Jeff Mitchell
f29bde0052
Support other names in SANs ( #3889 )
2018-02-16 17:19:34 -05:00
Jeff Mitchell
8655a1c135
Various PKI updates ( #3953 )
2018-02-10 10:07:10 -05:00
Jeff Mitchell
bd3cdd8095
Fix compile
2018-02-09 14:04:05 -05:00
Vishal Nayak
80ffd07b8b
added a flag to make common name optional if desired ( #3940 )
...
* added a flag to make common name optional if desired
* Cover one more case where cn can be empty
* remove skipping when empty; instead check for emptiness before calling validateNames
* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
Jeff Mitchell
fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary ( #3900 )
...
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Brian Kassouf
2f19de0305
Add context to storage backends and wire it through a lot of places ( #3817 )
2018-01-19 01:44:44 -05:00
Chris Hoffman
5b2b168e97
Converting OU and Organization role fields to CommaStringSlice ( #3804 )
2018-01-17 11:53:49 -05:00
Brian Kassouf
1c190d4bda
Pass context to backends ( #3750 )
...
* Start work on passing context to backends
* More work on passing context
* Unindent logical system
* Unindent token store
* Unindent passthrough
* Unindent cubbyhole
* Fix tests
* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Chris Hoffman
3b0ba609b2
Converting key_usage and allowed_domains in PKI to CommaStringSlice ( #3621 )
2017-12-11 13:13:35 -05:00
Mohsen
2aa576149c
Small typo relating to no_store in pki secret backend ( #3662 )
...
* Removed typo :)
* Corrected typo in the website related to no_store
2017-12-07 10:40:21 -05:00
Jeff Mitchell
6b72b90efa
Remove allow_base_domain from PKI role output.
...
It was never used in a release, in favor of allow_bare_domains.
Fixes #1452 (again)
2017-11-09 10:24:36 -05:00
Jeff Mitchell
3555a17d52
Don't read out an internal role member in PKI
2017-11-08 18:20:53 -05:00
Jeff Mitchell
17310654a1
Add PKCS8 marshaling to PKI ( #3518 )
2017-11-06 12:05:07 -05:00
Jeff Mitchell
d8e2179a42
Rejig some error messages in pki
2017-10-27 12:02:18 -04:00
Jeff Mitchell
a25dae82dd
Final sync
2017-10-23 17:39:21 -04:00
Jeff Mitchell
e3ce60eb1f
Allow entering PKI URLs as arrays. ( #3409 )
...
Fixes #3407
2017-10-03 16:13:57 -04:00
Jeff Mitchell
1076cea5d1
Tests were not actually forcing the intermediate to have a longer TTL
...
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell
cb6ac1e926
Change behavior of TTL in sign-intermediate ( #3325 )
...
* Fix using wrong public key in sign-self-issued
* Change behavior of TTL in sign-intermediate
This allows signing CA certs with an expiration past the signer's
NotAfter.
It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.
Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Jeff Mitchell
7be6905eb0
Add a bit more delay to backend test in case Travis is loaded
2017-09-04 14:45:12 -04:00
Jeff Mitchell
abb2ab2918
Add pki/root/sign-self-issued. ( #3274 )
...
* Add pki/root/sign-self-issued.
This is useful for root CA rolling, and is also suitably dangerous.
Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.
* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell
d62937aaf3
Use TypeDurationSecond for TTL values in PKI. ( #3270 )
2017-08-31 15:46:13 -04:00
Lars Lehtonen
13901b1346
fix swallowed errors in pki package tests ( #3215 )
2017-08-29 13:15:36 -04:00
Jeff Mitchell
340fe4e609
Add permitted dns domains to pki ( #3164 )
2017-08-15 16:10:36 -04:00
Jeff Mitchell
e4eb6e9020
Make PKI root generation idempotent-ish and add delete endpoint. ( #3165 )
2017-08-15 14:00:40 -04:00
Chris Hoffman
77336f4ca2
adding warning for conflicting role and request parameters ( #3083 )
2017-08-02 10:02:40 -04:00
Calvin Leung Huang
3e8aecc7d5
Add BackendType to existing backends ( #3078 )
2017-07-28 14:04:46 -04:00
Calvin Leung Huang
bb54e9c131
Backend plugin system ( #2874 )
...
