Initial PKI backend implementation

[jefferai]

Pinging #125.

Complete:

• Up-to-date API documents
• Backend configuration (root certificate and private key)
• Highly granular role configuration
• Certificate generation
• CN checking against role
• IP and DNS subject alternative names
• Server, client, and code signing usage types
• Later certificate (but not private key) retrieval
• CRL creation and update
• CRL/CA bare endpoints (for cert extensions)
• Revocation (both Vault-native and by serial number)
• CRL force-rotation endpoint
• Acceptance tests (a few more could be added, but they're fairly comprehensive‡)

Missing:

• OCSP support (can't implement without changes in Vault)

‡ Note: I believe revocation tests are impossible with the current logical testing framework, so this is a big missing piece of acceptance tests.

Commit contents (C)2015 Akamai Technologies, Inc. opensource@akamai.com

[armon]

Awesome! I will review shortly and provide any feedback I have!

[jefferai]

I've created a small test program for an internal demo here, and thought I'd share it: https://gist.github.com/jefferai/e2bebc3bb97fed521666.

You'll obviously need correct roles set up, and an appropriate CA certificate (see advice about CRL endpoints in the documentation).

Also, I pushed some bug fixes into this -- since there are no reviews/comments yet, I simply rebased. Once there are reviews/comments I will commit fixes normally.

[jefferai]

@armon With a few minor exceptions, acceptance tests are done. At some point we should discuss the current testing framework because I don't see any way to actually do revocation testing.

[armon]

It would be amazing if /pki/config/ca support an option to just generated a new CA. This way, you can let Vault auto-generate the CA, and pull out the certificate and install it on new clients dynamically (say with Terraform). No need to ever touch OpenSSL.

[armon]

This is crl/rotate in the docs, not sure which it should be

[jefferai]

Hah, the problem with not yet having unit tests for revocation. I landed on "rotate" so I'll update that here (it's that path in the actual Path struct, just didn't update it here).

[armon]

Left a few comments, but this looks SUPER solid! Very excited to get it in

[jefferai]

@armon I agree that it would be nice if the backend generated a certificate for you; however, I wanted to avoid dealing with the number of variables, or with templating, and with having to have users then configure a base domain to use when generating CRL endpoints, and so on. It seems like a good future enhancement...it requires actually processing a good amount of data if you want certs that support all of the various configuration options, and someone that will be using this will probably not be too scared by a quick openssl command especially using easy-rsa...

[jefferai]

I've updated the gist (https://gist.github.com/jefferai/e2bebc3bb97fed521666) to use the functions in helper/certutil to deal with the returned data. The result is a 60-line (33%) reduction in code and significantly less complexity for most users; this hopefully shows how moving these functions to a helper location is a win.

Note that although it has helper functions to directly parse the output from the PKI backend, in the Cassandra backend I'm coding it actually doesn't need to use these; the user can upload the returned JSON from the PKI backend or upload a PEM bundle directly with a cert that does not need to be sourced from the PKI backend; in either case the functions are still extremely useful, and huge time/LoC savers.

The gist is now a fully error-checking cert-fetching client/server TLS auth program in 125 lines.

[armon]

We should have tests for all the methods in the certutil package!

[jefferai]

All of that code is tested by the tests in the pki package, since that package is heavily dependent upon it and the code was split out from it. But if you want separate tests, they could happen.

[armon]

It would be great to get the tests in this package separately. This way we can refactor each layer of the code without trying to remember what package tests what other packages.

[armon]

If the certificate is revoked just due to age (e.g. expiration time hit) then we probably do not need to generate a CRL entry. The underlying certificate is already invalid anyways. It's only for an early revocation that CRL must be generated. (Correct me if I'm wrong)

[jefferai]

Certificates that are expired are not added to the CRL. (In fact, when building the CRL, any revoked certificates that are expired are simply removed from the underlying store.)

[armon]

@jefferai Left a bit more feedback. It looks super solid. The major feedback points would be:

• Testing for the individual packages. This way you can modify a single package and run its tests without needing to understand the interdependencies.
• Do we need the revoked/ endpoints?
• Please add a short comment to every function describing what it does for style

Otherwise we are pretty much on the finish line!

[jefferai]

At this point I believe I have addressed all feedback except for testing for the certutil package.

[jefferai]

Unit tests for certutil are done. I think that solves all outstanding issues.

[armon]

Awesome work! Let's get this in!

[jefferai]

@armon You're supposed to be on vacation. :-)