Merge branch 'master-oss' into cubbyhole-the-world

CHANGELOG.md

@@ -27,17 +27,19 @@ DEPRECATIONS/BREAKING CHANGES:
    using the `consul` backend and will perform its own health checks.  See
    the Consul backend documentation for information on how to disable
    auto-registration and service checks.
+ * List operations that do not find any keys now return a `404` status code
+   rather than an empty response object [GH-1365]
 
 FEATURES:
 
  * **Azure Physical Backend**: You can now use Azure blob object storage as
    your Vault physical data store [GH-1266]
- * **Consul Backend**: Consul backend will automatically register a `vault`
+ * **Consul Backend Health Checks**: The Consul backend will automatically
-   service and perform its own health checking.  By default the active node
+   register a `vault` service and perform its own health checking. By default
-   can be found at `active.vault.service.consul` and all with standby nodes
+   the active node can be found at `active.vault.service.consul` and all with
-   are `standby.vault.service.consul`.  Sealed vaults are marked critical and
+   standby nodes are `standby.vault.service.consul`. Sealed vaults are marked
-   are not listed by default in Consul's service discovery.  See the
+   critical and are not listed by default in Consul's service discovery.  See
-   documentation for details. [GH-1349]
+   the documentation for details. [GH-1349]
 
 IMPROVEMENTS:
 
@@ -68,6 +70,8 @@ BUG FIXES:
  * command/various: Tell the JSON decoder to not convert all numbers to floats;
    fixes some various places where numbers were showing up in scientific
    notation
+ * core: Properly persist mount-tuned TTLs for auth backends [GH-1371]
+ * core: Don't accidentally crosswire SIGINT to the reload handler [GH-1372]
  * credential/github: Make organization comparison case-insensitive during
    login [GH-1359]
  * credential/ldap: Fix problem where certain error conditions when configuring

Godeps/Godeps.json

@@ -8,8 +8,8 @@
 	"Deps": [
 		{
 			"ImportPath": "github.com/Azure/azure-sdk-for-go/storage",
-			"Comment": "v2.1.1-beta",
+			"Comment": "v2.1.1-beta-4-gd4e45a6",
-			"Rev": "a1883f7b98346e4908a6c25230c95a8a3026a10c"
+			"Rev": "d4e45a63c9d269ddff72970df7c80d214aeddcf3"
 		},
 		{
 			"ImportPath": "github.com/armon/go-metrics",
@@ -26,153 +26,153 @@
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/awserr",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/awsutil",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/client",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/client/metadata",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/corehandlers",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/credentials",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/defaults",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/ec2metadata",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/request",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/aws/session",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/endpoints",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol/ec2query",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol/json/jsonutil",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol/jsonrpc",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol/query",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol/query/queryutil",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol/rest",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol/restxml",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/signer/v4",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/private/waiter",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/service/dynamodb",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/service/ec2",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/service/iam",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/service/s3",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/aws/aws-sdk-go/service/sts",
-			"Comment": "v1.1.20-13-gd6f37f6",
+			"Comment": "v1.1.22-3-g1915858",
-			"Rev": "d6f37f6686a9207f3688d440733c4d20301273db"
+			"Rev": "1915858199be30d43264f86f9b9b469b7f2c8340"
 		},
 		{
 			"ImportPath": "github.com/bgentry/speakeasy",
@@ -180,32 +180,32 @@
 		},
 		{
 			"ImportPath": "github.com/cloudfoundry-incubator/candiedyaml",
-			"Rev": "5cef21e2e4f0fd147973b558d4db7395176bcd95"
+			"Rev": "99c3df83b51532e3615f851d8c2dbb638f5313bf"
 		},
 		{
 			"ImportPath": "github.com/coreos/etcd/client",
-			"Comment": "v2.3.0-556-g7161eee",
+			"Comment": "v2.3.0-651-gfd27f9c",
-			"Rev": "7161eeed8b7fa59551f8ad8ec71251be8579d5eb"
+			"Rev": "fd27f9cd288c7ccd03d2555663a2ed20178d4b5c"
 		},
 		{
 			"ImportPath": "github.com/coreos/etcd/pkg/pathutil",
-			"Comment": "v2.3.0-556-g7161eee",
+			"Comment": "v2.3.0-651-gfd27f9c",
-			"Rev": "7161eeed8b7fa59551f8ad8ec71251be8579d5eb"
+			"Rev": "fd27f9cd288c7ccd03d2555663a2ed20178d4b5c"
 		},
 		{
 			"ImportPath": "github.com/coreos/etcd/pkg/tlsutil",
-			"Comment": "v2.3.0-556-g7161eee",
+			"Comment": "v2.3.0-651-gfd27f9c",
-			"Rev": "7161eeed8b7fa59551f8ad8ec71251be8579d5eb"
+			"Rev": "fd27f9cd288c7ccd03d2555663a2ed20178d4b5c"
 		},
 		{
 			"ImportPath": "github.com/coreos/etcd/pkg/transport",
-			"Comment": "v2.3.0-556-g7161eee",
+			"Comment": "v2.3.0-651-gfd27f9c",
-			"Rev": "7161eeed8b7fa59551f8ad8ec71251be8579d5eb"
+			"Rev": "fd27f9cd288c7ccd03d2555663a2ed20178d4b5c"
 		},
 		{
 			"ImportPath": "github.com/coreos/etcd/pkg/types",
-			"Comment": "v2.3.0-556-g7161eee",
+			"Comment": "v2.3.0-651-gfd27f9c",
-			"Rev": "7161eeed8b7fa59551f8ad8ec71251be8579d5eb"
+			"Rev": "fd27f9cd288c7ccd03d2555663a2ed20178d4b5c"
 		},
 		{
 			"ImportPath": "github.com/denisenkom/go-mssqldb",
@@ -234,7 +234,7 @@
 		},
 		{
 			"ImportPath": "github.com/go-ldap/ldap",
-			"Comment": "v2.2.2-3-g0e7db8e",
+			"Comment": "v2.3.0",
 			"Rev": "0e7db8eb77695b5a952f0e5d78df9ab160050c73"
 		},
 		{
@@ -244,27 +244,27 @@
 		},
 		{
 			"ImportPath": "github.com/gocql/gocql",
-			"Comment": "pre-node-events-267-g1440c60",
+			"Comment": "pre-node-events-293-g2e0390b",
-			"Rev": "1440c609669494bcb31b1e300e8d2ef51e205dd3"
+			"Rev": "2e0390b6fbe023664fcdaa9767f0f83fbe78956d"
 		},
 		{
 			"ImportPath": "github.com/gocql/gocql/internal/lru",
-			"Comment": "pre-node-events-267-g1440c60",
+			"Comment": "pre-node-events-293-g2e0390b",
-			"Rev": "1440c609669494bcb31b1e300e8d2ef51e205dd3"
+			"Rev": "2e0390b6fbe023664fcdaa9767f0f83fbe78956d"
 		},
 		{
 			"ImportPath": "github.com/gocql/gocql/internal/murmur",
-			"Comment": "pre-node-events-267-g1440c60",
+			"Comment": "pre-node-events-293-g2e0390b",
-			"Rev": "1440c609669494bcb31b1e300e8d2ef51e205dd3"
+			"Rev": "2e0390b6fbe023664fcdaa9767f0f83fbe78956d"
 		},
 		{
 			"ImportPath": "github.com/gocql/gocql/internal/streams",
-			"Comment": "pre-node-events-267-g1440c60",
+			"Comment": "pre-node-events-293-g2e0390b",
-			"Rev": "1440c609669494bcb31b1e300e8d2ef51e205dd3"
+			"Rev": "2e0390b6fbe023664fcdaa9767f0f83fbe78956d"
 		},
 		{
 			"ImportPath": "github.com/golang/snappy",
-			"Rev": "ec642410cd033af63620b66a91ccbd3c69c2c59a"
+			"Rev": "43fea289edce21979658cbbdb3925390890aa86e"
 		},
 		{
 			"ImportPath": "github.com/google/go-github/github",
@@ -280,8 +280,13 @@
 		},
 		{
 			"ImportPath": "github.com/hashicorp/consul/api",
-			"Comment": "v0.6.4-256-gadcf935",
+			"Comment": "v0.6.4-268-g9f272b0",
-			"Rev": "adcf93535058234780f9aaffb40497ba194f60a0"
+			"Rev": "9f272b088131af951ea1f77594905ceae83fd2c1"
+		},
+		{
+			"ImportPath": "github.com/hashicorp/consul/lib",
+			"Comment": "v0.6.4-268-g9f272b0",
+			"Rev": "9f272b088131af951ea1f77594905ceae83fd2c1"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/errwrap",
@@ -295,6 +300,10 @@
 			"ImportPath": "github.com/hashicorp/go-multierror",
 			"Rev": "d30f09973e19c1dfcd120b2d9c4f168e68d6b5d5"
 		},
+		{
+			"ImportPath": "github.com/hashicorp/go-rootcerts",
+			"Rev": "6bb64b370b90e7ef1fa532be9e591a81c3493e00"
+		},
 		{
 			"ImportPath": "github.com/hashicorp/go-syslog",
 			"Rev": "42a2b573b664dbf281bd48c3cc12c086b17a39ba"
@@ -313,39 +322,39 @@
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl/hcl/ast",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl/hcl/parser",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl/hcl/scanner",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl/hcl/strconv",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl/hcl/token",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl/json/parser",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl/json/scanner",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/hcl/json/token",
-			"Rev": "27a57f2605e04995c111273c263d51cee60d9bc4"
+			"Rev": "9a905a34e6280ce905da1a32344b25e81011197a"
 		},
 		{
 			"ImportPath": "github.com/hashicorp/logutils",
@@ -353,8 +362,8 @@
 		},
 		{
 			"ImportPath": "github.com/hashicorp/serf/coordinate",
-			"Comment": "v0.7.0-56-ga876af0",
+			"Comment": "v0.7.0-58-gdefb069",
-			"Rev": "a876af06863abed3e31252a913bad976aeff61df"
+			"Rev": "defb069b1bad9f7cdebc647810cb6ae398a1b617"
 		},
 		{
 			"ImportPath": "github.com/jmespath/go-jmespath",
@@ -363,13 +372,13 @@
 		},
 		{
 			"ImportPath": "github.com/lib/pq",
-			"Comment": "go1.0-cutoff-84-g3cd0097",
+			"Comment": "go1.0-cutoff-86-gdd3290b",
-			"Rev": "3cd0097429be7d611bb644ef85b42bfb102ceea4"
+			"Rev": "dd3290b2f71a8b30bee8e4e75a337a825263d26f"
 		},
 		{
 			"ImportPath": "github.com/lib/pq/oid",
-			"Comment": "go1.0-cutoff-84-g3cd0097",
+			"Comment": "go1.0-cutoff-86-gdd3290b",
-			"Rev": "3cd0097429be7d611bb644ef85b42bfb102ceea4"
+			"Rev": "dd3290b2f71a8b30bee8e4e75a337a825263d26f"
 		},
 		{
 			"ImportPath": "github.com/mattn/go-isatty",
@@ -410,75 +419,75 @@
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/bcrypt",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/blowfish",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/cast5",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/curve25519",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/md4",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/openpgp",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/openpgp/armor",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/openpgp/elgamal",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/openpgp/errors",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/openpgp/packet",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/openpgp/s2k",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/ssh",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/ssh/agent",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/crypto/ssh/terminal",
-			"Rev": "c9aef117f53e16ed3a6cc3d93cd357dbf2005065"
+			"Rev": "2cb52d93744fdc9a51f5c87b36fe2208d424af5a"
 		},
 		{
 			"ImportPath": "golang.org/x/net/context",
-			"Rev": "b797637b7aeeed133049c7281bfa31dcc9ca42d6"
+			"Rev": "35ec611a141ee705590b9eb64d673f9e6dfeb1ac"
 		},
 		{
 			"ImportPath": "golang.org/x/oauth2",
-			"Rev": "7e9cd5d59563851383f8f81a7fbb01213709387c"
+			"Rev": "f6a14f0423bcd7a0ae907ace2795e63ec5f9fe51"
 		},
 		{
 			"ImportPath": "golang.org/x/oauth2/internal",
-			"Rev": "7e9cd5d59563851383f8f81a7fbb01213709387c"
+			"Rev": "f6a14f0423bcd7a0ae907ace2795e63ec5f9fe51"
 		},
 		{
 			"ImportPath": "golang.org/x/sys/unix",
-			"Rev": "f64b50fbea64174967a8882830d621a18ee1548e"
+			"Rev": "b776ec39b3e54652e09028aaaaac9757f4f8211a"
 		},
 		{
 			"ImportPath": "gopkg.in/asn1-ber.v1",

api/client.go

@@ -2,21 +2,18 @@ package api
 
 import (
 	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
-	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/go-rootcerts"
 )
 
 const EnvVaultAddress = "VAULT_ADDR"
@@ -94,9 +91,9 @@ func (c *Config) ReadEnvironment() error {
 	var foundInsecure bool
 	var envTLSServerName string
 
-	var newCertPool *x509.CertPool
 	var clientCert tls.Certificate
 	var foundClientCert bool
+	var err error
 
 	if v := os.Getenv(EnvVaultAddress); v != "" {
 		envAddress = v
@@ -129,16 +126,6 @@ func (c *Config) ReadEnvironment() error {
 	}
 	// If we need custom TLS configuration, then set it
 	if envCACert != "" || envCAPath != "" || envClientCert != "" || envClientKey != "" || envInsecure {
-		var err error
-		if envCACert != "" {
-			newCertPool, err = LoadCACert(envCACert)
-		} else if envCAPath != "" {
-			newCertPool, err = LoadCAPath(envCAPath)
-		}
-		if err != nil {
-			return fmt.Errorf("Error setting up CA path: %s", err)
-		}
-
 		if envClientCert != "" && envClientKey != "" {
 			clientCert, err = tls.LoadX509KeyPair(envClientCert, envClientKey)
 			if err != nil {
@@ -162,9 +149,7 @@ func (c *Config) ReadEnvironment() error {
 	if foundInsecure {
 		clientTLSConfig.InsecureSkipVerify = envInsecure
 	}
-	if newCertPool != nil {
+
-		clientTLSConfig.RootCAs = newCertPool
-	}
 	if foundClientCert {
 		clientTLSConfig.Certificates = []tls.Certificate{clientCert}
 	}
@@ -172,6 +157,15 @@ func (c *Config) ReadEnvironment() error {
 		clientTLSConfig.ServerName = envTLSServerName
 	}
 
+	rootConfig := &rootcerts.Config{
+		CAFile: envCACert,
+		CAPath: envCAPath,
+	}
+	err = rootcerts.ConfigureTLS(clientTLSConfig, rootConfig)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -327,74 +321,3 @@ START:
 
 	return result, nil
 }
-
-// Loads the certificate from given path and creates a certificate pool from it.
-func LoadCACert(path string) (*x509.CertPool, error) {
-	certs, err := loadCertFromPEM(path)
-	if err != nil {
-		return nil, err
-	}
-
-	result := x509.NewCertPool()
-	for _, cert := range certs {
-		result.AddCert(cert)
-	}
-
-	return result, nil
-}
-
-// Loads the certificates present in the given directory and creates a
-// certificate pool from it.
-func LoadCAPath(path string) (*x509.CertPool, error) {
-	result := x509.NewCertPool()
-	fn := func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-
-		if info.IsDir() {
-			return nil
-		}
-
-		certs, err := loadCertFromPEM(path)
-		if err != nil {
-			return err
-		}
-
-		for _, cert := range certs {
-			result.AddCert(cert)
-		}
-		return nil
-	}
-
-	return result, filepath.Walk(path, fn)
-}
-
-// Creates a certificate from the given path
-func loadCertFromPEM(path string) ([]*x509.Certificate, error) {
-	pemCerts, err := ioutil.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	certs := make([]*x509.Certificate, 0, 5)
-	for len(pemCerts) > 0 {
-		var block *pem.Block
-		block, pemCerts = pem.Decode(pemCerts)
-		if block == nil {
-			break
-		}
-		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
-			continue
-		}
-
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			return nil, err
-		}
-
-		certs = append(certs, cert)
-	}
-
-	return certs, nil
-}

api/ssh_agent.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-rootcerts"
 	"github.com/hashicorp/hcl"
 	"github.com/hashicorp/hcl/hcl/ast"
 	"github.com/mitchellh/mapstructure"
@@ -85,17 +86,14 @@ func (c *SSHHelperConfig) NewClient() (*Client, error) {
 
 	// Check if certificates are provided via config file.
 	if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify {
-		var certPool *x509.CertPool
+		rootConfig := &rootcerts.Config{
-		var err error
+			CAFile: c.CACert,
-		if c.CACert != "" {
+			CAPath: c.CAPath,
-			certPool, err = LoadCACert(c.CACert)
-		} else if c.CAPath != "" {
-			certPool, err = LoadCAPath(c.CAPath)
 		}
+		certPool, err := rootcerts.LoadCACerts(rootConfig)
 		if err != nil {
 			return nil, err
 		}
-
 		// Enable TLS on the HTTP client information
 		c.SetTLSParameters(clientConfig, certPool)
 	}

builtin/credential/cert/backend_test.go

@@ -8,7 +8,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/go-rootcerts"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	logicaltest "github.com/hashicorp/vault/logical/testing"
@@ -16,19 +16,19 @@ import (
 )
 
 const (
-	serverCertPath = "test-fixtures/rootcacert.pem"
+	serverCertPath = "test-fixtures/cacert.pem"
-	serverKeyPath  = "test-fixtures/rootcakey.pem"
+	serverKeyPath  = "test-fixtures/cakey.pem"
 	serverCAPath   = serverCertPath
 
-	testRootCACertPath1 = "test-fixtures/testrootcacert.pem"
+	testRootCACertPath1 = "test-fixtures/testcacert1.pem"
-	testRootCAKeyPath1  = "test-fixtures/testrootcakey.pem"
+	testRootCAKeyPath1  = "test-fixtures/testcakey1.pem"
-	testCertPath1       = "test-fixtures/testcert.pem"
+	testCertPath1       = "test-fixtures/testissuedcert4.pem"
-	testKeyPath1        = "test-fixtures/testkey.pem"
+	testKeyPath1        = "test-fixtures/testissuedkey4.pem"
-	testIssuedCertCRL   = "test-fixtures/issuedcrl"
+	testIssuedCertCRL   = "test-fixtures/issuedcertcrl"
 
-	testRootCACertPath2 = "test-fixtures/testrootcacert2.pem"
+	testRootCACertPath2 = "test-fixtures/testcacert2.pem"
-	testRootCAKeyPath2  = "test-fixtures/testrootcakey2.pem"
+	testRootCAKeyPath2  = "test-fixtures/testcakey2.pem"
-	testRootCertCRL     = "test-fixtures/rootcrl"
+	testRootCertCRL     = "test-fixtures/cacert2crl"
 )
 
 // Unlike testConnState, this method does not use the same 'tls.Config' objects for
@@ -52,7 +52,10 @@ func connectionState(t *testing.T, serverCAPath, serverCertPath, serverKeyPath,
 		t.Fatal(err)
 	}
 	// Load the CA cert required by the client to authenticate the server.
-	serverCAs, err := api.LoadCACert(serverCAPath)
+	rootConfig := &rootcerts.Config{
+		CAFile: serverCAPath,
+	}
+	serverCAs, err := rootcerts.LoadCACerts(rootConfig)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -98,6 +101,15 @@ func connectionState(t *testing.T, serverCAPath, serverCertPath, serverKeyPath,
 	return connState
 }
 
+func failOnError(t *testing.T, resp *logical.Response, err error) {
+	if resp != nil && resp.IsError() {
+		t.Fatalf("error returned in response: %s", resp.Data["error"])
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestBackend_CRLs(t *testing.T) {
 	config := logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
@@ -127,10 +139,8 @@ func TestBackend_CRLs(t *testing.T) {
 		Data:      certData,
 	}
 
-	_, err = b.HandleRequest(certReq)
+	resp, err := b.HandleRequest(certReq)
-	if err != nil {
+	failOnError(t, resp, err)
-		t.Fatal(err)
-	}
 
 	// Connection state is presenting the client CA cert and its key.
 	// This is exactly what is registered at the backend.
@@ -143,13 +153,8 @@ func TestBackend_CRLs(t *testing.T) {
 			ConnState: &connState,
 		},
 	}
-	resp, err := b.HandleRequest(loginReq)
+	resp, err = b.HandleRequest(loginReq)
-	if err != nil {
+	failOnError(t, resp, err)
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
 
 	// Now, without changing the registered client CA cert, present from
 	// the client side, a cert issued using the registered CA.
@@ -158,12 +163,7 @@ func TestBackend_CRLs(t *testing.T) {
 
 	// Attempt login with the updated connection
 	resp, err = b.HandleRequest(loginReq)
-	if err != nil {
+	failOnError(t, resp, err)
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
 
 	// Register a CRL containing the issued client certificate used above.
 	issuedCRL, err := ioutil.ReadFile(testIssuedCertCRL)
@@ -180,10 +180,8 @@ func TestBackend_CRLs(t *testing.T) {
 		Path:      "crls/issuedcrl",
 		Data:      crlData,
 	}
-	_, err = b.HandleRequest(crlReq)
+	resp, err = b.HandleRequest(crlReq)
-	if err != nil {
+	failOnError(t, resp, err)
-		t.Fatal(err)
-	}
 
 	// Attempt login with the revoked certificate.
 	resp, err = b.HandleRequest(loginReq)
@@ -200,10 +198,8 @@ func TestBackend_CRLs(t *testing.T) {
 		t.Fatal(err)
 	}
 	certData["certificate"] = clientCA2
-	_, err = b.HandleRequest(certReq)
+	resp, err = b.HandleRequest(certReq)
-	if err != nil {
+	failOnError(t, resp, err)
-		t.Fatal(err)
-	}
 
 	// Test login using a different client CA cert pair.
 	connState = connectionState(t, serverCAPath, serverCertPath, serverKeyPath, testRootCACertPath2, testRootCAKeyPath2)
@@ -211,12 +207,7 @@ func TestBackend_CRLs(t *testing.T) {
 
 	// Attempt login with the updated connection
 	resp, err = b.HandleRequest(loginReq)
-	if err != nil {
+	failOnError(t, resp, err)
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
 
 	// Register a CRL containing the root CA certificate used above.
 	rootCRL, err := ioutil.ReadFile(testRootCertCRL)
@@ -224,10 +215,8 @@ func TestBackend_CRLs(t *testing.T) {
 		t.Fatal(err)
 	}
 	crlData["crl"] = rootCRL
-	_, err = b.HandleRequest(crlReq)
+	resp, err = b.HandleRequest(crlReq)
-	if err != nil {
+	failOnError(t, resp, err)
-		t.Fatal(err)
-	}
 
 	// Attempt login with the same connection state but with the CRL registered
 	resp, err = b.HandleRequest(loginReq)
@@ -569,7 +558,10 @@ func testConnState(t *testing.T, certPath, keyPath, rootCertPath string) tls.Con
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	rootCAs, err := api.LoadCACert(rootCertPath)
+	rootConfig := &rootcerts.Config{
+		CAFile: rootCertPath,
+	}
+	rootCAs, err := rootcerts.LoadCACerts(rootConfig)
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}

builtin/credential/cert/test-fixtures/cacert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUXiEDuecwua9+j1XHLnconxQ/JBcwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYwMzU4WhgPMjA2
+NjA0MjAxNjA0MjhaMBYxFDASBgNVBAMTC215dmF1bHQuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWPjnTqnkc6acah+wWLmdTK0oCrf2687XVhx
+VP3IN897TYzkaBQ2Dn1UM2VEL71sE3OZSVm0UWs5n7UqRuDp6mvkvrT2q5zgh/bV
+zg9ZL1AI5H7dY2Rsor95I849ymFpXZooMgNtIQLxIeleBwzTnVSkFl8RqKM7NkjZ
+wvBafQEjSsYk9050Bu0GMLgFJYRo1LozJLbwIs5ykG5F5PWTMfRvLCgLBzixPb75
+unIJ29nL0yB7zzUdkM8CG1EX8NkjGLEnpRnPa7+RMf8bd10v84cr0JFCUQmoabks
+sqVyA825/1we2r5Y8blyXZVIr2lcPyGocLDxz1qT1MqxrNQIywIDAQABo4GBMH8w
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBTo2I+W
+3Wb2MBe3OWuj5qCbafavMB8GA1UdIwQYMBaAFBTo2I+W3Wb2MBe3OWuj5qCbafav
+MBwGA1UdEQQVMBOCC215dmF1bHQuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
+AQAyjJzDMzf28yMgiu//2R6LD3+zuLHlfX8+p5JB7WDBT7CgSm89gzMRtD2DvqZQ
+6iLbZv/x7Td8bdLsOKf3LDCkZyOygJ0Sr9+6YZdc9heWO8tsO/SbcLhj9/vK8YyV
+5fJo+vECW8I5zQLeTKfPqJtTU0zFspv0WYCB96Hsbhd1hTfHmVgjBoxi0YuduAa8
+3EHuYPfTYkO3M4QJCoQ+3S6LXSTDqppd1KGAy7QhRU6shd29EpSVxhgqZ+CIOpZu
+3RgPOgPqfqcOD/v/SRPqhRf+P5O5Dc/N4ZXTZtfJbaY0qE+smpeQUskVQ2TrSqha
+UYpNk7+toZW3Gioo0lBD3gH2
+-----END CERTIFICATE-----

builtin/credential/cert/test-fixtures/cacert2crl

@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBrjCBlzANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbRcN
+MTYwNTAyMTYxNDMzWhcNMTYwNTA1MTYxNDMzWjArMCkCFCXxxcbS0ATpI2PYrx8d
+ACLEQ3B9FxExNjA1MDIxMjE0MzMtMDQwMKAjMCEwHwYDVR0jBBgwFoAUwsRNYCw4
+U2won66rMKEJm8inFfgwDQYJKoZIhvcNAQELBQADggEBAD/VvoRK4eaEDzG7Z95b
+fHL5ubJGkyvkp8ruNu+rfQp8NLgFVvY6a93Hz7WLOhACkKIWJ63+/4vCfDi5uU0B
+HW2FICHdlSQ+6DdGJ6MrgujALlyT+69iF+fPiJ/M1j/N7Am8XPYYcfNdSK6CHtfg
+gHNB7E+ubBA7lIw7ucIkoiJjXrSWSXTs9/GzLUImiXJAKQ+JzPYryIsGKXKAwgHh
+HB56BnJ2vOs7+6UxQ6fjKTMxYdNgoZ34MhkkxNNhylrEndO6XUvUvC1f/1p1wlzy
+xTq2MrMfJHJyu08rkrD+kwMPH2uoVwKyDhXdRBP0QrvQwOsvNEhW8LTKwLWkK17b
+fEI=
+-----END X509 CRL-----

