New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow Multiple Issuers in PKI Secret Engine Mounts - PKI Pod #15277
Commits on May 2, 2022
-
Starter PKI CA Storage API (#14796)
* Simple starting PKI storage api for CA rotation * Add key and issuer storage apis * Add listKeys and listIssuers storage implementations * Add simple keys and issuers configuration storage api methods
Configuration menu - View commit details
-
Copy full SHA for 18fcfb2 - Browse repository at this point
Copy the full SHA 18fcfb2View commit details -
Handle resolving key, issuer references
The API context will usually have a user-specified reference to the key. This is either the literal string "default" to select the default key, an identifier of the key, or a slug name for the key. Here, we wish to resolve this reference to an actual identifier that can be understood by storage. Also adds the missing Name field to keys. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for d57be55 - Browse repository at this point
Copy the full SHA d57be55View commit details -
Add method to fetch an issuer's cert bundle
This adds a method to construct a certutil.CertBundle from the specified issuer identifier, optionally loading its corresponding key for signing. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for b8fe80d - Browse repository at this point
Copy the full SHA b8fe80dView commit details -
Refactor certutil PrivateKey PEM handling
This refactors the parsing of PrivateKeys from PEM blobs into shared methods (ParsePEMKey, ParseDERKey) that can be reused by the existing Bundle parsing logic (ParsePEMBundle) or independently in the new issuers/key-based PKI storage code. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 55f0841 - Browse repository at this point
Copy the full SHA 55f0841View commit details -
Add importKey, importCert to PKI storage
importKey is generally preferable to the low-level writeKey for adding new entries. This takes only the contents of the private key (as a string -- so a PEM bundle or a managed key handle) and checks if it already exists in the storage. If it does, it returns the existing key instance. Otherwise, we create a new one. In the process, we detect any issuers using this key and link them back to the new key entry. The same holds for importCert over importKey, with the note that keys are not modified when importing certificates. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for ca3e48d - Browse repository at this point
Copy the full SHA ca3e48dView commit details -
Add tests for importing issuers, keys
This adds tests for importing keys and issuers into the new storage layout, ensuring that identifiers are correctly inferred and linked. Note that directly writing entries to storage (writeKey/writeissuer) will take KeyID links from the parent entry and should not be used for import; only existing entries should be updated with this info. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for a93690f - Browse repository at this point
Copy the full SHA a93690fView commit details -
Implement PKI storage migration.
- Hook into the backend::initialize function, calling the migration on a primary only. - Migrate an existing certificate bundle to the new issuers and key layout
Configuration menu - View commit details
-
Copy full SHA for 1411be7 - Browse repository at this point
Copy the full SHA 1411be7View commit details -
Make fetchCAInfo aware of new storage layout
This allows fetchCAInfo to fetch a specified issuer, via a reference parameter provided by the user. We pass that into the storage layer and have it return a cert bundle for us. Finally, we need to validate that it truly has the key desired. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 62467e0 - Browse repository at this point
Copy the full SHA 62467e0View commit details -
This implements the fetch operations around issuers in the PKI Secrets Engine. We implement the following operations: - LIST /issuers - returns a list of known issuers' IDs and names. - GET /issuer/:ref - returns a JSON blob with information about this issuer. - POST /issuer/:ref - allows configuring information about issuers, presently just its name. - DELETE /issuer/:ref - allows deleting the specified issuer. - GET /issuer/:ref/{der,pem} - returns a raw API response with just the DER (or PEM) of the issuer's certificate. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for c0c11c9 - Browse repository at this point
Copy the full SHA c0c11c9View commit details -
