* PKI - Add not_before_duration API parameter to:
- Root CA generation
- Intermediate CA generation
- Intermediate CA signing
* Move not_before_duration to addCACommonFields
This gets applied on both root generation and intermediate signing,
which is the correct place to apply this.
Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Resolves: #10631
Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for root/generate, sign-intermediate
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update path role description
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new not_before_duration to relevant docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: guysv <sviryguy@gmail.com>
* Add leaf not after best practice
Also suggest concrete recommendations for lifetimes of various issuers.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add advice to use a proper CA hierarchy
Also mention name constraints and HSM backing.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add section on safer usage of Roles
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add initial RBAC example for PKI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add warning on missing AIA info fields
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog:
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This clarifies a limitation of the FIPS based container images,
to note that due to OpenShift requirements, we need to suggest
ways of disabling mlock or allowing Vault to set mlock.
* remove manipulations of data ranges;
* fix bar aligntment
* consume empty months existing on response
* revert grey bar transformation
* up one more line..
* remove attr
* Add a warning when Issuing Certificate set on a role does not resolve.
* Ivanka's requests - add a warning on deleting issuer or changing it's name.
* reduce number of roles to iterate through; only verify roles after migration. ignore roles deleted behind our back.
Make sure that autopilot is disabled when we step down from active node state. Forward autopilot state requests to the active node. Avoid self-dialing due to stale advertisement.
* CLI: Add ability to display ListResponseWithInfos
The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).
Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:
$ vault list -detailed pki/issuers
Keys issuer_name
---- -----------
0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7 n/a
35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0 n/a
382fad1e-e99c-9c54-e147-bb1faa8033d3 n/a
8bb4a793-2ad9-460c-9fa8-574c84a981f7 n/a
8bd231d7-20e2-f21f-ae1a-7aa3319715e7 n/a
9425d51f-cb81-426d-d6ad-5147d092094e n/a
ae679732-b497-ab0d-3220-806a2b9d81ed n/a
c5a44a1f-2ae4-2140-3acf-74b2609448cc utf8
d41d2419-efce-0e36-c96b-e91179a24dc1 something
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow detailed printing of LIST responses in JSON
When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.
This returns something like the following:
{
"request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"key_info": {
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
"issuer_name": ""
},
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
"issuer_name": ""
},
"382fad1e-e99c-9c54-e147-bb1faa8033d3": {
"issuer_name": ""
},
"8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
"issuer_name": ""
},
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
"issuer_name": ""
},
"9425d51f-cb81-426d-d6ad-5147d092094e": {
"issuer_name": ""
},
"ae679732-b497-ab0d-3220-806a2b9d81ed": {
"issuer_name": ""
},
"c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
"issuer_name": "utf8"
},
"d41d2419-efce-0e36-c96b-e91179a24dc1": {
"issuer_name": "something"
}
},
"keys": [
"0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
"35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
"382fad1e-e99c-9c54-e147-bb1faa8033d3",
"8bb4a793-2ad9-460c-9fa8-574c84a981f7",
"8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
"9425d51f-cb81-426d-d6ad-5147d092094e",
"ae679732-b497-ab0d-3220-806a2b9d81ed",
"c5a44a1f-2ae4-2140-3acf-74b2609448cc",
"d41d2419-efce-0e36-c96b-e91179a24dc1"
]
},
"warnings": null
}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use field on UI rather than secret.Data
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Only include headers from visitable key_infos
Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use setupEnv sourced detailed info
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix changelog environment variable
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken tests using setupEnv
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Protect against key and issuer name re-use
- While importing keys and issuers verify that the provided name if any has not been used by another key that we did not match against.
- Validate an assumption within the key import api, that we were provided a single key
- Add additional tests on the new key generation and key import handlers.
* Protect key import api end-users from using "default" as a name
- Do not allow end-users to provide the value of default as a name for key imports
as that would lead to weird and wonderful behaviors to the end-user.
* Add missing api-docs for PKI key import
* Warn on empty Subject field for issuers
When generating a root or signing an intermediate certificate, it is
possible to have Vault generate a certificate with an empty Subject.
