This project is mirrored from https://gitee.com/NQL886/vault.git. Pull mirroring failed .
Repository mirroring has been paused due to too many failed attempts. It can be resumed by a project maintainer.
  1. 04 Apr, 2022 4 commits
  2. 01 Apr, 2022 2 commits
  3. 30 Mar, 2022 3 commits
  4. 29 Mar, 2022 3 commits
  5. 28 Mar, 2022 2 commits
  6. 25 Mar, 2022 1 commit
  7. 21 Mar, 2022 2 commits
  8. 18 Mar, 2022 2 commits
  9. 16 Mar, 2022 1 commit
  10. 15 Mar, 2022 1 commit
  11. 14 Mar, 2022 2 commits
  12. 11 Mar, 2022 1 commit
  13. 03 Mar, 2022 2 commits
  14. 02 Mar, 2022 1 commit
  15. 28 Feb, 2022 1 commit
  16. 24 Feb, 2022 6 commits
    • Nick Cabatoff's avatar
      Update sdk for 1.8.9 (#14263) · 86542aae
      Nick Cabatoff authored
      86542aae
    • Nick Cabatoff's avatar
      Update version in sdk to 1.8.9. (#14258) · 4cb73e82
      Nick Cabatoff authored
      4cb73e82
    • hc-github-team-secure-vault-core's avatar
      Backport of UI/fix db role ttl display into release/1.8.x (#14227) · 8b1da985
      hc-github-team-secure-vault-core authored
      
      * backport of commit a9fca1048496c2b2c828c14188ca6a1db0676ef8
      
      * Fixes pre-refactor
      
      * Tests
      Co-authored-by: default avatarhashishaw <cshaw@hashicorp.com>
      Co-authored-by: default avatarChelsea Shaw <82459713+hashishaw@users.noreply.github.com>
      8b1da985
    • Nick Cabatoff's avatar
      Update to Go 1.16.14. (#14249) · 46f63581
      Nick Cabatoff authored
      46f63581
    • Alexander Scheel's avatar
      Backport 1.8.x - Add role parameter to restrict issuance of wildcard... · 138fb23b
      Alexander Scheel authored
      Backport 1.8.x - Add role parameter to restrict issuance of wildcard certificates + Clarify documentation around certificate issuance (#14252)
      
      * Add role parameter to restrict issuance of wildcard certificates (#14238)
      
      * Add new AllowWildcardCertificate field to PKI role
      
      This field allows the PKI role to control whether or not issuance of
      wildcard certificates are allowed. We default (both on migration and
      new role creation) to the less secure true value for backwards
      compatibility with existing Vault versions.
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Refactor sanitizedName to reducedName
      
      Per comment, this variable name was confusing during the reproduction
      and subsequent fix of the earlier vulnerability and associated bug
      report. Because the common name isn't necessarily _sanitized_ in any way
      (and indeed must be considered in relation to other parts or the whole),
      but portions of the entire name are removed, reducedName appears to make
      the most sense.
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Enforce AllowWildcardCertificates during issuance
      
      This commit adds the bulk of correctly validating wildcard certificate
      Common Names during issuance according to RFC 6125 Section 6.4.3
      semantics. As part of this, support for RFC 2818-conforming wildcard
      certificates (wherein there are almost no restrictions on issuance) has
      been removed.
      
      Note that this flag does take precedence over AllowAnyName, giving a
      little more safety in wildcard issuance in this case.
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Update test cases to conform with RFC 6125
      
      Test cases 19, 70+71, and 83+84 didn't conform with the RFC 6125, and so
      should've been rejected under strict conformance. For 70+71 and 83+84,
      we previously conditioned around the value of AllowSubdomains (allowing
      issuance when true), but they likely should've been rejected either way.
      