builtin/credential/cert/test-fixtures/cakey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAwWPjnTqnkc6acah+wWLmdTK0oCrf2687XVhxVP3IN897TYzk
+aBQ2Dn1UM2VEL71sE3OZSVm0UWs5n7UqRuDp6mvkvrT2q5zgh/bVzg9ZL1AI5H7d
+Y2Rsor95I849ymFpXZooMgNtIQLxIeleBwzTnVSkFl8RqKM7NkjZwvBafQEjSsYk
+9050Bu0GMLgFJYRo1LozJLbwIs5ykG5F5PWTMfRvLCgLBzixPb75unIJ29nL0yB7
+zzUdkM8CG1EX8NkjGLEnpRnPa7+RMf8bd10v84cr0JFCUQmoabkssqVyA825/1we
+2r5Y8blyXZVIr2lcPyGocLDxz1qT1MqxrNQIywIDAQABAoIBAD1pBd9ov8t6Surq
+sY2hZUM0Hc16r+ln5LcInbx6djjaxvHiWql+OYgyXimP764lPYuTuspjFPKB1SOU
++N7XDxCkwFeayXXHdDlYtZ4gm5Z9mMVOT+j++8xWdxZaqJ56fmX9zOPM2LuR3paB
+L52Xgh9EwHJmMApYAzaCvbu8bU+iHeNTW80xabxQrp9VCu/A1BXUX06jK4T+wmjZ
+kDA82uQp3dCOF1tv/10HgwqkJj6/1jjM0XUzUZR6iV85S6jrA7wD7gDDeqNO8YHN
+08YMRgTKk4pbA7AqoC5xbL3gbSjsjyw48KRq0FkdkjsgV0PJZRMUU9fv9puDa23K
+WRPa8LECgYEAyeth5bVH8FXnVXIAAFU6W0WdgCK3VakhjItLw0eoxshuTwbVq64w
+CNOB8y1pfP83WiJjX3qRG43NDW07X69J57YKtCCb6KICVUPmecgYZPkmegD1HBQZ
+5+Aak+5pIUQuycQ0t65yHGu4Jsju05gEFgdzydFjNANgiPxRzZxzAkkCgYEA9S+y
+ZR063oCQDg/GhMLCx19nCJyU44Figh1YCD6kTrsSTECuRpQ5B1F9a+LeZT2wnYxv
++qMvvV+lfVY73f5WZ567u2jSDIsCH34p4g7sE25lKwo+Lhik6EtOehJFs2ZUemaT
+Ym7EjqWlC1whrG7P4MnTGzPOVNAGAxsGPtT58nMCgYAs/R8A2VU//UPfy9ioOlUY
+RPiEtjd3BIoPEHI+/lZihAHf5bvx1oupS8bmcbXRPeQNVyAhA+QU6ZFIbpAOD7Y9
+xFe6LpHOUVqHuOs/MxAMX17tTA1QxkHHYi1JzJLr8I8kMW01h86w+mc7bQWZa4Nt
+jReFXfvmeOInY2CumS8e0QKBgC23ow/vj1aFqla04lNG7YK3a0LTz39MVM3mItAG
+viRgBV1qghRu9uNCcpx3RPijtBbsZMTbQL+S4gyo06jlD79qfZ7IQMJN+SteHvkj
+xykoYHzSAB4gQj9+KzffyFdXMVFRZxHnjYb7o/amSzEXyHMlrtNXqZVu5HAXzeZR
+V/m5AoGAAStS43Q7qSJSMfMBITKMdKlqCObnifD77WeR2WHGrpkq26300ggsDpMS
+UTmnAAo77lSMmDsdoNn2XZmdeTu1CPoQnoZSE5CqPd5GeHA/hhegVCdeYxSXZJoH
+Lhiac+AhCEog/MS1GmVsjynD7eDGVFcsJ6SWuam7doKfrpPqPnE=
+-----END RSA PRIVATE KEY-----

builtin/credential/cert/test-fixtures/generate.txt

@@ -0,0 +1,67 @@
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
+vi cacert.pem
+vi cakey.pem
+
+vaultcert.hcl
+backend "inmem" {
+}
+disable_mlock = true
+default_lease_ttl = "700h"
+max_lease_ttl = "720h"
+listener "tcp" {
+  address = "127.0.0.1:8200"
+  tls_cert_file = "./cacert.pem"
+  tls_key_file = "./cakey.pem"
+}
+========================================
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1
+vi testcacert1.pem
+vi testcakey1.pem
+vi testcaserial1
+
+vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial1
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedcert2.pem
+vi testissuedkey2.pem
+vi testissuedserial2
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial3
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedcert4.pem
+vi testissuedkey4.pem
+vi testissuedserial4
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial5
+
+vault write pki/revoke serial_number=$(cat testissuedserial2)
+vault write pki/revoke serial_number=$(cat testissuedserial4)
+curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > issuedcertcrl
+openssl crl -in issuedcertcrl -noout -text
+
+========================================
+export VAULT_ADDR='http://127.0.0.1:8200'
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
+vi testcacert2.pem
+vi testcakey2.pem
+vi testcaserial2
+vi testcacert2leaseid
+
+vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+vault revoke $(cat testcacert2leaseid)
+
+curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > cacert2crl
+openssl crl -in cacert2crl -noout -text

builtin/credential/cert/test-fixtures/issuedcertcrl

@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIB2TCBwjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbRcN
+MTYwNTAyMTYxMTA4WhcNMTYwNTA1MTYxMTA4WjBWMCkCFAS6oenLRllQ1MRYcSV+
+5ukv2563FxExNjA1MDIxMjExMDgtMDQwMDApAhQaQdPJfbIwE3q4nyYp60lVnZaE
+5hcRMTYwNTAyMTIxMTA1LTA0MDCgIzAhMB8GA1UdIwQYMBaAFOuKvPiUG06iHkRX
+AOeMiUdBfHFyMA0GCSqGSIb3DQEBCwUAA4IBAQBD2jkeOAmkDdYkAXbmjLGdHaQI
+WMS/M+wtFnHVIDVQEmUmj/KPsrkshTZv2UgCHIxBha6y+kXUMQFMg6FwriDTB170
+WyJVDVhGg2WjiQjnzrzEI+iOmcpx60sPPXE63J/Zxo4QS5M62RTXRq3909HQTFI5
+f3xf0pog8mOrv5uQxO1SACP6YFtdDE2dGOVwoIPuNMTY5vijnj8I9dAw8VrbdoBX
+m/Ky56kT+BpmVWHKwQd1nEcP/RHSKbZwwJzJG0BoGM8cvzjITtBmpEF+OZcea81x
+p9XJkpfFeiVIgzxks3zTeuQjLF8u+MDcdGt0ztHEbkswjxuk1cCovZe2GFr4
+-----END X509 CRL-----

builtin/credential/cert/test-fixtures/issuedcrl

@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBrjCBlzANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbRcN
-MTYwNDI5MDA1NTQwWhcNMTYwNTAyMDA1NTQwWjArMCkCFEOWF6CnaboEe7/IyD/D
-4MJjqiK9FxExNjA0MjgyMDU1NDAtMDQwMKAjMCEwHwYDVR0jBBgwFoAULYlz83DS
-o7GoN/zBNq0yxU73SkswDQYJKoZIhvcNAQELBQADggEBAHKrtTf5lUDf9+TOmtvn
-o6kq9nqydZABS5m0ZhH3xpLEEUltaIWukQexcHd8RBTlqm8Ugm0HVYsAZKW2rTGk
-h0ITzsNjRBpM+xjpWaWzIQ4b5RBrmvll92dGcG6PUUoOgH6Bi6jqcHutS3Ov2gsf
-GYwBV0h/2/TyIeBewGU/UNIwR1/A4MSA2cOGrgTFKbiIqwQ8XdJS2zzY6lA2Df90
-SuWfnL28lY2nnRv+uu3+klkMBT3WpFcWPWLC6pJP1nOxjPbbGU+zu9vrP1dn/L2f
-FKrQ+e08X591LHh7LE5mm5gLxZBnIQfo8xTrWWnyIEmb1ds3rRAs9ypRbsMNZD5X
-aa4=
------END X509 CRL-----

builtin/credential/cert/test-fixtures/rootcacert.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIUN8ptO7rZ7Oc9Y0q0Fs3B3R/xHfcwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTYwNDI5MDAyNzEyWhcNMjYw
-NDI3MDAyNzQyWjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAJvz6FvPLDkqrSiYuW3yh3Jk40a+/IBBzQleKsbk
-BhKJwMRGUR24KfPdc+JJVXTtpi6Gd4rFjhklXo5MiRF4QP805EOrtcRlDyYeCoLM
-YxcZP2EKAMRWdX4wJN5wKs9hxXyLJ42VWRNPstQJk1uDwUo0W7DCEGZS9UJ0WoRb
-e2lQ2U+kFzaiKF0snNhRKDhL5vrNpo6LWgxSBpTEqFbqaUj18txYVI3DmZVEdkOi
-BCqDwHXdZi0lWLk7DX105CVOTfoo66IO1zYyQ8swile2ty/V/X6HpSq689cPWp6n
-76LQlJUPnXeI8Pcwedq7/3cKyE00JAlKJ8cvNgJlDihg0bECAwEAAaOBgTB/MA4G
-A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTdlyxSIpqy
-LNMnJiGoU3EZUCDwZDAfBgNVHSMEGDAWgBTdlyxSIpqyLNMnJiGoU3EZUCDwZDAc
-BgNVHREEFTATggtteXZhdWx0LmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-aB/5JtjNbhyQhHvpgRxXKHWl32tHC9NId5btCScPOYs2FikpylrVMjZ4VcMtdUX0
-/rV3ixQ20ViWV7CVQHENloLPV0NnKgtgcrhxl+BzDMF+G6tez90BE5r3NMCL10Lx
-NxjvWddNSaMPgnGPKKe9/w6Ybk1CBDGcSQhKOoc7MQ168hPc73TkwBOaoNoNbu9L
-u8ZnmI4e1m0Gd+oqhv2FFEhGeqZdcbjk4ra3xAuwNFhqmqFU/Zw/q4b1+8qQl1mj
-5lTGNYP9aJNHgEmis9InCwA0bkGzt7DBosnVhBIFfugKrERynM3L7qvm3c+NKmTV
-Zsv5kfBVKxCrYy0XoBJ0ug==
------END CERTIFICATE-----

builtin/credential/cert/test-fixtures/rootcakey.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAm/PoW88sOSqtKJi5bfKHcmTjRr78gEHNCV4qxuQGEonAxEZR
-Hbgp891z4klVdO2mLoZ3isWOGSVejkyJEXhA/zTkQ6u1xGUPJh4KgsxjFxk/YQoA
-xFZ1fjAk3nAqz2HFfIsnjZVZE0+y1AmTW4PBSjRbsMIQZlL1QnRahFt7aVDZT6QX
-NqIoXSyc2FEoOEvm+s2mjotaDFIGlMSoVuppSPXy3FhUjcOZlUR2Q6IEKoPAdd1m
-LSVYuTsNfXTkJU5N+ijrog7XNjJDyzCKV7a3L9X9foelKrrz1w9anqfvotCUlQ+d
-d4jw9zB52rv/dwrITTQkCUonxy82AmUOKGDRsQIDAQABAoIBAQCJ0LqG34bqIe+R
-z50WL1xI2CUMsNw8j2mdHK1aw8kl+rvx913ZkJTqX8n3r+yn/xd7R/M+HCTdzetI
-fxQl7wopPVl2/7gKjXActDF/sxTiJbqfi5Jv7yO3Vt5N//uk9nbp/6L9eHyWFzkm
-LiwdlEpsw+Y/Rs/tTORWTLJtAtcFkj5+Nrk7I0I6u01q4kP2SesGCraIFdVJDKzc
-Q7yjleicklRbOpthRgeykU0wyB6ZUItfCXSMPr588cOA7BPantM/ov/Qg1b0Z2sx
-WgpUv2a9KXsILyb9VuzYw4AxfaWl9n8MDFznGo3UkFHn9XJG7eVtJ9X/KfjwbqWa
-xzwZg669AoGBAMA3bEjqyTKUw4jHh/ZOy/5kTtGSytyv/PNZaj0tjJFkkUMmrvsm
-7P2mcveGaVqvAzFhwBMPOE8dZHH5+/dCecOBqq41Bl9jD7q8n8v9YMBIfhc3lIHz
-WIQeB6UmewJCDS/LM9wHnBbFgyOcLZm5NJI4qqrlUCejyv+4rcno28bDAoGBAM+z
-68wc/9JNJzzfaJGKzyLXwep3gS9zEgP9s3cjm+TrxoHdUOEVHDBQd3ACq9gCHvOt
-TMBo0BhDaOBucCpUQ8BGzuUG7bXI6eDM3+4BHADz8K5QRpUqEi+BpsN/2YwMvNjk
-s28iVYv2rLYomWTefRDqEyDs2No7jfK2oK325UZ7AoGAFdj21N7i2X3xL6XGPWe9
-Zf/OuaFer3DNZnd+TM/Vj10H6cMG1oMZIsd9f8bmSKllyoIay8/KDawAk7ffPL5w
-ipk9ZimevM7MpeP0ocH98j0LH+ZwWcjoAbRMGChkiOArEYieL18qDaiLfEuvHy7e
-29PXCi+gSbEjTKeYEUAHYvMCgYApTGYbPLzlLPAbW3SoU8hh7jKhk0d9jszLPFu9
-2be6qeLbmYzmZFMpjCZjgDR5C9rpqtCzBWQzHtwwm+TzlbOu/KVQxrLnTV6rkzEH
-WvMdgWOe1VljeW0KQyZMgxRXk4TNP5QqCdKmtNKcma/+bXrCrThGeLGZmvPbidKj
-JI9sFwKBgB9enxL3H589k1hMo3WEuHFgzjCbLRDJzch2a+sUPAz2wUHjbUmsEJhT
-VhY6XqiRJHWUDljMmvtcvlAfAjfpAO6XIqzAuus08GdrKw75RzBqUVMBmqVGft9f
-/WefUcApnxUzdrxHmI3z+bkvAkly1+zKU+ea/KxoMj/81IuBnW3O
------END RSA PRIVATE KEY-----

builtin/credential/cert/test-fixtures/rootcrl

@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBrjCBlzANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbRcN
-MTYwNDI5MDI0NDU1WhcNMTYwNTAyMDI0NDU1WjArMCkCFDcPNl1VetnQ9Lj3FBVl
-4Exa/8jEFxExNjA0MjgyMjQ0NTUtMDQwMKAjMCEwHwYDVR0jBBgwFoAU2/PiKSal
-bB4ISQHSbyhmt2R2Z8swDQYJKoZIhvcNAQELBQADggEBAHVZeSRj+xSwesreyV0L
-DgkBLI4zIjmftxj1gDnSENtDtBGoPCCBa2YOtF6MmJ8eZBOUZovOVtfBz4eVK9rq
-Dg26F6rwv+dBV/7mvf1yyEePlf95ml8jkI0OYe9wwEbPcOPwQLy6xKMdKIFICjV6
-0P9+rrGHBhhW3p7S93Ro3TX7Ct9dbyQklYyPi28jChbNJhZh/j+kRVSw0X1pnhS+
-SlhvDAHluKYeUO1fVGJQy0yHsliK1EPrOk7oQisQydewCJ9XkWpxYHTZZBSgVMPN
-pjC25KY/KAqfBJXsqIxcoqK+P5pX2wC4mRS9A/ZY3xZOyQ0S81fTBrdAwUulqGbw
-iVI=
------END X509 CRL-----

builtin/credential/cert/test-fixtures/testcacert1.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUfIKsF2VPT7sdFcKOHJH2Ii6K4MwwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYwNTQyWhgPMjA2
+NjA0MjAxNjA2MTJaMBYxFDASBgNVBAMTC215dmF1bHQuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuOimEXawD2qBoLCFP3Skq5zi1XzzcMAJlfdS
+xz9hfymuJb+cN8rB91HOdU9wQCwVKnkUtGWxUnMp0tT0uAZj5NzhNfyinf0JGAbP
+67HDzVZhGBHlHTjPX0638yaiUx90cTnucX0N20SgCYct29dMSgcPl+W78D3Jw3xE
+JsHQPYS9ASe2eONxG09F/qNw7w/RO5/6WYoV2EmdarMMxq52pPe2chtNMQdSyOUb
+cCcIZyk4QVFZ1ZLl6jTnUPb+JoCx1uMxXvMek4NF/5IL0Wr9dw2gKXKVKoHDr6SY
+WrCONRw61A5Zwx1V+kn73YX3USRlkufQv/ih6/xThYDAXDC9cwIDAQABo4GBMH8w
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOuKvPiU
+G06iHkRXAOeMiUdBfHFyMB8GA1UdIwQYMBaAFOuKvPiUG06iHkRXAOeMiUdBfHFy
+MBwGA1UdEQQVMBOCC215dmF1bHQuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
+AQBcN/UdAMzc7UjRdnIpZvO+5keBGhL/vjltnGM1dMWYHa60Y5oh7UIXF+P1RdNW
+n7g80lOyvkSR15/r1rDkqOK8/4oruXU31EcwGhDOC4hU6yMUy4ltV/nBoodHBXNh
+MfKiXeOstH1vdI6G0P6W93Bcww6RyV1KH6sT2dbETCw+iq2VN9CrruGIWzd67UT/
+spe/kYttr3UYVV3O9kqgffVVgVXg/JoRZ3J7Hy2UEXfh9UtWNanDlRuXaZgE9s/d
+CpA30CHpNXvKeyNeW2ktv+2nAbSpvNW+e6MecBCTBIoDSkgU8ShbrzmDKVwNN66Q
+5gn6KxUPBKHEtNzs5DgGM7nq
+-----END CERTIFICATE-----

builtin/credential/cert/test-fixtures/testcacert2.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIUJfHFxtLQBOkjY9ivHx0AIsRDcH0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYxMjI5WhgPMjA2
+NjA0MjAxNjEyNTlaMBYxFDASBgNVBAMTC215dmF1bHQuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqj8ANjAGrg5BgUb3owGwUHlMYDxljMdwroA/
+Bv76ESjomj1zCyVtoJxlDZ8m9VcKQldk5ashFNuY+Ms9FrJ1YsePvsfStNe37C26
+2uldDToh5rm7K8uwp/bQiErwM9QZMCVYCPEH8QgETPg9qWnikDFLMqcLBNbIiXVL
+alxEYgA1Qt6+ayMvoS35288hFdZj6a0pCF0+zMHORZxloPhkXWnZLp5lWBiunSJG
+0kVz56TjF+oY0L74iW4y3x2805biisGvFqgpZJW8/hLw/kDthNylNTzEqBktsctQ
+BXpSMcwG3woJ0uZ8cH/HA/m0VDeIA77UisXnlLiQDpdB7U7QPwIDAQABo4GBMH8w
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMLETWAs
+OFNsKJ+uqzChCZvIpxX4MB8GA1UdIwQYMBaAFMLETWAsOFNsKJ+uqzChCZvIpxX4
+MBwGA1UdEQQVMBOCC215dmF1bHQuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
+AQCRlFb6bZDrq3NkoZF9evls7cT41V3XCdykMA4K9YRgDroZ5psanSvYEnSrk9cU
+Y7sVYW7b8qSRWkLZrHCAwc2V0/i5F5j4q9yVnWaTZ+kOVCFYCI8yUS7ixRQdTLNN
+os/r9dcRSzzTEqoQThAzn571yRcbJHzTjda3gCJ5F4utYUBU2F9WK+ukW9nqfepa
+ju5vEEGDuL2+RyApzL0nGzMUkCdBcK82QBksTlElPnbICbJZWUUMTZWPaZ7WGDDa
+Pj+pWMXiDQmzIuzgXUCNtQL6lEv4tQwGYRHjjPmhgJP4sr6Cyrj4G0iljrqM+z/3
+gLyJOlNU8c5x02/C1nFDDa14
+-----END CERTIFICATE-----

builtin/credential/cert/test-fixtures/testcakey1.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuOimEXawD2qBoLCFP3Skq5zi1XzzcMAJlfdSxz9hfymuJb+c
+N8rB91HOdU9wQCwVKnkUtGWxUnMp0tT0uAZj5NzhNfyinf0JGAbP67HDzVZhGBHl
+HTjPX0638yaiUx90cTnucX0N20SgCYct29dMSgcPl+W78D3Jw3xEJsHQPYS9ASe2
+eONxG09F/qNw7w/RO5/6WYoV2EmdarMMxq52pPe2chtNMQdSyOUbcCcIZyk4QVFZ
+1ZLl6jTnUPb+JoCx1uMxXvMek4NF/5IL0Wr9dw2gKXKVKoHDr6SYWrCONRw61A5Z
+wx1V+kn73YX3USRlkufQv/ih6/xThYDAXDC9cwIDAQABAoIBAG3bCo7ljMQb6tel
+CAUjL5Ilqz5a9ebOsONABRYLOclq4ePbatxawdJF7/sSLwZxKkIJnZtvr2Hkubxg
+eOO8KC0YbVS9u39Rjc2QfobxHfsojpbWSuCJl+pvwinbkiUAUxXR7S/PtCPJKat/
+fGdYCiMQ/tqnynh4vR4+/d5o12c0KuuQ22/MdEf3GOadUamRXS1ET9iJWqla1pJW
+TmzrlkGAEnR5PPO2RMxbnZCYmj3dArxWAnB57W+bWYla0DstkDKtwg2j2ikNZpXB
+nkZJJpxR76IYD1GxfwftqAKxujKcyfqB0dIKCJ0UmfOkauNWjexroNLwaAOC3Nud
+XIxppAECgYEA1wJ9EH6A6CrSjdzUocF9LtQy1LCDHbdiQFHxM5/zZqIxraJZ8Gzh
+Q0d8JeOjwPdG4zL9pHcWS7+x64Wmfn0+Qfh6/47Vy3v90PIL0AeZYshrVZyJ/s6X
+YkgFK80KEuWtacqIZ1K2UJyCw81u/ynIl2doRsIbgkbNeN0opjmqVTMCgYEA3CkW
+2fETWK1LvmgKFjG1TjOotVRIOUfy4iN0kznPm6DK2PgTF5DX5RfktlmA8i8WPmB7
+YFOEdAWHf+RtoM/URa7EAGZncCWe6uggAcWqznTS619BJ63OmncpSWov5Byg90gJ
+48qIMY4wDjE85ypz1bmBc2Iph974dtWeDtB7dsECgYAyKZh4EquMfwEkq9LH8lZ8
+aHF7gbr1YeWAUB3QB49H8KtacTg+iYh8o97pEBUSXh6hvzHB/y6qeYzPAB16AUpX
+Jdu8Z9ylXsY2y2HKJRu6GjxAewcO9bAH8/mQ4INrKT6uIdx1Dq0OXZV8jR9KVLtB
+55RCfeLhIBesDR0Auw9sVQKBgB0xTZhkgP43LF35Ca1btgDClNJGdLUztx8JOIH1
+HnQyY/NVIaL0T8xO2MLdJ131pGts+68QI/YGbaslrOuv4yPCQrcS3RBfzKy1Ttkt
+TrLFhtoy7T7HqyeMOWtEq0kCCs3/PWB5EIoRoomfOcYlOOrUCDg2ge9EP4nyVVz9
+hAGBAoGBAJXw/ufevxpBJJMSyULmVWYr34GwLC1OhSE6AVVt9JkIYnc5L4xBKTHP
+QNKKJLmFmMsEqfxHUNWmpiHkm2E0p37Zehui3kywo+A4ybHPTua70ZWQfZhKxLUr
+PvJa8JmwiCM7kO8zjOv+edY1mMWrbjAZH1YUbfcTHmST7S8vp0F3
+-----END RSA PRIVATE KEY-----

builtin/credential/cert/test-fixtures/testcakey2.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqj8ANjAGrg5BgUb3owGwUHlMYDxljMdwroA/Bv76ESjomj1z
+CyVtoJxlDZ8m9VcKQldk5ashFNuY+Ms9FrJ1YsePvsfStNe37C262uldDToh5rm7
+K8uwp/bQiErwM9QZMCVYCPEH8QgETPg9qWnikDFLMqcLBNbIiXVLalxEYgA1Qt6+
+ayMvoS35288hFdZj6a0pCF0+zMHORZxloPhkXWnZLp5lWBiunSJG0kVz56TjF+oY
+0L74iW4y3x2805biisGvFqgpZJW8/hLw/kDthNylNTzEqBktsctQBXpSMcwG3woJ
+0uZ8cH/HA/m0VDeIA77UisXnlLiQDpdB7U7QPwIDAQABAoIBADivQ2XHdeHsUzk1
+JOz8efVBfgGo+nL2UPl5MAMnUKH4CgKZJT3311mb2TXA4RrdQUg3ixvBcAFe4L8u
+BIgTIWyjX6Q5KloWXWHhFA8hll76FSGag8ygRJCYaHSI5xOKslxKgtZvUqKZdb0f
+BoDrBYnXL9+MqOmSjjDegh7G2+n49n774Z2VVR47TZTBB5LCWDWj4AtEcalgwlvw
+d5yL/GU/RfCkXCjCeie1pInp3eCMUI9jlvbe/vyaoFq2RiaJw1LSlJLXZBMYzaij
+XkgMtRsr5bf0Tg2z3SPiaa9QZogfVLqHWAt6RHZf9Keidtiho+Ad6/dzJu+jKDys
+Z6cthOECgYEAxMUCIYKO74BtPRN2r7KxbSjHzFsasxbfwkSg4Qefd4UoZJX2ShlL
+cClnef3WdkKxtShJhqEPaKTYTrfgM+iz/a9+3lAFnS4EZawSf3YgXXslVTory0Da
+yPQZKxX6XsupaLl4s13ehw/D0qfdxWVYaiFad3ePEE4ytmSkMMHLHo8CgYEA3X4a
+jMWVbVv1W1lj+LFcg7AhU7lHgla+p7NI4gHw9V783noafnW7/8pNF80kshYo4u0g
+aJRwaU/Inr5uw14eAyEjB4X7N8AE5wGmcxxS2uluGG6r3oyQSJBqktGnLwyTfcfC
+XrfsGJza2BRGF4Mn8SFb7WtCl3f1qu0hTF+mC1ECgYB4oA1eXZsiV6if+H6Z1wHN
+2WIidPc5MpyZi1jUmse3jXnlr8j8Q+VrLPayYlpGxTwLwlbQoYvAqs2v9CkNqWot
+6pfr0UKfyMYJTiNI4DGXHRcV2ENgprF436tOLnr+AfwopwrHapQwWAnD6gSaLja1
+WR0Mf87EQCv2hFvjR+otIQKBgQCLyvJQ1MeZzQdPT1zkcnSUfM6b+/1hCwSr7WDb
+nCQLiZcJh4E/PWmZaII9unEloQzPJKBmwQEtxng1kLVxwu4oRXrJXcuPhTbS4dy/
+HCpDFj8xVnBNNuQ9mEBbR80/ya0xHqnThDuT0TPiWvFeF55W9xoA/8h4tvKrnZx9
+ioTO8QKBgCMqRa5pHb+vCniTWUTz9JZRnRsdq7fRSsJHngMe5gOR4HylyAmmqKrd
+kEXfkdu9TH2jxSWcZbHUPVwKfOUqQUZMz0pml0DIs1kedUDFanTZ8Rgg5SGUHBW0
+5bNCq64tKMmw6GiicaAGqd04OPo85WD9h8mPhM1Jdv/UmTV+HFAr
+-----END RSA PRIVATE KEY-----

builtin/credential/cert/test-fixtures/testcert.pem

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIUQ5YXoKdpugR7v8jIP8PgwmOqIr0wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTYwNDI5MDA1MzIwWhcNMTYw
-NTAyMDA1MzUwWjAbMRkwFwYDVQQDExBjZXJ0Lm15dmF1bHQuY29tMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvfWblshW9TN6CV41Vo8wCAY4OqgL/cbS
-WpAaDGlDOOE0ZHfEm1Eq0//jNQXsLF3uSA9eY9hxBwzwpNsaacx98sJjqNE4En3P
-T5cXUKuOFsxmfvJK7mTahepwfqbdcgWDKh533pdHde+1QlrRtIKhXMKQmlFGvvxG
-jO9zcD1G1qUPZlB/zwLOF3EbmLk0/9qB0jR5+61Yr3fo1pSQd9lQSsXdrXYzTzmT
-E71Z05BxafoW/EtKvs0X5NrKPD9wAoGhlK9yOGabcK2bw650XQlCy1aoJyoQYJ8e
-oQL59tDULfRhYBCdcmQ7iWWq1d68ry6pp9lf66sca4CkCnbLjaPR1wIDAQABo4H1
-MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUyAlR
-TO+MtA8fKz+ZwZjqLDABcOAwHwYDVR0jBBgwFoAULYlz83DSo7GoN/zBNq0yxU73
-SkswOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x
-OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQubXl2YXVsdC5jb22HBH8A
-AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br
-aS9jcmwwDQYJKoZIhvcNAQELBQADggEBAAzJbbmvdy7+1CHJVLZqcV+IT6z/NZHG
-De99zMlj1QlLNjnz/pg747XYCEWMmLL746Tp3FSy6XRETYwvMhp/NVmRn40RfKE3
-TuhXcoaWzfVYBLLgQW0Uf0F5PmAM19iGP80y5qbE0p26cvAlVaCc0Esr1DvvY273
-+0jI7xoeeQZXS1/VMtom4bfgXP1sQpXjawha0+CmUb89vloNjPwi5uiwviHyRsay
-gBrr3gUZ90yjASA+jLccW2iDvOO29nV9oBNn4BQddID6S7gO5+zKKWRfSOSjyXk5
-7N1rfw4smvp8JwOlcYf5bBQ5iIIPmYKUOrzuYwJ+X11BZFqw8UGbg5Y=
------END CERTIFICATE-----

