134b4d2a42
Built on GH-890 to add other types
2015-12-29 13:07:24 -05:00
b85c29349f
Merge pull request #890 from ironSource/pki-fix
...
fix CA compatibility with OpenSSL
2015-12-29 12:04:03 -06:00
fba756075a
fix CA compatibility with OpenSSL
2015-12-29 18:52:43 +02:00
1a324cf347
Make TokenHelper an interface and split exisiting functionality
...
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.
Fixes #850 among others
2015-12-22 10:23:30 -05:00
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
dd445a53a5
Update key usage logic
...
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
Windows Crypto API and Go's validation logic
Fixes #846
2015-12-14 14:23:51 -05:00
6ad1b75caf
Merge branch 'master' into pki-csrs
2015-12-01 00:09:23 -05:00
64cd58463b
Fix AWS tests
2015-12-01 00:05:04 -05:00
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
b6c49ddf01
Remove token display names from input options as there isn't a viable
...
use-case for it at the moment
2015-11-30 18:07:42 -05:00
cf366bda9c
Greatly simplify and fix the name validation function, as well as fully
...
comment it.
2015-11-23 14:15:32 -05:00
22a6d6fa22
Merge branch 'master' into pki-csrs
2015-11-20 12:48:38 -05:00
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
af3d6ced8e
Update validator function for URIs. Change example of entering a CA to a
...
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
f41a2e562a
fix tests
2015-11-19 10:13:28 -05:00
a95228e4ee
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
26c8cf874d
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
c6ba4f24bc
Add URL validation
2015-11-19 09:51:18 -05:00
b14050bebc
Fix zero path length handling, and move common field defs elsewhere
2015-11-19 09:51:18 -05:00
8008451fb5
Fix logic around zero path length -- only restrict issuing intermediate CAs in this case
2015-11-19 09:51:18 -05:00
c461652b40
Address some feedback from review
2015-11-19 09:51:18 -05:00
ed62afec14
Large documentation updates, remove the pathlength path in favor of
...
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
5970cb76b6
Add path length paths and unit tests to verify same.
2015-11-19 09:51:18 -05:00
ca844b1dc1
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests.
2015-11-19 09:51:18 -05:00
4cb10abcc0
Add tests for using raw CSR values
2015-11-19 09:51:18 -05:00
83975314c7
Change a few checks on names:
...
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).
- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.
Also, fix a nil pointer issue.
2015-11-19 09:51:17 -05:00
deb5131cd3
Add config/urls CRUD operations to get and set the URLs encoded into
...
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
779efbbbc3
Change use_csr_subject to use_csr_values; copy not only the subject, but
...
also the alternate names and the extensions over as well.
2015-11-19 09:51:17 -05:00
76af733ee2
Remove setting serial number in the pkix Subject
2015-11-19 09:51:17 -05:00
54c5c232fd
Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR
2015-11-19 09:51:17 -05:00
7c5a174493
Add capability to use the CSR's common name (by default for CA CSRs if
...
no common_name parameter is given, role-controlled for non-CA CSRs).
Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
54fccb2ff4
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
4261e594af
Address some minor PR feedback
2015-11-19 09:51:17 -05:00
69794c7078
Fix otto import of uuid
2015-11-19 09:51:17 -05:00
f16d8b8cd2
Cleanup, and add ability to sign CA CSRs that aren't destined for Vault
2015-11-19 09:51:17 -05:00
ea676ad4cc
Add tests for intermediate signing and CRL, and fix a couple things
...
Completes extra functionality.
2015-11-19 09:51:17 -05:00
b2df079446
Add unit tests to test signing logic, fix up test logic for names
2015-11-19 09:51:17 -05:00
fe7dbfaada
Handle email address alternative names, fix up tests, fix up logic around name verification
2015-11-19 09:51:17 -05:00
aa3d6dc85b
Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN
2015-11-19 09:51:17 -05:00
7d2730d370
Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored
2015-11-19 09:51:17 -05:00
b3eb5c4957
Add sign method (untested)
2015-11-19 09:51:17 -05:00
6ea626e9ad
Don't show field names when not needed
2015-11-19 09:51:17 -05:00
1cec03d9ca
Implement CA cert/CSR generation. CA certs can be self-signed or
...
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
54d47957b5
Allow creating Consul management tokens
...
Fixes #714
2015-11-03 15:29:58 -05:00
5e72453b49
Use TypeDurationSecond instead of TypeString
2015-11-03 10:52:20 -05:00
154fc24777
Address first round of feedback from review
2015-11-03 10:52:20 -05:00
59cc61cc79
Add documentation for CRLs and some minor cleanup.
2015-11-03 10:52:20 -05:00
Jeff Mitchell