Commit graph

74 commits

Author SHA1 Message Date
Jeff Mitchell 7fc4ee1ed7 Disallow 1024-bit RSA keys.
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
vishalnayak d9536043e7 Pki: Respond user error when cert is not found instead of internal error 2016-02-16 17:58:57 -05:00
Jeff Mitchell 3378db0166 Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
Fix some typos
2016-02-11 15:12:09 -05:00
Tom Ritter a10dc14625 Fix AllowedBaseDomain Migration
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.

//untested
2016-02-09 15:42:15 -06:00
Tom Ritter 940a58cb9d Typo in error message in path_intermediate.go 2016-02-09 15:08:30 -06:00
Jeff Mitchell 4771884c78 Add slack on NotBefore value for generated certs.
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.

Fixes #1035
2016-02-07 14:00:03 -05:00
Jeff Mitchell 20f45678e6 Fix comment text 2016-02-01 17:20:16 -05:00
Jeff Mitchell fc6d23a54e Allow the format to be specified as pem_bundle, which creates a
concatenated PEM file.

Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell d3a705f17b Make backends much more consistent:
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell cb1928451b Only specify cert sign / CRL sign for CAs and only specify extended key
usages for clients.

This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.

Fixes #987
2016-01-29 10:26:35 -05:00
Jeff Mitchell 2015118958 Add listing of roles to PKI 2016-01-28 15:18:07 -05:00
Jeff Mitchell 12c00b97ef Allow backends to see taint status.
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.

Fixes #946
2016-01-22 17:01:22 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 134b4d2a42 Built on GH-890 to add other types 2015-12-29 13:07:24 -05:00
Issac Goldstand fba756075a fix CA compatibility with OpenSSL 2015-12-29 18:52:43 +02:00
Jeff Mitchell dd445a53a5 Update key usage logic
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
  Windows Crypto API and Go's validation logic

Fixes #846
2015-12-14 14:23:51 -05:00
Jeff Mitchell 4eec9d69e8 Change allowed_base_domain to allowed_domains and allow_base_domain to
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell b6c49ddf01 Remove token display names from input options as there isn't a viable
use-case for it at the moment
2015-11-30 18:07:42 -05:00
Jeff Mitchell cf366bda9c Greatly simplify and fix the name validation function, as well as fully
comment it.
2015-11-23 14:15:32 -05:00
Jeff Mitchell 25e359084c Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell 0dbe15cb87 Mostly revert changes to certutil as the embedded struct stuff was being
problematic.
2015-11-19 14:18:39 -05:00
Jeff Mitchell af3d6ced8e Update validator function for URIs. Change example of entering a CA to a
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
Jeff Mitchell f41a2e562a fix tests 2015-11-19 10:13:28 -05:00
Jeff Mitchell a95228e4ee Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell 26c8cf874d Move public key comparison logic to its own function 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4681d027c0 Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell c6ba4f24bc Add URL validation 2015-11-19 09:51:18 -05:00
Jeff Mitchell b14050bebc Fix zero path length handling, and move common field defs elsewhere 2015-11-19 09:51:18 -05:00
Jeff Mitchell 8008451fb5 Fix logic around zero path length -- only restrict issuing intermediate CAs in this case 2015-11-19 09:51:18 -05:00
Jeff Mitchell c461652b40 Address some feedback from review 2015-11-19 09:51:18 -05:00
Jeff Mitchell ed62afec14 Large documentation updates, remove the pathlength path in favor of
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell 5970cb76b6 Add path length paths and unit tests to verify same. 2015-11-19 09:51:18 -05:00
Jeff Mitchell ca844b1dc1 Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4cb10abcc0 Add tests for using raw CSR values 2015-11-19 09:51:18 -05:00
Jeff Mitchell 83975314c7 Change a few checks on names:
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).

- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.

Also, fix a nil pointer issue.
2015-11-19 09:51:17 -05:00
Jeff Mitchell deb5131cd3 Add config/urls CRUD operations to get and set the URLs encoded into
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
Jeff Mitchell 779efbbbc3 Change use_csr_subject to use_csr_values; copy not only the subject, but
also the alternate names and the extensions over as well.
2015-11-19 09:51:17 -05:00
Jeff Mitchell 76af733ee2 Remove setting serial number in the pkix Subject 2015-11-19 09:51:17 -05:00
Jeff Mitchell 54c5c232fd Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR 2015-11-19 09:51:17 -05:00
Jeff Mitchell 7c5a174493 Add capability to use the CSR's common name (by default for CA CSRs if
no common_name parameter is given, role-controlled for non-CA CSRs).

Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
Jeff Mitchell 54fccb2ff4 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell 4261e594af Address some minor PR feedback 2015-11-19 09:51:17 -05:00
Jeff Mitchell 69794c7078 Fix otto import of uuid 2015-11-19 09:51:17 -05:00
Jeff Mitchell f16d8b8cd2 Cleanup, and add ability to sign CA CSRs that aren't destined for Vault 2015-11-19 09:51:17 -05:00
Jeff Mitchell ea676ad4cc Add tests for intermediate signing and CRL, and fix a couple things
Completes extra functionality.
2015-11-19 09:51:17 -05:00
Jeff Mitchell b2df079446 Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell fe7dbfaada Handle email address alternative names, fix up tests, fix up logic around name verification 2015-11-19 09:51:17 -05:00
Jeff Mitchell aa3d6dc85b Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN 2015-11-19 09:51:17 -05:00
Jeff Mitchell 7d2730d370 Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored 2015-11-19 09:51:17 -05:00
Jeff Mitchell b3eb5c4957 Add sign method (untested) 2015-11-19 09:51:17 -05:00