Kyle Havlovitz
f67a4d59c0
connect/ca: simplify passing of leaf cert TTL
2018-07-25 17:51:45 -07:00
Kyle Havlovitz
ce10de036e
connect/ca: check LeafCertTTL when rotating expired roots
2018-07-20 16:04:04 -07:00
Kyle Havlovitz
d6ca015a42
connect/ca: add configurable leaf cert TTL
2018-07-16 13:33:37 -07:00
Matt Keeler
677d6dac80
Remove x509 name constraints
...
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Kyle Havlovitz
8c2c9705d9
connect/ca: use weak type decoding in the Vault config parsing
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
050da22473
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
914d9e5e20
connect/ca: add leaf verify check to cross-signing tests
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
bc997688e3
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
8a70ea64a6
connect/ca: update Vault provider to add cross-signing methods
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
6a2fc00997
connect/ca: add URI SAN support to the Vault provider
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
226a59215d
connect/ca: fix vault provider URI SANs and test
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
1a8ac686b2
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
51fc48e8a6
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Paul Banks
e514570dfa
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
Kyle Havlovitz
ab4a9a94f4
Re-use uint8ToString
2018-06-14 09:42:23 -07:00
Kyle Havlovitz
5683d628c4
Support giving the duration as a string in CA config
2018-06-14 09:42:22 -07:00
Paul Banks
140f3f5a44
Fix logical conflicts with CA refactor
2018-06-14 09:42:17 -07:00
Paul Banks
4aeab3897c
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes.
2018-06-14 09:42:16 -07:00
Paul Banks
1722734313
Verify trust domain on /authorize calls
2018-06-14 09:42:16 -07:00
Paul Banks
b4803eca59
Generate CSR using real trust-domain
2018-06-14 09:42:16 -07:00
Paul Banks
622a475eb1
Add CSR signing verification of service ACL, trust domain and datacenter.
2018-06-14 09:42:16 -07:00
Paul Banks
c1f2025d96
Return TrustDomain from CARoots RPC
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
e00088e8ee
Rename some of the CA structs/files
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
627aa80d5a
Use provider state table for a global serial index
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
988510f53c
Add test for ca config http endpoint
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
de72834b8c
Move connect CA provider to separate package
2018-06-14 09:42:15 -07:00
Paul Banks
e0e12e165b
TLS watching integrated into Service with some basic tests.
...
There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code.
2018-06-14 09:42:07 -07:00
Paul Banks
90c574ebaa
Wire up agent leaf endpoint to cache framework to support blocking.
2018-06-14 09:42:07 -07:00
Kyle Havlovitz
edcfdb37af
Fix some inconsistencies around the CA provider code
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
315b8bf594
Simplify the CAProvider.Sign method
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
c6e1b72ccb
Simplify the CA provider interface by moving some logic out
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
a325388939
Clarify some comments and names around CA bootstrapping
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
33418afd3c
Add cross-signing mechanism to root rotation
2018-06-14 09:42:00 -07:00
Kyle Havlovitz
d83fbfc766
Add the root rotation mechanism to the CA config endpoint
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
f9d92d795e
Have the built in CA store its state in raft
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
9fc33d2a62
Add the CA provider interface and built-in provider
2018-06-14 09:41:58 -07:00
Paul Banks
10db79c8ae
Rework connect/proxy and command/connect/proxy. End to end demo working again
2018-06-14 09:41:57 -07:00
Paul Banks
26e65f6bfd
connect.Service based implementation after review feedback.
2018-06-14 09:41:56 -07:00
Mitchell Hashimoto
3ef0b93159
agent/connect: Authorize for CertURI
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
ffe4cdfc15
agent/connect: support any values in the URL
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
75bf0e1638
agent/connect: support SpiffeIDSigning
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
17ca8ad083
agent/connect: rename SpiffeID to CertURI
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
0cbcb07d61
agent/connect: use proper keyusage fields for CA and leaf
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
73442ada5a
agent/connect: address PR feedback for the CA.go file
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
a54d1af421
agent/consul: encode issued cert serial number as hex encoded
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
c2588262b7
agent: /v1/connect/ca/leaf/:service_id
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
891cd22ad9
agent/consul: key the public key of the CSR, verify in test
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
d768d5e9a7
agent/consul: test for ConnectCA.Sign
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
f4ec28bfe3
agent/consul: basic sign endpoint not tested yet
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
548ce190d5
agent/connect: package for agent-related Connect, parse SPIFFE IDs
2018-06-14 09:41:50 -07:00