builtin/credential/cert/test-fixtures/testissuedcert4.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIUBLqh6ctGWVDUxFhxJX7m6S/bnrcwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wIBcNMTYwNTAyMTYwOTI2WhgPMjA2
+NjA0MjAxNTA5NTZaMBsxGTAXBgNVBAMTEGNlcnQubXl2YXVsdC5jb20wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY3gPB29kkdbu0mPO6J0efagQhSiXB
+9OyDuLf5sMk6CVDWVWal5hISkyBmw/lXgF7qC2XFKivpJOrcGQd5Ep9otBqyJLzI
+b0IWdXuPIrVnXDwcdWr86ybX2iC42zKWfbXgjzGijeAVpl0UJLKBj+fk5q6NvkRL
+5FUL6TRV7Krn9mrmnrV9J5IqV15pTd9W2aVJ6IqWvIPCACtZKulqWn4707uy2X2W
+1Stq/5qnp1pDshiGk1VPyxCwQ6yw3iEcgecbYo3vQfhWcv7Q8LpSIM9ZYpXu6OmF
++czqRZS9gERl+wipmmrN1MdYVrTuQem21C/PNZ4jo4XUk1SFx6JrcA+lAgMBAAGj
+gfUwgfIwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSe
+Cl9WV3BjGCwmS/KrDSLRjfwyqjAfBgNVHSMEGDAWgBTrirz4lBtOoh5EVwDnjIlH
+QXxxcjA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAKGH2h0dHA6Ly8xMjcuMC4w
+LjE6ODIwMC92MS9wa2kvY2EwIQYDVR0RBBowGIIQY2VydC5teXZhdWx0LmNvbYcE
+fwAAATAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vMTI3LjAuMC4xOjgyMDAvdjEv
+cGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAWGholPN8buDYwKbUiDavbzjsxUIX
+lU4MxEqOHw7CD3qIYIauPboLvB9EldBQwhgOOy607Yvdg3rtyYwyBFwPhHo/hK3Z
+6mn4hc6TF2V+AUdHBvGzp2dbYLeo8noVoWbQ/lBulggwlIHNNF6+a3kALqsqk1Ch
+f/hzsjFnDhAlNcYFgG8TgfE2lE/FckvejPqBffo7Q3I+wVAw0buqiz5QL81NOT+D
+Y2S9LLKLRaCsWo9wRU1Az4Rhd7vK5SEMh16jJ82GyEODWPvuxOTI1MnzfnbWyLYe
+TTp6YBjGMVf1I6NEcWNur7U17uIOiQjMZ9krNvoMJ1A/cxCoZ98QHgcIPg==
+-----END CERTIFICATE-----

builtin/credential/cert/test-fixtures/testissuedkey4.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA2N4DwdvZJHW7tJjzuidHn2oEIUolwfTsg7i3+bDJOglQ1lVm
+peYSEpMgZsP5V4Be6gtlxSor6STq3BkHeRKfaLQasiS8yG9CFnV7jyK1Z1w8HHVq
+/Osm19oguNsyln214I8xoo3gFaZdFCSygY/n5Oaujb5ES+RVC+k0Veyq5/Zq5p61
+fSeSKldeaU3fVtmlSeiKlryDwgArWSrpalp+O9O7stl9ltUrav+ap6daQ7IYhpNV
+T8sQsEOssN4hHIHnG2KN70H4VnL+0PC6UiDPWWKV7ujphfnM6kWUvYBEZfsIqZpq
+zdTHWFa07kHpttQvzzWeI6OF1JNUhceia3APpQIDAQABAoIBAQCH3vEzr+3nreug
+RoPNCXcSJXXY9X+aeT0FeeGqClzIg7Wl03OwVOjVwl/2gqnhbIgK0oE8eiNwurR6
+mSPZcxV0oAJpwiKU4T/imlCDaReGXn86xUX2l82KRxthNdQH/VLKEmzij0jpx4Vh
+bWx5SBPdkbmjDKX1dmTiRYWIn/KjyNPvNvmtwdi8Qluhf4eJcNEUr2BtblnGOmfL
+FdSu+brPJozpoQ1QdDnbAQRgqnh7Shl0tT85whQi0uquqIj1gEOGVjmBvDDnL3GV
+WOENTKqsmIIoEzdZrql1pfmYTk7WNaD92bfpN128j8BF7RmAV4/DphH0pvK05y9m
+tmRhyHGxAoGBAOV2BBocsm6xup575VqmFN+EnIOiTn+haOvfdnVsyQHnth63fOQx
+PNtMpTPR1OMKGpJ13e2bV0IgcYRsRkScVkUtoa/17VIgqZXffnJJ0A/HT67uKBq3
+8o7RrtyK5N20otw0lZHyqOPhyCdpSsurDhNON1kPVJVYY4N1RiIxfut/AoGBAPHz
+HfsJ5ZkyELE9N/r4fce04lprxWH+mQGK0/PfjS9caXPhj/r5ZkVMvzWesF3mmnY8
+goE5S35TuTvV1+6rKGizwlCFAQlyXJiFpOryNWpLwCmDDSzLcm+sToAlML3tMgWU
+jM3dWHx3C93c3ft4rSWJaUYI9JbHsMzDW6Yh+GbbAoGBANIbKwxh5Hx5XwEJP2yu
+kIROYCYkMy6otHLujgBdmPyWl+suZjxoXWoMl2SIqR8vPD+Jj6mmyNJy9J6lqf3f
+DRuQ+fEuBZ1i7QWfvJ+XuN0JyovJ5Iz6jC58D1pAD+p2IX3y5FXcVQs8zVJRFjzB
+p0TEJOf2oqORaKWRd6ONoMKvAoGALKu6aVMWdQZtVov6/fdLIcgf0pn7Q3CCR2qe
+X3Ry2L+zKJYIw0mwvDLDSt8VqQCenB3n6nvtmFFU7ds5lvM67rnhsoQcAOaAehiS
+rl4xxoJd5Ewx7odRhZTGmZpEOYzFo4odxRSM9c30/u18fqV1Mm0AZtHYds4/sk6P
+aUj0V+kCgYBMpGrJk8RSez5g0XZ35HfpI4ENoWbiwB59FIpWsLl2LADEh29eC455
+t9Muq7MprBVBHQo11TMLLFxDIjkuMho/gcKgpYXCt0LfiNm8EZehvLJUXH+3WqUx
+we6ywrbFCs6LaxaOCtTiLsN+GbZCatITL0UJaeBmTAbiw0KQjUuZPQ==
+-----END RSA PRIVATE KEY-----

builtin/credential/cert/test-fixtures/testkey.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAvfWblshW9TN6CV41Vo8wCAY4OqgL/cbSWpAaDGlDOOE0ZHfE
-m1Eq0//jNQXsLF3uSA9eY9hxBwzwpNsaacx98sJjqNE4En3PT5cXUKuOFsxmfvJK
-7mTahepwfqbdcgWDKh533pdHde+1QlrRtIKhXMKQmlFGvvxGjO9zcD1G1qUPZlB/
-zwLOF3EbmLk0/9qB0jR5+61Yr3fo1pSQd9lQSsXdrXYzTzmTE71Z05BxafoW/EtK
-vs0X5NrKPD9wAoGhlK9yOGabcK2bw650XQlCy1aoJyoQYJ8eoQL59tDULfRhYBCd
-cmQ7iWWq1d68ry6pp9lf66sca4CkCnbLjaPR1wIDAQABAoIBAAagQJMb3dyjtQgK
-nzWrvPMqtF9naTOq8b9y81Wnfk7HnDo860C3rhTDAjvhPwG1LRCaaKJ29EpYqzQ0
-6FD0bxg+q5dB5QDQHqEaFhgcQ9KLwq9+6Bo0rmKpcM8aJvNJOfAILAo5oKZ+fAYa
-gOIZBGPl7YFUgHE8/4D/ATnTCVuHSu1EHceANLj4WXmyhiBp870sZFMHF5xAHlIg
-xrxvmTIEyt18Okq8l67HA/0oIRjvbMgBep3MRiynccgiOz5LAKETzCESEjzG3awo
-1budODxfbku1I73xyNrAU4MZp018gxu3QH3MDRrA6FRaBhLeoF1OyOkJJtobLQM3
-AkrBEaECgYEAxTg4YOy4mXMfbQOlwAXptvwCdtCTAUH6ibHsj61QzTn1Y/zl8qp5
-RMD0hwkanxTm2zIV1klrR2HSr7BPOiSjDRZI7UzND7A2rF+RBELcRPcdmSENyS3A
-xH7TG7fD4MW5/tuePN438b9MvvC71ioyvD+d5LHdU/WYlwf83bK2DP8CgYEA9pNv
-zPP8PQVnIiWJu97Ux1ngUZ+iOJfZzuCrfWhlY8CiPPZSA2Ql8Ti5u0Em9HsXhVEC
-xH9ccThEhv8O9t8vjf1YRhxnOs2OLYpbfX2DPM+Oiodn0X3zw5B5E9b/Pk9jThxC
-bI5J+b3HDObjeABQc1mLo4+UAsbB2a0j+qXrQykCgYEAkqqmst4YwnVs74OA5nb/
-QkfUBUxDpvHMQk6BYLBBoP3zUjKnR3ojyU++ChZpJ9lBfc2Xk87x6xoCtwllQhYw
-8/CYt3EgJwSjBDnl/MdETD2CU3jTacOO0hKHKNvW3fftxGzLFvUjobLkfjNFXZXw
-OTMOVx83O9MvcVJNaQoYfT0CgYEA9iaZJXEsDX6nRl9S8EmzAI+ob9N8jiKJPQzs
-JXViQgK78z+y/8+qUPTf9R9FVCrNgDkvGhpKnnwdbOaSecC0KHsQ9GzGYN1zYeMN
-EmmJ6dsJ4SDrcybZghFnzXaDuCBockGjzdr93mKloyubSOCHb5+k1tMuXtcsDbHa
-iQ25noECgYBR8sAqrI7iVy8i2I39MojzZ/WwX6cOxrLnLAGZNH0zqX08jXMuiJmx
-5o/HfXEtfF3omW9sreqXBl+/DR4b7+sbQG8dFjQcRPCm1LVTzTCZEbEqrdzIQZQ8
-LBvME7CziOVj1XaXh5Q0A9nvDTryTmJZPThGkfm8G1bQi+BggMCtow==
------END RSA PRIVATE KEY-----

builtin/credential/cert/test-fixtures/testrootcacert.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIUQcXZZo9q4z+uGaZMwyQCWIrOCuAwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTYwNDI5MDA0OTM1WhcNMjYw
-NDI3MDA1MDA1WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMRVZsQlTp0sw2fLQmh0mP43cshVrUWjg7GWsf6k
-8/TvoXYA6hMBqK5/UvLDDcoJLVyLdAsJeFJcT6VbpHO7BH2xShGIht1ZA5V9rshC
-fONcvLvToCRiTWplm8GNC5/dmmGoVe6GpGbskEIlg2t4rCekjemCB0+Yy5arqd1n
-QgcR8iftu6SR59wvdcVPseH/PC0HIF9wdhJXcod0K2jbZ7m3WVqoG0yk+1ok5frw
-eKFkopPIFk7RLeTm1M5s4uY7tqPXcfskGX0Y8LSYAJUz4kZI1EphIYSsdQAlSuC8
-RZNnOVRwxxQfaZpv6qHygkdTgh8UL+wVUMOdmp8k+uSyap8CAwEAAaOBgTB/MA4G
-A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQtiXPzcNKj
-sag3/ME2rTLFTvdKSzAfBgNVHSMEGDAWgBQtiXPzcNKjsag3/ME2rTLFTvdKSzAc
-BgNVHREEFTATggtteXZhdWx0LmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-NKO/wkPepxzBfcTalprpjRDBNo+El4SsmSUKdC38MOc1jyQ8ScQzYRCD+q6v2Sih
-ap/unGVCnDMQmSyRr/RdhQtcw1zs1zIVa+THBGYhemFf7tJ7KZ8XkE3BEnMeAvnJ
-ZAt1hn+pkc2vmxzrpb/NPukWfFJOByED5ffGyTc99IpWb6shbOcARXyYLJg+7pWp
-rC+gdVw72XLTcx1VSEeFZNDVK+tDFybxAZd7yjKdXvQiWPacqzSU7Ejg9HToohne
-DTk867BKvsTl47JjW8l6wEKr/B0tBZeCH1oGtbXKqYq8DqDh+KZSDkpR33ZgX8V6
-IIo4+Te8d8sfXABrMUc1LA==
------END CERTIFICATE-----

builtin/credential/cert/test-fixtures/testrootcacert2.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDPDCCAiSgAwIBAgIUNw82XVV62dD0uPcUFWXgTFr/yMQwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTYwNDI5MDI0MTM4WhcNMjYw
-NDI3MDI0MjA4WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAN7rILk/ABRrnEU1olA8Nn8TGhSOM/nxJ8V8Z9gW
-QjRRzvvKJvqJ9WqQJTQmaqfHPbDjHfk71tK9kfB02gdWFrmIgZrUcPh9WL3qrWoW
-y2O64pYa3Xqni7RWW86haCgXDFaWIDP2SljVQSEkvTIOMZdnMn5BxwiyFSoUdglh
-x7BAJgW3z1VkZsTnLWyy0Y2yu1Fb8FxlJzxHSIQTugqUioDf0pkohUItJIWbIncO
-v73sxtWIUXdlEq7fcvxSiBNd5WXxEPoXHYHd5FYLpuDBOyUc4vV82n+O9DBzrVuV
-XxYKhql5lQpDVzBSz9eEIN1DGAAkL7gDphar1gMOZIIfW+MCAwEAAaOBgTB/MA4G
-A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTb8+IpJqVs
-HghJAdJvKGa3ZHZnyzAfBgNVHSMEGDAWgBTb8+IpJqVsHghJAdJvKGa3ZHZnyzAc
-BgNVHREEFTATggtteXZhdWx0LmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
-z5pwDJcYqDTp+hHGrumzzb/FwDfwtxI2wOPhcA48pFVaqDhmH+38H2XoPEEMvYik
-bpR+CP8DSqAzKIh+aO6fgva0strRxN0+KIrr/HSpxSadXeFcTS/SN1xAuUvoYX2z
-Movqr/ZOYlNcQiJDzFMRkzMJSClDSKk8oYDB2kUuZu4fi0WvvT8yNK9bSWcGzj+d
-4GYBRTWUvB7aVEI1PGpbe8K1Gnu0tpukcVY1yveo77Zk1QAf3hJBex8v1gwYX/TB
-/LvLCwzRoUdLozSWClH3Hu0iqTW9FKxG0QLi6YQijWyYwZd2s+pIi2LVSdMf9sEK
-fAMclYTqopTL4Qemorc57w==
------END CERTIFICATE-----

builtin/credential/cert/test-fixtures/testrootcakey.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEAxFVmxCVOnSzDZ8tCaHSY/jdyyFWtRaODsZax/qTz9O+hdgDq
-EwGorn9S8sMNygktXIt0Cwl4UlxPpVukc7sEfbFKEYiG3VkDlX2uyEJ841y8u9Og
-JGJNamWbwY0Ln92aYahV7oakZuyQQiWDa3isJ6SN6YIHT5jLlqup3WdCBxHyJ+27
-pJHn3C91xU+x4f88LQcgX3B2Eldyh3QraNtnubdZWqgbTKT7WiTl+vB4oWSik8gW
-TtEt5ObUzmzi5ju2o9dx+yQZfRjwtJgAlTPiRkjUSmEhhKx1ACVK4LxFk2c5VHDH
-FB9pmm/qofKCR1OCHxQv7BVQw52anyT65LJqnwIDAQABAoIBAQCLdkKWiA2stjRj
-0U1t140p34dIaRu5AOq2Rl5PjSrBzUp7ATFEqQQCV+07BnUQE67GM0UN5f8zOeFV
-i6BomOsawcnkZH+wUd+q2+lA1YHTG3fxT+VMkwt8zYpzVVZxi79zKVlJIxk7B0V9
-xxnwSHq5ejlYKoY480eC0pPJ8uRDEiy44ivfkCgOp2LyNTSVhjfxlhZ6yukuRMc4
-qTcrrTKDv+RHLgcw6IXDV7Ow6yPWUdATUcBN4RC1TYz12BTFr4SlrhI2rKkttuRY
-trSfVEGIL80AvpaPx9sFot30kjpCMRudCoUrgDP/5c7/gB2BJqwrWH9kDC1KLuzt
-6GPAhLn5AoGBAOaZW+ww02u8UqAVy8e5Vyfbef6nN76am6wxpPnKHk2yut+c8C6j
-gIi9hhPVO1VVGw3iQJfLqzd6ZOFnu7Gvr62WgrOceyPeP2SWDppop4jkfDorrjZ7
-2DnGT4ZwyKsLyYO4nvMazJirTA3T+n6QXFZQScR2psGijNRhfaqAognNAoGBANn1
-yz6QJZWQe2BPMpQZaJsoY+pgkxmkbjOd1vtDEQcrz8BLVG67Qg0cKJ4Lmq7aEqdQ
-Dvu5OXhdC1xuk+Dr/99L10g00WaUxQCZGyaxLpFwAGh4kUzlBDvxj5Q2lXiILjGt
-wcqdRDD26rjLcbAQ+VScboO9YnQmB7Bxex0zPuobAoGBAMAfgbCVNXCLZKOvxSpP
-xseUWl3KX+1TzuN2MSdUOE8v2/Y2QP36hzpl/PFFNLvxviqhGIPf0nTUanxJ+t0d
-rNaJkbenZgkKP/LD+sK28u5gvweQIQOPxyTLjrJKAUZQ+cHe7b9J0rBX93OF6yvL
-hsL6/ZrL6D9n+MFxwEtwBJD5AoGBALbpzmovoEr3GIMHk8Oz2xSy/b7Y0zomwxDw
-OlVcwDKLcurGjRHsdo73/aI8zNBGVHcy+ZAIrpEzTHCCn/mXNIFZbU68fKsg2H8a
-/i0nbpRBMSZ7YDzuyPHhVAQnFqMzbcjlMAfwmSSaYvs4SK1gYU2/hgNq8O/WZoeN
-hKtJsVfXAoGBALQxwvlhN5dUiR8nmOi19tnouiWhp658iIVbvJgK+H8QReaqATCq
-EsmsCv+TWdPWLyzlZ0G5dqRNUKV30nK3+Y8eLtogBurRvnkInjvyQBaDqa5CQX3v
-kMdbQtIkHnX1/rqbIpZ7uAA7NH7gnigGThVYRk7gpBWiWFxFA/RgYvLt
------END RSA PRIVATE KEY-----

builtin/credential/cert/test-fixtures/testrootcakey2.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEA3usguT8AFGucRTWiUDw2fxMaFI4z+fEnxXxn2BZCNFHO+8om
-+on1apAlNCZqp8c9sOMd+TvW0r2R8HTaB1YWuYiBmtRw+H1YveqtahbLY7rilhrd
-eqeLtFZbzqFoKBcMVpYgM/ZKWNVBISS9Mg4xl2cyfkHHCLIVKhR2CWHHsEAmBbfP
-VWRmxOctbLLRjbK7UVvwXGUnPEdIhBO6CpSKgN/SmSiFQi0khZsidw6/vezG1YhR
-d2USrt9y/FKIE13lZfEQ+hcdgd3kVgum4ME7JRzi9Xzaf470MHOtW5VfFgqGqXmV
-CkNXMFLP14Qg3UMYACQvuAOmFqvWAw5kgh9b4wIDAQABAoIBAQCgh5ySKo9JJVFs
-+bnApAvuqPfgE6PUe1jTu8ogb68PdFZlNmepho3oRpO0IXIvDqkbaALex7vlGUUu
-b0fPfqxwwZ/rus7783Bjm8t0GaQwVpXz2LbkLCHMJWCJxex26lolRIk+Qj+6ByCW
-2JkyocwOpu9SwtWtKmlZW1DBYtvlzIPbesBP04DvJZGMtLZXgLILAv5K8zuuuruX
-YBoXv0EZ58gMbXCqOs/HR3KbpjhM4rboHm4OW8pNiKblijGuYxtyzqM6MdAPY6+K
-J8KKDpcSA7Y7+yF1eHsXfbyOYtGaYgDWdaN1/DvKBck2CofkxSPiCIuqFk2tqqxQ
-7NR66lqJAoGBAPrbOhVXyDv6oPk5KmUOrFKmKdNg+zlGclbPBVKNXEoofc20mHfA
-+b8c9NnEeFeI5HXXTHOVC9LzKzkgeYqC1hlj+0knPQm6/jIL3Lu/b7wsXESadEw4
-b4Z3lVDB2QSKykSH2OeCMJNjDG4yPXcHxLvKZ8jqQLVCaSYcA+mOV++FAoGBAON9
-QHiTa2B4j08Txa4ib/lEFyRVEx2Ul+9vEtVXy6sgkUPaAR3Od6ZsiwAWXPP/Dh8b
-T8zTbV02abA16u1t9mee24sDP03hgi6M8wvyu9VVjBJuk0C5KeT7JMefEjybKwVf
-CJo+qDHdcRBikyQZ/zdmTunlF3J96h6C+8MPFJZHAoGBAMsylUQAjSN4irgWBC9D
-yXZRPoQIhLcKR0fl/Wu3MdCoJ+9eoDowyJxz+ioDqW9OZbDGqxjc3G0NqC9oDMuT
-25VJlZzV+e1N2OX1EeHK2dlVHZA8hIPRGxWS/BIkU4QIYHtOhvZQUMSycLk6XOt0
-EXoEJDls9ulcWAwUmV6wfK55AoGBAKWeja57HWSpwSQAMB474iumv/ZqnbUedpMR
-2bNK7POUjU3JzKBHreKTCYuxvFDDcyOAfdOQZgHD2KQ6TOQ493ivNgT6Az+PG3kK
-kvQy7z88vfK5YClx5SdZFIjkraFEEskhTCEH1uoe3u7f5WIWLzHFIVS1viFTvHwk
-PmjfdMyHAoGBANgqNmdx7b6h/vwPhNWdvuwp09C0IMaZ45NVO48oXT3Qx89UhzEK
-zcrZPhwx0yaIPMLfu28KfewMSH8ADostQWIGIBved0A1+3FOrw3VmqLS0/wgbbr4
-Mpaiykvl9p0cKcQ+aZrCWi9yH3kNzx8j2xVzLUIvCTEdNrLqMukiLVeG
------END RSA PRIVATE KEY-----

builtin/credential/cert/test-fixtures/testrootcaserial2

@@ -1 +0,0 @@
-37:0f:36:5d:55:7a:d9:d0:f4:b8:f7:14:15:65:e0:4c:5a:ff:c8:c4

command/init.go

@@ -92,8 +92,8 @@ func (c *InitCommand) Run(args []string) int {
 			"\n"+
 				"Recovery key initialized with %d keys and a key threshold of %d. Please\n"+
 				"securely distribute the above keys.",
-			shares,
+			recoveryShares,
-			threshold,
+			recoveryThreshold,
 		))
 	}
 

command/server.go

@@ -685,7 +685,6 @@ func MakeShutdownCh() chan struct{} {
 	resultCh := make(chan struct{})
 
 	shutdownCh := make(chan os.Signal, 4)
-	signal.Notify(shutdownCh, os.Interrupt, syscall.SIGINT)
 	signal.Notify(shutdownCh, os.Interrupt, syscall.SIGTERM)
 	go func() {
 		for {
@@ -703,7 +702,7 @@ func MakeSighupCh() chan struct{} {
 	resultCh := make(chan struct{})
 
 	signalCh := make(chan os.Signal, 4)
-	signal.Notify(signalCh, os.Interrupt, syscall.SIGHUP)
+	signal.Notify(signalCh, syscall.SIGHUP)
 	go func() {
 		for {
 			<-signalCh

http/logical.go

@@ -99,9 +99,34 @@ func handleLogical(core *vault.Core, dataOnly bool, prepareRequestCallback Prepa
 		if !ok {
 			return
 		}
-		if (op == logical.ReadOperation || op == logical.ListOperation) && resp == nil {
+		switch {
-			respondError(w, http.StatusNotFound, nil)
+		case op == logical.ReadOperation:
-			return
+			if resp == nil {
+				respondError(w, http.StatusNotFound, nil)
+				return
+			}
+
+		// Basically: if we have empty "keys" or no keys at all, 404. This
+		// provides consistency with GET.
+		case op == logical.ListOperation:
+			if resp == nil || len(resp.Data) == 0 {
+				respondError(w, http.StatusNotFound, nil)
+				return
+			}
+			keysInt, ok := resp.Data["keys"]
+			if !ok || keysInt == nil {
+				respondError(w, http.StatusNotFound, nil)
+				return
+			}
+			keys, ok := keysInt.([]string)
+			if !ok {
+				respondError(w, http.StatusInternalServerError, nil)
+				return
+			}
+			if len(keys) == 0 {
+				respondError(w, http.StatusNotFound, nil)
+				return
+			}
 		}
 
 		// Build the proper response

meta/meta.go

@@ -3,17 +3,13 @@ package meta
 import (
 	"bufio"
 	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
 	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
-	"os"
-	"path/filepath"
 
 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/go-rootcerts"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/command/token"
 	"github.com/mitchellh/cli"
@@ -75,20 +71,14 @@ func (m *Meta) Client() (*api.Client, error) {
 		// existing TLS config
 		tlsConfig := config.HttpClient.Transport.(*http.Transport).TLSClientConfig
 
-		var certPool *x509.CertPool
+		rootConfig := &rootcerts.Config{
-		var err error
+			CAFile: m.flagCACert,
-		if m.flagCACert != "" {
+			CAPath: m.flagCAPath,
-			certPool, err = api.LoadCACert(m.flagCACert)
-		} else if m.flagCAPath != "" {
-			certPool, err = api.LoadCAPath(m.flagCAPath)
 		}
-		if err != nil {
+		if err := rootcerts.ConfigureTLS(tlsConfig, rootConfig); err != nil {
-			return nil, errwrap.Wrapf("Error setting up CA path: {{err}}", err)
+			return nil, err
 		}
 
-		if certPool != nil {
-			tlsConfig.RootCAs = certPool
-		}
 		if m.flagInsecure {
 			tlsConfig.InsecureSkipVerify = true
 		}
@@ -181,73 +171,6 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 	return f
 }
 
-func (m *Meta) loadCACert(path string) (*x509.CertPool, error) {
-	certs, err := m.loadCertFromPEM(path)
-	if err != nil {
-		return nil, fmt.Errorf("Error loading %s: %s", path, err)
-	}
-
-	result := x509.NewCertPool()
-	for _, cert := range certs {
-		result.AddCert(cert)
-	}
-
-	return result, nil
-}
-
-func (m *Meta) loadCAPath(path string) (*x509.CertPool, error) {
-	result := x509.NewCertPool()
-	fn := func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-
-		if info.IsDir() {
-			return nil
-		}
-
-		certs, err := m.loadCertFromPEM(path)
-		if err != nil {
-			return fmt.Errorf("Error loading %s: %s", path, err)
-		}
-
-		for _, cert := range certs {
-			result.AddCert(cert)
-		}
-		return nil
-	}
-
-	return result, filepath.Walk(path, fn)
-}
-
-func (m *Meta) loadCertFromPEM(path string) ([]*x509.Certificate, error) {
-	pemCerts, err := ioutil.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	certs := make([]*x509.Certificate, 0, 5)
-	for len(pemCerts) > 0 {
-		var block *pem.Block
-		block, pemCerts = pem.Decode(pemCerts)
-		if block == nil {
-			break
-		}
-		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
-			continue
-		}
-
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			return nil, err
-		}
-
-		certs = append(certs, cert)
-	}
-
-	return certs, nil
-}
-
 // GeneralOptionsUsage returns the usage documenation for commonly
 // available options
 func GeneralOptionsUsage() string {

vault/logical_system.go

@@ -3,6 +3,7 @@ package vault
 import (
 	"fmt"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/hashicorp/vault/logical"
@@ -845,6 +846,14 @@ func (b *SystemBackend) handleMountTuneWrite(
 		return handleError(err)
 	}
 
