* Add parsing for NSS-wrapped Ed25519 keys
NSS wraps Ed25519 using the PKCS#8 standard structure. The Go standard
library as of Go 1.18.x doesn't support parsing this key type with the
OID used by NSS; it requires the 1.3.101.112/RFC 8410 format, rather
than the RFC 5915-esque structure supported here.
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add integration test with NSS-created wrapped key
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
* Support for CPS URLs in Custom Policy Identifiers.
* go fmt
* Add Changelog
* Fix panic in test-cases.
* Update builtin/logical/pki/path_roles.go
Fix intial nil identifiers.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Make valid policy OID so don't break ASN parse in test.
* Add test cases.
* go fmt.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
- Do not set the first issuer we attempt to import as the default issuer unless
it has a corresponding key.
- Add the ability to set a default issuer if none exist and we import it's corresponding key after the fact.
- Add a warning to an end-user if we imported multiple issuers with keys and we
choose one of them as the default value.
Update AWS auth method certificates
Add tests that the `rsa2048` document can also be verified using the
`pkcs7` field for AWS auth.
Due to the use of SHA-1-based signatures for the `identity` and `pkcs7`
methods, we want to encourage moving toward using the RSA 2048 workflow,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html
This doesn't require code changes for Vault necessarily, but adding in
the (many) certificates will help end users.
Also adds `rsa2048` option to API to fetch the RSA 2048 signature.
I will make a PR to update to the AWS auth docs to document the RSA 2048
flow soon after this.
* Add integration tests for aliased PKI paths (root/rotate, root/replace)
- Add tests for the two api endpoints
- Also return the issuer_name field within the generate root api response
* Add key_name to generate root api endpoint response and doc updates
- Since we are now returning issuer_name, we should also return key_name
- Update the api-docs for the generate root endpoint responses and add
missing arguments that we accept.
* WIP replacing lib/pq
* change timezome param to be URI format
* add changelog
* add changelog for redshift
* update changelog
* add test for DSN style connection string
* more parseurl and quoteidentify to sdk; include copyright and license
* call dbutil.ParseURL instead, fix import ordering
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
* Allow role-based sign-verbatim with chosen issuer
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add warning with missing requested verbatim role
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update builtin/logical/pki/backend.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Fix handling of username_as_alias during LDAP authentication
There is a bug that was introduced in the LDAP authentication method by https://github.com/hashicorp/vault/pull/11000.
It was thought to be backward compatible but has broken a number of users. Later
a new parameter `username_as_alias` was introduced in https://github.com/hashicorp/vault/pull/14324
to make it possible for operators to restore the previous behavior.
The way it is currently working is not completely backward compatible thought
because when username_as_alias is set, a call to GetUserAliasAttributeValue() will
first be made, then this value is completely discarded in pathLogin() and replaced
by the username as expected.
This is an issue because it makes useless calls to the LDAP server and will break
backward compatibility if one of the constraints in GetUserAliasAttributeValue()
is not respected, even though the resulting value will be discarded anyway.
In order to maintain backward compatibility here we have to only call
GetUserAliasAttributeValue() if necessary.
Since this change of behavior was introduced in 1.9, this fix will need to be
backported to the 1.9, 1.10 and 1.11 branches.
* Add changelog
* Add tests
* Format code
* Update builtin/credential/ldap/backend.go
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
* Format and fix declaration
* Reword changelog
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
* Add tests for role patching
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prevent bad issuer names on update
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on PATCH operations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add a warning when Issuing Certificate set on a role does not resolve.
* Ivanka's requests - add a warning on deleting issuer or changing it's name.
* Fix nil checks; reduce number of roles to iterate through; only verify roles after migration.
* Fix semgrep failure, ignore roles deleted behind our back.
* Patch functionality for roles
* Make Patch Roles work again, add back patch issuers.
* Add changelog.
* Fix nil-reversion on empty response.
* Panics are bad. don't do that.
* Return signed ca as part of ca_chain field within sign-intermediate
- When signing a CA certificate we should include it along with the signing CA's CA chain in the response.
* PKI - Add not_before_duration API parameter to:
- Root CA generation
- Intermediate CA generation
- Intermediate CA signing
* Move not_before_duration to addCACommonFields
This gets applied on both root generation and intermediate signing,
which is the correct place to apply this.
Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Resolves: #10631
Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for root/generate, sign-intermediate
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update path role description
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new not_before_duration to relevant docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: guysv <sviryguy@gmail.com>
* Add warning on missing AIA info fields
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog:
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add a warning when Issuing Certificate set on a role does not resolve.
* Ivanka's requests - add a warning on deleting issuer or changing it's name.
* reduce number of roles to iterate through; only verify roles after migration. ignore roles deleted behind our back.
* Protect against key and issuer name re-use
- While importing keys and issuers verify that the provided name if any has not been used by another key that we did not match against.