These don't validate in most TLS implementations well, so add a warning.
Note that non-Common Name fields could be present to make a non-empty
subject, so simply requiring a CommonName isn't strictly the best.
For example:
$ vault write pki/root/generate/exported common_name=""
WARNING! The following warnings were returned from Vault:
* This issuer certificate was generated without a Subject; this makes
it likely that issuing leaf certs with this certificate will cause TLS
validation libraries to reject this certificate.
....
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove signature_bits on intermediate generate
This extraneous field wasn't respected during intermediate generation
and it isn't clear that it should be. Strictly, this field, if it were
to exist, would control the CSR's internal signature algorithm (certutil
defaults to the sane SHA-256 here). However, there's little value in
changing this as the signing authority can and probably will override
the final certificate's signature bits value, completely ignoring
whatever was in the provided CSR.
Removing this field will now cause warnings for those providing the
parameter (which already wasn't respected), which is the desired
behavior. No breakage should occur as a result of this change.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* TTL Picker convers to largest unit when value is number
* Initial value for transit auto-rotation period is 30d
* Add auto-rotation check to transit test
* Add changelog
* Add clarifying comment
* Begin restructuring FIPS documentation
This creates a new FIPS category under Enterprise and copies the
FIPS-specific seal wrap documentation into it.
We leave the existing Seal Wrap page at the old path, but document that
the FIPS-specific portions of it have moved.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add initial FIPS 140-2 inside documentation
This documents the new FIPS 140-2 Inside binary and how to use and
validate it. This also documents which algorithms are certified for
use in the BoringCrypto distribution.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add notes about FIPS algorithm restrictions
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* updating MFA to use official Okta SDK
* add changelog
* Update vault/login_mfa.go
Co-authored-by: swayne275 <swayne@hashicorp.com>
* cleanup query param building
* skip if not user factor
* updating struct tags to be more explicit
* fixing incorrect merge
* worrying that URL construction may change in the future, reimplementing GetFactorTransactionStatus
* adding some safety around url building
Co-authored-by: swayne275 <swayne@hashicorp.com>
* VAULT-5885: Fix erroneous success message in case of two-phase MFA, and provide MFA information in table format
* VAULT-5885 Add changelog
* VAULT-5885 Update changelog as per PR comments
* VAULT-5885 Update changelog category to just 'auth'
* VAULT-5885 Hide useless token info in two-phase MFA case
* VAULT-5885 Update changelog to reflect token info now no longer present
* VAULT-5885 split up changelog into three blocks
* Always return non-nil CRL configuration
When using the default CRL configuration (as none has been set), return
the default configuration rather than inferring it in buildCRL. This
additionally allows us to return the default configuration on GET
operations to /config/crl.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Always return non-nil URL configuration
When using the default (empty) URL configuration as none has been set,
return the default configuration rather than inferring it inside of
fetchCAInfoByIssuerId or generateCert. This additionally allows us to
return the default configuration on GET operations to /config/urls.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* secret/pki: Return correct algorithm type from key fetch api for managed keys
- fix an issue that key_type field returned from the key fetch api had
the ManagedPrivateKey type instead of the real algorithm of the managed key.
* Remove key_type from key list PKI operation. Partial revert of #15435
- The key_type field should be used solely for the key algorithm but as implemented
we would be returning the value ManagedPrivateKey for managed keys which is not
in sync with the rest of the apis. We also did not want to take the performance
hit if many managed keys existed so we will simply remove the field from the list
operation
- No point in writing any logs if no previous bundle exists
- Only log output and schedule a CRL rebuild is we actually migration something
- Do not log on PKI storage version set/checks.
* Use "not_before_duration" fiueld from role if above 0
* 'test' and update docs
* changelog file
* Requested changes - improved test and better description to changelog
* changelog description:
* update to ttl and not_before_duration API docs
* fill out nil response months in activity log query handle response based on requested month data
* changelog
* reverse month ordering for nil end months
* typo caught in ent test
* Use new parseutil helper: Safe variants
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update parseutil to v0.1.5
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix additional integer overflow in command/server
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>