+	var lock *sync.RWMutex
+	switch {
+	case strings.HasPrefix(path, "auth/"):
+		lock = &b.Core.authLock
+	default:
+		lock = &b.Core.mountsLock
+	}
+
 	// Timing configuration parameters
 	{
 		var newDefault, newMax *time.Duration
@@ -877,8 +886,9 @@ func (b *SystemBackend) handleMountTuneWrite(
 		}
 
 		if newDefault != nil || newMax != nil {
-			b.Core.mountsLock.Lock()
+			lock.Lock()
-			defer b.Core.mountsLock.Unlock()
+			defer lock.Unlock()
+
 			if err := b.tuneMountTTLs(path, &mountEntry.Config, newDefault, newMax); err != nil {
 				b.Backend.Logger().Printf("[ERR] sys: tune of path '%s' failed: %v", path, err)
 				return handleError(err)

vault/logical_system_helpers.go

@@ -1,8 +1,8 @@
 package vault
 
 import (
-	"errors"
 	"fmt"
+	"strings"
 	"time"
 )
 
@@ -51,6 +51,9 @@ func (b *SystemBackend) tuneMountTTLs(path string, meConfig *MountConfig, newDef
 		}
 	}
 
+	origMax := meConfig.MaxLeaseTTL
+	origDefault := meConfig.DefaultLeaseTTL
+
 	if newMax != nil {
 		meConfig.MaxLeaseTTL = *newMax
 	}
@@ -59,8 +62,17 @@ func (b *SystemBackend) tuneMountTTLs(path string, meConfig *MountConfig, newDef
 	}
 
 	// Update the mount table
-	if err := b.Core.persistMounts(b.Core.mounts); err != nil {
+	var err error
-		return errors.New("failed to update mount table")
+	switch {
+	case strings.HasPrefix(path, "auth/"):
+		err = b.Core.persistAuth(b.Core.auth)
+	default:
+		err = b.Core.persistMounts(b.Core.mounts)
+	}
+	if err != nil {
+		meConfig.MaxLeaseTTL = origMax
+		meConfig.DefaultLeaseTTL = origDefault
+		return fmt.Errorf("failed to update mount table, rolling back TTL changes")
 	}
 
 	b.Core.logger.Printf("[INFO] core: tuned '%s'", path)

vendor/github.com/Azure/azure-sdk-for-go/storage/blob.go

@@ -55,7 +55,33 @@ type ContainerListResponse struct {
 type Blob struct {
 	Name       string         `xml:"Name"`
 	Properties BlobProperties `xml:"Properties"`
-	// TODO (ahmetalpbalkan) Metadata
+	Metadata   BlobMetadata   `xml:"Metadata"`
+}
+
+// BlobMetadata contains various mtadata properties of the blob
+type BlobMetadata map[string]string
+
+type blobMetadataEntries struct {
+	Entries []blobMetadataEntry `xml:",any"`
+}
+type blobMetadataEntry struct {
+	XMLName xml.Name
+	Value   string `xml:",chardata"`
+}
+
+// UnmarshalXML converts the xml:Metadata into Metadata map
+func (bm *BlobMetadata) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
+	var entries blobMetadataEntries
+	if err := d.DecodeElement(&entries, &start); err != nil {
+		return err
+	}
+	for _, entry := range entries.Entries {
+		if *bm == nil {
+			*bm = make(BlobMetadata)
+		}
+		(*bm)[strings.ToLower(entry.XMLName.Local)] = entry.Value
+	}
+	return nil
 }
 
 // BlobProperties contains various properties of a blob
@@ -457,7 +483,7 @@ func (b BlobStorageClient) GetBlobURL(container, name string) string {
 //
 // See https://msdn.microsoft.com/en-us/library/azure/dd179440.aspx
 func (b BlobStorageClient) GetBlob(container, name string) (io.ReadCloser, error) {
-	resp, err := b.getBlobRange(container, name, "")
+	resp, err := b.getBlobRange(container, name, "", nil)
 	if err != nil {
 		return nil, err
 	}
@@ -472,8 +498,8 @@ func (b BlobStorageClient) GetBlob(container, name string) (io.ReadCloser, error
 // string must be in a format like "0-", "10-100" as defined in HTTP 1.1 spec.
 //
 // See https://msdn.microsoft.com/en-us/library/azure/dd179440.aspx
-func (b BlobStorageClient) GetBlobRange(container, name, bytesRange string) (io.ReadCloser, error) {
+func (b BlobStorageClient) GetBlobRange(container, name, bytesRange string, extraHeaders map[string]string) (io.ReadCloser, error) {
-	resp, err := b.getBlobRange(container, name, bytesRange)
+	resp, err := b.getBlobRange(container, name, bytesRange, extraHeaders)
 	if err != nil {
 		return nil, err
 	}
@@ -484,7 +510,7 @@ func (b BlobStorageClient) GetBlobRange(container, name, bytesRange string) (io.
 	return resp.body, nil
 }
 
-func (b BlobStorageClient) getBlobRange(container, name, bytesRange string) (*storageResponse, error) {
+func (b BlobStorageClient) getBlobRange(container, name, bytesRange string, extraHeaders map[string]string) (*storageResponse, error) {
 	verb := "GET"
 	uri := b.client.getEndpoint(blobServiceName, pathForBlob(container, name), url.Values{})
 
@@ -492,6 +518,11 @@ func (b BlobStorageClient) getBlobRange(container, name, bytesRange string) (*st
 	if bytesRange != "" {
 		headers["Range"] = fmt.Sprintf("bytes=%s", bytesRange)
 	}
+
+	for k, v := range extraHeaders {
+		headers[k] = v
+	}
+
 	resp, err := b.client.exec(verb, uri, headers, nil)
 	if err != nil {
 		return nil, err

vendor/github.com/Azure/azure-sdk-for-go/storage/client.go

@@ -4,6 +4,7 @@ package storage
 import (
 	"bytes"
 	"encoding/base64"
+	"encoding/json"
 	"encoding/xml"
 	"errors"
 	"fmt"
@@ -54,6 +55,11 @@ type storageResponse struct {
 	body       io.ReadCloser
 }
 
+type odataResponse struct {
+	storageResponse
+	odata odataErrorMessage
+}
+
 // AzureStorageServiceError contains fields of the error response from
 // Azure Storage Service REST API. See https://msdn.microsoft.com/en-us/library/azure/dd179382.aspx
 // Some fields might be specific to certain calls.
@@ -68,6 +74,20 @@ type AzureStorageServiceError struct {
 	RequestID                 string
 }
 
+type odataErrorMessageMessage struct {
+	Lang  string `json:"lang"`
+	Value string `json:"value"`
+}
+
+type odataErrorMessageInternal struct {
+	Code    string                   `json:"code"`
+	Message odataErrorMessageMessage `json:"message"`
+}
+
+type odataErrorMessage struct {
+	Err odataErrorMessageInternal `json:"odata.error"`
+}
+
 // UnexpectedStatusCodeError is returned when a storage service responds with neither an error
 // nor with an HTTP status code indicating success.
 type UnexpectedStatusCodeError struct {
@@ -166,6 +186,12 @@ func (c Client) GetQueueService() QueueServiceClient {
 	return QueueServiceClient{c}
 }
 
+// GetTableService returns a TableServiceClient which can operate on the table
+// service of the storage account.
+func (c Client) GetTableService() TableServiceClient {
+	return TableServiceClient{c}
+}
+
 // GetFileService returns a FileServiceClient which can operate on the file
 // service of the storage account.
 func (c Client) GetFileService() FileServiceClient {
@@ -228,6 +254,22 @@ func (c Client) buildCanonicalizedHeader(headers map[string]string) string {
 	return ch
 }
 
+func (c Client) buildCanonicalizedResourceTable(uri string) (string, error) {
+	errMsg := "buildCanonicalizedResourceTable error: %s"
+	u, err := url.Parse(uri)
+	if err != nil {
+		return "", fmt.Errorf(errMsg, err.Error())
+	}
+
+	cr := "/" + c.accountName
+
+	if len(u.Path) > 0 {
+		cr += u.Path
+	}
+
+	return cr, nil
+}
+
 func (c Client) buildCanonicalizedResource(uri string) (string, error) {
 	errMsg := "buildCanonicalizedResource error: %s"
 	u, err := url.Parse(uri)
@@ -236,6 +278,7 @@ func (c Client) buildCanonicalizedResource(uri string) (string, error) {
 	}
 
 	cr := "/" + c.accountName
+
 	if len(u.Path) > 0 {
 		cr += u.Path
 	}
@@ -266,6 +309,7 @@ func (c Client) buildCanonicalizedResource(uri string) (string, error) {
 			}
 		}
 	}
+
 	return cr, nil
 }
 
@@ -364,6 +408,70 @@ func (c Client) exec(verb, url string, headers map[string]string, body io.Reader
 		body:       resp.Body}, nil
 }
 
+func (c Client) execInternalJSON(verb, url string, headers map[string]string, body io.Reader) (*odataResponse, error) {
+	req, err := http.NewRequest(verb, url, body)
+	for k, v := range headers {
+		req.Header.Add(k, v)
+	}
+
+	httpClient := c.HTTPClient
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	respToRet := &odataResponse{}
+	respToRet.body = resp.Body
+	respToRet.statusCode = resp.StatusCode
+	respToRet.headers = resp.Header
+
+	statusCode := resp.StatusCode
+	if statusCode >= 400 && statusCode <= 505 {
+		var respBody []byte
+		respBody, err = readResponseBody(resp)
+		if err != nil {
+			return nil, err
+		}
+
+		if len(respBody) == 0 {
+			// no error in response body
+			err = fmt.Errorf("storage: service returned without a response body (%d)", resp.StatusCode)
+			return respToRet, err
+		}
+		// try unmarshal as odata.error json
+		err = json.Unmarshal(respBody, &respToRet.odata)
+		return respToRet, err
+	}
+
+	return respToRet, nil
+}
+
+func (c Client) createSharedKeyLite(url string, headers map[string]string) (string, error) {
+	can, err := c.buildCanonicalizedResourceTable(url)
+
+	if err != nil {
+		return "", err
+	}
+	strToSign := headers["x-ms-date"] + "\n" + can
+
+	hmac := c.computeHmac256(strToSign)
+	return fmt.Sprintf("SharedKeyLite %s:%s", c.accountName, hmac), nil
+}
+
+func (c Client) execTable(verb, url string, headers map[string]string, body io.Reader) (*odataResponse, error) {
+	var err error
+	headers["Authorization"], err = c.createSharedKeyLite(url, headers)
+	if err != nil {
+		return nil, err
+	}
+
+	return c.execInternalJSON(verb, url, headers, body)
+}
+
 func readResponseBody(resp *http.Response) ([]byte, error) {
 	defer resp.Body.Close()
 	out, err := ioutil.ReadAll(resp.Body)

vendor/github.com/Azure/azure-sdk-for-go/storage/table.go

@@ -0,0 +1,129 @@
+package storage
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+)
+
+// TableServiceClient contains operations for Microsoft Azure Table Storage
+// Service.
+type TableServiceClient struct {
+	client Client
+}
+
+// AzureTable is the typedef of the Azure Table name
+type AzureTable string
+
+const (
+	tablesURIPath = "/Tables"
+)
+
+type createTableRequest struct {
+	TableName string `json:"TableName"`
+}
+
+func pathForTable(table AzureTable) string { return fmt.Sprintf("%s", table) }
+
+func (c *TableServiceClient) getStandardHeaders() map[string]string {
+	return map[string]string{
+		"x-ms-version":   "2015-02-21",
+		"x-ms-date":      currentTimeRfc1123Formatted(),
+		"Accept":         "application/json;odata=nometadata",
+		"Accept-Charset": "UTF-8",
+		"Content-Type":   "application/json",
+	}
+}
+
+// QueryTables returns the tables created in the
+// *TableServiceClient storage account.
+func (c *TableServiceClient) QueryTables() ([]AzureTable, error) {
+	uri := c.client.getEndpoint(tableServiceName, tablesURIPath, url.Values{})
+
+	headers := c.getStandardHeaders()
+	headers["Content-Length"] = "0"
+
+	resp, err := c.client.execTable("GET", uri, headers, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.body.Close()
+
+	if err := checkRespCode(resp.statusCode, []int{http.StatusOK}); err != nil {
+		return nil, err
+	}
+
+	buf := new(bytes.Buffer)
+	buf.ReadFrom(resp.body)
+
+	var respArray queryTablesResponse
+	if err := json.Unmarshal(buf.Bytes(), &respArray); err != nil {
+		return nil, err
+	}
+
+	s := make([]AzureTable, len(respArray.TableName))
+	for i, elem := range respArray.TableName {
+		s[i] = AzureTable(elem.TableName)
+	}
+
+	return s, nil
+}
+
+// CreateTable creates the table given the specific
+// name. This function fails if the name is not compliant
+// with the specification or the tables already exists.
+func (c *TableServiceClient) CreateTable(table AzureTable) error {
+	uri := c.client.getEndpoint(tableServiceName, tablesURIPath, url.Values{})
+
+	headers := c.getStandardHeaders()
+
+	req := createTableRequest{TableName: string(table)}
+	buf := new(bytes.Buffer)
+
+	if err := json.NewEncoder(buf).Encode(req); err != nil {
+		return err
+	}
+
+	headers["Content-Length"] = fmt.Sprintf("%d", buf.Len())
+
+	resp, err := c.client.execTable("POST", uri, headers, buf)
+
+	if err != nil {
+		return err
+	}
+	defer resp.body.Close()
+
+	if err := checkRespCode(resp.statusCode, []int{http.StatusCreated}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// DeleteTable deletes the table given the specific
+// name. This function fails if the table is not present.
+// Be advised: DeleteTable deletes all the entries
+// that may be present.
+func (c *TableServiceClient) DeleteTable(table AzureTable) error {
+	uri := c.client.getEndpoint(tableServiceName, tablesURIPath, url.Values{})
+	uri += fmt.Sprintf("('%s')", string(table))
+
+	headers := c.getStandardHeaders()
+
+	headers["Content-Length"] = "0"
+
+	resp, err := c.client.execTable("DELETE", uri, headers, nil)
+
+	if err != nil {
+		return err
+	}
+	defer resp.body.Close()
+
+	if err := checkRespCode(resp.statusCode, []int{http.StatusNoContent}); err != nil {
+		return err
+
+	}
+	return nil
+}

vendor/github.com/Azure/azure-sdk-for-go/storage/table_entities.go

@@ -0,0 +1,351 @@
+package storage
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"reflect"
+)
+
+const (
+	partitionKeyNode                    = "PartitionKey"
+	rowKeyNode                          = "RowKey"
+	tag                                 = "table"
+	tagIgnore                           = "-"
+	continuationTokenPartitionKeyHeader = "X-Ms-Continuation-Nextpartitionkey"
+	continuationTokenRowHeader          = "X-Ms-Continuation-Nextrowkey"
+	maxTopParameter                     = 1000
+)
+
+type queryTablesResponse struct {
+	TableName []struct {
+		TableName string `json:"TableName"`
+	} `json:"value"`
+}
+
+const (
+	tableOperationTypeInsert          = iota
+	tableOperationTypeUpdate          = iota
+	tableOperationTypeMerge           = iota
+	tableOperationTypeInsertOrReplace = iota
+	tableOperationTypeInsertOrMerge   = iota
+)
+
+type tableOperation int
+
+// TableEntity interface specifies
+// the functions needed to support
+// marshaling and unmarshaling into
+// Azure Tables. The struct must only contain
+// simple types because Azure Tables do not
+// support hierarchy.
+type TableEntity interface {
+	PartitionKey() string
+	RowKey() string
+	SetPartitionKey(string) error
+	SetRowKey(string) error
+}
+
+// ContinuationToken is an opaque (ie not useful to inspect)
+// struct that Get... methods can return if there are more
+// entries to be returned than the ones already
+// returned. Just pass it to the same function to continue
+// receiving the remaining entries.
+type ContinuationToken struct {
+	NextPartitionKey string
+	NextRowKey       string
+}
+
+type getTableEntriesResponse struct {
+	Elements []map[string]interface{} `json:"value"`
+}
+
+// QueryTableEntities queries the specified table and returns the unmarshaled
+// entities of type retType.
+// top parameter limits the returned entries up to top. Maximum top
+// allowed by Azure API is 1000. In case there are more than top entries to be
+// returned the function will return a non nil *ContinuationToken. You can call the
+// same function again passing the received ContinuationToken as previousContToken
+// parameter in order to get the following entries. The query parameter
+// is the odata query. To retrieve all the entries pass the empty string.
+// The function returns a pointer to a TableEntity slice, the *ContinuationToken
+// if there are more entries to be returned and an error in case something went
+// wrong.
+//
+// Example:
+// 		entities, cToken, err = tSvc.QueryTableEntities("table", cToken, reflect.TypeOf(entity), 20, "")
+func (c *TableServiceClient) QueryTableEntities(tableName AzureTable, previousContToken *ContinuationToken, retType reflect.Type, top int, query string) ([]TableEntity, *ContinuationToken, error) {
+	if top > maxTopParameter {
+		return nil, nil, fmt.Errorf("top accepts at maximum %d elements. Requested %d instead", maxTopParameter, top)
+	}
+
+	uri := c.client.getEndpoint(tableServiceName, pathForTable(tableName), url.Values{})
+	uri += fmt.Sprintf("?$top=%d", top)
+	if query != "" {
+		uri += fmt.Sprintf("&$filter=%s", url.QueryEscape(query))
+	}
+
+	if previousContToken != nil {
+		uri += fmt.Sprintf("&NextPartitionKey=%s&NextRowKey=%s", previousContToken.NextPartitionKey, previousContToken.NextRowKey)
+	}
+
+	headers := c.getStandardHeaders()
+
+	headers["Content-Length"] = "0"
+
+	resp, err := c.client.execTable("GET", uri, headers, nil)
+
+	contToken := extractContinuationTokenFromHeaders(resp.headers)
+
+	if err != nil {
+		return nil, contToken, err
+	}
+	defer resp.body.Close()
+
+	if err := checkRespCode(resp.statusCode, []int{http.StatusOK}); err != nil {
+		return nil, contToken, err
+	}
+
+	retEntries, err := deserializeEntity(retType, resp.body)
+	if err != nil {
+		return nil, contToken, err
+	}
+
+	return retEntries, contToken, nil
+}
+
+// InsertEntity inserts an entity in the specified table.
+// The function fails if there is an entity with the same
+// PartitionKey and RowKey in the table.
+func (c *TableServiceClient) InsertEntity(table AzureTable, entity TableEntity) error {
+	var err error
+
+	if sc, err := c.execTable(table, entity, false, "POST"); err != nil {
+		return checkRespCode(sc, []int{http.StatusCreated})
+	}
+
+	return err
+}
+
+func (c *TableServiceClient) execTable(table AzureTable, entity TableEntity, specifyKeysInURL bool, method string) (int, error) {
+	uri := c.client.getEndpoint(tableServiceName, pathForTable(table), url.Values{})
+	if specifyKeysInURL {
+		uri += fmt.Sprintf("(PartitionKey='%s',RowKey='%s')", url.QueryEscape(entity.PartitionKey()), url.QueryEscape(entity.RowKey()))
+	}
+
+	headers := c.getStandardHeaders()
+
+	var buf bytes.Buffer
+
+	if err := injectPartitionAndRowKeys(entity, &buf); err != nil {
+		return 0, err
+	}
+
+	headers["Content-Length"] = fmt.Sprintf("%d", buf.Len())
+
+	var err error
+	var resp *odataResponse
+
+	resp, err = c.client.execTable(method, uri, headers, &buf)
+
+	if err != nil {
+		return 0, err
+	}
+
+	defer resp.body.Close()
+
+	return resp.statusCode, nil
+}
+
+// UpdateEntity updates the contents of an entity with the
+// one passed as parameter. The function fails if there is no entity
+// with the same PartitionKey and RowKey in the table.
+func (c *TableServiceClient) UpdateEntity(table AzureTable, entity TableEntity) error {
+	var err error
+
+	if sc, err := c.execTable(table, entity, true, "PUT"); err != nil {
+		return checkRespCode(sc, []int{http.StatusNoContent})
+	}
+	return err
+}
+
+// MergeEntity merges the contents of an entity with the
+// one passed as parameter.
+// The function fails if there is no entity
+// with the same PartitionKey and RowKey in the table.
+func (c *TableServiceClient) MergeEntity(table AzureTable, entity TableEntity) error {
+	var err error
+
+	if sc, err := c.execTable(table, entity, true, "MERGE"); err != nil {
+		return checkRespCode(sc, []int{http.StatusNoContent})
+	}
+	return err
+}
+
+// DeleteEntityWithoutCheck deletes the entity matching by
+// PartitionKey and RowKey. There is no check on IfMatch
+// parameter so the entity is always deleted.
+// The function fails if there is no entity
+// with the same PartitionKey and RowKey in the table.
+func (c *TableServiceClient) DeleteEntityWithoutCheck(table AzureTable, entity TableEntity) error {
+	return c.DeleteEntity(table, entity, "*")
+}
+
+// DeleteEntity deletes the entity matching by
+// PartitionKey, RowKey and ifMatch field.
+// The function fails if there is no entity
+// with the same PartitionKey and RowKey in the table or
+// the ifMatch is different.
+func (c *TableServiceClient) DeleteEntity(table AzureTable, entity TableEntity, ifMatch string) error {
+	uri := c.client.getEndpoint(tableServiceName, pathForTable(table), url.Values{})
+	uri += fmt.Sprintf("(PartitionKey='%s',RowKey='%s')", url.QueryEscape(entity.PartitionKey()), url.QueryEscape(entity.RowKey()))
+
+	headers := c.getStandardHeaders()
+
+	headers["Content-Length"] = "0"
+	headers["If-Match"] = ifMatch
+
+	resp, err := c.client.execTable("DELETE", uri, headers, nil)
+
+	if err != nil {
+		return err
+	}
+	defer resp.body.Close()
+
+	if err := checkRespCode(resp.statusCode, []int{http.StatusNoContent}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// InsertOrReplaceEntity inserts an entity in the specified table
+// or replaced the existing one.
+func (c *TableServiceClient) InsertOrReplaceEntity(table AzureTable, entity TableEntity) error {
+	var err error
+
+	if sc, err := c.execTable(table, entity, true, "PUT"); err != nil {
+		return checkRespCode(sc, []int{http.StatusNoContent})
+	}
+	return err
+}
+
+// InsertOrMergeEntity inserts an entity in the specified table
+// or merges the existing one.
+func (c *TableServiceClient) InsertOrMergeEntity(table AzureTable, entity TableEntity) error {
+	var err error
+
+	if sc, err := c.execTable(table, entity, true, "MERGE"); err != nil {
+		return checkRespCode(sc, []int{http.StatusNoContent})
+	}
+	return err
+}
+
+func injectPartitionAndRowKeys(entity TableEntity, buf *bytes.Buffer) error {
+	if err := json.NewEncoder(buf).Encode(entity); err != nil {
+		return err
+	}
+
+	dec := make(map[string]interface{})
+	if err := json.NewDecoder(buf).Decode(&dec); err != nil {
+		return err
+	}
+
+	// Inject PartitionKey and RowKey
+	dec[partitionKeyNode] = entity.PartitionKey()
+	dec[rowKeyNode] = entity.RowKey()
+
+	// Remove tagged fields
+	// The tag is defined in the const section
+	// This is useful to avoid storing the PartitionKey and RowKey twice.
+	numFields := reflect.ValueOf(entity).Elem().NumField()
+	for i := 0; i < numFields; i++ {
+		f := reflect.ValueOf(entity).Elem().Type().Field(i)
+
+		if f.Tag.Get(tag) == tagIgnore {
+			// we must look for its JSON name in the dictionary
+			// as the user can rename it using a tag
+			jsonName := f.Name
+			if f.Tag.Get("json") != "" {
+				jsonName = f.Tag.Get("json")
+			}
+			delete(dec, jsonName)
+		}
+	}
+
+	buf.Reset()
+
+	if err := json.NewEncoder(buf).Encode(&dec); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func deserializeEntity(retType reflect.Type, reader io.Reader) ([]TableEntity, error) {
+	buf := new(bytes.Buffer)
+
+	var ret getTableEntriesResponse
+	if err := json.NewDecoder(reader).Decode(&ret); err != nil {
+		return nil, err
+	}
+
+	tEntries := make([]TableEntity, len(ret.Elements))
+
+	for i, entry := range ret.Elements {
+
+		buf.Reset()
+		if err := json.NewEncoder(buf).Encode(entry); err != nil {
+			return nil, err
+		}
+
+		dec := make(map[string]interface{})
+		if err := json.NewDecoder(buf).Decode(&dec); err != nil {
+			return nil, err
+		}
+
+		var pKey, rKey string
+		// strip pk and rk
+		for key, val := range dec {
+			switch key {
+			case partitionKeyNode:
+				pKey = val.(string)
+			case rowKeyNode:
+				rKey = val.(string)
+			}
+		}
+
+		delete(dec, partitionKeyNode)
+		delete(dec, rowKeyNode)
+
+		buf.Reset()
+		if err := json.NewEncoder(buf).Encode(dec); err != nil {
+			return nil, err
+		}
+
+		// Create a empty retType instance
+		tEntries[i] = reflect.New(retType.Elem()).Interface().(TableEntity)
+		// Popolate it with the values
+		if err := json.NewDecoder(buf).Decode(&tEntries[i]); err != nil {
+			return nil, err
+		}
+
+		// Reset PartitionKey and RowKey
+		tEntries[i].SetPartitionKey(pKey)
+		tEntries[i].SetRowKey(rKey)
+	}
+
+	return tEntries, nil
+}
+
+func extractContinuationTokenFromHeaders(h http.Header) *ContinuationToken {
+	ct := ContinuationToken{h.Get(continuationTokenPartitionKeyHeader), h.Get(continuationTokenRowHeader)}
+
+	if ct.NextPartitionKey != "" && ct.NextRowKey != "" {
+		return &ct
+	}
+	return nil
+}

vendor/github.com/aws/aws-sdk-go/aws/request/request.go

@@ -221,6 +221,13 @@ func (r *Request) Sign() error {
 //
 // Send will sign the request prior to sending. All Send Handlers will
 // be executed in the order they were set.
+//
+// Canceling a request is non-deterministic. If a request has been canceled,
+// then the transport will choose, randomly, one of the state channels during
+// reads or getting the connection.
+//
+// readLoop() and getConn(req *Request, cm connectMethod)
+// https://github.com/golang/go/blob/master/src/net/http/transport.go
 func (r *Request) Send() error {
 	for {
 		if aws.BoolValue(r.Retryable) {

vendor/github.com/aws/aws-sdk-go/aws/version.go

@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.1.20"
+const SDKVersion = "1.1.22"

vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/build.go

@@ -120,7 +120,8 @@ func buildStruct(value reflect.Value, buf *bytes.Buffer, tag reflect.StructTag)
 			name = locName
 		}
 
-		fmt.Fprintf(buf, "%q:", name)
+		writeString(name, buf)
+		buf.WriteString(`:`)
 
 		err := buildAny(member, buf, field.Tag)
 		if err != nil {
@@ -167,7 +168,9 @@ func buildMap(value reflect.Value, buf *bytes.Buffer, tag reflect.StructTag) err
 			buf.WriteByte(',')
 		}
 