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017 )
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Seth Rutner
3874b63af3
Fix typos in error message ( #2692 )
2017-05-10 10:28:35 -04:00
Jeff Mitchell
d25aa9fc21
Don't write salts in initialization, look up on demand ( #2702 )
2017-05-09 17:51:09 -04:00
Calvin Leung Huang
26cf09ab15
Minor comment update on cert_util
2017-05-03 16:13:54 -04:00
Chris Hoffman
1c14d207b5
Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
...
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
Chris Hoffman
e34a45fdcd
Minor readability enhancements for migration path from old to new
2017-05-03 14:58:22 -04:00
Calvin Leung Huang
a00a7815f6
Include and use normalizeSerial func
2017-05-03 10:12:58 -04:00
Calvin Leung Huang
2b7a66e23b
Use variables for string replacements on cert_util
2017-05-02 14:11:57 -04:00
Justin Gerace
403efeb5ae
Add globbing support to the PKI backend's allowed_domains list ( #2517 )
2017-05-01 10:40:18 -04:00
Calvin Leung Huang
ff4cf41ebb
Add test for ca and crl case
2017-04-28 08:55:28 -04:00
Vishal Nayak
8bb6c8caef
Return error message for failure to parse CSR ( #2657 )
2017-04-28 08:30:24 -04:00
Calvin Leung Huang
802d030506
Refactor cert_util_test
2017-04-27 17:09:59 -04:00
Calvin Leung Huang
b5990321bf
Verify update operation was performed on revokeCert
2017-04-27 12:30:44 -04:00
Calvin Leung Huang
3b27a9c12c
Rename tests, use HandleRequest() for existing paths
2017-04-27 09:47:56 -04:00
Calvin Leung Huang
628e5d594b
Add remaining tests
2017-04-26 16:05:58 -04:00
Calvin Leung Huang
d24757f2e0
Fix crl_util test
2017-04-26 09:58:34 -04:00
Calvin Leung Huang
18ed2d6097
Tests for cert and crl util
2017-04-26 02:46:01 -04:00
Chris Hoffman
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
Jeff Mitchell
4995c69763
Update sign-verbatim to correctly set generate_lease ( #2593 )
2017-04-18 15:54:31 -04:00
Jeff Mitchell
822d86ad90
Change storage of entries from colons to hyphens and add a
...
lookup/migration path
Still TODO: tests on migration path
Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell
79fb8bdf69
Verify that a CSR specifies IP SANs before checking whether it's allowed ( #2574 )
2017-04-13 13:40:31 -04:00
Shivaram Lingamneni
2117dfd717
implement a no_store option for pki roles ( #2565 )
2017-04-07 11:25:47 -07:00
Jeff Mitchell
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
Jeff Mitchell
24886c1006
Ensure CN check is made when exclude_cn_from_sans is used
...
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell
12e5132779
Allow roles to specify whether CSR SANs should be used instead of ( #2489 )
...
request values. Fix up some documentation.
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell
7ab6844eb4
Set CA chain when intermediate does not have an authority key ID.
...
This is essentially an approved review of the code provided in #2465 .
Fixes #2465
2017-03-15 11:52:02 -04:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell
eca68d5913
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
vishalnayak
2e911fc650
Fix broken build caused due to resolve merge conflicts
2017-02-24 12:41:20 -05:00
Vishal Nayak
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
...
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
Jeff Mitchell
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell
c96fe56d44
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
Jeff Mitchell
817bec0955
Add Organization support to PKI backend. ( #2380 )
...
Fixes #2369
2017-02-16 01:04:29 -05:00
Jeff Mitchell
f43a041bf2
Revert "Disable PKI OU tests to fix the build"
...
