Alexander Scheel

Results 217 comments of Alexander Scheel

@puiterwijk Do you mind giving some more context on this PR? I'm not sure I'm fully in agreement. While technically yes, Shamir's "works" in some regards, you're merely transiting the...

@aphorise Probably best to bring this one through PM if there's customer asks. We don't have immediate plans for this one. I think the wildcard for me is if this...

\o Hello @pfjason-bbmus, This is currently unavoidable due to our reliance on `crypto/x509` and in particular, `crypto/x509/pkix`'s [`pkix.Name`](https://pkg.go.dev/crypto/x509/pkix#Name) type. Via the [role issue/](https://github.com/hashicorp/vault/blob/9b782bbd322860565c3b3ca5e16c3dfdec488ce9/builtin/logical/pki/path_issue_sign.go#L223-L225) [endpoint](https://github.com/hashicorp/vault/blob/9b782bbd322860565c3b3ca5e16c3dfdec488ce9/builtin/logical/pki/path_issue_sign.go#L107-L126), we [build the bundle](https://github.com/hashicorp/vault/blob/9b782bbd322860565c3b3ca5e16c3dfdec488ce9/builtin/logical/pki/cert_util.go#L475-L490) using the...

I like this take, but I think still missing is how do we _validate_ this. Some thoughts:

- Existing role's `cn` validations should probably still apply to the `rdn=cn` components......

\o Hey @rubendv, thanks for the PR! :-) Do you mind adding a test for this? It'd be great to make sure we don't break this again in the future.

@rubendv Nah, no point IMO. I understand the problem well enough. Thank you!

@rubendv Actually, could I bother you to rebase this on top of a newer `main`? I think `test-go-remote-docker` failed because you happened to base it off the point in time...

Note that Ubuntu 18.04 v2.0.1 allows (and explicitly shows in the example) a value of 0; this is a change in 20.04 v1.0.0 guidance. I don't think 20.04 CIS benchmark...

@FiloSottile I believe a fifth part is also missing, which is allowing `x/crypto/ssh` based CAs to sign keys with these algorithms? Per [documentation](https://pkg.go.dev/golang.org/x/crypto/ssh#pkg-constants) it appears the new types aren't enabled...