-		fmt.Fprintf(buf, "%q:", k)
+		writeString(k.String(), buf)
+		buf.WriteString(`:`)
+
 		buildAny(value.MapIndex(k), buf, "")
 	}
 

vendor/github.com/aws/aws-sdk-go/service/ec2/api.go

@@ -1777,6 +1777,11 @@ func (c *EC2) CreateVpcRequest(input *CreateVpcInput) (req *request.Request, out
 // which includes only a default DNS server that we provide (AmazonProvidedDNS).
 // For more information about DHCP options, see DHCP Options Sets (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html)
 // in the Amazon Virtual Private Cloud User Guide.
+//
+// You can specify the instance tenancy value for the VPC when you create it.
+// You can't change this value for the VPC after you create it. For more information,
+// see Dedicated Instances (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/dedicated-instance.html.html)
+// in the Amazon Virtual Private Cloud User Guide.
 func (c *EC2) CreateVpc(input *CreateVpcInput) (*CreateVpcOutput, error) {
 	req, out := c.CreateVpcRequest(input)
 	err := req.Send()
@@ -1887,6 +1892,9 @@ func (c *EC2) CreateVpnConnectionRequest(input *CreateVpnConnectionInput) (req *
 // create a new VPN connection, you must reconfigure your customer gateway with
 // the new information returned from this call.
 //
+// This is an idempotent operation. If you perform the operation more than
+// once, Amazon EC2 doesn't return an error.
+//
 // For more information about VPN connections, see Adding a Hardware Virtual
 // Private Gateway to Your VPC (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html)
 // in the Amazon Virtual Private Cloud User Guide.
@@ -3130,7 +3138,8 @@ func (c *EC2) DescribeIdFormatRequest(input *DescribeIdFormatInput) (req *reques
 // request only returns information about resource types whose ID formats can
 // be modified; it does not return information about other resource types.
 //
-// The following resource types support longer IDs: instance | reservation.
+// The following resource types support longer IDs: instance | reservation
+// | snapshot | volume.
 //
 // These settings apply to the IAM user who makes the request; they do not
 // apply to the entire AWS account. By default, an IAM user defaults to the
@@ -3318,7 +3327,8 @@ func (c *EC2) DescribeInstanceStatusRequest(input *DescribeInstanceStatusInput)
 	return
 }
 
-// Describes the status of one or more instances.
+// Describes the status of one or more instances. By default, only running instances
+// are described, unless specified otherwise.
 //
 // Instance status includes the following components:
 //
@@ -3328,7 +3338,7 @@ func (c *EC2) DescribeInstanceStatusRequest(input *DescribeInstanceStatusInput)
 // and Troubleshooting Instances with Failed Status Checks (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstances.html)
 // in the Amazon Elastic Compute Cloud User Guide.
 //
-//   Scheduled events - Amazon EC2 can schedule events (such as reboot, stop,
+//  Scheduled events - Amazon EC2 can schedule events (such as reboot, stop,
 // or terminate) for your instances related to hardware issues, software updates,
 // or system maintenance. For more information, see Scheduled Events for Your
 // Instances (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instances-status-check_sched.html)
@@ -5559,7 +5569,7 @@ func (c *EC2) ModifyIdFormatRequest(input *ModifyIdFormatInput) (req *request.Re
 // Modifies the ID format for the specified resource on a per-region basis.
 // You can specify that resources should receive longer IDs (17-character IDs)
 // when they are created. The following resource types support longer IDs: instance
-// | reservation.
+// | reservation | snapshot | volume.
 //
 // This setting applies to the IAM user who makes the request; it does not
 // apply to the entire AWS account. By default, an IAM user defaults to the
@@ -5964,6 +5974,49 @@ func (c *EC2) ModifyVpcEndpoint(input *ModifyVpcEndpointInput) (*ModifyVpcEndpoi
 	return out, err
 }
 
+const opModifyVpcPeeringConnectionOptions = "ModifyVpcPeeringConnectionOptions"
+
+// ModifyVpcPeeringConnectionOptionsRequest generates a request for the ModifyVpcPeeringConnectionOptions operation.
+func (c *EC2) ModifyVpcPeeringConnectionOptionsRequest(input *ModifyVpcPeeringConnectionOptionsInput) (req *request.Request, output *ModifyVpcPeeringConnectionOptionsOutput) {
+	op := &request.Operation{
+		Name:       opModifyVpcPeeringConnectionOptions,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &ModifyVpcPeeringConnectionOptionsInput{}
+	}
+
+	req = c.newRequest(op, input, output)
+	output = &ModifyVpcPeeringConnectionOptionsOutput{}
+	req.Data = output
+	return
+}
+
+// Modifies the VPC peering connection options on one side of a VPC peering
+// connection. You can do the following:
+//
+//  Enable/disable communication over the peering connection between an EC2-Classic
+// instance that's linked to your VPC (using ClassicLink) and instances in the
+// peer VPC.
+//
+// Enable/disable communication over the peering connection between instances
+// in your VPC and an EC2-Classic instance that's linked to the peer VPC.
+//
+//  If the peered VPCs are in different accounts, each owner must initiate
+// a separate request to enable or disable communication in either direction,
+// depending on whether their VPC was the requester or accepter for the VPC
+// peering connection. If the peered VPCs are in the same account, you can modify
+// the requester and accepter options in the same request. To confirm which
+// VPC is the accepter and requester for a VPC peering connection, use the DescribeVpcPeeringConnections
+// command.
+func (c *EC2) ModifyVpcPeeringConnectionOptions(input *ModifyVpcPeeringConnectionOptionsInput) (*ModifyVpcPeeringConnectionOptionsOutput, error) {
+	req, out := c.ModifyVpcPeeringConnectionOptionsRequest(input)
+	err := req.Send()
+	return out, err
+}
+
 const opMonitorInstances = "MonitorInstances"
 
 // MonitorInstancesRequest generates a request for the MonitorInstances operation.
@@ -6091,7 +6144,11 @@ func (c *EC2) PurchaseScheduledInstancesRequest(input *PurchaseScheduledInstance
 // Scheduled Instances enable you to purchase Amazon EC2 compute capacity by
 // the hour for a one-year term. Before you can purchase a Scheduled Instance,
 // you must call DescribeScheduledInstanceAvailability to check for available
-// schedules and obtain a purchase token.
+// schedules and obtain a purchase token. After you purchase a Scheduled Instance,
+// you must call RunScheduledInstances during each scheduled time period.
+//
+// After you purchase a Scheduled Instance, you can't cancel, modify, or resell
+// your purchase.
 func (c *EC2) PurchaseScheduledInstances(input *PurchaseScheduledInstancesInput) (*PurchaseScheduledInstancesOutput, error) {
 	req, out := c.PurchaseScheduledInstancesRequest(input)
 	err := req.Send()
@@ -6125,8 +6182,8 @@ func (c *EC2) RebootInstancesRequest(input *RebootInstancesInput) (req *request.
 // succeeds if the instances are valid and belong to you. Requests to reboot
 // terminated instances are ignored.
 //
-// If a Linux/Unix instance does not cleanly shut down within four minutes,
+// If an instance does not cleanly shut down within four minutes, Amazon EC2
-// Amazon EC2 performs a hard reboot.
+// performs a hard reboot.
 //
 // For more information about troubleshooting, see Getting Console Output and
 // Rebooting Instances (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-console.html)
@@ -6887,7 +6944,9 @@ func (c *EC2) RunScheduledInstancesRequest(input *RunScheduledInstancesInput) (r
 // You must launch a Scheduled Instance during its scheduled time period. You
 // can't stop or reboot a Scheduled Instance, but you can terminate it as needed.
 // If you terminate a Scheduled Instance before the current scheduled time period
-// ends, you can launch it again after a few minutes.
+// ends, you can launch it again after a few minutes. For more information,
+// see Scheduled Instances (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-scheduled-instances.html)
+// in the Amazon Elastic Compute Cloud User Guide.
 func (c *EC2) RunScheduledInstances(input *RunScheduledInstancesInput) (*RunScheduledInstancesOutput, error) {
 	req, out := c.RunScheduledInstancesRequest(input)
 	err := req.Send()
@@ -6959,32 +7018,29 @@ func (c *EC2) StopInstancesRequest(input *StopInstancesInput) (req *request.Requ
 	return
 }
 
-// Stops an Amazon EBS-backed instance. Each time you transition an instance
+// Stops an Amazon EBS-backed instance.
-// from stopped to started, Amazon EC2 charges a full instance hour, even if
-// transitions happen multiple times within a single hour.
 //
-// You can't start or stop Spot instances.
+// We don't charge hourly usage for a stopped instance, or data transfer fees;
+// however, your root partition Amazon EBS volume remains, continues to persist
+// your data, and you are charged for Amazon EBS volume usage. Each time you
+// transition an instance from stopped to started, Amazon EC2 charges a full
+// instance hour, even if transitions happen multiple times within a single
+// hour.
 //
-// Instances that use Amazon EBS volumes as their root devices can be quickly
+// You can't start or stop Spot instances, and you can't stop instance store-backed
-// stopped and started. When an instance is stopped, the compute resources are
+// instances.
-// released and you are not billed for hourly instance usage. However, your
-// root partition Amazon EBS volume remains, continues to persist your data,
-// and you are charged for Amazon EBS volume usage. You can restart your instance
-// at any time.
 //
-// Before stopping an instance, make sure it is in a state from which it can
+// When you stop an instance, we shut it down. You can restart your instance
-// be restarted. Stopping an instance does not preserve data stored in RAM.
+// at any time. Before stopping an instance, make sure it is in a state from
+// which it can be restarted. Stopping an instance does not preserve data stored
+// in RAM.
 //
-// Performing this operation on an instance that uses an instance store as
+// Stopping an instance is different to rebooting or terminating it. For example,
-// its root device returns an error.
+// when you stop an instance, the root device and any other devices attached
-//
+// to the instance persist. When you terminate an instance, the root device
-// You can stop, start, and terminate EBS-backed instances. You can only terminate
+// and any other devices attached during the instance launch are automatically
-// instance store-backed instances. What happens to an instance differs if you
+// deleted. For more information about the differences between rebooting, stopping,
-// stop it or terminate it. For example, when you stop an instance, the root
+// and terminating instances, see Instance Lifecycle (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html)
-// device and any other devices attached to the instance persist. When you terminate
-// an instance, the root device and any other devices attached during the instance
-// launch are automatically deleted. For more information about the differences
-// between stopping and terminating instances, see Instance Lifecycle (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html)
 // in the Amazon Elastic Compute Cloud User Guide.
 //
 // For more information about troubleshooting, see Troubleshooting Stopping
@@ -9450,11 +9506,10 @@ type CreateImageInput struct {
 	// at-signs (@), or underscores(_)
 	Name *string `locationName:"name" type:"string" required:"true"`
 
-	// By default, this parameter is set to false, which means Amazon EC2 attempts
+	// By default, Amazon EC2 attempts to shut down and reboot the instance before
-	// to shut down the instance cleanly before image creation and then reboots
+	// creating the image. If the 'No Reboot' option is set, Amazon EC2 doesn't
-	// the instance. When the parameter is set to true, Amazon EC2 doesn't shut
+	// shut down the instance before creating the image. When this option is used,
-	// down the instance before creating the image. When this option is used, file
+	// file system integrity on the created image can't be guaranteed.
-	// system integrity on the created image can't be guaranteed.
 	NoReboot *bool `locationName:"noReboot" type:"boolean"`
 }
 
@@ -10755,11 +10810,11 @@ type CreateVpcInput struct {
 	// it is UnauthorizedOperation.
 	DryRun *bool `locationName:"dryRun" type:"boolean"`
 
-	// The supported tenancy options for instances launched into the VPC. A value
+	// The tenancy options for instances launched into the VPC. For default, instances
-	// of default means that instances can be launched with any tenancy; a value
+	// are launched with shared tenancy by default. You can launch instances with
-	// of dedicated means all instances launched into the VPC are launched as dedicated
+	// any tenancy into a shared tenancy VPC. For dedicated, instances are launched
-	// tenancy instances regardless of the tenancy assigned to the instance at launch.
+	// as dedicated tenancy instances by default. You can only launch instances
-	// Dedicated tenancy instances run on single-tenant hardware.
+	// with a tenancy of dedicated or host into a dedicated tenancy VPC.
 	//
 	// Important: The host value cannot be used with this parameter. Use the default
 	// or dedicated values only.
@@ -13282,7 +13337,8 @@ type DescribeImportImageTasksInput struct {
 	// it is UnauthorizedOperation.
 	DryRun *bool `type:"boolean"`
 
-	// One or more filters.
+	// Filter tasks using the task-state filter and one of the following values:
+	// active, completed, deleting, deleted.
 	Filters []*Filter `locationNameList:"Filter" type:"list"`
 
 	// A list of import image task IDs.
@@ -21159,6 +21215,78 @@ func (s ModifyVpcEndpointOutput) GoString() string {
 	return s.String()
 }
 
+type ModifyVpcPeeringConnectionOptionsInput struct {
+	_ struct{} `type:"structure"`
+
+	// The VPC peering connection options for the accepter VPC.
+	AccepterPeeringConnectionOptions *PeeringConnectionOptionsRequest `type:"structure"`
+
+	// Checks whether you have the required permissions for the operation, without
+	// actually making the request, and provides an error response. If you have
+	// the required permissions, the error response is DryRunOperation. Otherwise,
+	// it is UnauthorizedOperation.
+	DryRun *bool `type:"boolean"`
+
+	// The VPC peering connection options for the requester VPC.
+	RequesterPeeringConnectionOptions *PeeringConnectionOptionsRequest `type:"structure"`
+
+	// The ID of the VPC peering connection.
+	VpcPeeringConnectionId *string `type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s ModifyVpcPeeringConnectionOptionsInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ModifyVpcPeeringConnectionOptionsInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ModifyVpcPeeringConnectionOptionsInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ModifyVpcPeeringConnectionOptionsInput"}
+	if s.VpcPeeringConnectionId == nil {
+		invalidParams.Add(request.NewErrParamRequired("VpcPeeringConnectionId"))
+	}
+	if s.AccepterPeeringConnectionOptions != nil {
+		if err := s.AccepterPeeringConnectionOptions.Validate(); err != nil {
+			invalidParams.AddNested("AccepterPeeringConnectionOptions", err.(request.ErrInvalidParams))
+		}
+	}
+	if s.RequesterPeeringConnectionOptions != nil {
+		if err := s.RequesterPeeringConnectionOptions.Validate(); err != nil {
+			invalidParams.AddNested("RequesterPeeringConnectionOptions", err.(request.ErrInvalidParams))
+		}
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+type ModifyVpcPeeringConnectionOptionsOutput struct {
+	_ struct{} `type:"structure"`
+
+	// Information about the VPC peering connection options for the accepter VPC.
+	AccepterPeeringConnectionOptions *PeeringConnectionOptions `locationName:"accepterPeeringConnectionOptions" type:"structure"`
+
+	// Information about the VPC peering connection options for the requester VPC.
+	RequesterPeeringConnectionOptions *PeeringConnectionOptions `locationName:"requesterPeeringConnectionOptions" type:"structure"`
+}
+
+// String returns the string representation
+func (s ModifyVpcPeeringConnectionOptionsOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s ModifyVpcPeeringConnectionOptionsOutput) GoString() string {
+	return s.String()
+}
+
 // Contains the parameters for MonitorInstances.
 type MonitorInstancesInput struct {
 	_ struct{} `type:"structure"`
@@ -21706,6 +21834,68 @@ func (s NewDhcpConfiguration) GoString() string {
 	return s.String()
 }
 
+// Describes the VPC peering connection options.
+type PeeringConnectionOptions struct {
+	_ struct{} `type:"structure"`
+
+	// If true, enables outbound communication from an EC2-Classic instance that's
+	// linked to a local VPC via ClassicLink to instances in a peer VPC.
+	AllowEgressFromLocalClassicLinkToRemoteVpc *bool `locationName:"allowEgressFromLocalClassicLinkToRemoteVpc" type:"boolean"`
+
+	// If true, enables outbound communication from instances in a local VPC to
+	// an EC2-Classic instance that's linked to a peer VPC via ClassicLink.
+	AllowEgressFromLocalVpcToRemoteClassicLink *bool `locationName:"allowEgressFromLocalVpcToRemoteClassicLink" type:"boolean"`
+}
+
+// String returns the string representation
+func (s PeeringConnectionOptions) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s PeeringConnectionOptions) GoString() string {
+	return s.String()
+}
+
+// The VPC peering connection options.
+type PeeringConnectionOptionsRequest struct {
+	_ struct{} `type:"structure"`
+
+	// If true, enables outbound communication from an EC2-Classic instance that's
+	// linked to a local VPC via ClassicLink to instances in a peer VPC.
+	AllowEgressFromLocalClassicLinkToRemoteVpc *bool `type:"boolean" required:"true"`
+
+	// If true, enables outbound communication from instances in a local VPC to
+	// an EC2-Classic instance that's linked to a peer VPC via ClassicLink.
+	AllowEgressFromLocalVpcToRemoteClassicLink *bool `type:"boolean" required:"true"`
+}
+
+// String returns the string representation
+func (s PeeringConnectionOptionsRequest) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s PeeringConnectionOptionsRequest) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *PeeringConnectionOptionsRequest) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "PeeringConnectionOptionsRequest"}
+	if s.AllowEgressFromLocalClassicLinkToRemoteVpc == nil {
+		invalidParams.Add(request.NewErrParamRequired("AllowEgressFromLocalClassicLinkToRemoteVpc"))
+	}
+	if s.AllowEgressFromLocalVpcToRemoteClassicLink == nil {
+		invalidParams.Add(request.NewErrParamRequired("AllowEgressFromLocalVpcToRemoteClassicLink"))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
 // Describes the placement for the instance.
 type Placement struct {
 	_ struct{} `type:"structure"`
@@ -25698,29 +25888,28 @@ type StateReason struct {
 
 	// The message for the state change.
 	//
-	//   Server.SpotInstanceTermination: A Spot instance was terminated due to
+	//  Server.SpotInstanceTermination: A Spot instance was terminated due to an
-	// an increase in the market price.
+	// increase in the market price.
 	//
-	//   Server.InternalError: An internal error occurred during instance launch,
+	// Server.InternalError: An internal error occurred during instance launch,
 	// resulting in termination.
 	//
-	//   Server.InsufficientInstanceCapacity: There was insufficient instance capacity
+	// Server.InsufficientInstanceCapacity: There was insufficient instance capacity
 	// to satisfy the launch request.
 	//
-	//   Client.InternalError: A client error caused the instance to terminate
+	// Client.InternalError: A client error caused the instance to terminate on
-	// on launch.
+	// launch.
 	//
-	//   Client.InstanceInitiatedShutdown: The instance was shut down using the
+	// Client.InstanceInitiatedShutdown: The instance was shut down using the shutdown
-	// shutdown -h command from the instance.
+	// -h command from the instance.
 	//
-	//   Client.UserInitiatedShutdown: The instance was shut down using the Amazon
+	// Client.UserInitiatedShutdown: The instance was shut down using the Amazon
 	// EC2 API.
 	//
-	//   Client.VolumeLimitExceeded: The limit on the number of EBS volumes or
+	// Client.VolumeLimitExceeded: The limit on the number of EBS volumes or total
-	// total storage was exceeded. Decrease usage or request an increase in your
+	// storage was exceeded. Decrease usage or request an increase in your limits.
-	// limits.
 	//
-	//   Client.InvalidSnapshot.NotFound: The specified snapshot was not found.
+	// Client.InvalidSnapshot.NotFound: The specified snapshot was not found.
 	Message *string `locationName:"message" type:"string"`
 }
 
@@ -26627,13 +26816,15 @@ func (s VpcEndpoint) GoString() string {
 type VpcPeeringConnection struct {
 	_ struct{} `type:"structure"`
 
-	// The information of the peer VPC.
+	// Information about the peer VPC. CIDR block information is not returned when
+	// creating a VPC peering connection, or when describing a VPC peering connection
+	// that's in the initiating-request or pending-acceptance state.
 	AccepterVpcInfo *VpcPeeringConnectionVpcInfo `locationName:"accepterVpcInfo" type:"structure"`
 
 	// The time that an unaccepted VPC peering connection will expire.
 	ExpirationTime *time.Time `locationName:"expirationTime" type:"timestamp" timestampFormat:"iso8601"`
 
-	// The information of the requester VPC.
+	// Information about the requester VPC.
 	RequesterVpcInfo *VpcPeeringConnectionVpcInfo `locationName:"requesterVpcInfo" type:"structure"`
 
 	// The status of the VPC peering connection.
@@ -26656,6 +26847,29 @@ func (s VpcPeeringConnection) GoString() string {
 	return s.String()
 }
 
+// Describes the VPC peering connection options.
+type VpcPeeringConnectionOptionsDescription struct {
+	_ struct{} `type:"structure"`
+
+	// Indicates whether a local ClassicLink connection can communicate with the
+	// peer VPC over the VPC peering connection.
+	AllowEgressFromLocalClassicLinkToRemoteVpc *bool `locationName:"allowEgressFromLocalClassicLinkToRemoteVpc" type:"boolean"`
+
+	// Indicates whether a local VPC can communicate with a ClassicLink connection
+	// in the peer VPC over the VPC peering connection.
+	AllowEgressFromLocalVpcToRemoteClassicLink *bool `locationName:"allowEgressFromLocalVpcToRemoteClassicLink" type:"boolean"`
+}
+
+// String returns the string representation
+func (s VpcPeeringConnectionOptionsDescription) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s VpcPeeringConnectionOptionsDescription) GoString() string {
+	return s.String()
+}
+
 // Describes the status of a VPC peering connection.
 type VpcPeeringConnectionStateReason struct {
 	_ struct{} `type:"structure"`
@@ -26687,6 +26901,10 @@ type VpcPeeringConnectionVpcInfo struct {
 	// The AWS account ID of the VPC owner.
 	OwnerId *string `locationName:"ownerId" type:"string"`
 
+	// Information about the VPC peering connection options for the accepter or
+	// requester VPC.
+	PeeringOptions *VpcPeeringConnectionOptionsDescription `locationName:"peeringOptions" type:"structure"`
+
 	// The ID of the VPC.
 	VpcId *string `locationName:"vpcId" type:"string"`
 }

vendor/github.com/aws/aws-sdk-go/service/sts/api.go

@@ -39,7 +39,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
-// Important: You cannot call AssumeRole by using AWS root account credentials;
+//  Important: You cannot call AssumeRole by using AWS root account credentials;
 // access is denied. You must use IAM user credentials or temporary security
 // credentials to call AssumeRole.
 //
@@ -78,8 +78,8 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // policy of the role that is being assumed. If you pass a policy to this operation,
 // the temporary security credentials that are returned by the operation have
 // the permissions that are allowed by both the access policy of the role that
-// is being assumed, and the policy that you pass. This gives you a way to further
+// is being assumed,  and  the policy that you pass. This gives you a way to
-// restrict the permissions for the resulting temporary security credentials.
+// further restrict the permissions for the resulting temporary security credentials.
 // You cannot use the passed policy to grant permissions that are in excess
 // of those allowed by the access policy of the role that is being assumed.
 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
@@ -174,8 +174,8 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // policy of the role that is being assumed. If you pass a policy to this operation,
 // the temporary security credentials that are returned by the operation have
 // the permissions that are allowed by both the access policy of the role that
-// is being assumed, and the policy that you pass. This gives you a way to further
+// is being assumed,  and  the policy that you pass. This gives you a way to
-// restrict the permissions for the resulting temporary security credentials.
+// further restrict the permissions for the resulting temporary security credentials.
 // You cannot use the passed policy to grant permissions that are in excess
 // of those allowed by the access policy of the role that is being assumed.
 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
@@ -192,12 +192,24 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // The identity of the caller is validated by using keys in the metadata document
 // that is uploaded for the SAML provider entity for your identity provider.
 //
-// For more information, see the following resources:
+//  Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
+// logs. The entry includes the value in the NameID element of the SAML assertion.
+// We recommend that you use a NameIDType that is not associated with any personally
+// identifiable information (PII). For example, you could instead use the Persistent
+// Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
 //
-//  About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
+//  For more information, see the following resources:
-// in the IAM User Guide.   Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+//
-// in the IAM User Guide.   Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
+//    About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
-// in the IAM User Guide.   Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
+// in the IAM User Guide.
+//
+//    Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+// in the IAM User Guide.
+//
+//    Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
+// in the IAM User Guide.
+//
+//    Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
 // in the IAM User Guide.
 func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) {
 	req, out := c.AssumeRoleWithSAMLRequest(input)
@@ -270,8 +282,8 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // policy of the role that is being assumed. If you pass a policy to this operation,
 // the temporary security credentials that are returned by the operation have
 // the permissions that are allowed by both the access policy of the role that
-// is being assumed, and the policy that you pass. This gives you a way to further
+// is being assumed,  and  the policy that you pass. This gives you a way to
-// restrict the permissions for the resulting temporary security credentials.
+// further restrict the permissions for the resulting temporary security credentials.
 // You cannot use the passed policy to grant permissions that are in excess
 // of those allowed by the access policy of the role that is being assumed.
 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
@@ -284,19 +296,30 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // the identity provider that is associated with the identity token. In other
 // words, the identity provider must be specified in the role's trust policy.
 //
-// For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
+//  Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
+// logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
+// of the provided Web Identity Token. We recommend that you avoid using any
+// personally identifiable information (PII) in this field. For example, you
+// could instead use a GUID or a pairwise identifier, as suggested in the OIDC
+// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
+//
+//  For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
 // API, see the following resources:
 //
-//   Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual)
+//    Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual)
 // and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
-//   Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
+//
+//     Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
 // This interactive website lets you walk through the process of authenticating
 // via Login with Amazon, Facebook, or Google, getting temporary security credentials,
-// and then using those credentials to make a request to AWS.  AWS SDK for iOS
+// and then using those credentials to make a request to AWS.
-// (http://aws.amazon.com/sdkforios/) and AWS SDK for Android (http://aws.amazon.com/sdkforandroid/).
+//
-// These toolkits contain sample apps that show how to invoke the identity providers,
+//    AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android
-// and then how to use the information from these providers to get and use temporary
+// (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample apps
-// security credentials.  Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/4617974389850313).
+// that show how to invoke the identity providers, and then how to use the information
+// from these providers to get and use temporary security credentials.
+//
+//    Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/4617974389850313).
 // This article discusses web identity federation and shows an example of how
 // to use web identity federation to get access to content in Amazon S3.
 func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) {
@@ -335,20 +358,28 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag
 //
 //  Only certain AWS actions return an encoded authorization message. The documentation
 // for an individual action indicates whether that action returns an encoded
-// message in addition to returning an HTTP code.  The message is encoded because
+// message in addition to returning an HTTP code.
-// the details of the authorization status can constitute privileged information
+//
-// that the user who requested the action should not see. To decode an authorization
+//  The message is encoded because the details of the authorization status
-// status message, a user must be granted permissions via an IAM policy to request
+// can constitute privileged information that the user who requested the action
-// the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.
+// should not see. To decode an authorization status message, a user must be
+// granted permissions via an IAM policy to request the DecodeAuthorizationMessage
+// (sts:DecodeAuthorizationMessage) action.
 //
 // The decoded message includes the following type of information:
 //
-//  Whether the request was denied due to an explicit deny or due to the absence
+//   Whether the request was denied due to an explicit deny or due to the absence
 // of an explicit allow. For more information, see Determining Whether a Request
 // is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
-// in the IAM User Guide.  The principal who made the request. The requested
+// in the IAM User Guide.
-// action. The requested resource. The values of condition keys in the context
+//
-// of the user's request.
+//   The principal who made the request.
+//
+//   The requested action.
+//
+//   The requested resource.
+//
+//   The values of condition keys in the context of the user's request.
 func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) {
 	req, out := c.DecodeAuthorizationMessageRequest(input)
 	err := req.Send()
@@ -449,17 +480,20 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // The permissions for the temporary security credentials returned by GetFederationToken
 // are determined by a combination of the following:
 //
-//  The policy or policies that are attached to the IAM user whose credentials
+//   The policy or policies that are attached to the IAM user whose credentials
-// are used to call GetFederationToken. The policy that is passed as a parameter
+// are used to call GetFederationToken.
-// in the call.  The passed policy is attached to the temporary security credentials
+//
-// that result from the GetFederationToken API call--that is, to the federated
+//   The policy that is passed as a parameter in the call.
-// user. When the federated user makes an AWS request, AWS evaluates the policy
+//
-// attached to the federated user in combination with the policy or policies
+//   The passed policy is attached to the temporary security credentials that
-// attached to the IAM user whose credentials were used to call GetFederationToken.
+// result from the GetFederationToken API call--that is, to the federated user.
-// AWS allows the federated user's request only when both the federated user
+// When the federated user makes an AWS request, AWS evaluates the policy attached
-// and the IAM user are explicitly allowed to perform the requested action.
+// to the federated user in combination with the policy or policies attached
-// The passed policy cannot grant more permissions than those that are defined
+// to the IAM user whose credentials were used to call GetFederationToken. AWS
-// in the IAM user policy.
+// allows the federated user's request only when both the federated user  and
+//  the IAM user are explicitly allowed to perform the requested action. The
+// passed policy cannot grant more permissions than those that are defined in
+// the IAM user policy.
 //
 // A typical use case is that the permissions of the IAM user whose credentials
 // are used to call GetFederationToken are designed to allow access to all the
@@ -573,6 +607,10 @@ type AssumeRoleInput struct {
 	// created it. For more information about the external ID, see How to Use an
 	// External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
 	// in the IAM User Guide.
+	//
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters consisting of upper- and lower-case alphanumeric characters
+	// with no spaces. You can also include any of the following characters: =,.@:\/-
 	ExternalId *string `min:"2" type:"string"`
 