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
vishalnayak
c8b6ab7223
Disable PKI OU tests to fix the build
2017-01-24 06:25:56 -05:00
joe miller
98df700495
allow roles to set OU value in certificates issued by the pki backend ( #2251 )
2017-01-23 12:44:45 -05:00
joe miller
78dacc154a
sign-verbatim should set use_csr_common_name to true ( #2243 )
2017-01-10 09:47:59 -05:00
vishalnayak
1816446f46
Address review feedback
2016-12-20 11:19:47 -05:00
vishalnayak
b3e323bbcc
pki: Avoiding a storage read
2016-12-20 11:07:20 -05:00
vishalnayak
2e23f1a992
pki: Appended error to error message
2016-12-19 10:49:32 -05:00
vishalnayak
ba1cc709bd
PKI: Added error to the error message
2016-12-19 10:47:29 -05:00
Jeff Mitchell
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
Chris Hoffman
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
Jeff Mitchell
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
Jeff Mitchell
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
Jeff Mitchell
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
Jeff Mitchell
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
Jeff Mitchell
86874def5c
Parameter change
...
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
Jeff Mitchell
39cfd116b6
Cleanup
2016-08-13 11:52:09 -04:00
Jeff Mitchell
1b8711e7b7
Ensure utc value is not zero before adding
2016-08-13 11:50:57 -04:00
Jeff Mitchell
d6d08250ff
Ensure values to be encoded in a CRL are in UTC. This aligns with the
...
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.
Fixes #1727
2016-08-13 08:40:09 -04:00
Vincent Batoufflet
0b73c2ff9a
Fix PKI logical backend email alt_names
2016-08-04 12:10:34 +02:00
vishalnayak
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
Jeff Mitchell
3334b22993
Some minor linting
2016-07-19 13:54:18 -04:00
Jeff Mitchell
4a8d9eb942
Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time.
2016-07-01 17:28:48 -04:00
cara marie
11c205e19b
removed option to create 1024 keybitlength certs
2016-06-28 16:56:14 -04:00
Jeff Mitchell
9dc0599a30
Address review feedback
2016-06-23 10:18:03 -04:00
Jeff Mitchell
d7029fc49a
Add some more testing
2016-06-23 09:49:03 -04:00
Jeff Mitchell
45a442e593
Set some basic key usages by default.
...
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.
Fixes #1476
2016-06-22 16:08:24 -04:00
Jeff Mitchell
407373df5d
Revert "Use x509 package ext key usage instead of custom type"
...
This reverts commit 0b2d8ff475a26ff98c37337a64859d150d62cfc1.
2016-06-22 13:07:31 -04:00
Jeff Mitchell
c0dee06aab
Use x509 package ext key usage instead of custom type
2016-06-22 11:51:32 -04:00
Jeff Mitchell
62f66dc4d8
Do some internal renaming in PKI
2016-06-22 11:39:57 -04:00
Vishal Nayak
711c05a319
Merge pull request #1546 from hashicorp/secret-aws-roles
...
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
vishalnayak
8b490e44a1
Added list functionality to logical aws backend's roles
2016-06-20 19:51:04 -04:00
vishalnayak
0760a89eb4
Backend() functions should return 'backend' objects.
...
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
LLBennett
3795b65d19
Updates to the test based on feedback.
2016-06-08 16:49:10 +00:00
Laura Bennett
2f2a80e2be
Add PKI listing
2016-06-08 11:50:59 -04:00
Vishal Nayak
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
Jeff Mitchell
05d1da0656
Add comment about the deletions
2016-05-26 10:33:35 -04:00
Jeff Mitchell
ccfa8d0567
Remove deprecated entries from PKI role output.
...
Fixes #1452
2016-05-26 10:32:04 -04:00
vishalnayak
2ca846b401
s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets
2016-05-26 10:04:11 -04:00
Sean Chittenden
b0bba6d271
Store clamped TTLs back in the role's config
2016-05-15 08:13:56 -07:00
Sean Chittenden
539475714d
Set entry's TTL before writing out the storage entry's config
2016-05-15 07:06:33 -07:00
Jeff Mitchell
d899f9d411
Don't revoke CA certificates with leases.
2016-05-09 19:53:28 -04:00
Adam Shannon
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
vishalnayak
06eeaecef6
Skip acceptance tests if VAULT_ACC is not set
2016-04-11 20:00:15 -04:00
vishalnayak
fd8b023655
s/TF_ACC/VAULT_ACC
2016-04-05 15:24:59 -04:00
vishalnayak
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
Jeff Mitchell
dfc5a745ee
Remove check for using CSR values with non-CA certificate.