- Validate an assumption within the key import api, that we were provided a single key
- Add additional tests on the new key generation and key import handlers.
* Protect key import api end-users from using "default" as a name
- Do not allow end-users to provide the value of default as a name for key imports
as that would lead to weird and wonderful behaviors to the end-user.
* Add missing api-docs for PKI key import
* Warn on empty Subject field for issuers
When generating a root or signing an intermediate certificate, it is
possible to have Vault generate a certificate with an empty Subject.
These don't validate in most TLS implementations well, so add a warning.
Note that non-Common Name fields could be present to make a non-empty
subject, so simply requiring a CommonName isn't strictly the best.
For example:
$ vault write pki/root/generate/exported common_name=""
WARNING! The following warnings were returned from Vault:
* This issuer certificate was generated without a Subject; this makes
it likely that issuing leaf certs with this certificate will cause TLS
validation libraries to reject this certificate.
....
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove signature_bits on intermediate generate
This extraneous field wasn't respected during intermediate generation
and it isn't clear that it should be. Strictly, this field, if it were
to exist, would control the CSR's internal signature algorithm (certutil
defaults to the sane SHA-256 here). However, there's little value in
changing this as the signing authority can and probably will override
the final certificate's signature bits value, completely ignoring
whatever was in the provided CSR.
Removing this field will now cause warnings for those providing the
parameter (which already wasn't respected), which is the desired
behavior. No breakage should occur as a result of this change.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Always return non-nil CRL configuration
When using the default CRL configuration (as none has been set), return
the default configuration rather than inferring it in buildCRL. This
additionally allows us to return the default configuration on GET
operations to /config/crl.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Always return non-nil URL configuration
When using the default (empty) URL configuration as none has been set,
return the default configuration rather than inferring it inside of
fetchCAInfoByIssuerId or generateCert. This additionally allows us to
return the default configuration on GET operations to /config/urls.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* secret/pki: Return correct algorithm type from key fetch api for managed keys
- fix an issue that key_type field returned from the key fetch api had
the ManagedPrivateKey type instead of the real algorithm of the managed key.
* Remove key_type from key list PKI operation. Partial revert of #15435
- The key_type field should be used solely for the key algorithm but as implemented
we would be returning the value ManagedPrivateKey for managed keys which is not
in sync with the rest of the apis. We also did not want to take the performance
hit if many managed keys existed so we will simply remove the field from the list
operation
- No point in writing any logs if no previous bundle exists
- Only log output and schedule a CRL rebuild is we actually migration something
- Do not log on PKI storage version set/checks.
* Use "not_before_duration" fiueld from role if above 0
* 'test' and update docs
* changelog file
* Requested changes - improved test and better description to changelog
* changelog description:
* update to ttl and not_before_duration API docs
* Use new parseutil helper: Safe variants
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update parseutil to v0.1.5
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix additional integer overflow in command/server
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add import endpoint
* fix unlock
* add import_version
* refactor import endpoints and add tests
* add descriptions
* Update dependencies to include tink for Transit import operations. Convert Transit wrapping key endpoint to use shared wrapping key retrieval method. Disallow import of convergent keys to Transit via BYOK process.
* Include new 'hash_function' parameter on Transit import endpoints to specify OAEP random oracle hash function used to wrap ephemeral AES key.
* Add default values for Transit import endpoint fields. Prevent an OOB panic in Transit import. Proactively zero out ephemeral AES key used in Transit imports.
* Rename some Transit BYOK import variables. Ensure Transit BYOK ephemeral key is of the size specified byt the RFC.
* Add unit tests for Transit BYOK import endpoint.
* Simplify Transit BYOK import tests. Add a conditional on auto rotation to avoid errors on BYOK keys with allow_rotation=false.
* Added hash_function field to Transit import_version endpoint. Reworked Transit import unit tests. Added unit tests for Transit import_version endpoint.
* Add changelog entry for Transit BYOK.
* Transit BYOK formatting fixes.
* Omit 'convergent_encryption' field from Transit BYOK import endpoint, but reject with an error when the field is provided.
* Minor formatting fix in Transit import.
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
* Add default timeout to legacy ssh.ClientConfig
When using the deprecated Dynamic SSH Keys method, Vault will make an
outbound SSH connection to an arbitrary remote host to place SSH keys.
We now set a timeout of 1 minute for this connection.
