open-vault/builtin/logical/pki
Alexander Scheel 248990a1ec
Fix leaf revocation under intermediate CAs (#16052)
* Add test for revocation under intermediate CA

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow revocation of certs with key-less issuers

In Vault 1.11's multiple issuer functionality, we incorrectly fetched
the full CA signing bundle for validating revocation of leaf certs (when
attempting to prohibit revocation of issuers in the mount). When the
issuer lacked a key (such as the root issuer on an intermediate mount),
this signing bundle creation failed.

Instead of fetching the full CA signing bundle, fetch instead the raw
certutil.CertBundle and parse it (to x509.Certificate form) ourselves.

This manifests as the error on revocation:

> URL: PUT http://127.0.0.1:8200/v1/pki_int/revoke
> * could not fetch the CA certificate for issuer id 156e1b99-4f04-5b5e-0036-cc0422c0c0d3: unable to fetch corresponding key for issuer 156e1b99-4f04-5b5e-0036-cc0422c0c0d3; unable to use this issuer for signing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-17 18:04:51 -04:00
cmd/pki
backend.go Allow issuer/:issuer_ref/sign-verbatim/:role, add error on missing role (#15543) 2022-05-23 13:09:18 -04:00
backend_test.go Fix format errors in PKI tests (#16015) 2022-06-16 07:41:05 -07:00
ca_test.go
ca_util.go Add explicit cn_validations field to PKI Roles (#15996) 2022-06-16 06:53:27 -07:00
cert_util.go Add explicit cn_validations field to PKI Roles (#15996) 2022-06-16 06:53:27 -07:00
cert_util_test.go
chain_test.go Refactor PKI tests for speed (#15999) 2022-06-16 09:11:22 -04:00
chain_util.go
config_util.go
crl_test.go Fix leaf revocation under intermediate CAs (#16052) 2022-06-17 18:04:51 -04:00
crl_util.go Fix leaf revocation under intermediate CAs (#16052) 2022-06-17 18:04:51 -04:00
fields.go Rebase #14178 / Add not_before_duration API parameter to Root/Intermediate CA generation (#15511) 2022-05-19 12:35:08 -04:00
integation_test.go PKI: Only set issuers with an associated key as default on import (#15754) 2022-06-02 12:59:07 -04:00
key_util.go
managed_key_util.go
path_config_ca.go
path_config_crl.go Always return PKI configs for CRLs, URLs (#15470) 2022-05-17 11:40:09 -04:00
path_config_urls.go Always return PKI configs for CRLs, URLs (#15470) 2022-05-17 11:40:09 -04:00
path_fetch.go
path_fetch_issuers.go Add role patching test case (#15545) 2022-05-20 15:30:22 -04:00
path_fetch_keys.go PKI: Do not error out on unknown issuers/keys on delete api calls. (#15541) 2022-05-20 13:33:26 -04:00
path_intermediate.go Add warning on missing AIA info fields (#15509) 2022-05-19 11:12:10 -04:00
path_issue_sign.go Add explicit cn_validations field to PKI Roles (#15996) 2022-06-16 06:53:27 -07:00
path_manage_issuers.go PKI: Only set issuers with an associated key as default on import (#15754) 2022-06-02 12:59:07 -04:00
path_manage_keys.go Protect against key and issuer name re-use (#15481) 2022-05-18 10:31:39 -04:00
path_manage_keys_test.go PKI: Do not error out on unknown issuers/keys on delete api calls. (#15541) 2022-05-20 13:33:26 -04:00
path_revoke.go
path_roles.go Add explicit cn_validations field to PKI Roles (#15996) 2022-06-16 06:53:27 -07:00
path_roles_test.go Support for CPS URLs in Custom Policy Identifiers. (#15751) 2022-06-03 14:50:46 -04:00
path_root.go Add explicit cn_validations field to PKI Roles (#15996) 2022-06-16 06:53:27 -07:00
path_sign_issuers.go
path_tidy.go
secret_certs.go
storage.go PKI: Only set issuers with an associated key as default on import (#15754) 2022-06-02 12:59:07 -04:00
storage_migrations.go pki: Do not use a static issuer/key name within the migration (#15886) 2022-06-08 15:31:30 -04:00
storage_migrations_test.go pki: Do not use a static issuer/key name within the migration (#15886) 2022-06-08 15:31:30 -04:00
storage_test.go
test_helpers.go Refactor PKI tests for speed (#15999) 2022-06-16 09:11:22 -04:00
util.go