Alexander Scheel

icon indicating a website link https://cipherboy.com icon indicating an email [email protected]

icon company @Keyfactor icon location Ann Arbor, MI icon location Open source cryptography & violin @ Keyfactor / ex-Red Hat, ex-Canonical, ex-Hashicorp Vault. The BUSL is not OSS. OpenBao maintainer & Development WG Chair.

Results 86 comments of Alexander Scheel

Allow old certs to be cross-signed

@dmitriy-moiseev -- do you want to test this to make sure this satisfies your use case? If you go to the [GH test build -> summary page](https://github.com/hashicorp/vault/actions/runs/2756614713) you can fetch...

Error Parsing CA Pem File

Hey @jnapl1 -- A program like this (suggested by my colleague @swenson) might be helpful to diagnose the problem: ```go package main import ( "crypto/x509" "encoding/pem" "fmt" "os" ) func...

Error Parsing CA Pem File

Hey @jnapl1, So this says the PEM file is improperly formatted. You might find [RFC 1421](https://datatracker.ietf.org/doc/html/rfc1421.html) interesting. It is surprising that OpenSSL accepts it but [Go's doesn't](https://cs.opensource.google/go/go/+/refs/tags/go1.18.3:src/encoding/pem/pem.go;l=83-181). I wonder if...

Error Parsing CA Pem File

Out of curiosity, if you have the original cert still, could you take and convert it from PEM->DER->PEM via OpenSSL and get something Go would accept? Something like: ``` openssl...

Error Parsing CA Pem File

Iiiinteresting, and you definitely see `panic: Invalid PEM block` when running the Go program on both PEMs? If you can get permission from your organization, please share it with our...

Error Parsing CA Pem File

@jnapl1 That's very interesting -- I wouldn't have expected the SKID to result in a `panic: Invalid PEM block` error. I'm not able to reproduce it either. Here's a certificate...

pki: can't issue a valid cross-signed certificate if vault was too old (SKID calculation)

@sgmiller Sounds like we should've made the SKID change configurable. I think OpenSSL was the one that was breaking validation for me with mismatched SKIDs when I was trying it...

Unable to install vault in Suse Linux Micro OS

@vijayscsa I'm unable to reproduce this without more information. Using the [vault_1.11.1_linux_amd64.zip](https://releases.hashicorp.com/vault/1.11.1/vault_1.11.1_linux_amd64.zip) binary [from here](https://releases.hashicorp.com/vault/1.11.1) and extracted, I use the following Containerfile: ```Dockerfile from registry.suse.com/bci/bci-micro COPY vault /bin/vault ``` And...

PKI - Honor header If-Modified-Since if present

Sorry @Gabrielopesantos -- I've been on vacation for a bit, I'll take a look at this week now that I'm back :)

RFE: PKI: support requiring attestation of keys

@DemiMarie Is there a standard format for this? I've seen a lot of one-off discussions on how to do this with vendor A or vendor B's products, but I've not...