Alexander Scheel

icon indicating a website link https://cipherboy.com icon indicating an email [email protected]

icon company @GitLab icon location St. Paul, MN icon location Open source cryptography & violin - ex-Red Hat, ex-Canonical, ex-Hashicorp Vault, ex-Keyfactor; now at GitLab. OpenBao TSC Chair & Dev WG Chair.

Results 157 issues of Alexander Scheel

Key Agreement

1 comment

In #226, it was mentioned that JSS can't be used for [JCE Key Agreement](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#KeyAgreement) ([class](https://docs.oracle.com/javase/8/docs/api/javax/crypto/KeyAgreement.html) | [algorithms](https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#KeyAgreement)). We should expose this from NSS's PKCS#11 layer to let other people use...

enhancement
Help Wanted
javax
protocols
Stale

Fix compatibility with Vault plugins

1 comment

This adds Upstream (`VAULT_` prefixed) variants of all OpenBao-set variables during plugin startup, allowing plugins compiled for upstream to work with OpenBao. This should resolve #317 (a discussion). @DrDaveD Let...

Remove pre-1.0 migration paths

OpenBao contains a number of migration paths from pre-1.0. It is rather difficult to find all references, but some: - https://github.com/openbao/openbao/blob/74c2dddb0612b9a3da79384c20638266aa7de407/vault/expiration.go#L2152-L2159 - https://github.com/openbao/openbao/blob/74c2dddb0612b9a3da79384c20638266aa7de407/command/ssh.go#L291-L315 - https://github.com/openbao/openbao/blob/74c2dddb0612b9a3da79384c20638266aa7de407/sdk/helper/pluginutil/env.go#L65-L70 &c. More formally, we should...

bug

Removal of unnecessary forked repositories

The following plugin repositories are built-in plugins in OpenBao and thus did not need to be forked: - [ ] https://github.com/openbao/openbao-plugin-auth-jwt - [ ] https://github.com/openbao/openbao-plugin-secrets-kubernetes - [ ] https://github.com/openbao/openbao-plugin-auth-kubernetes -...

bug

Broader usage of Paginated Lists

3 comment

**Is your feature request related to a problem? Please describe.** In #140 and #170, initial support of paginated lists were added, which included some API endpoints. However, some more endpoints...

good first issue
help wanted
feature

RFE: Allow configuration of OCSP client request timeout

7 comment

As reported by @celesteking on https://github.com/hashicorp/vault/pull/17093#issuecomment-1897497036: > Can we please get configurable ocsp request timeouts? Imagine ocsp responder being down (firewalled, incorrectly configured, etc), your ocsp client would be banging...

Revert "Remove Server Side Consistent Tokens (SSCTs)"

This reverts commit 1f2635c3d1ac90a60bc4193668fd6309da2f06ab. As discussed on #openbao-general, this breaks existing migrations: anyone with SSCT tokens present in token store would lose all existing tokens and need to re-auth everything....

WIP - Transactional storage

This adds support for interactive transactions across the backend, physical, and plugin storage levels. This will ultimately allow for greater assurance in secrets management operations built on top of OpenBao....

feature
core/storage

Bump to latest Go version

Prior to release of GA, we'll want to bump to the latest Go version. There's not much point in going to 1.22.2 now, unless we're planning on cutting GA shortly,...

bug

RFC - Transactional Storage for Plugins & Core

### Summary OpenBao and its upstream lacks transactional storage semantics. This means all storage operations are logically separate: between two put operations, the contents of storage may differ or the...

rfc