a244ef8a00
Refactor AWS credential code into a function that returns a static->env->instance chain
2016-05-03 15:10:35 -04:00
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
09ad6317ea
Merge pull request #1297 from hashicorp/f-bsd-mlock
...
F bsd mlock
2016-04-06 13:57:34 -07:00
b178bfabd9
Fix the build targets
...
I'm not entirely sure why this didn't work, but explicitly list the unsupported platforms as identified by `go tool dist list`
2016-04-05 22:24:53 -07:00
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
2374129c33
Consolidate mlock calls into one place
...
In theory Android and NaCL could build Vault now, too.
List of targets derived from: `go tool dist list`
2016-04-05 13:57:29 -07:00
308057a4a9
Switch Linux over to using the `x/sys/unix` package
...
Same syscall interface, but the `x/sys/unix` package is not frozen. No functional change from this commit.
2016-04-05 12:19:46 -07:00
dcde117bcb
`go fmt` was here, no functional change
2016-04-05 12:18:45 -07:00
087e7c94d3
Add Vault support for the *BSDs, including Darwin
...
The `syscall` package has been frozen in favor of `x/sys`. As a result, all of the BSDs are supported and do have `mlockall(2)` support in current versions of Go.
2016-04-05 12:18:19 -07:00
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
c50276ec17
Fix using wrong var
2016-03-24 10:23:09 -04:00
4c4a65ebd0
Properly check for policy equivalency during renewal.
...
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.
Fixes #1256
2016-03-24 09:41:51 -04:00
786bce24b1
Remove us building Solaris binaries for the moment, as they don't build successfully
2016-03-16 15:47:55 -04:00
8901c0b67d
Type in kdf.go
2016-02-08 14:39:46 -06:00
7a59af7d18
Fix lost code after rebase
2016-01-19 19:19:07 -05:00
973c888833
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
3b100c5965
Address most of the review feedback
2016-01-19 18:28:10 -05:00
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
630b2d83a7
Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.
...
Fixes #940
2016-01-18 17:01:52 -05:00
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
a094eedce2
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
8d1e5cb50d
Add returning which user names could not be looked up
2016-01-04 13:56:45 -05:00
90ec946dab
Address review feedback.
2016-01-04 11:18:04 -05:00
d11509830f
Happy New Year everyone! (Add keybase support for PGP keys.)
...
Keys specified in rekey and init operations can now be sourced from
keybase.io by using "keybase:[username]" as the key.
2015-12-31 20:47:41 -05:00
4dac5f5a0e
Merge pull request #829 from andrewstuart/master
...
Add parsing of pkcs#8-encoded bundles for pki/config/ca
2015-12-22 10:06:59 -05:00
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
4cb2941b77
[helper] support mlock on Solaris/SmartOS
2015-12-15 11:28:16 -08:00
c81e5c41d2
Update PrivateKeyType to string, update switch statement.
2015-12-14 11:16:47 -07:00
100465fee8
Remove unnecessary cast
2015-12-14 06:17:20 -07:00
567282170f
Remove printf call from test
2015-12-11 15:47:00 -07:00
ae9e842841
Merge branch 'pkcs8'
2015-12-11 15:22:43 -07:00
43bd14a755
Add benchmark for certutil bundle parsing
2015-12-11 15:17:49 -07:00
551591fb70
Remove debugging print statement in compareCertBundleToParsedCertBundle
2015-12-11 15:17:49 -07:00
b277eb9f14
Remove flag check before trying pkcs8 parsing.
2015-12-11 15:17:49 -07:00
6f672a9589
Add pkcs8 flag setting in ParsePEMBundle
2015-12-11 15:17:49 -07:00
4da225d39e
Update tests and finish implementation of PKCS8 handling
2015-12-11 15:17:49 -07:00
25667df5f7
Update ParsePEMBundle to properly handle pkcs#8
...
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-11 15:17:49 -07:00
2861be29a4
Move to pem.Block.Type-based decoding
2015-12-11 14:57:33 -07:00
9d97cc36c9
Add benchmark for certutil bundle parsing
2015-12-11 09:58:49 -07:00
e70b0b86e2
Merge branch 'master' into pkcs8
2015-12-10 21:02:59 -07:00
572f587093
Update flag to field with format info
2015-12-10 21:02:31 -07:00
889245c990
Remove debugging print statement in compareCertBundleToParsedCertBundle
2015-12-10 16:33:42 -07:00
cdeca4ed92
Remove flag check before trying pkcs8 parsing.
2015-12-09 19:41:32 -07:00
ef2be34985
Remove flag check before trying pkcs8 parsing.
2015-12-09 15:33:25 -07:00
a3b096e3fe
Add pkcs8 flag setting in ParsePEMBundle
2015-12-09 15:33:25 -07:00
7d274cbb0b
Update tests and finish implementation of PKCS8 handling
2015-12-09 15:33:25 -07:00
db48b7fccf
Update ParsePEMBundle to properly handle pkcs#8
...
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-09 15:29:13 -07:00
22a6d6fa22
Merge branch 'master' into pki-csrs
2015-11-20 12:48:38 -05:00
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
f41a2e562a
fix tests
2015-11-19 10:13:28 -05:00
26c8cf874d
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
5510a2b16f
Add unit tests for CSR bundle conversion
2015-11-19 09:51:18 -05:00
54fccb2ff4
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
b2df079446
Add unit tests to test signing logic, fix up test logic for names
2015-11-19 09:51:17 -05:00
1cec03d9ca
Implement CA cert/CSR generation. CA certs can be self-signed or
...
