1513e2baa4
* CA bundle uploading * Basic role creation * Common Name restrictions * IP SAN restrictions * EC + RSA keys * Various key usages * Lease times * CA fetching in various formats * DNS SAN handling Also, fix a bug when trying to get code signing certificates. Not tested: * Revocation (I believe this is impossible with the current testing framework) Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
134 lines
4 KiB
Go
134 lines
4 KiB
Go
package pki
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
)
|
|
|
|
func pathConfigCA(b *backend) *framework.Path {
|
|
return &framework.Path{
|
|
Pattern: "config/ca",
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"pem_bundle": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "PEM-format, concatenated unencrypted secret key and certificate",
|
|
},
|
|
},
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.WriteOperation: b.pathCAWrite,
|
|
},
|
|
|
|
HelpSynopsis: pathConfigCAHelpSyn,
|
|
HelpDescription: pathConfigCAHelpDesc,
|
|
}
|
|
}
|
|
|
|
func (b *backend) pathCAWrite(
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
pemBundle := d.Get("pem_bundle").(string)
|
|
|
|
if len(pemBundle) == 0 {
|
|
return logical.ErrorResponse("Empty PEM bundle"), nil
|
|
}
|
|
|
|
pemBytes := []byte(pemBundle)
|
|
var pemBlock *pem.Block
|
|
rawBundle := &rawCertBundle{}
|
|
|
|
for {
|
|
pemBlock, pemBytes = pem.Decode(pemBytes)
|
|
if pemBlock == nil {
|
|
return logical.ErrorResponse("No PEM data found"), nil
|
|
}
|
|
|
|
if _, err := x509.ParseECPrivateKey(pemBlock.Bytes); err == nil {
|
|
if rawBundle.PrivateKeyType != UnknownPrivateKeyType {
|
|
return logical.ErrorResponse("More than one private key given; provide only one private key in the bundle"), nil
|
|
}
|
|
rawBundle.PrivateKeyType = ECPrivateKeyType
|
|
rawBundle.PrivateKeyBytes = pemBlock.Bytes
|
|
// TODO?: CRLs can only be generated with RSA keys right now, in the
|
|
// Go standard library. The plubming is here to support non-RSA keys
|
|
// if the library gets support
|
|
return logical.ErrorResponse("Only RSA keys are supported at this time due to limitations in the Go standard library"), nil
|
|
} else if _, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes); err == nil {
|
|
|
|
if rawBundle.PrivateKeyType != UnknownPrivateKeyType {
|
|
return logical.ErrorResponse("More than one private key given; provide only one private key in the bundle"), nil
|
|
}
|
|
rawBundle.PrivateKeyType = RSAPrivateKeyType
|
|
rawBundle.PrivateKeyBytes = pemBlock.Bytes
|
|
} else if certificates, err := x509.ParseCertificates(pemBlock.Bytes); err == nil {
|
|
switch len(certificates) {
|
|
case 0:
|
|
return logical.ErrorResponse("No certificates found in the bundle"), nil
|
|
case 1:
|
|
cert := certificates[0]
|
|
if !cert.IsCA {
|
|
return logical.ErrorResponse("The given certificate is not marked for CA use and cannot be used with this backend"), nil
|
|
}
|
|
rawBundle.CertificateBytes = pemBlock.Bytes
|
|
default:
|
|
return logical.ErrorResponse("More than one certificate given; provide only one certificate in the bundle"), nil
|
|
}
|
|
}
|
|
|
|
if len(pemBytes) == 0 {
|
|
break
|
|
}
|
|
}
|
|
|
|
switch {
|
|
case rawBundle.PrivateKeyType == UnknownPrivateKeyType:
|
|
return logical.ErrorResponse("Unable to figure out the private key type; must be RSA or EC"), nil
|
|
case len(rawBundle.PrivateKeyBytes) == 0:
|
|
return logical.ErrorResponse("Unable to decode the private key from the bundle"), nil
|
|
case len(rawBundle.CertificateBytes) == 0:
|
|
return logical.ErrorResponse("Unable to decode the certificate from the bundle"), nil
|
|
}
|
|
|
|
cb := rawBundle.toCertBundle()
|
|
entry, err := logical.StorageEntryJSON("config/ca_bundle", cb)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = req.Storage.Put(entry)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// For ease of later use, also store just the certificate at a known
|
|
// location, plus a blank CRL
|
|
entry.Key = "ca"
|
|
entry.Value = rawBundle.CertificateBytes
|
|
err = req.Storage.Put(entry)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
entry.Key = "crl"
|
|
entry.Value = []byte{}
|
|
err = req.Storage.Put(entry)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
const pathConfigCAHelpSyn = `
|
|
Configure the CA certificate and private key used for generated credentials.
|
|
`
|
|
|
|
const pathConfigCAHelpDesc = `
|
|
This configures the CA information used for credentials
|
|
generated by this backend. This must be a PEM-format, concatenated
|
|
unencrypted secret key and certificate.
|
|
|
|
For security reasons, you can only view the certificate when reading this endpoint.
|
|
`
|