This adds the two core import code paths to the API: /issuers/import/cert and /issuers/import/bundle. The former differs from the latter in that the latter allows the import of keys. This allows operators to restrict importing of keys to privileged roles, while allowing more operators permission to import additional certificates (not used for signing, but instead for path/chain building). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 5a4c6ea - Browse repository at this point
Copy the full SHA 5a4c6eaView commit details -
Add /issuer/:ref/sign-intermediate endpoint
This endpoint allows existing issuers to be used to sign intermediate CA certificates. In the process, we've updated the existing /root/sign-intermediate endpoint to be equivalent to a call to /issuer/default/sign-intermediate. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for cfe2bc8 - Browse repository at this point
Copy the full SHA cfe2bc8View commit details -
Add /issuer/:ref/sign-self-issued endpoint
This endpoint allows existing issuers to be used to sign self-signed certificates. In the process, we've updated the existing /root/sign-self-issued endpoint to be equivalent to a call to /issuer/default/sign-self-issued. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 1c589eb - Browse repository at this point
Copy the full SHA 1c589ebView commit details -
Add /issuer/:ref/sign-verbatim endpoint
This endpoint allows existing issuers to be used to directly sign CSRs. In the process, we've updated the existing /sign-verbatim endpoint to be equivalent to a call to /issuer/:ref/sign-verbatim. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 2de0e9c - Browse repository at this point
Copy the full SHA 2de0e9cView commit details -
Allow configuration of default issuers
Using the new updateDefaultIssuerId(...) from the storage migration PR allows for easy implementation of configuring the default issuer. We restrict callers from setting blank defaults and setting default to default. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 51ebbbd - Browse repository at this point
Copy the full SHA 51ebbbdView commit details -
After setting a default issuer, one should be able to use the old /ca, /ca_chain, and /cert/{ca,ca_chain} endpoints to fetch the default issuer (and its chain). Update the fetchCertBySerial helper to no longer support fetching the ca and prefer fetchCAInfo for that instead (as we've already updated that to support fetching the new issuer location). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 81498a7 - Browse repository at this point
Copy the full SHA 81498a7View commit details -
Add /issuer/:ref/{sign,issue}/:role
This updates the /sign and /issue endpoints, allowing them to take the default issuer (if none is provided by a role) and adding issuer-specific versions of them. Note that at this point in time, the behavior isn't yet ideal (as /sign/:role allows adding the ref=... parameter to override the default issuer); a later change adding role-based issuer specification will fix this incorrect behavior. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for b35f2e6 - Browse repository at this point
Copy the full SHA b35f2e6View commit details -
Configuration menu - View commit details
-
Copy full SHA for 3750055 - Browse repository at this point
Copy the full SHA 3750055View commit details -
Configuration menu - View commit details
-
Copy full SHA for 95c10b8 - Browse repository at this point
Copy the full SHA 95c10b8View commit details -
Update issuer and key arguments to consistent values
- Update all new API endpoints to use the new agreed upon argument names. - issuer_ref & key_ref to refer to existing - issuer_name & key_name for new definitions - Update returned values to always user issuer_id and key_id
Configuration menu - View commit details
-
Copy full SHA for 5cd5bad - Browse repository at this point
Copy the full SHA 5cd5badView commit details -
Add utility methods to fetch common ref and name arguments
- Add utility methods to fetch the issuer_name, issuer_ref, key_name and key_ref arguments from data fields. - Centralize the logic to clean up these inputs and apply various validations to all of them.
Configuration menu - View commit details
-
Copy full SHA for 6ddd258 - Browse repository at this point
Copy the full SHA 6ddd258View commit details -
Rename common PKI backend handlers
- Use the buildPath convention for the function name instead of common...
Configuration menu - View commit details
-
Copy full SHA for acebaea - Browse repository at this point
Copy the full SHA acebaeaView commit details -
Move setting PKI defaults from writeCaBundle to proper import{keys,is…
…suer} methods - PR feedback, move setting up the default configuration references within the import methods instead of within the writeCaBundle method. This should now cover all use cases of us setting up the defaults properly.