      Additionally, update the notes about globs matching wildcard
      certificates to notate this is indeed the case.
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Check AllowWildcardCertifciates in issuance tests
      
      This allows for regression tests to cover the new
      AllowWildcardCertificate conditional. We add additional test cases
      ensuring that wildcard issuance is properly forbidden in all relevant
      scenarios, while allowing the existing test cases to validate that
      wildcard status doesn't affect non-wildcard certificates.
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Add Wildcard allowance during signing operations
      
      When using sign-verbatim, sign-intermediate, or getting certificate
      generation parameters, set AllowWildcardCertificates to mirror existing
      policies.
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Add changelog entry
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Clarify documentation around certificate issuance (#14236)
      
      We note that:
      
       - allow_bare_domains, allow_glob_domains, and allow_subdomains are all
         independent,
       - enforce_hostnames and allow_wildcard_certificates take precedence over
         allow_any_name,
       - We limit to RFC 6125 wildcards.
       - Clarify that both allow_bare_domains and allow_glob_domains will permit
         wildcard issuance in certain scenarios.
      Co-authored-by: default avatarmickael-hc <86245626+mickael-hc@users.noreply.github.com>
      Co-authored-by: default avatarKit Haines <kit.haines@hashicorp.com>
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      Co-authored-by: default avatarmickael-hc <86245626+mickael-hc@users.noreply.github.com>
      Co-authored-by: default avatarKit Haines <kit.haines@hashicorp.com>
      Co-authored-by: default avatarmickael-hc <86245626+mickael-hc@users.noreply.github.com>
      Co-authored-by: default avatarKit Haines <kit.haines@hashicorp.com>
      138fb23b
    • Alexander Scheel's avatar
      Fix broken interactions between glob_domains and wildcards (#14242) · d230ad7e
      Alexander Scheel authored
      
      * Allow issuance of wildcard via glob match
      
      From Vault v1.8.0 onwards, we would incorrectly disallow issuance of a
      wildcard certificate when allow_glob_domain was enabled with a
      multi-part glob domain in allowed_domains (such as *.*.foo) when
      attempting to issue a wildcard for a subdomain (such as *.bar.foo).
      
      This fixes that by reverting an errant change in the case insensitivity
      patch. Here, when validating against a very powerful glob construct, we
      leave the wildcard prefix (*.) from the raw common_name element, to
      allow multi-part globs to match wildcard entries.
      
      It is important to note that "sanitizedName" is an incorrect variable
      naming here. Wildcard parsing (per RFC 6125 which supercedes RFC 2818)
      must be in the left-most segment of the domain, but we lack validation
      to ensure no internal wildcards exist. Additionally per item 3 of
      section 6.4.3 of RFC 6125, wildcards MAY be internal to a domain
      segment, in which case sanitizedName again leaves the wildcard in place.
      
      Resolves: #13530
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Remove duplicate email address check
      
      As pointed out by Steven Clark (author of the removed conditional in
      70012cd8
      
      ), this is duplicate from the
      now-reintroduced comparison against name (versus the erroneous
      sanitizedName at the time of his commit).
      
      This is a reversion of the changes to builtin/logical/pki/cert_util.go,
      but keeping the additional valuable test cases.
      Co-authored-by: default avatarSteven Clark <steven.clark@hashicorp.com>
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Add multi-dimensional PKI role issuance tests
      
      This commit introduces multi-dimensional testing of PKI secrets engine's
      role-based certificate issuance with the intent of preventing future
      regressions.
      
      Here, dimensions of testing include:
      
       - AllowedDomains to decide which domains are approved for issuance,
       - AllowBareDomains to decide if raw entries of AllowedDomains are
         permitted,
       - AllowGlobDomains to decide if glob patterns in AllowedDomains are
         parsed,
       - AllowSubdomains to decide if subdomains of AllowedDomains are
         permitted,
       - AllowLocalhost to decide if localhost identifiers are permitted, and
       - CommonName of the certificate to request.
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      
      * Add changelog entry
      Signed-off-by: default avatarAlexander Scheel <alex.scheel@hashicorp.com>
      Co-authored-by: default avatarSteven Clark <steven.clark@hashicorp.com>
      Co-authored-by: default avatarSteven Clark <steven.clark@hashicorp.com>
      d230ad7e
  17. 19 Feb, 2022 1 commit
  18. 18 Feb, 2022 1 commit
  19. 11 Feb, 2022 1 commit
  20. 08 Feb, 2022 1 commit
  21. 07 Feb, 2022 1 commit
  22. 04 Feb, 2022 1 commit