* Add new AllowWildcardCertificate field to PKI role
This field allows the PKI role to control whether or not issuance of
wildcard certificates are allowed. We default (both on migration and
new role creation) to the less secure true value for backwards
compatibility with existing Vault versions.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor sanitizedName to reducedName
Per comment, this variable name was confusing during the reproduction
and subsequent fix of the earlier vulnerability and associated bug
report. Because the common name isn't necessarily _sanitized_ in any way
(and indeed must be considered in relation to other parts or the whole),
but portions of the entire name are removed, reducedName appears to make
the most sense.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Enforce AllowWildcardCertificates during issuance
This commit adds the bulk of correctly validating wildcard certificate
Common Names during issuance according to RFC 6125 Section 6.4.3
semantics. As part of this, support for RFC 2818-conforming wildcard
certificates (wherein there are almost no restrictions on issuance) has
been removed.
Note that this flag does take precedence over AllowAnyName, giving a
little more safety in wildcard issuance in this case.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update test cases to conform with RFC 6125
Test cases 19, 70+71, and 83+84 didn't conform with the RFC 6125, and so
should've been rejected under strict conformance. For 70+71 and 83+84,
we previously conditioned around the value of AllowSubdomains (allowing
issuance when true), but they likely should've been rejected either way.
Additionally, update the notes about globs matching wildcard
certificates to notate this is indeed the case.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Check AllowWildcardCertifciates in issuance tests
This allows for regression tests to cover the new
AllowWildcardCertificate conditional. We add additional test cases
ensuring that wildcard issuance is properly forbidden in all relevant
scenarios, while allowing the existing test cases to validate that
wildcard status doesn't affect non-wildcard certificates.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add Wildcard allowance during signing operations
When using sign-verbatim, sign-intermediate, or getting certificate
generation parameters, set AllowWildcardCertificates to mirror existing
policies.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow issuance of wildcard via glob match
From Vault v1.8.0 onwards, we would incorrectly disallow issuance of a
wildcard certificate when allow_glob_domain was enabled with a
multi-part glob domain in allowed_domains (such as *.*.foo) when
attempting to issue a wildcard for a subdomain (such as *.bar.foo).
This fixes that by reverting an errant change in the case insensitivity
patch. Here, when validating against a very powerful glob construct, we
leave the wildcard prefix (*.) from the raw common_name element, to
allow multi-part globs to match wildcard entries.
It is important to note that "sanitizedName" is an incorrect variable
naming here. Wildcard parsing (per RFC 6125 which supercedes RFC 2818)
must be in the left-most segment of the domain, but we lack validation
to ensure no internal wildcards exist. Additionally per item 3 of
section 6.4.3 of RFC 6125, wildcards MAY be internal to a domain
segment, in which case sanitizedName again leaves the wildcard in place.
Resolves: #13530
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove duplicate email address check
As pointed out by Steven Clark (author of the removed conditional in
70012cd865b3dcdab376dba0c0e0abc88c48f508), this is duplicate from the
now-reintroduced comparison against name (versus the erroneous
sanitizedName at the time of his commit).
This is a reversion of the changes to builtin/logical/pki/cert_util.go,
but keeping the additional valuable test cases.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add multi-dimensional PKI role issuance tests
This commit introduces multi-dimensional testing of PKI secrets engine's
role-based certificate issuance with the intent of preventing future
regressions.
Here, dimensions of testing include:
- AllowedDomains to decide which domains are approved for issuance,
- AllowBareDomains to decide if raw entries of AllowedDomains are
permitted,
- AllowGlobDomains to decide if glob patterns in AllowedDomains are
parsed,
- AllowSubdomains to decide if subdomains of AllowedDomains are
permitted,
- AllowLocalhost to decide if localhost identifiers are permitted, and
- CommonName of the certificate to request.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add checks for other error types within the PKI plugin
- The PKI plugin assumes the code it is calling always returns an error
of type errutil.UserError or errutil.InternalError. While I believe
so far this is still true, it would be easy to add a code path that
just returns a generic error and we would completely ignore it.
- This was found within some managed key testing where I forgot to wrap
an error within one of the expected types
* Add changelog
* Allow all other_sans in sign-intermediate and sign-verbatim
/sign-verbatim and /sign-intermediate are more dangerous endpoints in
that they (usually) do not have an associated role. In this case, a
permissive role is constructed during execution of these tests. However,
the AllowedOtherSANs field was missing from this, prohibiting its use
when issuing certificates.
Resolves: #13157
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add duration/count metrics to PKI issue and revoke flows
* docs, changelog
* tidy
* last tidy
* remove err
* Update callsites
* Simple returns
* Handle the fact that test cases don't have namespaces
* Add mount point to the request
* fmt
* Handle empty mount point, and add it to unit tests
* improvement
* Turns out sign-verbatim is tricky, it can take a role but doesn't have to
* Get around the field schema problem
* Use application/pem-certificate-chain for PEMs
As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.
Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Include full chain in /cert/ca_chain response
This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.
Resolves: #13489
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for full CA issuance
We test three main scenarios:
1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
contain only the root,
2. An intermediate CA (with root provide) should contain both the root
and the intermediate.
3. An external (e.g., `/config/ca`-provided) CA with both root and
intermediate should contain both certs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation for new ca_chain field
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about where to find the entire chain
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Support Y10K value in notAfter field when signing non-CA certificates
* Add changelog entry for 13736
* Add test for using not_after parameter for non-CA certificates that are being signed
* Fix CA value for test for not_after value when signing non-CA certs
* Address formatting
* Add changelog file
* Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
* CLI changes for new mount tune config parameter allowed_managed_keys
* Correct allowed_managed_keys description in auth and secrets
* Documentation update for secrets and removed changes for auth
* Add changelog and remove documentation changes for auth
* removed changelog
* Correct the field description
* Replace - with : when listing certificate serials
* Add allowed_uri_sans_template
Enables identity templating for the allowed_uri_sans field in PKI cert roles.