 	// An IAM policy in JSON format.
@@ -588,7 +626,13 @@ type AssumeRoleInput struct {
 	// and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
 	// in the IAM User Guide.
 	//
-	// The policy plain text must be 2048 bytes or shorter. However, an internal
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters up to 2048 characters in length. The characters can be any
+	// ASCII character from the space character to the end of the valid character
+	// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
+	// and carriage return (\u000D) characters.
+	//
+	//  The policy plain text must be 2048 bytes or shorter. However, an internal
 	// conversion compresses it into a packed binary format with a separate limit.
 	// The PackedPolicySize response element indicates by percentage how close to
 	// the upper size limit the policy is, with 100% equaling the maximum allowed
@@ -607,6 +651,10 @@ type AssumeRoleInput struct {
 	// of the assumed role principal. This means that subsequent cross-account API
 	// requests using the temporary security credentials will expose the role session
 	// name to the external account in their CloudTrail logs.
+	//
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters consisting of upper- and lower-case alphanumeric characters
+	// with no spaces. You can also include any of the following characters: =,.@-
 	RoleSessionName *string `min:"2" type:"string" required:"true"`
 
 	// The identification number of the MFA device that is associated with the user
@@ -614,12 +662,19 @@ type AssumeRoleInput struct {
 	// of the role being assumed includes a condition that requires MFA authentication.
 	// The value is either the serial number for a hardware device (such as GAHT12345678)
 	// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
+	//
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters consisting of upper- and lower-case alphanumeric characters
+	// with no spaces. You can also include any of the following characters: =,.@-
 	SerialNumber *string `min:"9" type:"string"`
 
 	// The value provided by the MFA device, if the trust policy of the role being
 	// assumed requires MFA (that is, if the policy includes a condition that tests
 	// for MFA). If the role being assumed requires MFA and if the TokenCode value
 	// is missing or expired, the AssumeRole call returns an "access denied" error.
+	//
+	// The format for this parameter, as described by its regex pattern, is a sequence
+	// of six numeric digits.
 	TokenCode *string `min:"6" type:"string"`
 }
 
@@ -685,7 +740,7 @@ type AssumeRoleOutput struct {
 	// The temporary security credentials, which include an access key ID, a secret
 	// access key, and a security (or session) token.
 	//
-	// Note: The size of the security token that STS APIs return is not fixed.
+	//  Note: The size of the security token that STS APIs return is not fixed.
 	// We strongly recommend that you make no assumptions about the maximum size.
 	// As of this writing, the typical size is less than 4096 bytes, but that can
 	// vary. Also, future updates to AWS might require larger sizes.
@@ -716,8 +771,8 @@ type AssumeRoleWithSAMLInput struct {
 	// response's SessionNotOnOrAfter value. The actual expiration time is whichever
 	// value is shorter.
 	//
-	// The maximum duration for a session is 1 hour, and the minimum duration is
+	//  The maximum duration for a session is 1 hour, and the minimum duration
-	// 15 minutes, even if values outside this range are specified.
+	// is 15 minutes, even if values outside this range are specified.
 	DurationSeconds *int64 `min:"900" type:"integer"`
 
 	// An IAM policy in JSON format.
@@ -725,15 +780,21 @@ type AssumeRoleWithSAMLInput struct {
 	// The policy parameter is optional. If you pass a policy, the temporary security
 	// credentials that are returned by the operation have the permissions that
 	// are allowed by both the access policy of the role that is being assumed,
-	// and the policy that you pass. This gives you a way to further restrict the
+	//  and  the policy that you pass. This gives you a way to further restrict
-	// permissions for the resulting temporary security credentials. You cannot
+	// the permissions for the resulting temporary security credentials. You cannot
 	// use the passed policy to grant permissions that are in excess of those allowed
 	// by the access policy of the role that is being assumed. For more information,
 	// Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity
 	// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
 	// in the IAM User Guide.
 	//
-	// The policy plain text must be 2048 bytes or shorter. However, an internal
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters up to 2048 characters in length. The characters can be any
+	// ASCII character from the space character to the end of the valid character
+	// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
+	// and carriage return (\u000D) characters.
+	//
+	//  The policy plain text must be 2048 bytes or shorter. However, an internal
 	// conversion compresses it into a packed binary format with a separate limit.
 	// The PackedPolicySize response element indicates by percentage how close to
 	// the upper size limit the policy is, with 100% equaling the maximum allowed
@@ -815,7 +876,7 @@ type AssumeRoleWithSAMLOutput struct {
 	// The temporary security credentials, which include an access key ID, a secret
 	// access key, and a security (or session) token.
 	//
-	// Note: The size of the security token that STS APIs return is not fixed.
+	//  Note: The size of the security token that STS APIs return is not fixed.
 	// We strongly recommend that you make no assumptions about the maximum size.
 	// As of this writing, the typical size is less than 4096 bytes, but that can
 	// vary. Also, future updates to AWS might require larger sizes.
@@ -877,14 +938,20 @@ type AssumeRoleWithWebIdentityInput struct {
 	// The policy parameter is optional. If you pass a policy, the temporary security
 	// credentials that are returned by the operation have the permissions that
 	// are allowed by both the access policy of the role that is being assumed,
-	// and the policy that you pass. This gives you a way to further restrict the
+	//  and  the policy that you pass. This gives you a way to further restrict
-	// permissions for the resulting temporary security credentials. You cannot
+	// the permissions for the resulting temporary security credentials. You cannot
 	// use the passed policy to grant permissions that are in excess of those allowed
 	// by the access policy of the role that is being assumed. For more information,
 	// see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
 	// in the IAM User Guide.
 	//
-	// The policy plain text must be 2048 bytes or shorter. However, an internal
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters up to 2048 characters in length. The characters can be any
+	// ASCII character from the space character to the end of the valid character
+	// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
+	// and carriage return (\u000D) characters.
+	//
+	//  The policy plain text must be 2048 bytes or shorter. However, an internal
 	// conversion compresses it into a packed binary format with a separate limit.
 	// The PackedPolicySize response element indicates by percentage how close to
 	// the upper size limit the policy is, with 100% equaling the maximum allowed
@@ -908,6 +975,10 @@ type AssumeRoleWithWebIdentityInput struct {
 	// That way, the temporary security credentials that your application will use
 	// are associated with that user. This session name is included as part of the
 	// ARN and assumed role ID in the AssumedRoleUser response element.
+	//
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters consisting of upper- and lower-case alphanumeric characters
+	// with no spaces. You can also include any of the following characters: =,.@-
 	RoleSessionName *string `min:"2" type:"string" required:"true"`
 
 	// The OAuth 2.0 access token or OpenID Connect ID token that is provided by
@@ -984,7 +1055,7 @@ type AssumeRoleWithWebIdentityOutput struct {
 	// The temporary security credentials, which include an access key ID, a secret
 	// access key, and a security token.
 	//
-	// Note: The size of the security token that STS APIs return is not fixed.
+	//  Note: The size of the security token that STS APIs return is not fixed.
 	// We strongly recommend that you make no assumptions about the maximum size.
 	// As of this writing, the typical size is less than 4096 bytes, but that can
 	// vary. Also, future updates to AWS might require larger sizes.
@@ -1113,8 +1184,7 @@ func (s *DecodeAuthorizationMessageInput) Validate() error {
 type DecodeAuthorizationMessageOutput struct {
 	_ struct{} `type:"structure"`
 
-	// An XML document that contains the decoded message. For more information,
+	// An XML document that contains the decoded message.
-	// see DecodeAuthorizationMessage.
 	DecodedMessage *string `type:"string"`
 }
 
@@ -1212,6 +1282,10 @@ type GetFederationTokenInput struct {
 	// temporary security credentials (such as Bob). For example, you can reference
 	// the federated user name in a resource-based policy, such as in an Amazon
 	// S3 bucket policy.
+	//
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters consisting of upper- and lower-case alphanumeric characters
+	// with no spaces. You can also include any of the following characters: =,.@-
 	Name *string `min:"2" type:"string" required:"true"`
 
 	// An IAM policy in JSON format that is passed with the GetFederationToken call
@@ -1229,12 +1303,20 @@ type GetFederationTokenInput struct {
 	// credentials are used to access a resource that has a resource-based policy
 	// that specifically allows the federated user to access the resource.
 	//
-	// The policy plain text must be 2048 bytes or shorter. However, an internal
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters up to 2048 characters in length. The characters can be any
+	// ASCII character from the space character to the end of the valid character
+	// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
+	// and carriage return (\u000D) characters.
+	//
+	//  The policy plain text must be 2048 bytes or shorter. However, an internal
 	// conversion compresses it into a packed binary format with a separate limit.
 	// The PackedPolicySize response element indicates by percentage how close to
 	// the upper size limit the policy is, with 100% equaling the maximum allowed
-	// size.  For more information about how permissions work, see Permissions for
+	// size.
-	// GetFederationToken (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
+	//
+	//  For more information about how permissions work, see Permissions for GetFederationToken
+	// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
 	Policy *string `min:"1" type:"string"`
 }
 
@@ -1278,7 +1360,7 @@ type GetFederationTokenOutput struct {
 	// The temporary security credentials, which include an access key ID, a secret
 	// access key, and a security (or session) token.
 	//
-	// Note: The size of the security token that STS APIs return is not fixed.
+	//  Note: The size of the security token that STS APIs return is not fixed.
 	// We strongly recommend that you make no assumptions about the maximum size.
 	// As of this writing, the typical size is less than 4096 bytes, but that can
 	// vary. Also, future updates to AWS might require larger sizes.
@@ -1324,6 +1406,10 @@ type GetSessionTokenInput struct {
 	// Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
 	// You can find the device for an IAM user by going to the AWS Management Console
 	// and viewing the user's security credentials.
+	//
+	// The format for this parameter, as described by its regex pattern, is a string
+	// of characters consisting of upper- and lower-case alphanumeric characters
+	// with no spaces. You can also include any of the following characters: =,.@-
 	SerialNumber *string `min:"9" type:"string"`
 
 	// The value provided by the MFA device, if MFA is required. If any policy requires
@@ -1331,6 +1417,9 @@ type GetSessionTokenInput struct {
 	// is required, and the user does not provide a code when requesting a set of
 	// temporary security credentials, the user will receive an "access denied"
 	// response when requesting resources that require MFA authentication.
+	//
+	// The format for this parameter, as described by its regex pattern, is a sequence
+	// of six numeric digits.
 	TokenCode *string `min:"6" type:"string"`
 }
 
@@ -1371,7 +1460,7 @@ type GetSessionTokenOutput struct {
 	// The temporary security credentials, which include an access key ID, a secret
 	// access key, and a security (or session) token.
 	//
-	// Note: The size of the security token that STS APIs return is not fixed.
+	//  Note: The size of the security token that STS APIs return is not fixed.
 	// We strongly recommend that you make no assumptions about the maximum size.
 	// As of this writing, the typical size is less than 4096 bytes, but that can
 	// vary. Also, future updates to AWS might require larger sizes.

vendor/github.com/aws/aws-sdk-go/service/sts/service.go

@@ -17,24 +17,25 @@ import (
 // This guide provides descriptions of the STS API. For more detailed information
 // about using this service, go to Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
 //
-//  As an alternative to using the API, you can use one of the AWS SDKs, which
+//   As an alternative to using the API, you can use one of the AWS SDKs, which
 // consist of libraries and sample code for various programming languages and
 // platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient
 // way to create programmatic access to STS. For example, the SDKs take care
 // of cryptographically signing requests, managing errors, and retrying requests
 // automatically. For information about the AWS SDKs, including how to download
 // and install them, see the Tools for Amazon Web Services page (http://aws.amazon.com/tools/).
+//
 //  For information about setting up signatures and authorization through the
-// API, go to Signing AWS API Requests (http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html"
+// API, go to Signing AWS API Requests (http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
-// target="_blank) in the AWS General Reference. For general information about
+// in the AWS General Reference. For general information about the Query API,
-// the Query API, go to Making Query Requests (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html"
+// go to Making Query Requests (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html)
-// target="_blank) in Using IAM. For information about using security tokens
+// in Using IAM. For information about using security tokens with other AWS
-// with other AWS products, go to AWS Services That Work with IAM (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)
+// products, go to AWS Services That Work with IAM (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)
 // in the IAM User Guide.
 //
 // If you're new to AWS and need additional technical information about a specific
 // AWS product, you can find the product's technical documentation at http://aws.amazon.com/documentation/
-// (http://aws.amazon.com/documentation/" target="_blank).
+// (http://aws.amazon.com/documentation/).
 //
 //  Endpoints
 //

vendor/github.com/cloudfoundry-incubator/candiedyaml/README.md

@@ -1,4 +1,6 @@
 [![Build Status](https://travis-ci.org/cloudfoundry-incubator/candiedyaml.svg)](https://travis-ci.org/cloudfoundry-incubator/candiedyaml)
+[![GoDoc](https://godoc.org/github.com/cloudfoundry-incubator/candiedyaml?status.svg)](https://godoc.org/github.com/cloudfoundry-incubator/candiedyaml)
+
 
 candiedyaml
 ===========

vendor/github.com/gocql/gocql/.travis.yml

@@ -1,6 +1,7 @@
 language: go
 
-sudo: false
+sudo: required
+dist: trusty
 
 cache:
   directories:

vendor/github.com/gocql/gocql/AUTHORS

@@ -67,3 +67,4 @@ nikandfor <nikandfor@gmail.com>
 Anthony Woods <awoods@raintank.io>
 Alexander Inozemtsev <alexander.inozemtsev@gmail.com>
 Rob McColl <rob@robmccoll.com>; <rmccoll@ionicsecurity.com>
+Viktor Tönköl <viktor.toenkoel@motionlogic.de>

vendor/github.com/gocql/gocql/cluster.go

@@ -72,6 +72,9 @@ type ClusterConfig struct {
 
 	Discovery DiscoveryConfig
 
+	// If not zero, gocql attempt to reconnect known DOWN nodes in every ReconnectSleep.
+	ReconnectInterval time.Duration
+
 	// The maximum amount of time to wait for schema agreement in a cluster after
 	// receiving a schema change frame. (deault: 60s)
 	MaxWaitSchemaAgreement time.Duration
@@ -126,6 +129,7 @@ func NewCluster(hosts ...string) *ClusterConfig {
 		PageSize:               5000,
 		DefaultTimestamp:       true,
 		MaxWaitSchemaAgreement: 60 * time.Second,
+		ReconnectInterval:      60 * time.Second,
 	}
 	return cfg
 }

vendor/github.com/gocql/gocql/conn.go

@@ -9,7 +9,6 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"golang.org/x/net/context"
 	"io"
 	"io/ioutil"
 	"log"
@@ -20,6 +19,8 @@ import (
 	"sync/atomic"
 	"time"
 
+	"golang.org/x/net/context"
+
 	"github.com/gocql/gocql/internal/lru"
 
 	"github.com/gocql/gocql/internal/streams"
@@ -127,7 +128,7 @@ type Conn struct {
 	timeout time.Duration
 	cfg     *ConnConfig
 
-	headerBuf []byte
+	headerBuf [maxFrameHeaderSize]byte
 
 	streams *streams.IDGenerator
 	mu      sync.RWMutex
@@ -175,17 +176,6 @@ func Connect(host *HostInfo, addr string, cfg *ConnConfig,
 		return nil, err
 	}
 
-	// going to default to proto 2
-	if cfg.ProtoVersion < protoVersion1 || cfg.ProtoVersion > protoVersion4 {
-		log.Printf("unsupported protocol version: %d using 2\n", cfg.ProtoVersion)
-		cfg.ProtoVersion = 2
-	}
-
-	headerSize := 8
-	if cfg.ProtoVersion > protoVersion2 {
-		headerSize = 9
-	}
-
 	c := &Conn{
 		conn:         conn,
 		r:            bufio.NewReader(conn),
@@ -197,7 +187,6 @@ func Connect(host *HostInfo, addr string, cfg *ConnConfig,
 		errorHandler: errorHandler,
 		compressor:   cfg.Compressor,
 		auth:         cfg.Authenticator,
-		headerBuf:    make([]byte, headerSize),
 		quit:         make(chan struct{}),
 		session:      session,
 		streams:      streams.New(cfg.ProtoVersion),
@@ -208,33 +197,49 @@ func Connect(host *HostInfo, addr string, cfg *ConnConfig,
 		c.setKeepalive(cfg.Keepalive)
 	}
 
+	var (
+		ctx    context.Context
+		cancel func()
+	)
+	if c.timeout > 0 {
+		ctx, cancel = context.WithTimeout(context.Background(), c.timeout)
+	} else {
+		ctx, cancel = context.WithCancel(context.Background())
+	}
+	defer cancel()
+
 	frameTicker := make(chan struct{}, 1)
-	startupErr := make(chan error, 1)
+	startupErr := make(chan error)
 	go func() {
 		for range frameTicker {
 			err := c.recv()
-			startupErr <- err
 			if err != nil {
+				select {
+				case startupErr <- err:
+				case <-ctx.Done():
+				}
+
 				return
 			}
 		}
 	}()
 
-	err = c.startup(frameTicker)
+	go func() {
-	close(frameTicker)
+		defer close(frameTicker)
-	if err != nil {
+		err := c.startup(ctx, frameTicker)
-		conn.Close()
+		select {
-		return nil, err
+		case startupErr <- err:
-	}
+		case <-ctx.Done():
+		}
+	}()
 
 	select {
 	case err := <-startupErr:
 		if err != nil {
-			log.Println(err)
 			c.Close()
 			return nil, err
 		}
-	case <-time.After(c.timeout):
+	case <-ctx.Done():
 		c.Close()
 		return nil, errors.New("gocql: no response to connection startup within timeout")
 	}
@@ -275,7 +280,7 @@ func (c *Conn) Read(p []byte) (n int, err error) {
 	return
 }
 
-func (c *Conn) startup(frameTicker chan struct{}) error {
+func (c *Conn) startup(ctx context.Context, frameTicker chan struct{}) error {
 	m := map[string]string{
 		"CQL_VERSION": c.cfg.CQLVersion,
 	}
@@ -284,8 +289,13 @@ func (c *Conn) startup(frameTicker chan struct{}) error {
 		m["COMPRESSION"] = c.compressor.Name()
 	}
 
-	frameTicker <- struct{}{}
+	select {
-	framer, err := c.exec(context.Background(), &writeStartupFrame{opts: m}, nil)
+	case frameTicker <- struct{}{}:
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+
+	framer, err := c.exec(ctx, &writeStartupFrame{opts: m}, nil)
 	if err != nil {
 		return err
 	}
@@ -301,13 +311,13 @@ func (c *Conn) startup(frameTicker chan struct{}) error {
 	case *readyFrame:
 		return nil
 	case *authenticateFrame:
-		return c.authenticateHandshake(v, frameTicker)
+		return c.authenticateHandshake(ctx, v, frameTicker)
 	default:
 		return NewErrProtocol("Unknown type of response to startup frame: %s", v)
 	}
 }
 
-func (c *Conn) authenticateHandshake(authFrame *authenticateFrame, frameTicker chan struct{}) error {
+func (c *Conn) authenticateHandshake(ctx context.Context, authFrame *authenticateFrame, frameTicker chan struct{}) error {
 	if c.auth == nil {
 		return fmt.Errorf("authentication required (using %q)", authFrame.class)
 	}
@@ -320,8 +330,13 @@ func (c *Conn) authenticateHandshake(authFrame *authenticateFrame, frameTicker c
 	req := &writeAuthResponseFrame{data: resp}
 
 	for {
-		frameTicker <- struct{}{}
+		select {
-		framer, err := c.exec(context.Background(), req, nil)
+		case frameTicker <- struct{}{}:
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+
+		framer, err := c.exec(ctx, req, nil)
 		if err != nil {
 			return err
 		}
@@ -425,7 +440,7 @@ func (c *Conn) recv() error {
 	}
 
 	// were just reading headers over and over and copy bodies
-	head, err := readHeader(c.r, c.headerBuf)
+	head, err := readHeader(c.r, c.headerBuf[:])
 	if err != nil {
 		return err
 	}

vendor/github.com/gocql/gocql/control.go

@@ -89,6 +89,22 @@ func (c *controlConn) heartBeat() {
 	}
 }
 
+func hostInfo(addr string, defaultPort int) (*HostInfo, error) {
+	var port int
+	host, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		host = addr
+		port = defaultPort
+	} else {
+		port, err = strconv.Atoi(portStr)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &HostInfo{peer: host, port: port}, nil
+}
+
 func (c *controlConn) shuffleDial(endpoints []string) (conn *Conn, err error) {
 	perm := randr.Perm(len(endpoints))
 	shuffled := make([]string, len(endpoints))
@@ -101,24 +117,19 @@ func (c *controlConn) shuffleDial(endpoints []string) (conn *Conn, err error) {
 	// node.
 	for _, addr := range shuffled {
 		if addr == "" {
-			return nil, fmt.Errorf("control: invalid address: %q", addr)
+			return nil, fmt.Errorf("invalid address: %q", addr)
 		}
 
 		port := c.session.cfg.Port
 		addr = JoinHostPort(addr, port)
-		host, portStr, err := net.SplitHostPort(addr)
+
+		var host *HostInfo
+		host, err = hostInfo(addr, port)
 		if err != nil {
-			host = addr
+			return nil, fmt.Errorf("invalid address: %q: %v", addr, err)
-			port = c.session.cfg.Port
-			err = nil
-		} else {
-			port, err = strconv.Atoi(portStr)
-			if err != nil {
-				return nil, err
-			}
 		}
 
-		hostInfo, _ := c.session.ring.addHostIfMissing(&HostInfo{peer: host, port: port})
+		hostInfo, _ := c.session.ring.addHostIfMissing(host)
 		conn, err = c.session.connect(addr, c, hostInfo)
 		if err == nil {
 			return conn, err
@@ -127,7 +138,11 @@ func (c *controlConn) shuffleDial(endpoints []string) (conn *Conn, err error) {
 		log.Printf("gocql: unable to dial control conn %v: %v\n", addr, err)
 	}
 
-	return
+	if err != nil {
+		return nil, err
+	}
+
+	return conn, nil
 }
 
 func (c *controlConn) connect(endpoints []string) error {
@@ -137,9 +152,7 @@ func (c *controlConn) connect(endpoints []string) error {
 
 	conn, err := c.shuffleDial(endpoints)
 	if err != nil {
-		return fmt.Errorf("control: unable to connect: %v", err)
+		return fmt.Errorf("control: unable to connect to initial hosts: %v", err)
-	} else if conn == nil {
-		return errors.New("control: unable to connect to initial endpoints")
 	}
 
 	if err := c.setupConn(conn); err != nil {

vendor/github.com/gocql/gocql/errors.go

@@ -14,6 +14,7 @@ const (
 	errReadTimeout     = 0x1200
 	errReadFailure     = 0x1300
 	errFunctionFailure = 0x1400
+	errWriteFailure    = 0x1500
 	errSyntax          = 0x2000
 	errUnauthorized    = 0x2100
 	errInvalid         = 0x2200
@@ -70,6 +71,15 @@ type RequestErrWriteTimeout struct {
 	WriteType   string
 }
 
+type RequestErrWriteFailure struct {
+	errorFrame
+	Consistency Consistency
+	Received    int
+	BlockFor    int
+	NumFailures int
+	WriteType   string
+}
+
 type RequestErrReadTimeout struct {
 	errorFrame
 	Consistency Consistency

vendor/github.com/gocql/gocql/events.go

@@ -107,6 +107,17 @@ func (s *Session) handleEvent(framer *framer) {
 }
 
 func (s *Session) handleSchemaEvent(frames []frame) {
+	if s.schemaDescriber == nil {
+		return
+	}
+	for _, frame := range frames {
+		switch f := frame.(type) {
+		case *schemaChangeKeyspace:
+			s.schemaDescriber.clearSchema(f.keyspace)
+		case *schemaChangeTable:
+			s.schemaDescriber.clearSchema(f.keyspace)
+		}
+	}
 }
 
 func (s *Session) handleNodeEvent(frames []frame) {
@@ -233,6 +244,9 @@ func (s *Session) handleRemovedNode(ip net.IP, port int) {
 }
 
 func (s *Session) handleNodeUp(ip net.IP, port int, waitForBinary bool) {
+	if gocqlDebug {
+		log.Printf("gocql: Session.handleNodeUp: %s:%d\n", ip.String(), port)
+	}
 	addr := ip.String()
 	host := s.ring.getHost(addr)
 	if host != nil {
@@ -264,6 +278,9 @@ func (s *Session) handleNodeUp(ip net.IP, port int, waitForBinary bool) {
 }
 
 func (s *Session) handleNodeDown(ip net.IP, port int) {
+	if gocqlDebug {
+		log.Printf("gocql: Session.handleNodeDown: %s:%d\n", ip.String(), port)
+	}
 	addr := ip.String()
 	host := s.ring.getHost(addr)
 	if host == nil {

vendor/github.com/gocql/gocql/frame.go

@@ -231,6 +231,8 @@ var (
 	ErrFrameTooBig = errors.New("frame length is bigger than the maximum allowed")
 )
 
+const maxFrameHeaderSize = 9
+
 func writeInt(p []byte, n int32) {
 	p[0] = byte(n >> 24)
 	p[1] = byte(n >> 16)
@@ -339,23 +341,34 @@ type frame interface {
 }
 
 func readHeader(r io.Reader, p []byte) (head frameHeader, err error) {
-	_, err = io.ReadFull(r, p)
+	_, err = io.ReadFull(r, p[:1])
 	if err != nil {
-		return
+		return frameHeader{}, err
 	}
 
 	version := p[0] & protoVersionMask
 
 	if version < protoVersion1 || version > protoVersion4 {
-		err = fmt.Errorf("gocql: invalid version: %d", version)
+		return frameHeader{}, fmt.Errorf("gocql: unsupported response version: %d", version)
-		return
 	}
 
+	headSize := 9
+	if version < protoVersion3 {
+		headSize = 8
+	}
+
+	_, err = io.ReadFull(r, p[1:headSize])
+	if err != nil {
+		return frameHeader{}, err
+	}
+
+	p = p[:headSize]
+
 	head.version = protoVersion(p[0])
 	head.flags = p[1]
 
 	if version > protoVersion2 {
-		if len(p) < 9 {
+		if len(p) != 9 {
 			return frameHeader{}, fmt.Errorf("not enough bytes to read header require 9 got: %d", len(p))
 		}
 
@@ -363,7 +376,7 @@ func readHeader(r io.Reader, p []byte) (head frameHeader, err error) {
 		head.op = frameOp(p[4])
 		head.length = int(readInt(p[5:]))
 	} else {
-		if len(p) < 8 {
+		if len(p) != 8 {
 			return frameHeader{}, fmt.Errorf("not enough bytes to read header require 8 got: %d", len(p))
 		}
 
@@ -372,7 +385,7 @@ func readHeader(r io.Reader, p []byte) (head frameHeader, err error) {
 		head.length = int(readInt(p[4:]))
 	}
 
