scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 17:52:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
13d302d5094165c19a15f51d61b2b5f0752241db
vault/changelog/21081.txt
Gabriel Santos 1996377b4f Transit backend: Create CSR's from keys in transit and import certificate chains (#21081) 
* setup initial boilerplate code for sign csr endpoint

* add function to sign csr

* working version of sign csr endpoint

* improving errors for csr create and sign endpoint

* initial implementation for import leaf certificate endpoint

* check if more than one certificate was provided in the ceritificate chain

* improve validate cert public key matches transit key

* convert provided cert chain from PEM to DER so it can be parsed by
x509.ParseCertificates and fixing other bugs

* fix creation of csr from csrTemplate

* add missing persist of certificate chain after validations in set-certificate endpoint

* allow exporting a certificate-chain

* move function declaration to end of page

* improving variable and function names, removing comments

* fix certificate chain parsing - work in progress

* test for signCsr endpoint

* use Operations instead of Callbacks in framework.Path

* setup test for set-certificate endpoint

fix problems with sign-csr endpoint returning base64

* finish set-certificate endpoint test

* use public key KeyEntry fields instead of retrieving public key from private

* improve error message and make better distinction between client and server error

also moved check of key types before checking if key match to endpoint handler

* check if private key has been imported for key version selected when signing a csr

* improve errors

* add endpoint description and synopsis

* fix functions calls in backend as function names changed

* improve import cert chain test

* trim whitespaces on export certificate chain

* changelog

* pass context from handler function to policy Persist

* make fmt run

* fix: assign returned error from PersistCertificateChain to err so it can be evaluated

* additional validations and improvements to parseCertificateChain function

* add validation to check if there is only one certificate in the certificate chain and it is in the first position

* import cert chain test: move creation of cluster to exported test function

* move check of end-cert pub key algorithm and key transit algorithm match into a separate function

* test export certificate chain

* Update sdk/helper/keysutil/policy.go

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>

* fix validateLeafCertPosition

* reject certificate actions on policies that allow key derivation and remove derived checks

* return UserError from CreateCSR SDK function as 400 in transit API handler

* add derived check for ED5519 keys on CreateCSR SDK func

* remove unecessary calls of x509.CreateCertificateRequest

* move validate key type match back into SDK ValidateLeafCertMatch function

* add additional validations (ValidateLeafCertKeyMatch, etc) in SDK PersistCertificateChain function

* remove uncessary call of ValidateLeafCertKeyMatch in parseImportCertChainWrite

* store certificate chain as a [][]byte instead of []*x509.Certificate

* include persisted ca chain in import cert-chain response

* remove NOTE comment

* allow exporting cert-chain even if exportable is set as false

* remove NOTE comment

* add certifcate chain to formatKeyPublic if present

also added an additional check to validate if field is added when
certchain is present

---------

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2023-08-22 08:24:56 -04:00

4 lines
140 B
Plaintext
Raw Blame History

```release-note:improvement
secrets/transit: Add support to create CSRs from keys in transit engine and import/export x509 certificates
```
Reference in New Issue View Git Blame Copy Permalink