 8bc99f8c23 helper/uuid: single generateUUID definition 2015-06-30 12:38:32 -07:00
Armon Dadgar 3902626163 Merge pull request #310 from jefferai/f-pki
Initial PKI backend implementation
2015-06-21 11:12:22 +01:00
Steve Wills 7244094509 allow building on FreeBSD
Allow this file to build on FreeBSD
2015-06-19 16:59:24 -04:00
Jeff Mitchell 390f769d1a Add unit tests for certutil, and fix a whitespace stripping issue.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 16:06:56 -04:00
Jeff Mitchell a6fc48b854 A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Jeff Mitchell 34f495a354 Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Jeff Mitchell 9e00ca769a Restructure a little bit to make the helper library fully standalone. This makes it easier to move around later if desired, and for use by external programs.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 06:42:57 -04:00
Jeff Mitchell 29e7ec3e21 A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.

More refactoring could be done within the PKI backend itself, but that can wait.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Mitchell Hashimoto 8d39d21ac2 helper/kv-builder: blank values should not panic 2015-06-16 10:00:02 -07:00
Mark Junker 787a4bc4b5 Fixes #83 2015-04-29 10:20:09 +02:00
Mitchell Hashimoto b5f8f3b05a vault: add helper/mlock for doing mlock 2015-04-28 14:59:43 -07:00
Mitchell Hashimoto fa80e90b1a helper/passsword: fix windows compilation 2015-04-28 09:23:48 -07:00
Mitchell Hashimoto 8e3746d347 helper/kv-builder 2015-04-07 22:30:25 -07:00
Mitchell Hashimoto 481628c41f command/auth: framework for supporting more auth methods 2015-04-05 20:50:18 -07:00
Mitchell Hashimoto afc71d2a7b command/server: cleaner output 2015-04-04 12:06:41 -07:00
Mitchell Hashimoto 2e9e4ee93d helper/password: catch ctrl-c if possible 2015-04-01 17:27:29 -07:00
Mitchell Hashimoto 11f8423b4f logical/framework, logical/testing 2015-03-15 16:39:49 -07:00
Mitchell Hashimoto a0232eedd7 helper/backend: use logical package 2015-03-15 14:57:19 -07:00
Mitchell Hashimoto 857e00bcdc helper/backend: start acceptance test framework 2015-03-14 17:18:19 -07:00
Mitchell Hashimoto accd8c29ca helper/backend: auto-generate help route 2015-03-14 10:12:50 -07:00
Mitchell Hashimoto e8e55ef8b1 helper/backend: one callback per operation 2015-03-14 00:19:25 -07:00
Mitchell Hashimoto 7f87d9ea6f helper/backend: HandleRequest works 2015-03-13 23:58:20 -07:00
Mitchell Hashimoto d17c3d87d3 helper/backend: store captures for a path 2015-03-13 23:48:49 -07:00
Mitchell Hashimoto c4e35ffb7d helper/backend: cache route regexps (98% speedup)
benchmark                 old ns/op     new ns/op     delta
BenchmarkBackendRoute     49144         589           -98.80%
2015-03-13 23:25:17 -07:00
Mitchell Hashimoto e5871abf77 helper/backend: benchmark route 2015-03-13 23:22:48 -07:00
Mitchell Hashimoto 0751c5db12 helper/backend: basic path routing (naive) 2015-03-13 23:17:25 -07:00
Mitchell Hashimoto a68eb1a994 helper/backend: add default values 2015-03-13 21:15:20 -07:00
Mitchell Hashimoto 33a08fbfa0 helper/backend: start this thing 2015-03-13 21:11:19 -07:00
Mitchell Hashimoto d88c20e293 command/server: add config loading 2015-03-12 15:21:11 -07:00
Mitchell Hashimoto a524ef6537 helper/password: for reading passwords securely 2015-03-04 00:31:35 -08:00