It is strongly recommended consumers of this SSH secrets engine feature
migrate to the more secure, and otherwise equivalent, SSH certificates
method.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This shows whether the specified key or issuer is default, along with
the private key type in the case of a LIST /keys (authenticated) call.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* POC of Okta Auth Number Challenge verification
* switch from callbacks to operations, forward validate to primary
* cleanup and nonce description update
* add changelog
* error on empty nonce, no forwarding, return correct_answer instead
* properly clean up verify goroutine
* add docs on new endpoint and parameters
* change polling frequency when WAITING to 1s
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* Add CRL checking to chain building tests
This should ensure that, with our complex issuer setups, we can revoke
the issued certificates correctly and they'll show up on the correct
CRLs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix related issuer detection in CRL building
When building our mapping of issuers, we incorrectly used the issuer's
RawIssuer field to construct the mapping, rather than the issuer's
RawSubject. This caused us to not correctly detect the cross-signed
issuers as having the same CRLs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Address issues with revoke operations pre-migration of PKI issuers
- Leverage the legacyBundleShimID though out the path of CRL building
when legacy storage mode is active.
- Instead of having multiple locations without a lock checking for the
useLegacyBundleCaStorage flag is set, check it once and then use the
same issuerId everywhere
- Address some locking issues that might lead to a bad read/write when
switching from legacy to non-legacy mode on startup and post-migration
* Add test suite for PKI apis pre-migration to new issuer storage format
- Add tests that validate all apis work as expected in pre-migration mode
- Add tests for apis that we don't expect to work, they should return a
migration related error message
- Add some missing validations on various new apis.
* Refactor chain building test cases to be shared
This will allow us to execute these test cases and then benchmark just
the chain building, separate from the certificate creation (and without
the consistency tests).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Benchmark chain building code
Using the existing test cases (and a few special ones), generate some
simple chains and benchmark how long chain building takes. We switch
from generating a cluster (slow) to directly calling
createBackendWithStorage(), which improves test execution time too:
$ go test -count=1 -run=Test_CAChainBuilding github.com/hashicorp/vault/builtin/logical/pki
ok github.com/hashicorp/vault/builtin/logical/pki 0.764s
(previously it was 5-10 seconds, for fewer tests).
Additionally, we now have benchmarks:
$ go test -v -run=BenchmarkChainBuilding -bench=. github.com/hashicorp/vault/builtin/logical/pki
goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/logical/pki
cpu: Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz
BenchmarkChainBuilding
BenchmarkChainBuilding/test-case-0
BenchmarkChainBuilding/test-case-0-16 616 1921783 ns/op
BenchmarkChainBuilding/test-case-1
BenchmarkChainBuilding/test-case-1-16 1191 998201 ns/op
BenchmarkChainBuilding/test-case-2
BenchmarkChainBuilding/test-case-2-16 547 2229810 ns/op
BenchmarkChainBuilding/test-case-3
BenchmarkChainBuilding/test-case-3-16 525 2264951 ns/op
BenchmarkChainBuilding/test-case-4
BenchmarkChainBuilding/test-case-4-16 1732 693686 ns/op
BenchmarkChainBuilding/test-case-5
BenchmarkChainBuilding/test-case-5-16 51700 23230 ns/op
BenchmarkChainBuilding/test-case-6
BenchmarkChainBuilding/test-case-6-16 9343 124523 ns/op
BenchmarkChainBuilding/test-case-7
BenchmarkChainBuilding/test-case-7-16 5106 234902 ns/op
BenchmarkChainBuilding/test-case-8
BenchmarkChainBuilding/test-case-8-16 2334 494382 ns/op
PASS
ok github.com/hashicorp/vault/builtin/logical/pki 12.707s
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
- Do not grab a lock within the requestRebuildIfActiveNode function
to avoid issues being called from the invalidate function
- Leverage more atmoic operations, and only grab the lock if we are
going to perform the rebuild.
Previously we'd return the raw enum value, which the entity accessing
the API wouldn't have any easy way of translating back into string
values. Return the string value directly instead.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
- Leverage a Get lookup operation to see if our reference field is a UUID
instead of listing all key/issuers and iterating over the list.
- This should be faster and we get a cached lookup possibly if it was a
UUID entry that we previously loaded.
- Address some small feedback about migration wording as well.
* Return the ca_chain response from root issued cert api
* Fix parent selection in cert chain building
When building chains, we'd choose the next neighbor from Go's
unordered map. However, this doesn't necessarily result in the most
optimal path: we want to prefer to visit roots over other
intermediates, as this allows us to have a more consistent chain,
putting roots before their cross-signed equivalents rather than
potentially at the end.
We additionally now ensure chains are stable.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
- Validate the key_type and key_bits arguments that were provided and
perform the same default processing of 0 as we used to do for the
generateRoot/generateIntermediate apis
- Add a test that validates the behaviour
- Update the field description blurbs.
* Move existing test helpers into a new test_helpers.go file within PKI
* Compare issuer certificates by cert, signature algo and signature
- Instead of comparing the strings of a certificate, instead leverage
the Go Raw attribute within a parsed certificate to compare. The Raw
attribute is a byte array of an ASN.1 DER containing the cert,
signature algo and signature.
- Rework a bit of the importIssuers function as well to fail checks on the
inbound issuer earlier as well as load keys/issuers just before we need
them