-	return
+	return head, nil
 }
 
 // explicitly enables tracing for the framers outgoing requests
@@ -401,9 +414,9 @@ func (f *framer) readFrame(head *frameHeader) error {
 	}
 
 	// assume the underlying reader takes care of timeouts and retries
-	_, err := io.ReadFull(f.r, f.rbuf)
+	n, err := io.ReadFull(f.r, f.rbuf)
 	if err != nil {
-		return err
+		return fmt.Errorf("unable to read frame body: read %d/%d bytes: %v", n, head.length, err)
 	}
 
 	if head.flags&flagCompress == flagCompress {
@@ -544,6 +557,16 @@ func (f *framer) parseErrorFrame() frame {
 		res.BlockFor = f.readInt()
 		res.DataPresent = f.readByte() != 0
 		return res
+	case errWriteFailure:
+		res := &RequestErrWriteFailure{
+			errorFrame: errD,
+		}
+		res.Consistency = f.readConsistency()
+		res.Received = f.readInt()
+		res.BlockFor = f.readInt()
+		res.NumFailures = f.readInt()
+		res.WriteType = f.readString()
+		return res
 	case errFunctionFailure:
 		res := RequestErrFunctionFailure{
 			errorFrame: errD,
@@ -552,8 +575,12 @@ func (f *framer) parseErrorFrame() frame {
 		res.Function = f.readString()
 		res.ArgTypes = f.readStringList()
 		return res
+	case errInvalid, errBootstrapping, errConfig, errCredentials, errOverloaded,
+		errProtocol, errServer, errSyntax, errTruncate, errUnauthorized:
+		// TODO(zariel): we should have some distinct types for these errors
+		return errD
 	default:
-		return &errD
+		panic(fmt.Errorf("unknown error code: 0x%x", errD.code))
 	}
 }
 

vendor/github.com/gocql/gocql/metadata.go

@@ -105,8 +105,6 @@ func (s *schemaDescriber) getSchema(keyspaceName string) (*KeyspaceMetadata, err
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	// TODO handle schema change events
-
 	metadata, found := s.cache[keyspaceName]
 	if !found {
 		// refresh the cache for this keyspace
@@ -121,6 +119,14 @@ func (s *schemaDescriber) getSchema(keyspaceName string) (*KeyspaceMetadata, err
 	return metadata, nil
 }
 
+// clears the already cached keyspace metadata
+func (s *schemaDescriber) clearSchema(keyspaceName string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	delete(s.cache, keyspaceName)
+}
+
 // forcibly updates the current KeyspaceMetadata held by the schema describer
 // for a given named keyspace.
 func (s *schemaDescriber) refreshSchema(keyspaceName string) error {

vendor/github.com/gocql/gocql/session.go

@@ -9,8 +9,8 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
-	"golang.org/x/net/context"
 	"io"
+	"log"
 	"net"
 	"strconv"
 	"strings"
@@ -19,6 +19,8 @@ import (
 	"time"
 	"unicode"
 
+	"golang.org/x/net/context"
+
 	"github.com/gocql/gocql/internal/lru"
 )
 
@@ -175,6 +177,10 @@ func NewSession(cfg ClusterConfig) (*Session, error) {
 		}
 	}
 
+	if cfg.ReconnectInterval > 0 {
+		go s.reconnectDownedHosts(cfg.ReconnectInterval)
+	}
+
 	// TODO(zariel): we probably dont need this any more as we verify that we
 	// can connect to one of the endpoints supplied by using the control conn.
 	// See if there are any connections in the pool
@@ -188,6 +194,30 @@ func NewSession(cfg ClusterConfig) (*Session, error) {
 	return s, nil
 }
 
+func (s *Session) reconnectDownedHosts(intv time.Duration) {
+	for !s.Closed() {
+		time.Sleep(intv)
+
+		hosts := s.ring.allHosts()
+
+		// Print session.ring for debug.
+		if gocqlDebug {
+			buf := bytes.NewBufferString("Session.ring:")
+			for _, h := range hosts {
+				buf.WriteString("[" + h.Peer() + ":" + h.State().String() + "]")
+			}
+			log.Println(buf.String())
+		}
+
+		for _, h := range hosts {
+			if h.IsUp() {
+				continue
+			}
+			s.handleNodeUp(net.ParseIP(h.Peer()), h.Port(), true)
+		}
+	}
+}
+
 // SetConsistency sets the default consistency level for this session. This
 // setting can also be changed on a per-query basis and the default value
 // is Quorum.

vendor/github.com/golang/snappy/README

@@ -5,3 +5,103 @@ $ go get github.com/golang/snappy
 
 Unless otherwise noted, the Snappy-Go source files are distributed
 under the BSD-style license found in the LICENSE file.
+
+
+
+Benchmarks.
+
+The golang/snappy benchmarks include compressing (Z) and decompressing (U) ten
+or so files, the same set used by the C++ Snappy code (github.com/google/snappy
+and note the "google", not "golang"). On an "Intel(R) Core(TM) i7-3770 CPU @
+3.40GHz", Go's GOARCH=amd64 numbers as of 2016-04-29:
+
+"go test -test.bench=."
+
+_UFlat0-8         2.23GB/s ± 1%  html
+_UFlat1-8         1.43GB/s ± 0%  urls
+_UFlat2-8         23.7GB/s ± 1%  jpg
+_UFlat3-8         1.93GB/s ± 0%  jpg_200
+_UFlat4-8         13.9GB/s ± 2%  pdf
+_UFlat5-8         2.00GB/s ± 0%  html4
+_UFlat6-8          829MB/s ± 0%  txt1
+_UFlat7-8          799MB/s ± 0%  txt2
+_UFlat8-8          871MB/s ± 0%  txt3
+_UFlat9-8          730MB/s ± 0%  txt4
+_UFlat10-8        2.87GB/s ± 0%  pb
+_UFlat11-8        1.07GB/s ± 0%  gaviota
+
+_ZFlat0-8         1.04GB/s ± 0%  html
+_ZFlat1-8          536MB/s ± 0%  urls
+_ZFlat2-8         16.3GB/s ± 2%  jpg
+_ZFlat3-8          762MB/s ± 0%  jpg_200
+_ZFlat4-8         9.48GB/s ± 1%  pdf
+_ZFlat5-8          990MB/s ± 0%  html4
+_ZFlat6-8          381MB/s ± 0%  txt1
+_ZFlat7-8          353MB/s ± 0%  txt2
+_ZFlat8-8          398MB/s ± 0%  txt3
+_ZFlat9-8          329MB/s ± 0%  txt4
+_ZFlat10-8        1.35GB/s ± 1%  pb
+_ZFlat11-8         608MB/s ± 0%  gaviota
+
+
+
+"go test -test.bench=. -tags=noasm"
+
+_UFlat0-8          637MB/s ± 0%  html
+_UFlat1-8          506MB/s ± 0%  urls
+_UFlat2-8         23.0GB/s ± 5%  jpg
+_UFlat3-8         1.17GB/s ± 0%  jpg_200
+_UFlat4-8         4.44GB/s ± 1%  pdf
+_UFlat5-8          623MB/s ± 0%  html4
+_UFlat6-8          300MB/s ± 1%  txt1
+_UFlat7-8          293MB/s ± 0%  txt2
+_UFlat8-8          316MB/s ± 0%  txt3
+_UFlat9-8          285MB/s ± 0%  txt4
+_UFlat10-8         768MB/s ± 0%  pb
+_UFlat11-8         406MB/s ± 1%  gaviota
+
+_ZFlat0-8          411MB/s ± 1%  html
+_ZFlat1-8          250MB/s ± 1%  urls
+_ZFlat2-8         12.7GB/s ± 1%  jpg
+_ZFlat3-8          157MB/s ± 0%  jpg_200
+_ZFlat4-8         2.95GB/s ± 0%  pdf
+_ZFlat5-8          406MB/s ± 0%  html4
+_ZFlat6-8          182MB/s ± 0%  txt1
+_ZFlat7-8          173MB/s ± 1%  txt2
+_ZFlat8-8          191MB/s ± 0%  txt3
+_ZFlat9-8          166MB/s ± 0%  txt4
+_ZFlat10-8         480MB/s ± 0%  pb
+_ZFlat11-8         272MB/s ± 0%  gaviota
+
+
+
+For comparison (Go's encoded output is byte-for-byte identical to C++'s), here
+are the numbers from C++ Snappy's
+
+make CXXFLAGS="-O2 -DNDEBUG -g" clean snappy_unittest.log && cat snappy_unittest.log
+
+BM_UFlat/0     2.4GB/s  html
+BM_UFlat/1     1.4GB/s  urls
+BM_UFlat/2    21.8GB/s  jpg
+BM_UFlat/3     1.5GB/s  jpg_200
+BM_UFlat/4    13.3GB/s  pdf
+BM_UFlat/5     2.1GB/s  html4
+BM_UFlat/6     1.0GB/s  txt1
+BM_UFlat/7   959.4MB/s  txt2
+BM_UFlat/8     1.0GB/s  txt3
+BM_UFlat/9   864.5MB/s  txt4
+BM_UFlat/10    2.9GB/s  pb
+BM_UFlat/11    1.2GB/s  gaviota
+
+BM_ZFlat/0   944.3MB/s  html (22.31 %)
+BM_ZFlat/1   501.6MB/s  urls (47.78 %)
+BM_ZFlat/2    14.3GB/s  jpg (99.95 %)
+BM_ZFlat/3   538.3MB/s  jpg_200 (73.00 %)
+BM_ZFlat/4     8.3GB/s  pdf (83.30 %)
+BM_ZFlat/5   903.5MB/s  html4 (22.52 %)
+BM_ZFlat/6   336.0MB/s  txt1 (57.88 %)
+BM_ZFlat/7   312.3MB/s  txt2 (61.91 %)
+BM_ZFlat/8   353.1MB/s  txt3 (54.99 %)
+BM_ZFlat/9   289.9MB/s  txt4 (66.26 %)
+BM_ZFlat/10    1.2GB/s  pb (19.68 %)
+BM_ZFlat/11  527.4MB/s  gaviota (37.72 %)

vendor/github.com/golang/snappy/encode_amd64.s

@@ -8,10 +8,17 @@
 
 #include "textflag.h"
 
-// TODO: figure out why the XXX lines compile with Go 1.4 and Go tip but not
+// The XXX lines assemble on Go 1.4, 1.5 and 1.7, but not 1.6, due to a
-// Go 1.6.
+// Go toolchain regression. See https://github.com/golang/go/issues/15426 and
+// https://github.com/golang/snappy/issues/29
 //
-// This is https://github.com/golang/snappy/issues/29
+// As a workaround, the package was built with a known good assembler, and
+// those instructions were disassembled by "objdump -d" to yield the
+//	4e 0f b7 7c 5c 78       movzwq 0x78(%rsp,%r11,2),%r15
+// style comments, in AT&T asm syntax. Note that rsp here is a physical
+// register, not Go/asm's SP pseudo-register (see https://golang.org/doc/asm).
+// The instructions were then encoded as "BYTE $0x.." sequences, which assemble
+// fine on Go 1.6.
 
 // The asm code generally follows the pure Go code in encode_other.go, except
 // where marked with a "!!!".
@@ -21,19 +28,23 @@
 // func emitLiteral(dst, lit []byte) int
 //
 // All local variables fit into registers. The register allocation:
-//	- AX	return value
+//	- AX	len(lit)
 //	- BX	n
-//	- CX	len(lit)
+//	- DX	return value
-//	- SI	&lit[0]
 //	- DI	&dst[i]
+//	- R10	&lit[0]
 //
 // The 24 bytes of stack space is to call runtime·memmove.
+//
+// The unusual register allocation of local variables, such as R10 for the
+// source pointer, matches the allocation used at the call site in encodeBlock,
+// which makes it easier to manually inline this function.
 TEXT ·emitLiteral(SB), NOSPLIT, $24-56
 	MOVQ dst_base+0(FP), DI
-	MOVQ lit_base+24(FP), SI
+	MOVQ lit_base+24(FP), R10
-	MOVQ lit_len+32(FP), CX
+	MOVQ lit_len+32(FP), AX
-	MOVQ CX, AX
+	MOVQ AX, DX
-	MOVL CX, BX
+	MOVL AX, BX
 	SUBL $1, BX
 
 	CMPL BX, $60
@@ -45,32 +56,32 @@ threeBytes:
 	MOVB $0xf4, 0(DI)
 	MOVW BX, 1(DI)
 	ADDQ $3, DI
-	ADDQ $3, AX
+	ADDQ $3, DX
-	JMP  emitLiteralEnd
+	JMP  memmove
 
 twoBytes:
 	MOVB $0xf0, 0(DI)
 	MOVB BX, 1(DI)
 	ADDQ $2, DI
-	ADDQ $2, AX
+	ADDQ $2, DX
-	JMP  emitLiteralEnd
+	JMP  memmove
 
 oneByte:
 	SHLB $2, BX
 	MOVB BX, 0(DI)
 	ADDQ $1, DI
-	ADDQ $1, AX
+	ADDQ $1, DX
 
-emitLiteralEnd:
+memmove:
-	MOVQ AX, ret+48(FP)
+	MOVQ DX, ret+48(FP)
 
 	// copy(dst[i:], lit)
 	//
 	// This means calling runtime·memmove(&dst[i], &lit[0], len(lit)), so we push
-	// DI, SI and CX as arguments.
+	// DI, R10 and AX as arguments.
 	MOVQ DI, 0(SP)
-	MOVQ SI, 8(SP)
+	MOVQ R10, 8(SP)
-	MOVQ CX, 16(SP)
+	MOVQ AX, 16(SP)
 	CALL runtime·memmove(SB)
 	RET
 
@@ -79,55 +90,59 @@ emitLiteralEnd:
 // func emitCopy(dst []byte, offset, length int) int
 //
 // All local variables fit into registers. The register allocation:
-//	- BX	offset
+//	- AX	length
-//	- CX	length
 //	- SI	&dst[0]
 //	- DI	&dst[i]
+//	- R11	offset
+//
+// The unusual register allocation of local variables, such as R11 for the
+// offset, matches the allocation used at the call site in encodeBlock, which
+// makes it easier to manually inline this function.
 TEXT ·emitCopy(SB), NOSPLIT, $0-48
 	MOVQ dst_base+0(FP), DI
 	MOVQ DI, SI
-	MOVQ offset+24(FP), BX
+	MOVQ offset+24(FP), R11
-	MOVQ length+32(FP), CX
+	MOVQ length+32(FP), AX
 
 loop0:
 	// for length >= 68 { etc }
-	CMPL CX, $68
+	CMPL AX, $68
 	JLT  step1
 
 	// Emit a length 64 copy, encoded as 3 bytes.
 	MOVB $0xfe, 0(DI)
-	MOVW BX, 1(DI)
+	MOVW R11, 1(DI)
 	ADDQ $3, DI
-	SUBL $64, CX
+	SUBL $64, AX
 	JMP  loop0
 
 step1:
 	// if length > 64 { etc }
-	CMPL CX, $64
+	CMPL AX, $64
 	JLE  step2
 
 	// Emit a length 60 copy, encoded as 3 bytes.
 	MOVB $0xee, 0(DI)
-	MOVW BX, 1(DI)
+	MOVW R11, 1(DI)
 	ADDQ $3, DI
-	SUBL $60, CX
+	SUBL $60, AX
 
 step2:
 	// if length >= 12 || offset >= 2048 { goto step3 }
-	CMPL CX, $12
+	CMPL AX, $12
 	JGE  step3
-	CMPL BX, $2048
+	CMPL R11, $2048
 	JGE  step3
 
 	// Emit the remaining copy, encoded as 2 bytes.
-	MOVB BX, 1(DI)
+	MOVB R11, 1(DI)
-	SHRL $8, BX
+	SHRL $8, R11
-	SHLB $5, BX
+	SHLB $5, R11
-	SUBB $4, CX
+	SUBB $4, AX
-	SHLB $2, CX
+	SHLB $2, AX
-	ORB  CX, BX
+	ORB  AX, R11
-	ORB  $1, BX
+	ORB  $1, R11
-	MOVB BX, 0(DI)
+	MOVB R11, 0(DI)
 	ADDQ $2, DI
 
 	// Return the number of bytes written.
@@ -137,11 +152,11 @@ step2:
 
 step3:
 	// Emit the remaining copy, encoded as 3 bytes.
-	SUBL $1, CX
+	SUBL $1, AX
-	SHLB $2, CX
+	SHLB $2, AX
-	ORB  $2, CX
+	ORB  $2, AX
-	MOVB CX, 0(DI)
+	MOVB AX, 0(DI)
-	MOVW BX, 1(DI)
+	MOVW R11, 1(DI)
 	ADDQ $3, DI
 
 	// Return the number of bytes written.
@@ -154,33 +169,37 @@ step3:
 // func extendMatch(src []byte, i, j int) int
 //
 // All local variables fit into registers. The register allocation:
-//	- CX	&src[0]
+//	- DX	&src[0]
-//	- DX	&src[len(src)]
+//	- SI	&src[j]
-//	- SI	&src[i]
+//	- R13	&src[len(src) - 8]
-//	- DI	&src[j]
+//	- R14	&src[len(src)]
-//	- R9	&src[len(src) - 8]
+//	- R15	&src[i]
+//
+// The unusual register allocation of local variables, such as R15 for a source
+// pointer, matches the allocation used at the call site in encodeBlock, which
+// makes it easier to manually inline this function.
 TEXT ·extendMatch(SB), NOSPLIT, $0-48
-	MOVQ src_base+0(FP), CX
+	MOVQ src_base+0(FP), DX
-	MOVQ src_len+8(FP), DX
+	MOVQ src_len+8(FP), R14
-	MOVQ i+24(FP), SI
+	MOVQ i+24(FP), R15
-	MOVQ j+32(FP), DI
+	MOVQ j+32(FP), SI
-	ADDQ CX, DX
+	ADDQ DX, R14
-	ADDQ CX, SI
+	ADDQ DX, R15
-	ADDQ CX, DI
+	ADDQ DX, SI
-	MOVQ DX, R9
+	MOVQ R14, R13
-	SUBQ $8, R9
+	SUBQ $8, R13
 
 cmp8:
 	// As long as we are 8 or more bytes before the end of src, we can load and
 	// compare 8 bytes at a time. If those 8 bytes are equal, repeat.
-	CMPQ DI, R9
+	CMPQ SI, R13
 	JA   cmp1
-	MOVQ (SI), AX
+	MOVQ (R15), AX
-	MOVQ (DI), BX
+	MOVQ (SI), BX
 	CMPQ AX, BX
 	JNE  bsf
+	ADDQ $8, R15
 	ADDQ $8, SI
-	ADDQ $8, DI
 	JMP  cmp8
 
 bsf:
@@ -191,29 +210,29 @@ bsf:
 	XORQ AX, BX
 	BSFQ BX, BX
 	SHRQ $3, BX
-	ADDQ BX, DI
+	ADDQ BX, SI
 
 	// Convert from &src[ret] to ret.
-	SUBQ CX, DI
+	SUBQ DX, SI
-	MOVQ DI, ret+40(FP)
+	MOVQ SI, ret+40(FP)
 	RET
 
 cmp1:
 	// In src's tail, compare 1 byte at a time.
-	CMPQ DI, DX
+	CMPQ SI, R14
 	JAE  extendMatchEnd
-	MOVB (SI), AX
+	MOVB (R15), AX
-	MOVB (DI), BX
+	MOVB (SI), BX
 	CMPB AX, BX
 	JNE  extendMatchEnd
+	ADDQ $1, R15
 	ADDQ $1, SI
-	ADDQ $1, DI
 	JMP  cmp1
 
 extendMatchEnd:
 	// Convert from &src[ret] to ret.
-	SUBQ CX, DI
+	SUBQ DX, SI
-	MOVQ DI, ret+40(FP)
+	MOVQ SI, ret+40(FP)
 	RET
 
 // ----------------------------------------------------------------------------
@@ -232,8 +251,8 @@ extendMatchEnd:
 //	- R10	.	&src[nextEmit]
 //	- R11	96	prevHash, currHash, nextHash, offset
 //	- R12	104	&src[base], skip
-//	- R13	.	&src[nextS]
+//	- R13	.	&src[nextS], &src[len(src) - 8]
-//	- R14	.	len(src), bytesBetweenHashLookups, x
+//	- R14	.	len(src), bytesBetweenHashLookups, &src[len(src)], x
 //	- R15	112	candidate
 //
 // The second column (56, 64, etc) is the stack offset to spill the registers
@@ -352,6 +371,7 @@ inner0:
 	// table[nextHash] = uint16(s)
 	MOVQ SI, AX
 	SUBQ DX, AX
+
 	// XXX: MOVW AX, table-32768(SP)(R11*2)
 	// XXX: 66 42 89 44 5c 78       mov    %ax,0x78(%rsp,%r11,2)
 	BYTE $0x66
@@ -384,32 +404,63 @@ fourByteMatch:
 	CMPQ AX, $16
 	JLE  emitLiteralFastPath
 
-	// d += emitLiteral(dst[d:], src[nextEmit:s])
+	// ----------------------------------------
+	// Begin inline of the emitLiteral call.
 	//
-	// Push args.
+	// d += emitLiteral(dst[d:], src[nextEmit:s])
-	MOVQ DI, 0(SP)
-	MOVQ $0, 8(SP)   // Unnecessary, as the callee ignores it, but conservative.
-	MOVQ $0, 16(SP)  // Unnecessary, as the callee ignores it, but conservative.
-	MOVQ R10, 24(SP)
-	MOVQ AX, 32(SP)
-	MOVQ AX, 40(SP)  // Unnecessary, as the callee ignores it, but conservative.
 
+	MOVL AX, BX
+	SUBL $1, BX
+
+	CMPL BX, $60
+	JLT  inlineEmitLiteralOneByte
+	CMPL BX, $256
+	JLT  inlineEmitLiteralTwoBytes
+
+inlineEmitLiteralThreeBytes:
+	MOVB $0xf4, 0(DI)
+	MOVW BX, 1(DI)
+	ADDQ $3, DI
+	JMP  inlineEmitLiteralMemmove
+
+inlineEmitLiteralTwoBytes:
+	MOVB $0xf0, 0(DI)
+	MOVB BX, 1(DI)
+	ADDQ $2, DI
+	JMP  inlineEmitLiteralMemmove
+
+inlineEmitLiteralOneByte:
+	SHLB $2, BX
+	MOVB BX, 0(DI)
+	ADDQ $1, DI
+
+inlineEmitLiteralMemmove:
 	// Spill local variables (registers) onto the stack; call; unspill.
+	//
+	// copy(dst[i:], lit)
+	//
+	// This means calling runtime·memmove(&dst[i], &lit[0], len(lit)), so we push
+	// DI, R10 and AX as arguments.
+	MOVQ DI, 0(SP)
+	MOVQ R10, 8(SP)
+	MOVQ AX, 16(SP)
+	ADDQ AX, DI              // Finish the "d +=" part of "d += emitLiteral(etc)".
 	MOVQ SI, 72(SP)
 	MOVQ DI, 80(SP)
 	MOVQ R15, 112(SP)
-	CALL ·emitLiteral(SB)
+	CALL runtime·memmove(SB)
 	MOVQ 56(SP), CX
 	MOVQ 64(SP), DX
 	MOVQ 72(SP), SI
 	MOVQ 80(SP), DI
 	MOVQ 88(SP), R9
 	MOVQ 112(SP), R15
-
-	// Finish the "d +=" part of "d += emitLiteral(etc)".
-	ADDQ 48(SP), DI
 	JMP  inner1
 
+inlineEmitLiteralEnd:
+	// End inline of the emitLiteral call.
+	// ----------------------------------------
+
 emitLiteralFastPath:
 	// !!! Emit the 1-byte encoding "uint8(len(lit)-1)<<2".
 	MOVB AX, BX
@@ -442,60 +493,129 @@ inner1:
 	SUBQ R15, R11
 	SUBQ DX, R11
 
+	// ----------------------------------------
+	// Begin inline of the extendMatch call.
+	//
 	// s = extendMatch(src, candidate+4, s+4)
-	//
+
-	// Push args.
+	// !!! R14 = &src[len(src)]
-	MOVQ DX, 0(SP)
 	MOVQ src_len+32(FP), R14
-	MOVQ R14, 8(SP)
+	ADDQ DX, R14
-	MOVQ R14, 16(SP)         // Unnecessary, as the callee ignores it, but conservative.
+
+	// !!! R13 = &src[len(src) - 8]
+	MOVQ R14, R13
+	SUBQ $8, R13
+
+	// !!! R15 = &src[candidate + 4]
 	ADDQ $4, R15
-	MOVQ R15, 24(SP)
+	ADDQ DX, R15
+
+	// !!! s += 4
 	ADDQ $4, SI
-	SUBQ DX, SI
-	MOVQ SI, 32(SP)
 
-	// Spill local variables (registers) onto the stack; call; unspill.
+inlineExtendMatchCmp8:
+	// As long as we are 8 or more bytes before the end of src, we can load and
+	// compare 8 bytes at a time. If those 8 bytes are equal, repeat.
+	CMPQ SI, R13
+	JA   inlineExtendMatchCmp1
+	MOVQ (R15), AX
+	MOVQ (SI), BX
+	CMPQ AX, BX
+	JNE  inlineExtendMatchBSF
+	ADDQ $8, R15
+	ADDQ $8, SI
+	JMP  inlineExtendMatchCmp8
+
+inlineExtendMatchBSF:
+	// If those 8 bytes were not equal, XOR the two 8 byte values, and return
+	// the index of the first byte that differs. The BSF instruction finds the
+	// least significant 1 bit, the amd64 architecture is little-endian, and
+	// the shift by 3 converts a bit index to a byte index.
+	XORQ AX, BX
+	BSFQ BX, BX
+	SHRQ $3, BX
+	ADDQ BX, SI
+	JMP  inlineExtendMatchEnd
+
+inlineExtendMatchCmp1:
+	// In src's tail, compare 1 byte at a time.
+	CMPQ SI, R14
+	JAE  inlineExtendMatchEnd
+	MOVB (R15), AX
+	MOVB (SI), BX
+	CMPB AX, BX
+	JNE  inlineExtendMatchEnd
+	ADDQ $1, R15
+	ADDQ $1, SI
+	JMP  inlineExtendMatchCmp1
+
+inlineExtendMatchEnd:
+	// End inline of the extendMatch call.
+	// ----------------------------------------
+
+	// ----------------------------------------
+	// Begin inline of the emitCopy call.
 	//
-	// We don't need to unspill CX or R9 as we are just about to call another
-	// function.
-	MOVQ DI, 80(SP)
-	MOVQ R11, 96(SP)
-	MOVQ R12, 104(SP)
-	CALL ·extendMatch(SB)
-	MOVQ 64(SP), DX
-	MOVQ 80(SP), DI
-	MOVQ 96(SP), R11
-	MOVQ 104(SP), R12
-
-	// Finish the "s =" part of "s = extendMatch(etc)", remembering that the SI
-	// register holds &src[s], not s.
-	MOVQ 40(SP), SI
-	ADDQ DX, SI
-
 	// d += emitCopy(dst[d:], base-candidate, s-base)
-	//
+
-	// Push args.
+	// !!! length := s - base
-	MOVQ DI, 0(SP)
-	MOVQ $0, 8(SP)   // Unnecessary, as the callee ignores it, but conservative.
-	MOVQ $0, 16(SP)  // Unnecessary, as the callee ignores it, but conservative.
-	MOVQ R11, 24(SP)
 	MOVQ SI, AX
 	SUBQ R12, AX
-	MOVQ AX, 32(SP)
 
-	// Spill local variables (registers) onto the stack; call; unspill.
+inlineEmitCopyLoop0:
-	MOVQ SI, 72(SP)
+	// for length >= 68 { etc }
-	MOVQ DI, 80(SP)
+	CMPL AX, $68
-	CALL ·emitCopy(SB)
+	JLT  inlineEmitCopyStep1
-	MOVQ 56(SP), CX
-	MOVQ 64(SP), DX
-	MOVQ 72(SP), SI
-	MOVQ 80(SP), DI
-	MOVQ 88(SP), R9
 