Configuration menu - View commit details
-
Copy full SHA for 9f6731c - Browse repository at this point
Copy the full SHA 9f6731cView commit details -
Configuration menu - View commit details
-
Copy full SHA for 5950270 - Browse repository at this point
Copy the full SHA 5950270View commit details -
Fix legacy PKI sign-verbatim api path
- Addresses some test failures due to an incorrect refactoring of a legacy api path /sign-verbatim within PKI
Configuration menu - View commit details
-
Copy full SHA for a926452 - Browse repository at this point
Copy the full SHA a926452View commit details -
Use import code to handle intermediate, config/ca
The existing bundle import code will satisfy the intermediate import; use it instead of the old ca_bundle import logic. Additionally, update /config/ca to use the new import code as well. While testing, a panic was discovered: > reflect.Value.SetMapIndex: value of type string is not assignable to type pki.keyId This was caused by returning a map with type issuerId->keyId; instead switch to returning string->string maps so the audit log can properly HMAC them. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 6511333 - Browse repository at this point
Copy the full SHA 6511333View commit details -
Clarify error message on missing defaults
When the default issuer and key are missing (and haven't yet been specified), we should clarify that error message. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 0a30e50 - Browse repository at this point
Copy the full SHA 0a30e50View commit details -
Update test semantics for new changes
This makes two minor changes to the existing test suite: 1. Importing partial bundles should now succeed, where they'd previously error. 2. fetchCertBySerial no longer handles CA certificates. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for bfd41cf - Browse repository at this point
Copy the full SHA bfd41cfView commit details -
Add support for deleting all keys, issuers
The old DELETE /root code must now delete all keys and issuers for backwards compatibility. We strongly suggest calling individual delete methods (DELETE /key/:key_ref or DELETE /issuer/:issuer_ref) instead, for finer control. In the process, we detect whether the deleted key/issuers was set as the default. This will allow us to warn (from the single key/deletion issuer code) whether or not the default was deleted (while allowing the operation to succeed). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 547012f - Browse repository at this point
Copy the full SHA 547012fView commit details -
Introduce defaultRef constant within PKI
- Replace hardcoded "default" references with a constant to easily identify various usages. - Use the addIssuerRefField function instead of redefining the field in various locations.
Configuration menu - View commit details
-
Copy full SHA for f34f024 - Browse repository at this point
Copy the full SHA f34f024View commit details -
Rework PKI test TestBackend_Root_Idempotency
- Validate that generate/root calls are no longer idempotent, but the bundle importing does not generate new keys/issuers - As before make sure that the delete root api resets everything - Address a bug within the storage that we bombed when we had multiple different key types within storage.
Configuration menu - View commit details
-
Copy full SHA for 705d64f - Browse repository at this point
Copy the full SHA 705d64fView commit details -
Assign Name=current to migrated key and issuer
- Detail I missed from the RFC was to assign the Name field as "current" for migrated key and issuer.
Configuration menu - View commit details
-
Copy full SHA for 12131b3 - Browse repository at this point
Copy the full SHA 12131b3View commit details -
Build CRL upon PKI intermediary set-signed api called
- Add a call to buildCRL if we created an issuer within pathImportIssuers - Augment existing FullCAChain to verify we have a proper CRL post set-signed api call - Remove a code block writing out "ca" storage entry that is no longer used.
Configuration menu - View commit details
-
Copy full SHA for 1546015 - Browse repository at this point
Copy the full SHA 1546015View commit details -
Identify which certificate or key failed
When importing complex chains, we should identify in which certificate or key the failure occurred. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for d9c7f2a - Browse repository at this point
Copy the full SHA d9c7f2aView commit details -
PKI migration writes out empty migration log entry
- Since the elements of the struct were not exported we serialized an empty migration log to disk and would re-run the migration
Configuration menu - View commit details
-
Copy full SHA for fe33037 - Browse repository at this point
Copy the full SHA fe33037View commit details -
Add chain-building logic to PKI issuers path
With the one-entry-per-issuer approach, CA Chains become implicitly constructed from the pool of issuers. This roughly matches the existing expectations from /config/ca (wherein a chain could be provided) and /intemediate/set-signed (where a chain may be provided). However, in both of those cases, we simply accepted a chain. Here, we need to be able to reconstruct the chain from parts on disk. However, with potential rotation of roots, we need to be aware of disparate chains. Simply concating together all issuers isn't sufficient. Thus we need to be able to parse a certificate's Issuer and Subject field and reconstruct valid (and potentially parallel) parent<->child mappings. This attempts to handle roots, intermediates, cross-signed intermediates, cross-signed roots, and rotated keys (wherein one might not have a valid signature due to changed key material with the same subject). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for a25845e - Browse repository at this point
Copy the full SHA a25845eView commit details -
Return CA Chain when fetching issuers
This returns the CA Chain attribute of an issuer, showing its computed chain based on other issuers in the database, when fetching a specific issuer. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for e7d5258 - Browse repository at this point
Copy the full SHA e7d5258View commit details -
Add testing for chain building
Using the issuance infrastructure, we generate new certificates (either roots or intermediates), positing that this is roughly equivalent to importing an external bundle (minus error handling during partial imports). This allows us to incrementally construct complex chains, creating reissuance cliques and cross-signing cycles. By using ECDSA certificates, we avoid high signature verification and key generation times. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for ade2b49 - Browse repository at this point
Copy the full SHA ade2b49View commit details -
Allow manual construction of issuer chain
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 4caf0a2 - Browse repository at this point
Copy the full SHA 4caf0a2View commit details -
Fix handling of duplicate names
With the new issuer field (manual_chain), we can no longer err when a name already exists: we might be updating the existing issuer (with the same name), but changing its manual_chain field. Detect this error and correctly handle it. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 5ffcf4b - Browse repository at this point
Copy the full SHA 5ffcf4bView commit details -
Add tests for manual chain building
We break the clique, instead building these chains manually, ensuring that the remaining chains do not change and only the modified certs change. We then reset them (back to implicit chain building) and ensure we get the same results as earlier. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 4a3de6a - Browse repository at this point
Copy the full SHA 4a3de6aView commit details -
Add stricter verification of issuers PEM format
This ensures each issuer is only a single certificate entry (as validated by count and parsing) without any trailing data. We further ensure that each certificate PEM has leading and trailing spaces removed with only a single trailing new line remaining. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 361e8b8 - Browse repository at this point
Copy the full SHA 361e8b8View commit details -
Don't set the legacy IssuingCA field on the certificate bundle, as we prefer the CAChain field over it. Additionally, building the full chain could result in duplicate certificates when the CAChain included the leaf certificate itself. When building the full chain, ensure we don't include the bundle's certificate twice. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 3768fde - Browse repository at this point
Copy the full SHA 3768fdeView commit details -
Add stricter tests for full chain construction
We wish to ensure that each desired certificate in the chain is only present once. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 3ff4dfd - Browse repository at this point
Copy the full SHA 3ff4dfdView commit details -
Rename PKI types to avoid constant variable name collisions
keyId -> keyID issuerId -> issuerID key -> keyEntry issuer -> issuerEntry keyConfig -> keyConfigEntry issuerConfig -> issuerConfigEntry
Configuration menu - View commit details
-
Copy full SHA for 46a2e48 - Browse repository at this point
Copy the full SHA 46a2e48View commit details -
Update CRL handling for multiple issuers
When building CRLs, we've gotta make sure certs issued by that issuer land up on that issuer's CRL and not some other CRL. If no CRL is found (matching a cert), we'll place it on the default CRL. However, in the event of equivalent issuers (those with the same subject AND the same key material) -- perhaps due to reissuance -- we'll only create a single (unified) CRL for them. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for c4d384f - Browse repository at this point
Copy the full SHA c4d384fView commit details -
Allow fetching updated CRL locations
This updates fetchCertBySerial to support querying the default issuer's CRL. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for a63f803 - Browse repository at this point
Copy the full SHA a63f803View commit details -
Remove legacy CRL storage location test case
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 05c44f8 - Browse repository at this point
Copy the full SHA 05c44f8View commit details -
Update to CRLv2 Format to copy RawIssuer
When using the older Certificate.CreateCRL(...) call, Go's x509 library copies the parsed pkix.Name version of the CRL Issuer's Subject field. For certain constructed CAs, this fails since pkix.Name is not suitable for round-tripping. This also builds a CRLv1 (per RFC 5280) CRL. In updating to the newer x509.CreateRevocationList(...) call, we can construct the CRL in the CRLv2 format and correctly copy the issuer's name. However, this requires holding an additional field per-CRL, the CRLNumber field, which is required in Go's implementation of CRLv2 (though OPTIONAL in the spec). We store this on the new LocalCRLConfigEntry object, per-CRL. Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 1182a71 - Browse repository at this point
Copy the full SHA 1182a71View commit details -
Add comment regarding CRL non-assignment in GOTO
In previous versions of Vault, it was possible to sign an empty CRL (when the CRL was disabled and a force-rebuild was requested). Add a comment about this case. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 48ec19e - Browse repository at this point
Copy the full SHA 48ec19eView commit details -
Allow fetching the specified issuer's CRL
We add a new API endpoint to fetch the specified issuer's CRL directly (rather than the default issuer's CRL at /crl and /certs/crl). We also add a new test to validate the CRL in a multi-root scenario and ensure it is signed with the correct keys. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 9189e7f - Browse repository at this point
Copy the full SHA 9189e7fView commit details -
Configuration menu - View commit details
-
Copy full SHA for 9f10a67 - Browse repository at this point
Copy the full SHA 9f10a67View commit details -
Refactor common backend initialization within backend_test
- Leverage an existing helper method within the PKI backend tests to setup a PKI backend with storage.
Configuration menu - View commit details
-
Copy full SHA for 2b740ec - Browse repository at this point
Copy the full SHA 2b740ecView commit details -
Add ability to read legacy cert bundle if the migration has not occur…
…red on secondaries. - Track the migration state forbidding an issuer/key writing api call if we have not migrated - For operations that just need to read the CA bundle, use the same tracking variable to switch between reading the legacy bundle or use the new key/issuer storage. - Add an invalidation function that will listen for updates to our log path to refresh the state on secondary clusters.
Configuration menu - View commit details
-
Copy full SHA for 8145882 - Browse repository at this point
Copy the full SHA 8145882View commit details -
Always write migration entry to trigger secondary clusters to wake up
- Some PR feedback and handle a case in which the primary cluster does not have a CA bundle within storage but somehow a secondary does.
Configuration menu - View commit details
-
Copy full SHA for e9e4a06 - Browse repository at this point
Copy the full SHA e9e4a06View commit details -
Update CA Chain to report entire chain
This merges the ca_chain JSON field (of the /certs/ca_chain path) with the regular certificate field, returning the root of trust always. This also affects the non-JSON (raw) endpoints as well. We return the default issuer's chain here, rather than all known issuers (as that may not form a strict chain). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 5b692bb - Browse repository at this point
Copy the full SHA 5b692bbView commit details -
Allow explicit issuer override on roles
When a role is used to generate a certificate (such as with the sign/ and issue/ legacy paths or the legacy sign-verbatim/ paths), we prefer that issuer to the one on the request. This allows operators to set an issuer (other than default) for requests to be issued against, effectively making the change no different from the users' perspective as it is "just" a different role name. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 21e0d48 - Browse repository at this point
Copy the full SHA 21e0d48View commit details -
Add tests for role-based issuer selection
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 104b42e - Browse repository at this point
Copy the full SHA 104b42eView commit details -
Expand NotAfter limit enforcement behavior
Vault previously strictly enforced NotAfter/ttl values on certificate requests, erring if the requested TTL extended past the NotAfter date of the issuer. In the event of issuing an intermediate, this behavior was ignored, instead permitting the issuance. Users generally do not think to check their issuer's NotAfter date when requesting a certificate; thus this behavior was generally surprising. Per RFC 5280 however, issuers need to maintain status information throughout the life cycle of the issued cert. If this leaf cert were to be issued for a longer duration than the parent issuer, the CA must still maintain revocation information past its expiration. Thus, we add an option to the issuer to change the desired behavior: - err, to err out, - permit, to permit the longer NotAfter date, or - truncate, to silently truncate the expiration to the issuer's NotAfter date. Since expiration of certificates in the system's trust store are not generally validated (when validating an arbitrary leaf, e.g., during TLS validation), permit should generally only be used in that case. However, browsers usually validate intermediate's validity periods, and thus truncate should likely be used (as with permit, the leaf's chain will not validate towards the end of the issuance period). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 8b2f2b0 - Browse repository at this point
Copy the full SHA 8b2f2b0View commit details -
Add tests for expanded issuance behaviors
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 8aa7caa - Browse repository at this point
Copy the full SHA 8aa7caaView commit details -
Add warning on keyless default issuer (#15178)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 35a8716 - Browse repository at this point
Copy the full SHA 35a8716View commit details -
Update PKI to new Operations framework (#15180)
The backend Framework has updated Callbacks (used extensively in PKI) to become deprecated; Operations takes their place and clarifies forwarding of requests. We switch to the new format everywhere, updating some bad assumptions about forwarding along the way. Anywhere writes are handled (that should be propagated to all nodes in all clusters), we choose to forward the request all the way up to the performance primary cluster's primary node. This holds for issuers/keys, roles, and configs (such as CRL config, which is globally set for all clusters despite all clusters having their own separate CRL). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 1b53ccd - Browse repository at this point
Copy the full SHA 1b53ccdView commit details -
Kitography/vault 5474 rebase (#15150)
* These parts work (put in signature so that backend wouldn't break, but missing fields, desc, etc.) * Import and Generate API calls w/ needed additions to SDK. * make fmt * Add Help/Sync Text, fix some of internal/exported/kms code. * Fix PEM/DER Encoding issue. * make fmt * Standardize keyIdParam, keyNameParam, keyTypeParam * Add error response if key to be deleted is in use. * replaces all instances of "default" in code with defaultRef * Updates from Callbacks to Operations Function with explicit forwarding. * Fixes a panic with names not being updated everywhere. * add a logged error in addition to warning on deleting default key. * Normalize whitespace upon importing keys. Authored-by: Alexander Scheel <alexander.m.scheel@gmail.com> * Fix isKeyInUse functionality. * Fixes tests associated with newline at end of key pem.
Configuration menu - View commit details
-
Copy full SHA for c57c1ab - Browse repository at this point
Copy the full SHA c57c1abView commit details -
Add alternative proposal PKI aliased paths (#15211)
* Add aliased path for root/rotate/:exported This adds a user-friendly path name for generating a rotated root. We automatically choose the name "next" for the newly generated root at this path if it doesn't already exist. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add aliased path for intermediate/cross-sign This allows cross-signatures to work. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add path for replacing the current root This updates default to point to the value of the issuer with name "next" rather than its current value. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove plural issuers/ in signing paths These paths use a single issuer and thus shouldn't include the plural issuers/ as a path prefix, instead using the singular issuer/ path prefix. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Only warn if default issuer was imported When the default issuer was not (re-)imported, we'd fail to find it, causing an extraneous warning about missing keys, even though this issuer indeed had a key. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add missing issuer sign/issue paths Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for e9abf67 - Browse repository at this point
Copy the full SHA e9abf67View commit details -
Configuration menu - View commit details
-
Copy full SHA for 06aed80 - Browse repository at this point
Copy the full SHA 06aed80View commit details -
Rebuild CRLs on secondary performance clusters post migration and on …
…new/updated issuers - Hook into the backend invalidation function so that secondaries are notified of new/updated issuer or migrations occuring on the primary cluster. Upon notification schedule a CRL rebuild to take place upon the next process to read/update the CRL or within the periodic function if no request comes in.
Configuration menu - View commit details
-
Copy full SHA for 52087ad - Browse repository at this point
Copy the full SHA 52087adView commit details -
Schedule rebuilding PKI CRLs on active nodes only
- Address an issue that we were scheduling the rebuilding of a CRL on standby nodes, which would not be able to write to storage. - Fix an issue with standby nodes not correctly determining that a migration previously occurred.
Configuration menu - View commit details
-
Copy full SHA for db40514 - Browse repository at this point
Copy the full SHA db40514View commit details -
Configuration menu - View commit details
-
Copy full SHA for 9157497 - Browse repository at this point
Copy the full SHA 9157497View commit details -
Handle issuer, keys locking (#15227)
* Handle locking of issuers during writes We need a write lock around writes to ensure serialization of modifications. We use a single lock for both issuer and key updates, in part because certain operations (like deletion) will potentially affect both. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add missing b.useLegacyBundleCaStorage guards Several locations needed to guard against early usage of the new issuers endpoint pre-migration. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 94169e5 - Browse repository at this point
Copy the full SHA 94169e5View commit details -
Address PKI to properly support managed keys (#15256)
* Address codebase for managed key fixes * Add proper public key comparison for better managed key support to importKeys * Remove redundant public key fetching within PKI importKeys
Configuration menu - View commit details
-
Copy full SHA for 358e1b8 - Browse repository at this point
Copy the full SHA 358e1b8View commit details
Commits on May 3, 2022
-
Correctly handle rebuilding remaining chains
When deleting a specific issuer, we might impact the chains. From a consistency perspective, we need to ensure the remaining chains are correct and don't refer to the since-deleted issuer, so trigger a full rebuild here. We don't need to call this in the delete-the-world (DELETE /root) code path, as there shouldn't be any remaining issuers or chains to build. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 6ac18d1 - Browse repository at this point
Copy the full SHA 6ac18d1View commit details -
Remove legacy CRL bundle on world deletion
When calling DELETE /root, we should remove the legacy CRL bundle, since we're deleting the legacy CA issuer bundle as well. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 39b8093 - Browse repository at this point
Copy the full SHA 39b8093View commit details -
Remove deleted issuers' CRL entries
Since CRLs are no longer resolvable after deletion (due to missing issuer ID, which will cause resolution to fail regardless of if an ID or a name/default reference was used), we should delete these CRLs from storage to avoid leaking them. In the event that this issuer comes back (with key material), we can simply rebuild the CRL at that time (from the remaining revoked storage entries). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 2b4d256 - Browse repository at this point
Copy the full SHA 2b4d256View commit details -
Add unauthed JSON fetching of CRLs, Issuers (#15253)
Default to fetching JSON CRL for consistency This makes the bare issuer-specific CRL fetching endpoint return the JSON-wrapped CRL by default, moving the DER CRL to a specific endpoint. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Add JSON-specific endpoint for fetching issuers Unlike the unqualified /issuer/:ref endpoint (which also returns JSON), we have a separate /issuer/:ref/json endpoint to return _only_ the PEM-encoded certificate and the chain, mirroring the existing /cert/ca endpoint but for a specific issuer. This allows us to make the endpoint unauthenticated, whereas the bare endpoint would remain authenticated and usually privileged. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Add tests for raw JSON endpoints Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for f82d3ef - Browse repository at this point
Copy the full SHA f82d3efView commit details -
Add unauthenticated issuers endpoints to PKI table
This adds the unauthenticated issuers endpoints? - LIST /issuers, - Fetching _just_ the issuer certificates (in JSON/DER/PEM form), and - Fetching the CRL of this issuer (in JSON/DER/PEM form). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 725bd2e - Browse repository at this point
Copy the full SHA 725bd2eView commit details -
Add issuer usage restrictions bitset
This allows issuers to have usage restrictions, limiting whether they can be used to issue certificates or if they can generate CRLs. This allows certain issuers to not generate a CRL (if the global config is with the CRL enabled) or allows the issuer to not issue new certificates (but potentially letting the CRL generation continue). Setting both fields to false effectively forms a soft delete capability. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Configuration menu - View commit details
-
Copy full SHA for 15bc598 - Browse repository at this point
Copy the full SHA 15bc598View commit details
Commits on May 4, 2022
-
PKI Pod rotation Add Base Changelog (#15283)
* PKI Pod rotation changelog. * Use feature release-note formatting of changelog.
Configuration menu - View commit details
-
Copy full SHA for bba4bcb - Browse repository at this point
Copy the full SHA bba4bcbView commit details