Implemented as suggested in #8509
* changelog++
* Update docs with URI SAN templating
* Allow universal default for key_bits
This allows the key_bits field to take a universal default value, 0,
which, depending on key_type, gets adjusted appropriately into a
specific default value (rsa->2048, ec->256, ignored under ed25519).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Handle universal default key size in certutil
Also move RSA < 2048 error message into certutil directly, instead of in
ca_util/path_roles.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing RSA key sizes to pki/backend_test.go
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to returning updated values
When determining the default, don't pass in pointer types, but instead
return the newly updated value.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Re-add fix for ed25519 from #13254
Ed25519 internally specifies a hash length; by changing the default from
256 to 0, we fail validation in ValidateSignatureLength(...) unless we
specify the key algorithm.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* return pkcs8 format for ed25519 curve
convertRespToPKCS8 does not recognize the ed25519 key. Changes
to recognize ed25519 key and return its PKCS8 format
* Restrict ECDSA signatures with NIST P-Curve hashes
When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.
Related: #11245
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to certutil.ValidateKeyTypeSignatureLength(...)
Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to autodetection of signature_bits
This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Select hash function length automatically
Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prevent invalid Curve size lookups
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch from -1 to 0 as default SignatureBits
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
VAULT-444: Add PKI tidy-status endpoint.
Add metrics so that the PKI tidy status can be monitored using telemetry as well.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Document allow_different_signature_algorithm param
* Flip the semantics of different key types for sign self issued
* More language tweaks
* Fix the field definition description
* Rework differenttype test for the new flag
* typo
* Native Login method, userpass and approle interfaces to implement it
* Add AWS auth interface for Login, unexported struct fields for now
* Add Kubernetes client login
* Add changelog
* Add a test for approle client login
* Return errors from LoginOptions, use limited reader for secret ID
* Fix auth comment length
* Return actual type not interface, check for client token in tests
* Require specification of secret ID location using SecretID struct as AppRole arg
* Allow password from env, file, or plaintext
* Add flexibility in how to fetch k8s service token, but still with default
* Avoid passing strings that need to be validated by just having different login options
* Try a couple real tests with approle and userpass login
* Fix method name in comment
* Add context to Login methods, remove comments about certain sources being inherently insecure
* Perform read of secret ID at login time
* Read password from file at login time
* Pass context in integ tests
* Read env var values in at login time, add extra tests
* Update api version
* Revert "Update api version"
This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679.
* Update api version in all go.mod files
* update azure instructions
Update instructions in regards to azure AD Authentication and OIDC
* Initial pass of ed25519
* Fix typos on marshal function
* test wip
* typo
* fix tests
* missef changelog
* fix mismatch between signature and algo
* added test coverage for ed25519
* remove pkcs1 since does not exist for ed25519
* add ed25519 support to getsigner
* pull request feedback
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
* typo on key
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
* cast mistake
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types
* Allow signing self issued certs with a different public key algorithm
* Remove cruft
* Remove stale import
* changelog
* eliminate errwrap
* Add a test to cover the lack of opt-in flag
* Better comment
Co-authored-by: catsby <clint@ctshryock.com>
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs. This is a
potentially useful stepping stone for a SHA3 transition down the line.
Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
* Update go version to 1.15.3
* Fix OU ordering for go1.15.x testing
* Fix CI version
* Update docker image
* Fix test
* packagespec upgrade -version 0.1.8
Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
* pki: use revocationInfo.RevocationTimeUTC when revoking certs with tidy_revoked_certs set to true
* update comment
* tidy: use same time snapshot for OR comparison
* helpful errors: print not only CN but also exactly what we are comparing
* helpful errors: return different errors for non-existent and unknown keys
* helpful errors: print error about encrypted key instead of "private key not found"
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.
Allow single star in allowed_other_sans to match any OtherName. Update documentation to clarify globbing behaviour.
Break dataBundle into two pieces: inputBundle, which contains data that
is specific to the pki backend, and creationBundle, which is a more
generic bundle of validated inputs given to certificate creation/signing routines.
Move functions that only take creationBundle to certutil and make them public.
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
This PR fix#5778.
Easy test case to reproduce the problem:
https://play.golang.org/p/CAMdrOHT7C1
Since `certStr` is empty string during first iteration `strings.Join()`
will merge empty line with first CA cert.
Extra `strings.TrimSpace` call will remove that empty line, before
certificate will be return.
This endpoint eventually goes through generateCreationBundle where we
already have the right checks.
Also add expiration to returned value to match output when using root
generation.
Fixes#5549
* Set allowed OIDs to any value when generaing a CA.
Also, allow utf-8 in addition to utf8 as the OID type specifier, and
allow `*` to specify any OID of a supported type.
* Update PKI docs
* Add ability to configure the NotBefore property of certificates in role api
* Update index.html.md
* converting field to time.Duration
* setting default back to 30s
* renaming the parameter not_before_duration to differentiate between the NotBefore datetime on the cert
* Update description
This will cause them to be removed even if they have not expired yet,
whereas before it would simply leave them in the store until they were
expired, but remove from revocation info.
* Disallow adding CA's serial to revocation list
* Allow disabling revocation list generation. This returns an empty (but
signed) list, but does not affect tracking of revocations so turning it
back on will populate the list properly.