-	// Finish the "d +=" part of "d += emitCopy(etc)".
+	// Emit a length 64 copy, encoded as 3 bytes.
-	ADDQ 40(SP), DI
+	MOVB $0xfe, 0(DI)
+	MOVW R11, 1(DI)
+	ADDQ $3, DI
+	SUBL $64, AX
+	JMP  inlineEmitCopyLoop0
+
+inlineEmitCopyStep1:
+	// if length > 64 { etc }
+	CMPL AX, $64
+	JLE  inlineEmitCopyStep2
+
+	// Emit a length 60 copy, encoded as 3 bytes.
+	MOVB $0xee, 0(DI)
+	MOVW R11, 1(DI)
+	ADDQ $3, DI
+	SUBL $60, AX
+
+inlineEmitCopyStep2:
+	// if length >= 12 || offset >= 2048 { goto inlineEmitCopyStep3 }
+	CMPL AX, $12
+	JGE  inlineEmitCopyStep3
+	CMPL R11, $2048
+	JGE  inlineEmitCopyStep3
+
+	// Emit the remaining copy, encoded as 2 bytes.
+	MOVB R11, 1(DI)
+	SHRL $8, R11
+	SHLB $5, R11
+	SUBB $4, AX
+	SHLB $2, AX
+	ORB  AX, R11
+	ORB  $1, R11
+	MOVB R11, 0(DI)
+	ADDQ $2, DI
+	JMP  inlineEmitCopyEnd
+
+inlineEmitCopyStep3:
+	// Emit the remaining copy, encoded as 3 bytes.
+	SUBL $1, AX
+	SHLB $2, AX
+	ORB  $2, AX
+	MOVB AX, 0(DI)
+	MOVW R11, 1(DI)
+	ADDQ $3, DI
+
+inlineEmitCopyEnd:
+	// End inline of the emitCopy call.
+	// ----------------------------------------
 
 	// nextEmit = s
 	MOVQ SI, R10
@@ -522,6 +642,7 @@ inner1:
 	MOVQ SI, AX
 	SUBQ DX, AX
 	SUBQ $1, AX
+
 	// XXX: MOVW AX, table-32768(SP)(R11*2)
 	// XXX: 66 42 89 44 5c 78       mov    %ax,0x78(%rsp,%r11,2)
 	BYTE $0x66
@@ -549,6 +670,7 @@ inner1:
 
 	// table[currHash] = uint16(s)
 	ADDQ $1, AX
+
 	// XXX: MOVW AX, table-32768(SP)(R11*2)
 	// XXX: 66 42 89 44 5c 78       mov    %ax,0x78(%rsp,%r11,2)
 	BYTE $0x66

vendor/github.com/hashicorp/go-rootcerts/.travis.yml

@@ -0,0 +1,12 @@
+sudo: false
+
+language: go
+
+go:
+  - 1.6
+
+branches:
+  only:
+    - master
+
+script: make test

vendor/github.com/hashicorp/go-rootcerts/LICENSE

@@ -0,0 +1,363 @@
+Mozilla Public License, version 2.0
+
+1. Definitions
+
+1.1. "Contributor"
+
+     means each individual or legal entity that creates, contributes to the
+     creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+
+     means the combination of the Contributions of others (if any) used by a
+     Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+
+     means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+
+     means Source Code Form to which the initial Contributor has attached the
+     notice in Exhibit A, the Executable Form of such Source Code Form, and
+     Modifications of such Source Code Form, in each case including portions
+     thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+     means
+
+     a. that the initial Contributor has attached the notice described in
+        Exhibit B to the Covered Software; or
+
+     b. that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the terms of
+        a Secondary License.
+
+1.6. "Executable Form"
+
+     means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+
+     means a work that combines Covered Software with other material, in a
+     separate file or files, that is not Covered Software.
+
+1.8. "License"
+
+     means this document.
+
+1.9. "Licensable"
+
+     means having the right to grant, to the maximum extent possible, whether
+     at the time of the initial grant or subsequently, any and all of the
+     rights conveyed by this License.
+
+1.10. "Modifications"
+
+     means any of the following:
+
+     a. any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered Software; or
+
+     b. any new file in Source Code Form that contains any Covered Software.
+
+1.11. "Patent Claims" of a Contributor
+
+      means any patent claim(s), including without limitation, method,
+      process, and apparatus claims, in any patent Licensable by such
+      Contributor that would be infringed, but for the grant of the License,
+      by the making, using, selling, offering for sale, having made, import,
+      or transfer of either its Contributions or its Contributor Version.
+
+1.12. "Secondary License"
+
+      means either the GNU General Public License, Version 2.0, the GNU Lesser
+      General Public License, Version 2.1, the GNU Affero General Public
+      License, Version 3.0, or any later versions of those licenses.
+
+1.13. "Source Code Form"
+
+      means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+
+      means an individual or a legal entity exercising rights under this
+      License. For legal entities, "You" includes any entity that controls, is
+      controlled by, or is under common control with You. For purposes of this
+      definition, "control" means (a) the power, direct or indirect, to cause
+      the direction or management of such entity, whether by contract or
+      otherwise, or (b) ownership of more than fifty percent (50%) of the
+      outstanding shares or beneficial ownership of such entity.
+
+
+2. License Grants and Conditions
+
+2.1. Grants
+
+     Each Contributor hereby grants You a world-wide, royalty-free,
+     non-exclusive license:
+
+     a. under intellectual property rights (other than patent or trademark)
+        Licensable by such Contributor to use, reproduce, make available,
+        modify, display, perform, distribute, and otherwise exploit its
+        Contributions, either on an unmodified basis, with Modifications, or
+        as part of a Larger Work; and
+
+     b. under Patent Claims of such Contributor to make, use, sell, offer for
+        sale, have made, import, and otherwise transfer either its
+        Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+     The licenses granted in Section 2.1 with respect to any Contribution
+     become effective for each Contribution on the date the Contributor first
+     distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+     The licenses granted in this Section 2 are the only rights granted under
+     this License. No additional rights or licenses will be implied from the
+     distribution or licensing of Covered Software under this License.
+     Notwithstanding Section 2.1(b) above, no patent license is granted by a
+     Contributor:
+
+     a. for any code that a Contributor has removed from Covered Software; or
+
+     b. for infringements caused by: (i) Your and any other third party's
+        modifications of Covered Software, or (ii) the combination of its
+        Contributions with other software (except as part of its Contributor
+        Version); or
+
+     c. under Patent Claims infringed by Covered Software in the absence of
+        its Contributions.
+
+     This License does not grant any rights in the trademarks, service marks,
+     or logos of any Contributor (except as may be necessary to comply with
+     the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+     No Contributor makes additional grants as a result of Your choice to
+     distribute the Covered Software under a subsequent version of this
+     License (see Section 10.2) or under the terms of a Secondary License (if
+     permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+     Each Contributor represents that the Contributor believes its
+     Contributions are its original creation(s) or it has sufficient rights to
+     grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+     This License is not intended to limit any rights You have under
+     applicable copyright doctrines of fair use, fair dealing, or other
+     equivalents.
+
+2.7. Conditions
+
+     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+     Section 2.1.
+
+
+3. Responsibilities
+
+3.1. Distribution of Source Form
+
+     All distribution of Covered Software in Source Code Form, including any
+     Modifications that You create or to which You contribute, must be under
+     the terms of this License. You must inform recipients that the Source
+     Code Form of the Covered Software is governed by the terms of this
+     License, and how they can obtain a copy of this License. You may not
+     attempt to alter or restrict the recipients' rights in the Source Code
+     Form.
+
+3.2. Distribution of Executable Form
+
+     If You distribute Covered Software in Executable Form then:
+
+     a. such Covered Software must also be made available in Source Code Form,
+        as described in Section 3.1, and You must inform recipients of the
+        Executable Form how they can obtain a copy of such Source Code Form by
+        reasonable means in a timely manner, at a charge no more than the cost
+        of distribution to the recipient; and
+
+     b. You may distribute such Executable Form under the terms of this
+        License, or sublicense it under different terms, provided that the
+        license for the Executable Form does not attempt to limit or alter the
+        recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+     You may create and distribute a Larger Work under terms of Your choice,
+     provided that You also comply with the requirements of this License for
+     the Covered Software. If the Larger Work is a combination of Covered
+     Software with a work governed by one or more Secondary Licenses, and the
+     Covered Software is not Incompatible With Secondary Licenses, this
+     License permits You to additionally distribute such Covered Software
+     under the terms of such Secondary License(s), so that the recipient of
+     the Larger Work may, at their option, further distribute the Covered
+     Software under the terms of either this License or such Secondary
+     License(s).
+
+3.4. Notices
+
+     You may not remove or alter the substance of any license notices
+     (including copyright notices, patent notices, disclaimers of warranty, or
+     limitations of liability) contained within the Source Code Form of the
+     Covered Software, except that You may alter any license notices to the
+     extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+     You may choose to offer, and to charge a fee for, warranty, support,
+     indemnity or liability obligations to one or more recipients of Covered
+     Software. However, You may do so only on Your own behalf, and not on
+     behalf of any Contributor. You must make it absolutely clear that any
+     such warranty, support, indemnity, or liability obligation is offered by
+     You alone, and You hereby agree to indemnify every Contributor for any
+     liability incurred by such Contributor as a result of warranty, support,
+     indemnity or liability terms You offer. You may include additional
+     disclaimers of warranty and limitations of liability specific to any
+     jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+
+   If it is impossible for You to comply with any of the terms of this License
+   with respect to some or all of the Covered Software due to statute,
+   judicial order, or regulation then You must: (a) comply with the terms of
+   this License to the maximum extent possible; and (b) describe the
+   limitations and the code they affect. Such description must be placed in a
+   text file included with all distributions of the Covered Software under
+   this License. Except to the extent prohibited by statute or regulation,
+   such description must be sufficiently detailed for a recipient of ordinary
+   skill to be able to understand it.
+
+5. Termination
+
+5.1. The rights granted under this License will terminate automatically if You
+     fail to comply with any of its terms. However, if You become compliant,
+     then the rights granted under this License from a particular Contributor
+     are reinstated (a) provisionally, unless and until such Contributor
+     explicitly and finally terminates Your grants, and (b) on an ongoing
+     basis, if such Contributor fails to notify You of the non-compliance by
+     some reasonable means prior to 60 days after You have come back into
+     compliance. Moreover, Your grants from a particular Contributor are
+     reinstated on an ongoing basis if such Contributor notifies You of the
+     non-compliance by some reasonable means, this is the first time You have
+     received notice of non-compliance with this License from such
+     Contributor, and You become compliant prior to 30 days after Your receipt
+     of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+     infringement claim (excluding declaratory judgment actions,
+     counter-claims, and cross-claims) alleging that a Contributor Version
+     directly or indirectly infringes any patent, then the rights granted to
+     You by any and all Contributors for the Covered Software under Section
+     2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
+     license agreements (excluding distributors and resellers) which have been
+     validly granted by You or Your distributors under this License prior to
+     termination shall survive termination.
+
+6. Disclaimer of Warranty
+
+   Covered Software is provided under this License on an "as is" basis,
+   without warranty of any kind, either expressed, implied, or statutory,
+   including, without limitation, warranties that the Covered Software is free
+   of defects, merchantable, fit for a particular purpose or non-infringing.
+   The entire risk as to the quality and performance of the Covered Software
+   is with You. Should any Covered Software prove defective in any respect,
+   You (not any Contributor) assume the cost of any necessary servicing,
+   repair, or correction. This disclaimer of warranty constitutes an essential
+   part of this License. No use of  any Covered Software is authorized under
+   this License except under this disclaimer.
+
+7. Limitation of Liability
+
+   Under no circumstances and under no legal theory, whether tort (including
+   negligence), contract, or otherwise, shall any Contributor, or anyone who
+   distributes Covered Software as permitted above, be liable to You for any
+   direct, indirect, special, incidental, or consequential damages of any
+   character including, without limitation, damages for lost profits, loss of
+   goodwill, work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses, even if such party shall have been
+   informed of the possibility of such damages. This limitation of liability
+   shall not apply to liability for death or personal injury resulting from
+   such party's negligence to the extent applicable law prohibits such
+   limitation. Some jurisdictions do not allow the exclusion or limitation of
+   incidental or consequential damages, so this exclusion and limitation may
+   not apply to You.
+
+8. Litigation
+
+   Any litigation relating to this License may be brought only in the courts
+   of a jurisdiction where the defendant maintains its principal place of
+   business and such litigation shall be governed by laws of that
+   jurisdiction, without reference to its conflict-of-law provisions. Nothing
+   in this Section shall prevent a party's ability to bring cross-claims or
+   counter-claims.
+
+9. Miscellaneous
+
+   This License represents the complete agreement concerning the subject
+   matter hereof. If any provision of this License is held to be
+   unenforceable, such provision shall be reformed only to the extent
+   necessary to make it enforceable. Any law or regulation which provides that
+   the language of a contract shall be construed against the drafter shall not
+   be used to construe this License against a Contributor.
+
+
+10. Versions of the License
+
+10.1. New Versions
+
+      Mozilla Foundation is the license steward. Except as provided in Section
+      10.3, no one other than the license steward has the right to modify or
+      publish new versions of this License. Each version will be given a
+      distinguishing version number.
+
+10.2. Effect of New Versions
+
+      You may distribute the Covered Software under the terms of the version
+      of the License under which You originally received the Covered Software,
+      or under the terms of any subsequent version published by the license
+      steward.
+
+10.3. Modified Versions
+
+      If you create software not governed by this License, and you want to
+      create a new license for such software, you may create and use a
+      modified version of this License if you rename the license and remove
+      any references to the name of the license steward (except to note that
+      such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+      Licenses If You choose to distribute Source Code Form that is
+      Incompatible With Secondary Licenses under the terms of this version of
+      the License, the notice described in Exhibit B of this License must be
+      attached.
+
+Exhibit A - Source Code Form License Notice
+
+      This Source Code Form is subject to the
+      terms of the Mozilla Public License, v.
+      2.0. If a copy of the MPL was not
+      distributed with this file, You can
+      obtain one at
+      http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file,
+then You may include the notice in a location (such as a LICENSE file in a
+relevant directory) where a recipient would be likely to look for such a
+notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+
+      This Source Code Form is "Incompatible
+      With Secondary Licenses", as defined by
+      the Mozilla Public License, v. 2.0.
+

vendor/github.com/hashicorp/go-rootcerts/Makefile

@@ -0,0 +1,8 @@
+TEST?=./...
+
+test:
+	go test $(TEST) $(TESTARGS) -timeout=3s -parallel=4
+	go vet $(TEST)
+	go test $(TEST) -race
+
+.PHONY: test

vendor/github.com/hashicorp/go-rootcerts/README.md

@@ -0,0 +1,43 @@
+# rootcerts
+
+Functions for loading root certificates for TLS connections.
+
+-----
+
+Go's standard library `crypto/tls` provides a common mechanism for configuring
+TLS connections in `tls.Config`. The `RootCAs` field on this struct is a pool
+of certificates for the client to use as a trust store when verifying server
+certificates.
+
+This library contains utility functions for loading certificates destined for
+that field, as well as one other important thing:
+
+When the `RootCAs` field is `nil`, the standard library attempts to load the
+host's root CA set.  This behavior is OS-specific, and the Darwin
+implementation contains [a bug that prevents trusted certificates from the
+System and Login keychains from being loaded][1]. This library contains
+Darwin-specific behavior that works around that bug.
+
+[1]: https://github.com/golang/go/issues/14514
+
+## Example Usage
+
+Here's a snippet demonstrating how this library is meant to be used:
+
+```go
+func httpClient() (*http.Client, error)
+	tlsConfig := &tls.Config{}
+	err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{
+		CAFile: os.Getenv("MYAPP_CAFILE"),
+		CAPath: os.Getenv("MYAPP_CAPATH"),
+	})
+	if err != nil {
+		return nil, err
+	}
+	c := cleanhttp.DefaultClient()
+	t := cleanhttp.DefaultTransport()
+	t.TLSClientConfig = tlsConfig
+	c.Transport = t
+	return c, nil
+}
+```

vendor/github.com/hashicorp/go-rootcerts/doc.go

@@ -0,0 +1,9 @@
+// Package rootcerts contains functions to aid in loading CA certificates for
+// TLS connections.
+//
+// In addition, its default behavior on Darwin works around an open issue [1]
+// in Go's crypto/x509 that prevents certicates from being loaded from the
+// System or Login keychains.
+//
+// [1] https://github.com/golang/go/issues/14514
+package rootcerts

vendor/github.com/hashicorp/go-rootcerts/rootcerts.go

@@ -0,0 +1,103 @@
+package rootcerts
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// Config determines where LoadCACerts will load certificates from. When both
+// CAFile and CAPath are blank, this library's functions will either load
+// system roots explicitly and return them, or set the CertPool to nil to allow
+// Go's standard library to load system certs.
+type Config struct {
+	// CAFile is a path to a PEM-encoded certificate file or bundle. Takes
+	// precedence over CAPath.
+	CAFile string
+
+	// CAPath is a path to a directory populated with PEM-encoded certificates.
+	CAPath string
+}
+
+// ConfigureTLS sets up the RootCAs on the provided tls.Config based on the
+// Config specified.
+func ConfigureTLS(t *tls.Config, c *Config) error {
+	if t == nil {
+		return nil
+	}
+	pool, err := LoadCACerts(c)
+	if err != nil {
+		return err
+	}
+	t.RootCAs = pool
+	return nil
+}
+
+// LoadCACerts loads a CertPool based on the Config specified.
+func LoadCACerts(c *Config) (*x509.CertPool, error) {
+	if c == nil {
+		c = &Config{}
+	}
+	if c.CAFile != "" {
+		return LoadCAFile(c.CAFile)
+	}
+	if c.CAPath != "" {
+		return LoadCAPath(c.CAPath)
+	}
+
+	return LoadSystemCAs()
+}
+
+// LoadCAFile loads a single PEM-encoded file from the path specified.
+func LoadCAFile(caFile string) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+
+	pem, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return nil, fmt.Errorf("Error loading CA File: %s", err)
+	}
+
+	ok := pool.AppendCertsFromPEM(pem)
+	if !ok {
+		return nil, fmt.Errorf("Error loading CA File: Couldn't parse PEM in: %s", caFile)
+	}
+
+	return pool, nil
+}
+
+// LoadCAPath walks the provided path and loads all certificates encounted into
+// a pool.
+func LoadCAPath(caPath string) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+	walkFn := func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if info.IsDir() {
+			return nil
+		}
+
+		pem, err := ioutil.ReadFile(path)
+		if err != nil {
+			return fmt.Errorf("Error loading file from CAPath: %s", err)
+		}
+
+		ok := pool.AppendCertsFromPEM(pem)
+		if !ok {
+			return fmt.Errorf("Error loading CA Path: Couldn't parse PEM in: %s", path)
+		}
+
+		return nil
+	}
+
+	err := filepath.Walk(caPath, walkFn)
+	if err != nil {
+		return nil, err
+	}
+
+	return pool, nil
+}

vendor/github.com/hashicorp/go-rootcerts/rootcerts_base.go

@@ -0,0 +1,12 @@
+// +build !darwin
+
+package rootcerts
+
+import "crypto/x509"
+
+// LoadSystemCAs does nothing on non-Darwin systems. We return nil so that
+// default behavior of standard TLS config libraries is triggered, which is to
+// load system certs.
+func LoadSystemCAs() (*x509.CertPool, error) {
+	return nil, nil
+}

vendor/github.com/hashicorp/go-rootcerts/rootcerts_darwin.go

@@ -0,0 +1,48 @@
+package rootcerts
+
+import (
+	"crypto/x509"
+	"os/exec"
+	"path"
+
+	"github.com/mitchellh/go-homedir"
+)
+
+// LoadSystemCAs has special behavior on Darwin systems to work around
+func LoadSystemCAs() (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+
+	for _, keychain := range certKeychains() {
+		err := addCertsFromKeychain(pool, keychain)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return pool, nil
+}
+
+func addCertsFromKeychain(pool *x509.CertPool, keychain string) error {
+	cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", keychain)
+	data, err := cmd.Output()
+	if err != nil {
+		return err
+	}
+
+	pool.AppendCertsFromPEM(data)
+
+	return nil
+}
+
+func certKeychains() []string {
+	keychains := []string{
+		"/System/Library/Keychains/SystemRootCertificates.keychain",
+		"/Library/Keychains/System.keychain",
+	}
+	home, err := homedir.Dir()
+	if err == nil {
+		loginKeychain := path.Join(home, "Library", "Keychains", "login.keychain")
+		keychains = append(keychains, loginKeychain)
+	}
+	return keychains
+}

vendor/github.com/lib/pq/user_posix.go

@@ -1,6 +1,6 @@
 // Package pq is a pure Go Postgres driver for the database/sql package.
 
-// +build darwin dragonfly freebsd linux nacl netbsd openbsd solaris
+// +build darwin dragonfly freebsd linux nacl netbsd openbsd solaris rumprun
 
 package pq
 

vendor/golang.org/x/crypto/ssh/handshake.go

@@ -161,8 +161,12 @@ func (t *handshakeTransport) readOnePacket() ([]byte, error) {
 
 	t.readSinceKex += uint64(len(p))
 	if debugHandshake {
-		msg, err := decode(p)
+		if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
-		log.Printf("%s got %T %v (%v)", t.id(), msg, msg, err)
+			log.Printf("%s got data (packet %d bytes)", t.id(), len(p))
+		} else {
+			msg, err := decode(p)
+			log.Printf("%s got %T %v (%v)", t.id(), msg, msg, err)
+		}
 	}
 	if p[0] != msgKexInit {
 		return p, nil
@@ -370,8 +374,8 @@ func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) erro
 
 	if t.sessionID == nil {
 		t.sessionID = result.H
-		result.SessionID = result.H
 	}
+	result.SessionID = t.sessionID
 
 	t.conn.prepareKeyChange(algs, result)
 	if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {

vendor/golang.org/x/net/context/context.go

@@ -61,7 +61,7 @@ type Context interface {
 	//
 	//  // Stream generates values with DoSomething and sends them to out
 	//  // until DoSomething returns an error or ctx.Done is closed.
-	//  func Stream(ctx context.Context, out <-chan Value) error {
+	//  func Stream(ctx context.Context, out chan<- Value) error {
 	//  	for {
 	//  		v, err := DoSomething(ctx)
 	//  		if err != nil {

vendor/golang.org/x/sys/unix/sockcmsg_unix.go

@@ -62,7 +62,7 @@ func ParseSocketControlMessage(b []byte) ([]SocketControlMessage, error) {
 
 func socketControlMessageHeaderAndData(b []byte) (*Cmsghdr, []byte, error) {
 	h := (*Cmsghdr)(unsafe.Pointer(&b[0]))
-	if h.Len < SizeofCmsghdr || int(h.Len) > len(b) {
+	if h.Len < SizeofCmsghdr || uint64(h.Len) > uint64(len(b)) {
 		return nil, nil, EINVAL
 	}
 	return h, b[cmsgAlignOf(SizeofCmsghdr):h.Len], nil

vendor/golang.org/x/sys/unix/syscall_linux_ppc64x.go

@@ -18,6 +18,7 @@ package unix
 //sysnb	Getgid() (gid int)
 //sysnb	Getrlimit(resource int, rlim *Rlimit) (err error) = SYS_UGETRLIMIT
 //sysnb	Getuid() (uid int)
+//sysnb	InotifyInit() (fd int, err error)
 //sys	Ioperm(from int, num int, on int) (err error)
 //sys	Iopl(level int) (err error)
 //sys	Lchown(path string, uid int, gid int) (err error)
@@ -97,3 +98,29 @@ func (msghdr *Msghdr) SetControllen(length int) {
 func (cmsg *Cmsghdr) SetLen(length int) {
 	cmsg.Len = uint64(length)
 }
+
+//sysnb pipe(p *[2]_C_int) (err error)
+
+func Pipe(p []int) (err error) {
+	if len(p) != 2 {
+		return EINVAL
+	}
+	var pp [2]_C_int
+	err = pipe(&pp)
+	p[0] = int(pp[0])
+	p[1] = int(pp[1])
+	return
+}
+
+//sysnb pipe2(p *[2]_C_int, flags int) (err error)
+
+func Pipe2(p []int, flags int) (err error) {
+	if len(p) != 2 {
+		return EINVAL
+	}
+	var pp [2]_C_int
+	err = pipe2(&pp, flags)
+	p[0] = int(pp[0])
+	p[1] = int(pp[1])
+	return
+}

vendor/golang.org/x/sys/unix/types_linux.go

@@ -113,6 +113,9 @@ struct my_epoll_event {
 	// padding is not specified in linux/eventpoll.h but added to conform to the
 	// alignment requirements of EABI
 	int32_t padFd;
+#endif
+#ifdef  __powerpc64__
+	int32_t _padFd;
 #endif
 	int32_t fd;
 	int32_t pad;

vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64.go

@@ -1298,6 +1298,17 @@ func Getuid() (uid int) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func InotifyInit() (fd int, err error) {
+	r0, _, e1 := RawSyscall(SYS_INOTIFY_INIT, 0, 0, 0)
+	fd = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Ioperm(from int, num int, on int) (err error) {
 	_, _, e1 := Syscall(SYS_IOPERM, uintptr(from), uintptr(num), uintptr(on))
 	if e1 != 0 {
@@ -1810,3 +1821,23 @@ func Utime(path string, buf *Utimbuf) (err error) {
 	}
 	return
 }
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pipe(p *[2]_C_int) (err error) {
+	_, _, e1 := RawSyscall(SYS_PIPE, uintptr(unsafe.Pointer(p)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pipe2(p *[2]_C_int, flags int) (err error) {
+	_, _, e1 := RawSyscall(SYS_PIPE2, uintptr(unsafe.Pointer(p)), uintptr(flags), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}

vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64le.go

@@ -1298,6 +1298,17 @@ func Getuid() (uid int) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func InotifyInit() (fd int, err error) {
+	r0, _, e1 := RawSyscall(SYS_INOTIFY_INIT, 0, 0, 0)
+	fd = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Ioperm(from int, num int, on int) (err error) {
 	_, _, e1 := Syscall(SYS_IOPERM, uintptr(from), uintptr(num), uintptr(on))
 	if e1 != 0 {
@@ -1810,3 +1821,23 @@ func Utime(path string, buf *Utimbuf) (err error) {
 	}
 	return
 }
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pipe(p *[2]_C_int) (err error) {
+	_, _, e1 := RawSyscall(SYS_PIPE, uintptr(unsafe.Pointer(p)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pipe2(p *[2]_C_int, flags int) (err error) {
+	_, _, e1 := RawSyscall(SYS_PIPE2, uintptr(unsafe.Pointer(p)), uintptr(flags), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}

vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go

@@ -589,9 +589,10 @@ type Ustat_t struct {
 }
 
 type EpollEvent struct {
-	Events uint32
+	Events  uint32
-	Fd     int32
+	X_padFd int32
-	Pad    int32
+	Fd      int32
+	Pad     int32
 }
 
 const (

vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go

@@ -589,9 +589,10 @@ type Ustat_t struct {
 }
 
 type EpollEvent struct {
-	Events uint32
+	Events  uint32
-	Fd     int32
+	X_padFd int32
-	Pad    int32
+	Fd      int32
+	Pad     int32
 }
 
 const (

website/source/docs/auth/token.html.md

@@ -599,8 +599,9 @@ of the header should be "X-Vault-Token" and the value should be the token.
         If set, tokens created against this role will <i>not</i> have a maximum
         lifetime. Instead, they will have a fixed TTL that is refreshed with
         each renewal. So long as they continue to be renewed, they will never
-        expire. The parameter is an integer duration of seconds or a duration
+        expire. The parameter is an integer duration of seconds. Tokens issued
-        string (e.g. `"72h"`).
+        track updates to the role value; the new period takes effect upon next
+        renew.
       </li>
       <li>
         <span class="param">path_suffix</span>

website/source/layouts/_footer.erb

@@ -43,7 +43,8 @@
   m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
   })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
 
-  ga('create', 'UA-62364009-1', 'auto');
+  ga('create', 'UA-62364009-1', 'vaultproject.io');
+  ga('require', 'linkid');
   ga('send', 'pageview');
 </script>