Add per-issuer AIA URI information to PKI secrets engine #16563
A couple of nits, nothing preventing merging
builtin/logical/pki/backend_test.go
leafCert = parseCert(t, resp.Data["certificate"].(string)) | ||
require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://example.com/ca"}) | ||
require.Equal(t, leafCert.OCSPServer, []string{"https://example.com/ocsp"}) | ||
require.Equal(t, leafCert.CRLDistributionPoints, []string{"https://example.com/crl"}) |
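Review bot: the three `require.Equal` assertions only cover the case where the leaf's URLs equal the single configured set; consider minting a second leaf from a different issuer in the same mount (or with `config/urls` also populated) and asserting the three fields differ, since a leaf pointing back at its own signing issuer rather than the global default is the behaviour this PR adds.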
Should we exercise the PATCH version in this test?
Let me know if you want more PATCH tests. :-)
Hi, thanks for working on this, and sorry it has taken me so long to look into the code. There's a bit of a terminology mix-up here - AIA is a technical term which refers only to Vault's
Looking further into the rest of the code too now.
distribution point. These separate CRLs should either be aggregated into a | ||
single CRL (externally; as Vault does not support this functionality) | ||
or multiple `crl_distribution_points` should be specified here, pointing | ||
to each cluster and issuer. |
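Review bot: the guidance to specify multiple `crl_distribution_points` pointing at each cluster is flagged in this thread as not correct for Performance Replication environments; since this wording is copied from elsewhere in the docs, fix the source text in the same change or open a follow-up so the two passages do not diverge.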
I guess this is orthogonal to this PR, as this is language copied from elsewhere in the docs, but actually specifying multiple crl_distribution_points is not a correct way to deal with Performance Replication environments.
Yeah......
builtin/logical/pki/cert_util.go
@@ -674,7 +674,8 @@ func generateCert(sc *storageContext, | |||
data.Params.PermittedDNSDomains = input.apiData.Get("permitted_dns_domains").([]string) | |||
|
|||
if data.SigningBundle == nil { | |||
// Generating a self-signed root certificate | |||
// Generating a self-signed root certificate. Since we have no | |||
// issuer entry yet, we default to the global URLs. | |||
entries, err := getURLs(ctx, sc.Storage) |
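Review bot: the new comment on the `data.SigningBundle == nil` branch explains that `getURLs` is used because no issuer entry exists yet, but not that this is a deliberate backwards-compatibility choice; since the discussion settles on roots normally carrying no AIA and per-issuer URLs being configured on the issuer after generation, say so in the comment so a future reader does not "fix" it by plumbing URLs into root generation.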
I guess this approach works for now, but it means there are certain configurations it will be hard to orchestrate reasonably with desired state configuration e.g. terraform-provider-vault. (I'm thinking of ones where you deliberately want to create multiple issuers with different URLs.)
It may be worth re-visiting allowing the URLs to be passed in as part of the root generation request itself in a later PR.
I think there should be no issue once terraform-provider-vault is updated to support setting AIAs on issuers? (cc @stevendpclark & @benashz).
My understanding from the RFC -- and correct me if I'm wrong -- is generally you don't want AIAs on roots. So while we don't support setting them on root generation (as you mention in the last sentence), the approach you'd probably want is:
- Generate root without AIA URLs.
- Configure per-issuer AIA on the root.
- Generate intermediates. These will use the root's per-issuer AIA for signing the intermediate cert proper.
- Once intermediate is imported, configure per-issuer AIA on the intermediate.
- Issue leaf certs, which will consume intermediate AIAs.
- Global URLs should probably never be set. This workflow works independent of whether one or several mounts are used.
AIA should then be structured correctly, minus the cross-cluster discussion elsewhere.
This comment is mostly about preserving backwards compatibility and noting why we call getURLs
rather than the newer issuer-entry call (used above).
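As an added example (not code from this PR or from Vault), the property the workflow above is meant to guarantee, shown with Go's crypto/x509: a leaf signed by one issuer carries that issuer's own AIA/CDP URLs, while the root itself carries none. The issuerAIA type, the issue/caTemplate/mintLeaf helpers and the example URLs are this example's own assumptions, not Vault's storage layout or API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issuerAIA is this example's model of the per-issuer URL set the PR adds.
type issuerAIA struct{ IssuingCertificates, CRLDistributionPoints, OCSPServers []string }

// issue generates a fresh key and a certificate for tmpl signed by parent;
// when parent is tmpl itself the new key self-signs (a root without AIA).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == tmpl {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate is an issuer template carrying no AIA of its own.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// mintLeaf signs a leaf with ca and stamps ca's own URLs into it: the
// per-issuer behaviour the PR introduces in place of the global set.
func mintLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, aia issuerAIA) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IssuingCertificateURL: aia.IssuingCertificates, CRLDistributionPoints: aia.CRLDistributionPoints,
		OCSPServer: aia.OCSPServers}
	leaf, _, err := issue(tmpl, ca, caKey)
	return leaf, err
}
```

The same check, run against certificates issued by a real mount, is what a test or an auditor would use to confirm that a leaf chains to and points at the issuer that signed it.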
@maxb said:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1 is titled AIA and includes both CA Issuers and OCSP. That CRL isn't strictly included there is, IMO, more a comment towards its structure (instead having a separate extension) -- but it is mentioned from there as being related conceptually. :-) Indeed, I think they kinda intended to if you read this quote from the start (+/- actually having it as a separate extension):
My 2c. but I think conceptually, it makes sense especially given OCSP is actually part of the main AIA extension.
Ah... whoops. My experience is entirely with CRL-based revocation, never having actually deployed OCSP, and I extrapolated wrongly. OK then, I just learned that OCSP URLs are communicated within AIA too!
I don't think your quote from the changelog compared to the previous version of the RFC - mentioning the AIA extension for CRLs, not certificates - gives any additional clarity. I do now see two of the three URLs are actually in the AIA extension, and the third can be considered "AIA adjacent" from a certain point of view - and maybe that's sufficient to use AIA as an unofficial catch-all term in internal program symbols. In public documentation and error messages, though, I think there's still a good case for talking about "AIA/CDP" or "Authority Information Access or CRL Distribution Points", so that users receive unambiguous information, regardless of their viewpoint regarding implied nesting of the concepts, or not.
Cool, I'll update much of the wording to be clearer but otherwise leave them internally as AIAs. Thanks!
All of these are totally nits, feel free to ignore. This is really well done.
Per discussion on GitHub with @maxb, this allows issuers to have their own copy of AIA URIs. Because each issuer has its own URLs (for CA and CRL access), it's necessary to mint their issued certs pointing to the correct issuer and not to the global default issuer. For anyone using multiple issuers within a mount, this change allows the issuer to point back to itself via leaf's AIA info. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Also add it to the considerations page as something to watch out for. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This introduces a common helper per Steve's suggestion. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This clarifies which request parameter the invalid URL is contained in, disambiguating the sometimes ambiguous usage of AIA, per suggestion by Max. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
👍
This looks great!