Add proof possession revocation for PKI secrets engine #16566
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cipherboy
force-pushed
the
cipherboy-add-proof-possession-revocation
branch
from
2bdf39e to
3b9bcdd
Compare
Revocation by proof of possession ensures that we have a private key matching the (provided or stored) certificate. This allows callers to revoke certificate they own (as proven by holding the corresponding private key), without having an admin create innumerable ACLs around the serial_number parameter for every issuance/user. We base this on Go TLS stack's verification of certificate<->key matching, but extend it where applicable to ensure curves match, the private key is indeed valid, and has the same structure as the corresponding public key from the certificate. This endpoint currently is authenticated, allowing operators to disable the endpoint if it isn't desirable to use, via ACL policies. Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
After some discussion, given the potential for DoS (via submitting a lot of keys/certs to validate, including invalid pairs), it seems best to leave this as an authenticated endpoint. Presently in Vault, there's no way to have an authenticated-but-unauthorized path (i.e., one which bypasses ACL controls), so it is recommended (but not enforced) to make this endpoint generally available by permissive ACL policies. Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
cipherboy
force-pushed
the
cipherboy-add-proof-possession-revocation
branch
from
3b9bcdd to
9b7782a
Compare
|
@kitography / @stevendpclark -- this is ready for review now \o/ |
stevendpclark
approved these changes
Aug 16, 2022
Signed-off-by: Alexander Scheel <[email protected]>
cipherboy
force-pushed
the
cipherboy-add-proof-possession-revocation
branch
from
c59b21c to
5076d1d
Compare
stevendpclark
approved these changes
Aug 16, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support to the PKI secrets engine for revocation of certs without requiring privileged access to the
/revokeendpoint. In particular, we use the private key as evidence of permission to revoke the certificate: either the private key was leaked, therefore suggesting the certificate should be revoked anyways, or someone with access to the private key material (and thus, likely the original issuer) suggests the certificate should be revoked and could publish the private key publicly (therefore, triggering case one).This is done by hitting a new
/revoke-with-keyendpoint with theprivate_keyfield (taking a PEM-encoded private key). This endpoint otherwise has semantics similar to/revoke(allowing it to either revoke by BYOC or stored cert serial number), but is less privileged.