ncabatoff
fde5e55ce9
Handle otherName SANs in CSRs ( #6163 )
...
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.
Allow single star in allowed_other_sans to match any OtherName. Update documentation to clarify globbing behaviour.
2019-12-11 10:16:44 -05:00
Chris Hoffman
ea0974b578
if storing the certificate, always generate/sign the certificate on the primary ( #7904 )
2019-12-05 13:50:28 -05:00
ncabatoff
c48936c4fd
Refactor cert util ( #6676 )
...
Break dataBundle into two pieces: inputBundle, which contains data that
is specific to the pki backend, and creationBundle, which is a more
generic bundle of validated inputs given to certificate creation/signing routines.
Move functions that only take creationBundle to certutil and make them public.
2019-05-09 11:43:11 -04:00
Jeff Mitchell
9ebc57581d
Switch to go modules ( #6585 )
...
* Switch to go modules
* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell
8bcb533a1b
Create sdk/ and api/ submodules ( #6583 )
2019-04-12 17:54:35 -04:00
Jeff Mitchell
5e2cc31cb6
Remove now-spurious ttl check and logic from sign-verbatim. ( #5552 )
...
This endpoint eventually goes through generateCreationBundle where we
already have the right checks.
Also add expiration to returned value to match output when using root
generation.
Fixes #5549
2018-10-19 11:13:59 -04:00
Mr Talbot
5551a63221
pki: add ext_key_usage to mirror key_usage and add to sign-verbatim ( #4777 )
...
* pki: add ext_key_usage parameter to role
* pki: add key_usage and ext_key_usage parameter to sign-verbatim
* pki: cleanup code as per comments
2018-06-15 18:20:43 -04:00
Jeff Mitchell
91ca3d4b7f
Add URI SANs ( #4767 )
2018-06-15 15:32:25 -04:00
Marcin Wielgoszewski
9316c96364
Add support for x.509 Name Serial Number attribute in subject of certificates ( #4694 )
2018-06-04 23:18:39 -04:00
Jeff Mitchell
72200603c6
Fix role writing not allowing key_type of any ( #4596 )
...
Fixes #4595
2018-05-19 10:24:43 -07:00
Jeff Mitchell
e5f4ca83a0
Update PKI to natively use time.Duration ( #4493 )
...
* Update PKI to natively use time.Duration
Among other things this now means PKI will output durations in seconds
like other backends, instead of as Go strings.
* Add a warning when refusing to blow away an existing root instead of just returning success
* Fix another issue found while debugging this...
The reason it wasn't caught on tests in the first place is that the ttl
and max ttl were only being compared if in addition to a provided csr, a
role was also provided. This was because the check was in the role !=
nil block instead of outside of it. This has been fixed, which made the
problem occur in all sign-verbatim cases and the changes in this PR have
now verified the fix.
2018-05-09 10:29:54 -04:00
Vishal Nayak
28e3eb9e2c
Errwrap everywhere ( #4252 )
...
* package api
* package builtin/credential
* package builtin/logical
* package command
* package helper
* package http and logical
* package physical
* package shamir
* package vault
* package vault
* address feedback
* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell
8697d80d2e
More cleanup of TTL handling in PKI ( #4158 )
...
* Max role's max_ttl parameter a TypeDurationString like ttl
* Don't clamp values at write time in favor of evaluating at issue time,
as is the current best practice
* Lots of general cleanup of logic to fix missing cases
2018-03-19 21:01:41 -04:00
Jeff Mitchell
f29bde0052
Support other names in SANs ( #3889 )
2018-02-16 17:19:34 -05:00
Brian Kassouf
2f19de0305
Add context to storage backends and wire it through a lot of places ( #3817 )
2018-01-19 01:44:44 -05:00
Brian Kassouf
1c190d4bda
Pass context to backends ( #3750 )
...
* Start work on passing context to backends
* More work on passing context
* Unindent logical system
* Unindent token store
* Unindent passthrough
* Unindent cubbyhole
* Fix tests
* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Jeff Mitchell
17310654a1
Add PKCS8 marshaling to PKI ( #3518 )
2017-11-06 12:05:07 -05:00
Jeff Mitchell
d8e2179a42
Rejig some error messages in pki
2017-10-27 12:02:18 -04:00
Chris Hoffman
77336f4ca2
adding warning for conflicting role and request parameters ( #3083 )
2017-08-02 10:02:40 -04:00
Chris Hoffman
1c14d207b5
Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
...
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
Calvin Leung Huang
a00a7815f6
Include and use normalizeSerial func
2017-05-03 10:12:58 -04:00
Jeff Mitchell
4995c69763
Update sign-verbatim to correctly set generate_lease ( #2593 )
2017-04-18 15:54:31 -04:00
Jeff Mitchell
822d86ad90
Change storage of entries from colons to hyphens and add a
...
lookup/migration path
Still TODO: tests on migration path
Fixes #2552
2017-04-18 11:14:23 -04:00
Shivaram Lingamneni
2117dfd717
implement a no_store option for pki roles ( #2565 )
2017-04-07 11:25:47 -07:00
Jeff Mitchell
12e5132779
Allow roles to specify whether CSR SANs should be used instead of ( #2489 )
...
request values. Fix up some documentation.
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
vishalnayak
2e911fc650
Fix broken build caused due to resolve merge conflicts
2017-02-24 12:41:20 -05:00
Vishal Nayak
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
...
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
joe miller
78dacc154a
sign-verbatim should set use_csr_common_name to true ( #2243 )
2017-01-10 09:47:59 -05:00
vishalnayak
2e23f1a992
pki: Appended error to error message
2016-12-19 10:49:32 -05:00
Chris Hoffman
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
vishalnayak
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
Jeff Mitchell
34a9cb1a70
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
Jeff Mitchell
c57b646848
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
Jeff Mitchell
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
Jeff Mitchell
af3d6ced8e
Update validator function for URIs. Change example of entering a CA to a
...
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
Jeff Mitchell
a95228e4ee
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
Jeff Mitchell
b14050bebc
Fix zero path length handling, and move common field defs elsewhere
2015-11-19 09:51:18 -05:00
Jeff Mitchell
ed62afec14
Large documentation updates, remove the pathlength path in favor of
...
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
deb5131cd3
Add config/urls CRUD operations to get and set the URLs encoded into
...
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
54c5c232fd
Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR
2015-11-19 09:51:17 -05:00
Jeff Mitchell
7c5a174493
Add capability to use the CSR's common name (by default for CA CSRs if
...
no common_name parameter is given, role-controlled for non-CA CSRs).
Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
Jeff Mitchell
f16d8b8cd2
Cleanup, and add ability to sign CA CSRs that aren't destined for Vault
2015-11-19 09:51:17 -05:00
Jeff Mitchell
b2df079446
Add unit tests to test signing logic, fix up test logic for names
2015-11-19 09:51:17 -05:00
Jeff Mitchell
fe7dbfaada
Handle email address alternative names, fix up tests, fix up logic around name verification
2015-11-19 09:51:17 -05:00
Jeff Mitchell
b3eb5c4957
Add sign method (untested)
2015-11-19 09:51:17 -05:00