Add issuer usage restrictions #15255
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cipherboy
force-pushed
the
cipherboy-fix-delete-stuff
branch
from
8967ca9
to
75632ef
Compare
cipherboy
force-pushed
the
cipherboy-add-issuer-usage-restrictions
branch
from
b0f1641
to
19faacd
Compare
cipherboy
changed the base branch from
cipherboy-fix-delete-stuff
to
pki-pod-rotation
cipherboy
force-pushed
the
cipherboy-add-issuer-usage-restrictions
branch
from
19faacd
to
0456808
Compare
sgmiller
reviewed
May 3, 2022
cipherboy
force-pushed
the
cipherboy-add-issuer-usage-restrictions
branch
from
0456808
to
ae9ff5c
Compare
|
Testing: source devvault
vault secrets enable pki
vault write pki/root/generate/internal common_name="root x1" issuer_name=x1
vault write pki/root/generate/internal common_name="root x2" issuer_name=x2
vault write pki/issuer/default issuer_name=x1 usage="read only,issuing certificates"
vault write pki/roles/testing enforce_hostnames=false client_flag=true allow_any_name=true require_cn=false organization=hashicorp key_type=rsa
vault write pki/issue/testing common_name=localhost ttl=1s
vault write pki/issuer/default issuer_name=x1 usage="read only"
vault write pki/issue/testing common_name=localhost ttl=1s # should fail |
cipherboy
force-pushed
the
cipherboy-add-issuer-usage-restrictions
branch
from
ae9ff5c
to
36d31c0
Compare
stevendpclark
approved these changes
May 3, 2022
This allows issuers to have usage restrictions, limiting whether they can be used to issue certificates or if they can generate CRLs. This allows certain issuers to not generate a CRL (if the global config is with the CRL enabled) or allows the issuer to not issue new certificates (but potentially letting the CRL generation continue). Setting both fields to false effectively forms a soft delete capability. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy
force-pushed
the
cipherboy-add-issuer-usage-restrictions
branch
from
36d31c0
to
15bc598
Compare
|
Thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Built on top of #15254; will be rebased when that merges.This handles adding usage restrictions to issuers, limiting if they can be used for signing certs and CRLs (separately).
We updated the legacy bundle shim (showing it can be used for both), the issuer update/fetch paths, and mostly enforce the constraint in
fetchCAInfo. When fetching a cert (not for signing certs or CRLs), we usefalse, falseas arguments.I'm wondering if we want to make this an actual usage vector set? Or if separate flags are better? Seems like its all just about the same amount of work, minus the arguments to
fetchCAInfo, which is an internal function.