45a442e593
Set some basic key usages by default.
...
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.
Fixes #1476
2016-06-22 16:08:24 -04:00
407373df5d
Revert "Use x509 package ext key usage instead of custom type"
...
This reverts commit 0b2d8ff475a26ff98c37337a64859d150d62cfc1.
2016-06-22 13:07:31 -04:00
c0dee06aab
Use x509 package ext key usage instead of custom type
2016-06-22 11:51:32 -04:00
62f66dc4d8
Do some internal renaming in PKI
2016-06-22 11:39:57 -04:00
711c05a319
Merge pull request #1546 from hashicorp/secret-aws-roles
...
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
8b490e44a1
Added list functionality to logical aws backend's roles
2016-06-20 19:51:04 -04:00
0760a89eb4
Backend() functions should return 'backend' objects.
...
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
3795b65d19
Updates to the test based on feedback.
2016-06-08 16:49:10 +00:00
2f2a80e2be
Add PKI listing
2016-06-08 11:50:59 -04:00
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
05d1da0656
Add comment about the deletions
2016-05-26 10:33:35 -04:00
ccfa8d0567
Remove deprecated entries from PKI role output.
...
Fixes #1452
2016-05-26 10:32:04 -04:00
2ca846b401
s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets
2016-05-26 10:04:11 -04:00
b0bba6d271
Store clamped TTLs back in the role's config
2016-05-15 08:13:56 -07:00
539475714d
Set entry's TTL before writing out the storage entry's config
2016-05-15 07:06:33 -07:00
d899f9d411
Don't revoke CA certificates with leases.
2016-05-09 19:53:28 -04:00
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
06eeaecef6
Skip acceptance tests if VAULT_ACC is not set
2016-04-11 20:00:15 -04:00
fd8b023655
s/TF_ACC/VAULT_ACC
2016-04-05 15:24:59 -04:00
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
dfc5a745ee
Remove check for using CSR values with non-CA certificate.
...
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.
Fixes #1250
2016-03-23 10:05:38 -04:00
1951a01998
Add ability to exclude adding the CN to SANs.
...
Fixes #1220
2016-03-17 16:28:40 -04:00
7a9122bbd1
Sanitize serial number in revocation path.
...
Ping #1180
2016-03-08 10:51:59 -05:00
34a9cb1a70
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
11dc3f328f
Add revocation information to PKI fetch output (non-raw only).
...
Fixes #1180
2016-03-07 10:57:38 -05:00
2205133ae4
Only run PKI backend setup functions when TF_ACC is set
2016-02-29 14:41:14 -05:00
8ca847c9b3
Be more explicit about buffer type
2016-02-24 22:05:39 -05:00
7d41607b6e
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
f56e4a604d
Merge pull request #1114 from hashicorp/dont-delete-certs
...
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
4514192145
Address review feedback
2016-02-22 16:11:01 -05:00
f43ab6a25d
Remove extra debugging from PKI tests
2016-02-22 13:39:05 -05:00
f27eab1d28
Do not delete certs (or revocation information) to avoid potential
...
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
51ced69bf8
Fix issue where leftover values after cn tests could trigger errors in ipsan tests
2016-02-22 13:35:57 -05:00
4c327ca4cc
More improvements to PKI tests; allow setting a specific seed, output
...
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
8d4c6f4c98
Use more fuzziness in PKI backend tests
2016-02-22 10:59:37 -05:00
392a26e9cd
Better handle errors from fetchCertBySerial
2016-02-22 10:36:26 -05:00
58432c5d57
Add tests for minimum key size checking. (This will also verify that the
...
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
c57b646848
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
7fc4ee1ed7
Disallow 1024-bit RSA keys.
...
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
d9536043e7
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
3378db0166
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
a10dc14625
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
940a58cb9d
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
4771884c78
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
20f45678e6
Fix comment text
2016-02-01 17:20:16 -05:00
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
cb1928451b
Only specify cert sign / CRL sign for CAs and only specify extended key
...
usages for clients.
This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.
Fixes #987
2016-01-29 10:26:35 -05:00
2015118958
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
Jeff Mitchell