Commit Graph

14 Commits

Author SHA1 Message Date
Daniel Nephin 4afc24268d tlsutil: only AuthorizerServerConn when VerifyIncomingRPC is true
See github.com/hashicorp/consul/issues/11207

When VerifyIncomingRPC is false the TLS conn will not have the required certificates.
2021-10-27 13:43:25 -04:00
Hans Hasselberg 13238dbab6
tls: consider presented intermediates during server connection tls handshake. (#10964)
* use intermediates when verifying

* extract connection state

* remove useless import

* add changelog entry

* golint

* better error

* wording

* collect errors

* use SAN.DNSName instead of CommonName

* Add test for unknown intermediate

* improve changelog entry
2021-09-09 21:48:54 +02:00
R.B. Boyer a2876453a5
connect/ca: cease including the common name field in generated certs (#10424)
As part of this change, we ensure that the SAN extensions are marked as
critical when the subject is empty so that AWS PCA tolerates the loss of
common names well and continues to function as a Connect CA provider.

Parts of this currently hack around a bug in crypto/x509 and can be
removed after https://go-review.googlesource.com/c/go/+/329129 lands in
a Go release.

Note: the AWS PCA tests do not run automatically, but the following
passed locally for me:

    ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS
2021-06-25 13:00:00 -05:00
Hans Hasselberg 53e9c134af
introduce certopts (#9606)
* introduce cert opts

* it should be using the same signer

* lint and omit serial
2021-03-22 10:16:41 +01:00
Kyle Havlovitz 3fd040be22
Merge pull request #7623 from FriedCircuits/patch-1
Add support for RSA private key to TLS utils.
2021-02-04 11:37:51 -08:00
Hans Hasselberg 444cdeb8fb
Add flags to support CA generation for Connect (#9585) 2021-01-27 08:52:15 +01:00
jsosulska fe33527412 Add RSA Test case for generating CA Cert 2021-01-20 18:36:55 -05:00
jsosulska 3a1bbf93af Reuse Connect.parseSigner.Adds change from #8898
Co-authored-by: Aliaksandr Mianzhynski <amenzhinsky@gmail.com>
2021-01-20 18:36:55 -05:00
William e9630ea263 Add RSA Support to KeyID 2021-01-20 18:36:55 -05:00
William c1d6505fe3 Add support for RSA private key to TLS utils.
Co-authored-by: Thomas Detoux <detoux@gmail.com>
2021-01-20 18:35:53 -05:00
Daniel Nephin c88fae0aac ci: Add staticcheck and fix most errors
Three of the checks are temporarily disabled to limit the size of the
diff, and allow us to enable all the other checks in CI.

In a follow up we can fix the issues reported by the other checks one
at a time, and enable them.
2020-05-28 11:59:58 -04:00
R.B. Boyer af01d397a5
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492)
The fields in the certs are meant to hold the original binary
representation of this data, not some ascii-encoded version.

The only time we should be colon-hex-encoding fields is for display
purposes or marshaling through non-TLS mediums (like RPC).
2019-09-23 12:52:35 -05:00
Todd Radel 2552f4a11a
connect: Support RSA keys in addition to ECDSA (#6055)
Support RSA keys in addition to ECDSA
2019-07-30 17:47:39 -04:00
Hans Hasselberg 33a7df3330
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 22:22:07 +02:00