Vishal Nayak
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
Jeff Mitchell
05d1da0656
Add comment about the deletions
2016-05-26 10:33:35 -04:00
Jeff Mitchell
ccfa8d0567
Remove deprecated entries from PKI role output.
...
Fixes #1452
2016-05-26 10:32:04 -04:00
vishalnayak
2ca846b401
s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets
2016-05-26 10:04:11 -04:00
Sean Chittenden
b0bba6d271
Store clamped TTLs back in the role's config
2016-05-15 08:13:56 -07:00
Sean Chittenden
539475714d
Set entry's TTL before writing out the storage entry's config
2016-05-15 07:06:33 -07:00
Jeff Mitchell
d899f9d411
Don't revoke CA certificates with leases.
2016-05-09 19:53:28 -04:00
Adam Shannon
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
vishalnayak
06eeaecef6
Skip acceptance tests if VAULT_ACC is not set
2016-04-11 20:00:15 -04:00
vishalnayak
fd8b023655
s/TF_ACC/VAULT_ACC
2016-04-05 15:24:59 -04:00
vishalnayak
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
Jeff Mitchell
dfc5a745ee
Remove check for using CSR values with non-CA certificate.
...
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.
Fixes #1250
2016-03-23 10:05:38 -04:00
Jeff Mitchell
1951a01998
Add ability to exclude adding the CN to SANs.
...
Fixes #1220
2016-03-17 16:28:40 -04:00
Jeff Mitchell
7a9122bbd1
Sanitize serial number in revocation path.
...
Ping #1180
2016-03-08 10:51:59 -05:00
Jeff Mitchell
34a9cb1a70
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
Jeff Mitchell
11dc3f328f
Add revocation information to PKI fetch output (non-raw only).
...
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell
2205133ae4
Only run PKI backend setup functions when TF_ACC is set
2016-02-29 14:41:14 -05:00
Jeff Mitchell
8ca847c9b3
Be more explicit about buffer type
2016-02-24 22:05:39 -05:00
Jeff Mitchell
7d41607b6e
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
Jeff Mitchell
f56e4a604d
Merge pull request #1114 from hashicorp/dont-delete-certs
...
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
Jeff Mitchell
4514192145
Address review feedback
2016-02-22 16:11:01 -05:00
Jeff Mitchell
f43ab6a25d
Remove extra debugging from PKI tests
2016-02-22 13:39:05 -05:00
Jeff Mitchell
f27eab1d28
Do not delete certs (or revocation information) to avoid potential
...
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
Jeff Mitchell
51ced69bf8
Fix issue where leftover values after cn tests could trigger errors in ipsan tests
2016-02-22 13:35:57 -05:00
Jeff Mitchell
4c327ca4cc
More improvements to PKI tests; allow setting a specific seed, output
...
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
Jeff Mitchell
8d4c6f4c98
Use more fuzziness in PKI backend tests
2016-02-22 10:59:37 -05:00
Jeff Mitchell
392a26e9cd
Better handle errors from fetchCertBySerial
2016-02-22 10:36:26 -05:00
Jeff Mitchell
58432c5d57
Add tests for minimum key size checking. (This will also verify that the
...
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
Jeff Mitchell
c57b646848
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
Jeff Mitchell
7fc4ee1ed7
Disallow 1024-bit RSA keys.
...
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
vishalnayak
d9536043e7
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
Jeff Mitchell
3378db0166
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
Tom Ritter
a10dc14625
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
Tom Ritter
940a58cb9d
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
Jeff Mitchell
4771884c78
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
Jeff Mitchell
20f45678e6
Fix comment text
2016-02-01 17:20:16 -05:00
Jeff Mitchell
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell
cb1928451b
Only specify cert sign / CRL sign for CAs and only specify extended key
...
usages for clients.
This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.
Fixes #987
2016-01-29 10:26:35 -05:00
Jeff Mitchell
2015118958
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
Jeff Mitchell
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
134b4d2a42
Built on GH-890 to add other types
2015-12-29 13:07:24 -05:00
Issac Goldstand
fba756075a
fix CA compatibility with OpenSSL
2015-12-29 18:52:43 +02:00
Jeff Mitchell
dd445a53a5
Update key usage logic
...
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
Windows Crypto API and Go's validation logic
Fixes #846
2015-12-14 14:23:51 -05:00
Jeff Mitchell
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell
b6c49ddf01
Remove token display names from input options as there isn't a viable
...
use-case for it at the moment
2015-11-30 18:07:42 -05:00
Jeff Mitchell
cf366bda9c
Greatly simplify and fix the name validation function, as well as fully
...
comment it.
2015-11-23 14:15:32 -05:00
Jeff Mitchell
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
Jeff Mitchell
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00