* Sign empty to cert on manual-chain update.
* Add role defaults.
* Add changelog.
* More useful error message.
* Suggestions from PR Review.
* Fixes to update as well as write; test that still fails; revert code.
* Unit Test fix.
* Add go doc to TestManualChainValidation
* Move all pki-verification calls from sdk-Verify() to pki-specific VerifyCertificate(...); update sdk-Verify to allow multiple chains, but validate that at least one of those chains is valid.
* Updates to Validate on Parse PEMBlock, so that a single cert or a single key parses (test fixes).
* Add changelog.
* Make test certificate expire in a while, not at linux epoch.
* Remove duplicate code.
* Fix header file + go mod tidy.
* Updates based on review.
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go
- t.Fatal(f) should not be called within a goroutine based on its documentation and only from the main test's thread.
- In 1.24 this seems to cause build failures
* Address all "non-constant format string errors" from go vet
- Within 1.24 these now cause test builds to fail
…" from go vet
* Allow a Vault operator to list, read and update PKI ACME accounts
- This allows an operator to list the ACME account key ids, read
the ACME account getting all the various information along with
the account's associated orders and update the ACME account's
status to either valid or revoked
* Add tests for new ACME management APIs
* Update PKI api-docs
* Add cl
* Add missing error handling and a few more test assertions
* PR feedback
* Fix Note tags within the website
* Apply suggestions from docscode review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/pki/issuance.mdx
* Update website/content/api-docs/secret/pki/issuance.mdx
* Update website/content/api-docs/secret/pki/issuance.mdx
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* More CE changes for hybrid wireup
* remove unused func
* undo reintroduction of loss of omitempty
* Add ent hooks and handle unsupported keys correctly
* tidy import
* Fix ent encode test logic
* CE side changes to key policy engine for ML-DSA/Hybrid support
* fix ce mismatch for verify
* restore omitempty
* unnecessary
* Perform code reuse of ed25519 validation differently
* make parts of export testing ent only
* license
* add open api params
* support pki name constraints
* fix conditional
* revert helptextwsubtext
* fix typo
* add name constraints to sign intermediate form
* add changelog
* update test
Sort CA chain into root and intermediates on VerifyCertificate.
In order for the Certificate.Verify method to work correctly, the certificates
in the CA chain need to be sorted into separate root and intermediate
certificate pools.
Add unit tests to verify that name constraints in both the root and intermediate
certificates are checked.
Support all fields of the name constraints extension when generating CA certs.
The PKI secrets engine only provided the parameter permitted_dns_domains to create
the name constraints extension when generating CA certificates.
Add the following parameters to provide full support for the extension:
* permitted_email_addresses
* permitted_ip_ranges
* permitted_uri_domains
* excluded_dns_domains
* excluded_email_addresses
* excluded_ip_ranges
* excluded_uri_domains
Specifying any combination of these parameters will trigger the creation of the
name constraints extension as per RFC 5280 section 4.2.1.10.
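The two points made in the commit above, sorting the CA chain into separate root and intermediate pools before calling Certificate.Verify and populating every field of the name constraints extension, can be exercised end to end with Go's standard library. The following is an added example and not code from Vault or from these commits: the NameConstraints struct, applyNameConstraints, verifyWithChain, template, issue and buildDemoPKI are hypothetical names, and the two-tier PKI (root permitting example.com and 10.0.0.0/8, intermediate excluding internal.example.com) and its three leaves are constructed here for illustration. Besides the correct sorted case it also shows the failure mode the commit is fixing: when the whole chain is handed to Verify as roots, the intermediate becomes a trust anchor and the real root's constraints are never evaluated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NameConstraints mirrors the eight permitted_*/excluded_* parameters listed in the commit
// message. Hypothetical type, not Vault's; IP ranges are assumed already parsed from CIDR strings.
type NameConstraints struct {
	PermittedDNSDomains, ExcludedDNSDomains         []string
	PermittedEmailAddresses, ExcludedEmailAddresses []string
	PermittedIPRanges, ExcludedIPRanges             []*net.IPNet
	PermittedURIDomains, ExcludedURIDomains         []string
}

// applyNameConstraints copies the lists into a CA template. Any non-empty list turns
// the extension on, and RFC 5280 4.2.1.10 requires it to be marked critical.
func applyNameConstraints(tmpl *x509.Certificate, nc NameConstraints) {
	tmpl.PermittedDNSDomains, tmpl.ExcludedDNSDomains = nc.PermittedDNSDomains, nc.ExcludedDNSDomains
	tmpl.PermittedEmailAddresses, tmpl.ExcludedEmailAddresses = nc.PermittedEmailAddresses, nc.ExcludedEmailAddresses
	tmpl.PermittedIPRanges, tmpl.ExcludedIPRanges = nc.PermittedIPRanges, nc.ExcludedIPRanges
	tmpl.PermittedURIDomains, tmpl.ExcludedURIDomains = nc.PermittedURIDomains, nc.ExcludedURIDomains
	n := len(nc.PermittedDNSDomains) + len(nc.ExcludedDNSDomains) + len(nc.PermittedEmailAddresses) + len(nc.ExcludedEmailAddresses) +
		len(nc.PermittedIPRanges) + len(nc.ExcludedIPRanges) + len(nc.PermittedURIDomains) + len(nc.ExcludedURIDomains)
	tmpl.PermittedDNSDomainsCritical = n > 0 // Go's single flag that marks the whole extension critical
}

// verifyWithChain runs path validation against an unordered CA chain. With sorted=true,
// self-signed certificates go into Roots and the rest into Intermediates, so every CA on the
// path has its constraints checked. With sorted=false the whole chain lands in Roots: the
// intermediate then counts as a trust anchor and the real root's constraints are never evaluated.
func verifyWithChain(leaf *x509.Certificate, chain []*x509.Certificate, sorted bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain {
		if !sorted || c.CheckSignatureFrom(c) == nil { // self-signed => trust anchor
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// template builds a minimal CA or server-leaf certificate template.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	} else { // leaf: Go matches name constraints against the SAN, not the CN
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parentKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return cert, key
}

// buildDemoPKI constructs a two-tier PKI: the root permits example.com and 10.0.0.0/8, the
// intermediate additionally excludes internal.example.com. Chain is returned intermediate-first.
func buildDemoPKI() (chain []*x509.Certificate, leaves map[string]*x509.Certificate) {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8")
	rootT, intT := template("Demo Root", 1, true), template("Demo Intermediate", 2, true)
	applyNameConstraints(rootT, NameConstraints{PermittedDNSDomains: []string{"example.com"}, PermittedIPRanges: []*net.IPNet{lan}})
	applyNameConstraints(intT, NameConstraints{ExcludedDNSDomains: []string{"internal.example.com"}})
	root, rootKey := issue(rootT, nil, nil)
	inter, interKey := issue(intT, root, rootKey)
	leaves = map[string]*x509.Certificate{} // constructed leaves, keyed by their single DNS SAN
	for i, dns := range []string{"www.example.com", "www.example.org", "db.internal.example.com"} {
		leaves[dns], _ = issue(template(dns, int64(10+i), false), inter, interKey)
	}
	return []*x509.Certificate{inter, root}, leaves
}

func main() {
	chain, leaves := buildDemoPKI()
	for dns, leaf := range leaves {
		fmt.Printf("%-24s sorted: %v | all-as-roots: %v\n", dns, verifyWithChain(leaf, chain, true), verifyWithChain(leaf, chain, false))
	}
}
```

Run with `go run .`: only www.example.com verifies with the sorted pools, www.example.org is rejected by the root's permitted subtree and db.internal.example.com by the intermediate's excluded subtree. In the unsorted column www.example.org is accepted, which is exactly why the chain has to be split before Verify. Self-signedness is detected with CheckSignatureFrom rather than by position in the chain, so the order a caller supplies does not matter.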
* Use DRBG based RSA key generation everywhere
* switch to the conditional generator
* Use DRBG based RSA key generation everywhere
* switch to the conditional generator
* Add an ENV var to disable the DRBG in a pinch
* update go.mod
* Use DRBG based RSA key generation everywhere
* switch to the conditional generator
* Add an ENV var to disable the DRBG in a pinch
* Use DRBG based RSA key generation everywhere
* update go.mod
* fix import
* Remove rsa2 alias, remove test code
* move cryptoutil/rsa.go to sdk
* move imports too
* remove makefile change
* rsa2->rsa
* more rsa2->rsa, remove test code
* fix some overzealous search/replace
* Update to a real tag
* changelog
* copyright
* work around copyright check
* work around copyright check pt2
* bunch of dupe imports
* missing import
* wrong license
* fix go.mod conflict
* missed a spot
* dupe import
* Add an option to allow cert-auth to return metadata about client certs that fail login
* Add cl
* Update SPDX header for sdk/logical/response_test.go
* add ml-dsa key type and stubs
* add in sdk changes
* ent breakout
* fix private key func and run go mod tidy
* change function name
* tidy go.mod
---------
Co-authored-by: Scott G. Miller <smiller@hashicorp.com>