* Allow universal default for key_bits
This allows the key_bits field to take a universal default value, 0,
which, depending on key_type, gets adjusted appropriately into a
specific default value (rsa->2048, ec->256, ignored under ed25519).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Handle universal default key size in certutil
Also move RSA < 2048 error message into certutil directly, instead of in
ca_util/path_roles.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing RSA key sizes to pki/backend_test.go
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to returning updated values
When determining the default, don't pass in pointer types, but instead
return the newly updated value.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Re-add fix for ed25519 from #13254
Ed25519 internally specifies a hash length; by changing the default from
256 to 0, we fail validation in ValidateSignatureLength(...) unless we
specify the key algorithm.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Support clearing an identity alias' custom_metadata
Previously, an update to an entity alias supported updating the
custom_metadata as long as the update was not empty, which makes it
impossible to clear the metadata values completely.
Fixes:
- empty custom_metadata parameters are honoured on entity alias update
- update related tests
- drop dependency on mapstructure
- reformat with gofumpt
* VAULT-1564 report in-flight requests
* adding a changelog
* Changing some variable names and fixing comments
* minor style change
* adding unauthenticated support for in-flight-req
* adding documentation for the listener.profiling stanza
* adding an atomic counter for the inflight requests
addressing comments
* addressing comments
* logging completed requests
* fixing a test
* providing log_requests_info as a config option to determine at which level requests should be logged
* removing a member and a method from the StatusHeaderResponseWriter struct
* adding api docks
* revert changes in NewHTTPResponseWriter
* Fix logging invalid log_requests_info value
* Addressing comments
* Fixing a test
* use an tomic value for logRequestsInfo, and moving the CreateClientID function to Core
* fixing go.sum
* minor refactoring
* protecting InFlightRequests from data race
* another try on fixing a data race
* another try to fix a data race
* addressing comments
* fixing couple of tests
* changing log_requests_info to log_requests_level
* minor style change
* fixing a test
* removing the lock in InFlightRequests
* use single-argument form for interface assertion
* adding doc for the new configuration paramter
* adding the new doc to the nav data file
* minor fix
* Adding support for SHA3 in the transit backend.
* Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing.
* Adds changelog entry.
Co-authored-by: robison jacka <robison@packetized.io>
* adds ember-flight-icons dependecy
* adds inline-json-import babel plugin
* adds flight icon styling
* updates Icon component to support flight icons
* updates Icon component usages to new api and updates name values to flight icon set when available
* fixes tests
* updates icon story with flight mappings and fixes issue with flight icons not rendering in storybook
* adds changelog
* fixes typo in sign action glyph name in transit-key model
* adds comments to icon-map
* updates Icon component to use only supported flight icon sizes
* adds icon transform codemod
* updates icon transform formatting to handle edge case
* runs icon transform on templates
* updates Icon usage in toolbar-filter md and story
* updates tests
* See what it looks like to replace "master key" with "root key". There are two places that would require more challenging code changes: the storage path `core/master`, and its contents (the JSON-serialized EncodedKeyringtructure.)
* Restore accidentally deleted line
* Add changelog
* Update root->recovery
* Fix test
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* staying with jsondiff
* routing setup
* send compare against data to component after using new adapater method to return the version data.
* functionality
* fix issue on route transition not calling model hook
* formatting
* update version
* changelog
* glimmerize the json-editor component
* catch up
* passing tracked property from child to parent
* pull out of jsonEditor
* fix issue with message
* icon
* fix some issues with right selection
* changes and convert to component
* integration test
* tests
* fixes
* cleanup
* cleanup 2
* fixes
* fix test by spread attributes
* remove log
* remove
* Add client side pagination to namespaces
* Update namespace list after delete operation
* Added changelog
* Added tests
* Clean up
* Added comment for test
* Try ember run loop
* Run test only in enterprise
* Fixed test
* upgrade aerospike-client-go to v5.2.0
* use strings.Contains to check an error
* add changelog file
* go mod tidy
* go mod tidy
* update the changelog
* revert .gitignore update
* go mod tidy
* return pkcs8 format for ed25519 curve
convertRespToPKCS8 does not recognize the ed25519 key. Changes
to recognize ed25519 key and return its PKCS8 format
* converts secret-v2-version model to native class -- fixes issues with cached values for deleted prop
* adds changelog entry
* adds disabled state to ToolbarLink component and disables create new version action when users cannot read metadata
* updates secret-edit acceptance test
* skip hash bits verification for ed25519 #13253
The default value or *hashBits is 0 and will fail
at ValidateSignatureLength for ed25519. ed25519
specifies its own hash, so avoid hashBits validation for
ed25519 curve.
* Unify NewHTTPResponseWriter ant NewStatusHeaderResponseWriter to fix ResponseWriter issues
* adding changelog
* removing unnecessary function from the WrappingResponseWriter interface
* changing logical requests responseWriter type
* reverting change to HTTPResponseWriter
* add catch for node-forge error handling
* update comment
* adds changelog
* alphabetize attrs and add canParse attr
* show alert banner if unable to parse metadata
* add test to check info banner renders
* fixes issue with ttl picker not initially enabling in form field component
* adds changelog entry
* updates test
* updates initial ttl toggle state for default 0s value
* fixes issue with oidc auth method when MetaMask chrome extenstion is used
* adds changelog entry
* updates auth-jwt integration tests
* fixes race condition in runCommands ui-panel helper method where running multiple commands would not always result in the same output order
* Add native Login method for GCP auth backend
* Add native Login method for Azure auth backend
* Add changelog entry
* Use official azure library Environment struct rather than passing string, add timeouts
* Use v1.3.0 which now has interface definition
* Don't throw away error and close resp body
* Back to WithResource so we can support non-Azure URLs for aud
* Restrict ECDSA signatures with NIST P-Curve hashes
When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.
Related: #11245
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to certutil.ValidateKeyTypeSignatureLength(...)
Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to autodetection of signature_bits
This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Select hash function length automatically
Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prevent invalid Curve size lookups
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch from -1 to 0 as default SignatureBits
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel