Add issuer usage restrictions #15255
Merged: cipherboy merged 1 commit into pki-pod-rotation from cipherboy-add-issuer-usage-restrictions on May 3, 2022
cipherboy force-pushed the cipherboy-fix-delete-stuff branch from 8967ca9 to 75632ef (May 2, 2022 15:43)

cipherboy force-pushed the cipherboy-add-issuer-usage-restrictions branch from b0f1641 to 19faacd (May 2, 2022 15:44)

cipherboy changed the base branch from cipherboy-fix-delete-stuff to pki-pod-rotation (May 3, 2022 12:42)

cipherboy force-pushed the cipherboy-add-issuer-usage-restrictions branch from 19faacd to 0456808 (May 3, 2022 12:42)

sgmiller reviewed May 3, 2022

cipherboy force-pushed the cipherboy-add-issuer-usage-restrictions branch from 0456808 to ae9ff5c (May 3, 2022 16:14)
Testing:

```
source devvault
vault secrets enable pki
vault write pki/root/generate/internal common_name="root x1" issuer_name=x1
vault write pki/root/generate/internal common_name="root x2" issuer_name=x2
vault write pki/issuer/default issuer_name=x1 usage="read only,issuing certificates"
vault write pki/roles/testing enforce_hostnames=false client_flag=true allow_any_name=true require_cn=false organization=hashicorp key_type=rsa
vault write pki/issue/testing common_name=localhost ttl=1s
vault write pki/issuer/default issuer_name=x1 usage="read only"
vault write pki/issue/testing common_name=localhost ttl=1s # should fail
```
cipherboy force-pushed the cipherboy-add-issuer-usage-restrictions branch from ae9ff5c to 36d31c0 (May 3, 2022 19:44)
stevendpclark approved these changes May 3, 2022
Small nit on docs, but 👍
This allows issuers to have usage restrictions, limiting whether they can be used to issue certificates or if they can generate CRLs. This allows certain issuers to not generate a CRL (if the global config is with the CRL enabled) or allows the issuer to not issue new certificates (but potentially letting the CRL generation continue). Setting both fields to false effectively forms a soft delete capability.

Signed-off-by: Alexander Scheel <[email protected]>
cipherboy force-pushed the cipherboy-add-issuer-usage-restrictions branch from 36d31c0 to 15bc598 (May 3, 2022 20:40)
Thank you!
Built on top of #15254; will be rebased when that merges.

This handles adding usage restrictions to issuers, limiting if they can be used for signing certs and CRLs (separately).

We updated the legacy bundle shim (showing it can be used for both), the issuer update/fetch paths, and mostly enforce the constraint in `fetchCAInfo`. When fetching a cert (not for signing certs or CRLs), we use `false, false` as arguments.

I'm wondering if we want to make this an actual usage vector set? Or if separate flags are better? Seems like it's all just about the same amount of work, minus the arguments to `fetchCAInfo`, which is an internal function.
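
The "usage vector set" alternative raised in the description above, sketched as an added Go example that is not Vault's code and not part of this pull request. The type, constant and function names are hypothetical, and `crl signing` is an assumed usage name; only `read only` and `issuing certificates` appear in the test commands on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// IssuerUsage is a hypothetical bit set ("usage vector"); not Vault's own type.
type IssuerUsage uint

const (
	ReadOnly        IssuerUsage = 1 << iota // certificate may be read
	IssuanceUsage                           // may sign leaf certificates
	CRLSigningUsage                         // may sign CRLs
)

// "crl signing" is an assumed name; the other two are from the page's test commands.
var usageNames = map[string]IssuerUsage{
	"read only":            ReadOnly,
	"issuing certificates": IssuanceUsage,
	"crl signing":          CRLSigningUsage,
}

// ParseUsage converts a comma-separated usage string, rejecting unknown names.
func ParseUsage(s string) (IssuerUsage, error) {
	var u IssuerUsage
	for _, part := range strings.Split(s, ",") {
		bit, ok := usageNames[strings.ToLower(strings.TrimSpace(part))]
		if !ok {
			return 0, fmt.Errorf("unknown issuer usage %q", part)
		}
		u |= bit
	}
	return u, nil
}

// CheckUsage is the gate a signing path calls before using the issuer's key.
// need == 0 always passes, matching a plain fetch that requests no signing usage.
func CheckUsage(have, need IssuerUsage) error {
	if have&need != need {
		return fmt.Errorf("issuer usage %03b lacks required usage %03b", have, need)
	}
	return nil
}

func main() {
	u, _ := ParseUsage("read only")
	fmt.Println(CheckUsage(u, IssuanceUsage))
}
```

With a set, a new usage is one more constant and map entry, while separate boolean flags add a parameter to every caller of the internal check.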