...
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.
Fixes #1250
2016-03-23 10:05:38 -04:00
Jeff Mitchell
1951a01998
Add ability to exclude adding the CN to SANs.
...
Fixes #1220
2016-03-17 16:28:40 -04:00
Jeff Mitchell
7a9122bbd1
Sanitize serial number in revocation path.
...
Ping #1180
2016-03-08 10:51:59 -05:00
Jeff Mitchell
34a9cb1a70
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
Jeff Mitchell
11dc3f328f
Add revocation information to PKI fetch output (non-raw only).
...
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell
2205133ae4
Only run PKI backend setup functions when TF_ACC is set
2016-02-29 14:41:14 -05:00
Jeff Mitchell
8ca847c9b3
Be more explicit about buffer type
2016-02-24 22:05:39 -05:00
Jeff Mitchell
7d41607b6e
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
Jeff Mitchell
f56e4a604d
Merge pull request #1114 from hashicorp/dont-delete-certs
...
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
Jeff Mitchell
4514192145
Address review feedback
2016-02-22 16:11:01 -05:00
Jeff Mitchell
f43ab6a25d
Remove extra debugging from PKI tests
2016-02-22 13:39:05 -05:00
Jeff Mitchell
f27eab1d28
Do not delete certs (or revocation information) to avoid potential
...
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
Jeff Mitchell
51ced69bf8
Fix issue where leftover values after cn tests could trigger errors in ipsan tests
2016-02-22 13:35:57 -05:00
Jeff Mitchell
4c327ca4cc
More improvements to PKI tests; allow setting a specific seed, output
...
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
Jeff Mitchell
8d4c6f4c98
Use more fuzziness in PKI backend tests
2016-02-22 10:59:37 -05:00
Jeff Mitchell
392a26e9cd
Better handle errors from fetchCertBySerial
2016-02-22 10:36:26 -05:00
Jeff Mitchell
58432c5d57
Add tests for minimum key size checking. (This will also verify that the
...
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
Jeff Mitchell
c57b646848
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
Jeff Mitchell
7fc4ee1ed7
Disallow 1024-bit RSA keys.
...
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
vishalnayak
d9536043e7
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
Jeff Mitchell
3378db0166
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
Tom Ritter
a10dc14625
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
Tom Ritter
940a58cb9d
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
Jeff Mitchell
4771884c78
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
Jeff Mitchell
20f45678e6
Fix comment text
2016-02-01 17:20:16 -05:00
Jeff Mitchell
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell
cb1928451b
Only specify cert sign / CRL sign for CAs and only specify extended key
...
usages for clients.
This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.
Fixes #987
2016-01-29 10:26:35 -05:00
Jeff Mitchell
2015118958
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
Jeff Mitchell
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
134b4d2a42
Built on GH-890 to add other types
2015-12-29 13:07:24 -05:00
Issac Goldstand
fba756075a
fix CA compatibility with OpenSSL
2015-12-29 18:52:43 +02:00
Jeff Mitchell
dd445a53a5
Update key usage logic
...
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
Windows Crypto API and Go's validation logic
Fixes #846
2015-12-14 14:23:51 -05:00
Jeff Mitchell
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell
b6c49ddf01
Remove token display names from input options as there isn't a viable
...
use-case for it at the moment
2015-11-30 18:07:42 -05:00
Jeff Mitchell
cf366bda9c
Greatly simplify and fix the name validation function, as well as fully
...
comment it.
2015-11-23 14:15:32 -05:00
Jeff Mitchell
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
Jeff Mitchell
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
Jeff Mitchell
af3d6ced8e
Update validator function for URIs. Change example of entering a CA to a
...
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
Jeff Mitchell
f41a2e562a
fix tests
2015-11-19 10:13:28 -05:00
Jeff Mitchell
a95228e4ee
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
26c8cf874d
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
Jeff Mitchell
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
Jeff Mitchell
c6ba4f24bc
Add URL validation
2015-11-19 09:51:18 -05:00