Skip to content

Allow Root + Intermediate Key_Usage to be set #30034

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Apr 3, 2025
Merged

Allow Root + Intermediate Key_Usage to be set #30034

merged 11 commits into from
Apr 3, 2025

Conversation

kitography
Copy link
Contributor

@kitography kitography commented Mar 26, 2025
edited
Loading

Description

Allows Root and Intermediate Key_Usage to be set via CLI, not just in the CSR

Fixes: #29362

The test here doesn't successfully fail on a bad branch, so this is a draft right now.

TODO only if you're a HashiCorp employee

  • Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.

@kitography kitography added this to the 1.19.1 milestone Mar 26, 2025
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Mar 26, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 26, 2025
edited
Loading

CI Results:
All Go tests succeeded! ✅

@kitography kitography marked this pull request as ready for review March 26, 2025 17:35
@kitography kitography requested review from a team as code owners March 26, 2025 17:35
@kitography kitography requested a review from angelocordon March 26, 2025 17:35
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 26, 2025
edited
Loading

Build Results:
All builds succeeded! ✅

victorr
victorr previously approved these changes Mar 26, 2025
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. 👍

stevendpclark
stevendpclark requested changes Mar 26, 2025
View reviewed changes
Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd rather we follow the CAB forum guidelines section 7.1.2.10.7 and limit CA key_usages to just digitalSignature, keyCertSign and cRLSign.

Can we add a check within the root generate and sign-intermediate paths to error out if we are provided any key usage value outside of those , along with updating the relevant docs?

@kitography kitography requested a review from a team as a code owner March 27, 2025 14:21
stevendpclark
stevendpclark previously approved these changes Mar 27, 2025
View reviewed changes
Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kitography kitography changed the title Allow Root + Intermediate Key_Usage and Ext_Key_Usage to be set Allow Root + Intermediate Key_Usage to be set Mar 27, 2025
@kitography kitography enabled auto-merge (squash) March 27, 2025 19:31
stevendpclark
stevendpclark previously approved these changes Mar 28, 2025
View reviewed changes
stevendpclark
stevendpclark previously approved these changes Apr 2, 2025
View reviewed changes
Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kitography kitography self-assigned this Apr 3, 2025
schavis
schavis requested changes Apr 3, 2025
View reviewed changes
@kitography @schavis
Update website/content/api-docs/secret/pki/index.mdx
abe91e6 
Style correction suggested by Sarah Chavis.

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
@kitography kitography merged commit 2a14b1c into main Apr 3, 2025
88 checks passed
@kitography kitography deleted the bugfix/VAULT-34410 branch April 3, 2025 18:48
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendpclark stevendpclark stevendpclark approved these changes

@schavis schavis schavis approved these changes

@victorr victorr victorr left review comments

@angelocordon angelocordon Awaiting requested review from angelocordon angelocordon is a code owner automatically assigned from hashicorp/vault

Assignees

@kitography kitography

Labels
cryptosec hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.19.1
Development

Successfully merging this pull request may close these issues.

The Generate root API doesn't consider changes of field key_usage
4 participants
@kitography @victorr @stevendpclark @schavis