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
c66f0918be
Add delete method, and ability to delete only one serial as well as an entire set.
2015-11-03 10:52:20 -05:00
2917e6be2f
helper/password: interrupt should exit readline
2015-10-16 16:01:19 -07:00
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
ad840233eb
Allow base64-encoded keys to be used on the CLI for init/rekey.
...
Fixes #653 .
2015-10-06 12:47:01 -04:00
8d71601221
Changes to salt to clean up HMAC stuff.
2015-09-18 18:13:10 -04:00
5dde76fa1c
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 17:38:30 -04:00
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
8669a87fdd
When using PGP encryption on unseal keys, encrypt the hexencoded string rather than the raw bytes.
2015-08-26 07:59:50 -07:00
cc232e6f79
Address comments from review.
2015-08-25 15:33:58 -07:00
c887df93cc
Add support for pgp-keys argument to rekey, as well as tests, plus
...
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
aa55d36f03
Clean up naming and add documentation
2015-07-30 17:36:40 -07:00
d26b77b4f4
mfa: code cleanup
2015-07-28 11:55:46 -07:00
6697012dd3
mfa: improve edge cases and documentation
2015-07-27 21:14:00 -07:00
15c9e0cfc3
mfa duo: better error messages
2015-07-27 21:14:00 -07:00
e45f957bcc
mfa: add test cases for MFA, Duo
2015-07-27 21:14:00 -07:00
5cf78d8ba2
mfa: add MFA wrapper with Duo second factor
2015-07-27 21:14:00 -07:00
81f39fbc16
helper/kdf: changing argument name for clarity
2015-07-05 14:01:56 -07:00
bd347e0430
helper/kdf: adding lib for key derivation from NIST800-108
2015-07-05 14:01:21 -07:00
3084f64e5c
helper/salt: track if salt was generated
2015-06-30 16:47:49 -07:00
a2eb1210a7
helper/salt: adding little helper for salting
2015-06-30 14:04:18 -07:00
8bc99f8c23
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
3902626163
Merge pull request #310 from jefferai/f-pki
...
Initial PKI backend implementation
2015-06-21 11:12:22 +01:00
7244094509
allow building on FreeBSD
...
Allow this file to build on FreeBSD
2015-06-19 16:59:24 -04:00
390f769d1a
Add unit tests for certutil, and fix a whitespace stripping issue.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 16:06:56 -04:00
a6fc48b854
A few things:
...
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
34f495a354
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
9e00ca769a
Restructure a little bit to make the helper library fully standalone. This makes it easier to move around later if desired, and for use by external programs.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 06:42:57 -04:00
29e7ec3e21
A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
...
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.
More refactoring could be done within the PKI backend itself, but that can wait.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
8d39d21ac2
helper/kv-builder: blank values should not panic
2015-06-16 10:00:02 -07:00
787a4bc4b5
Fixes #83
2015-04-29 10:20:09 +02:00
b5f8f3b05a
vault: add helper/mlock for doing mlock
2015-04-28 14:59:43 -07:00
fa80e90b1a
helper/passsword: fix windows compilation
2015-04-28 09:23:48 -07:00
8e3746d347
helper/kv-builder
2015-04-07 22:30:25 -07:00
481628c41f
command/auth: framework for supporting more auth methods
2015-04-05 20:50:18 -07:00
afc71d2a7b
command/server: cleaner output
2015-04-04 12:06:41 -07:00
2e9e4ee93d
helper/password: catch ctrl-c if possible
2015-04-01 17:27:29 -07:00
11f8423b4f
logical/framework, logical/testing
2015-03-15 16:39:49 -07:00
a0232eedd7
helper/backend: use logical package
2015-03-15 14:57:19 -07:00
857e00bcdc
helper/backend: start acceptance test framework
2015-03-14 17:18:19 -07:00
accd8c29ca
helper/backend: auto-generate help route
2015-03-14 10:12:50 -07:00
e8e55ef8b1
helper/backend: one callback per operation
2015-03-14 00:19:25 -07:00
7f87d9ea6f
helper/backend: HandleRequest works
2015-03-13 23:58:20 -07:00
d17c3d87d3
helper/backend: store captures for a path
2015-03-13 23:48:49 -07:00
c4e35ffb7d
helper/backend: cache route regexps (98% speedup)
...
benchmark old ns/op new ns/op delta
BenchmarkBackendRoute 49144 589 -98.80%
2015-03-13 23:25:17 -07:00
e5871abf77
helper/backend: benchmark route
2015-03-13 23:22:48 -07:00
0751c5db12
helper/backend: basic path routing (naive)
2015-03-13 23:17:25 -07:00
a68eb1a994
helper/backend: add default values
2015-03-13 21:15:20 -07:00
33a08fbfa0
helper/backend: start this thing
2015-03-13 21:11:19 -07:00
d88c20e293
command/server: add config loading
2015-03-12 15:21:11 -07:00
a524ef6537
helper/password: for reading passwords securely
2015-03-04 00:31:35 -08:00
Jeff Mitchell