Merge pull request #211 from Venafi/allow-rsa3072-vaas
Allow RSA 3072 for creating policy on VaaS
angelmoo authored Mar 14, 2022
2 parents 1079628 + 832f0b9 commit 6314ec7
Showing 4 changed files with 25 additions and 14 deletions.
11 changes: 11 additions & 0 deletions README-CLI-CLOUD.md
@@ -86,12 +86,17 @@ Options:
| `--format` | Use to specify the output format. The `--file` option must be used with the PKCS#12 and JKS formats to specify the keystore file. JKS format also requires `--jks-alias` and at least one password (see `--key-password` and `--jks-password`) <br/>Options: `pem` (default), `json`, `pkcs12`, `jks` |
| `--jks-alias` | Use to specify the alias of the entry in the JKS file when `--format jks` is used |
| `--jks-password` | Use to specify the keystore password of the JKS file when `--format jks` is used. If not specified, the `--key-password` value is used for both the key and store passwords |
| `--key-curve` | Use to specify the elliptic curve for key generation when `--key-type` is ECDSA.<br/>Options: `p256` (default), `p384`, `p521` |
| `--key-file` | Use to specify the name and location of an output file that will contain only the private key.<br/>Example: `--key-file /path-to/example.key` |
| `--key-password` | Use to specify a password for encrypting the private key. For a non-encrypted private key, specify `--no-prompt` without specifying this option. You can specify the password using one of three methods: at the command line, when prompted, or by using a password file.<br/>Example: `--key-password file:/path-to/passwd.txt` |
| `--key-size` | Use to specify a key size for RSA keys. Default is 2048. |
| `--key-type` | Use to specify the key algorithm.<br/>Options: `rsa` (default), `ecdsa` |
| `--no-pickup` | Use to disable the feature of VCert that repeatedly tries to retrieve the issued certificate. When this is used you must run VCert again in pickup mode to retrieve the certificate that was requested. |
| `--pickup-id-file` | Use to specify a file name where the unique identifier for the certificate will be stored for subsequent use by pickup, renew, and revoke actions. Default is to write the Pickup ID to STDOUT. |
| `--san-dns` | Use to specify a DNS Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-dns one.example.com` `--san-dns two.example.com` |
| `--san-email` | Use to specify an Email Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-email [email protected]` `--san-email [email protected]` |
| `--san-ip` | Use to specify an IP Address Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-ip 10.20.30.40` `--san-ip 192.168.192.168` |
| `--san-uri` | Use to specify a Uniform Resource Indicator Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-uri spiffe://workload1.example.com` `--san-uri spiffe://workload2.example.com` |
| `--valid-days` | Use to specify the number of days a certificate needs to be valid.<br/>Example: `--valid-days 30` |
| `-z` | Use to specify the name of the Application to which the certificate will be assigned and the API Alias of the Issuing Template that will handle the certificate request.<br/>Example: `-z "Business App\\Enterprise CIT"` |

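Review bot: the `--key-size` row still says only "Default is 2048" and never lists which sizes VaaS accepts, even though the point of this PR is to admit 3072 on VaaS; suggest an `Options:` line in the same style as the `--key-curve` row, e.g. `Options: 1024, 2048 (default), 3072, 4096`, matching the `CloudRsaKeySize` list changed in pkg/policy/policyUtils.go in this same commit, so a user does not have to read the validator's error to learn the permitted set.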
@@ -130,13 +135,18 @@ Options:
| `--id` | Use to specify the unique identifier of the certificate returned by the enroll or renew actions. Value may be specified as a string or read from a file by using the file: prefix.<br/>Example: `--id file:cert_id.txt` |
| `--jks-alias` | Use to specify the alias of the entry in the JKS file when `--format jks` is used |
| `--jks-password` | Use to specify the keystore password of the JKS file when `--format jks` is used. If not specified, the `--key-password` value is used for both the key and store passwords |
| `--key-curve` | Use to specify the elliptic curve for key generation when `--key-type` is ECDSA.<br/>Options: `p256` (default), `p384`, `p521` |
| `--key-file` | Use to specify the name and location of an output file that will contain only the private key.<br/>Example: `--key-file /path-to/example.key` |
| `--key-password` | Use to specify a password for encrypting the private key. For a non-encrypted private key, specify `--no-prompt` without specifying this option. You can specify the password using one of three methods: at the command line, when prompted, or by using a password file. |
| `--key-size` | Use to specify a key size for RSA keys. Default is 2048. |
| `--key-type` | Use to specify the key algorithm.<br/>Options: `rsa` (default), `ecdsa` |
| `--no-pickup` | Use to disable the feature of VCert that repeatedly tries to retrieve the issued certificate. When this is used you must run VCert again in pickup mode to retrieve the certificate that was requested. |
| `--omit-sans` | Ignore SANs in the previous certificate when preparing the renewal request. Workaround for CAs that forbid any SANs even when the SANs match those the CA automatically adds to the issued certificate. |
| `--pickup-id-file` | Use to specify a file name where the unique identifier for the certificate will be stored for subsequent use by `pickup`, `renew`, and `revoke` actions. By default it is written to STDOUT. |
| `--san-dns` | Use to specify a DNS Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-dns one.example.com` `--san-dns two.example.com` |
| `--san-email` | Use to specify an Email Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-email [email protected]` `--san-email [email protected]` |
| `--san-ip` | Use to specify an IP Address Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-ip 10.20.30.40` `--san-ip 192.168.192.168` |
| `--san-uri` | Use to specify a Uniform Resource Indicator Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-uri spiffe://workload1.example.com` `--san-uri spiffe://workload2.example.com` |
| `--thumbprint` | Use to specify the SHA1 thumbprint of the certificate to renew. Value may be specified as a string or read from the certificate file using the `file:` prefix. |


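Review bot: the option rows duplicated between this table and the enroll table above are already drifting: the `--key-password` row here drops the `file:/path-to/passwd.txt` example that the enroll row carries, and the `--pickup-id-file` row backticks `pickup`, `renew`, and `revoke` while the enroll row does not; the `--key-size` row has the same missing size list as in the first hunk. Suggest making the shared rows identical (or generating them from one source) so the VaaS size list only has to be maintained in one place.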
@@ -267,4 +277,5 @@ Options:
| `--san-dns` | Use to specify a DNS Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-dns one.example.com` `--san-dns two.example.com` |
| `--san-email` | Use to specify an Email Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-email [email protected]` `--san-email [email protected]` |
| `--san-ip` | Use to specify an IP Address Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-ip 10.20.30.40` `--san-ip 192.168.192.168` |
| `--san-uri` | Use to specify a Uniform Resource Indicator Subject Alternative Name. To specify more than one, simply repeat this parameter for each value.<br/>Example: `--san-uri spiffe://workload1.example.com` `--san-uri spiffe://workload2.example.com` |
| `--st` | Use to specify the state or province (ST) for the Subject DN. |
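Review bot: the `--san-uri` row expands URI as "Uniform Resource Indicator"; the standard expansion is Uniform Resource Identifier (RFC 3986). The same wording appears in the other two tables of this file and in the `uriAllowed` row of README-POLICY-SPEC.md in this commit, so fix all occurrences together rather than just this one.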
18 changes: 9 additions & 9 deletions README-POLICY-SPEC.md
@@ -87,16 +87,16 @@ specification and results in a policy that uses TPP or VaaS defaults.
| &emsp;&emsp;`states` | string&nbsp;array | State/Province (ST) values that are permitted |
| &emsp;&emsp;`countries` | string&nbsp;array | [ISO 3166 2-Alpha](https://www.iso.org/obp/ui/#search/code/) Country (C) code values that are permitted |
| &emsp; `keyPair` |||
| &emsp;&emsp;`keyTypes` | string&nbsp;array | Key algorithm: "RSA" and/or _"ECDSA"_ ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) |
| &emsp;&emsp;`keyTypes` | string&nbsp;array | Key algorithm: "RSA" and/or "ECDSA" |
| &emsp;&emsp;`rsaKeySizes` | integer&nbsp;array | Permitted number of bits for RSA keys: 512, 1024, 2048, 3072, and/or 4096 |
| &emsp;&emsp;`ellipticCurves` | string&nbsp;array | ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) Permitted elliptic curves: "P256", "P384", and/or "P521" |
| &emsp;&emsp;`serviceGenerated` | boolean | ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) Indicates whether key pair and CSR must be generated by the Venafi machine identity service |
| &emsp;&emsp;`ellipticCurves` | string&nbsp;array | Permitted elliptic curves: "P256", "P384", and/or "P521" |
| &emsp;&emsp;`serviceGenerated` | boolean | Indicates whether key pair and CSR must be generated by the Venafi machine identity service |
| &emsp;&emsp;`reuseAllowed` | boolean | Indicates whether new certificate requests are permitted to reuse a key pair of a known certificate |
| &emsp;`subjectAltNames` |||
| &emsp;&emsp;`dnsAllowed` | boolean | Indicates whether DNS Subject Alternative Names are permitted|
| &emsp;&emsp;`ipAllowed` | boolean | ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) Indicates whether IP Address Subject Alternative Names are permitted |
| &emsp;&emsp;`emailAllowed` | boolean | ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) Indicates whether Email Address (RFC822) Subject Alternative Names are permitted |
| &emsp;&emsp;`uriAllowed` | boolean | ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) Indicates whether Uniform Resource Indicator (URI) Subject Alternative Names are permitted |
| &emsp;&emsp;`ipAllowed` | boolean | Indicates whether IP Address Subject Alternative Names are permitted |
| &emsp;&emsp;`emailAllowed` | boolean | Indicates whether Email Address (RFC822) Subject Alternative Names are permitted |
| &emsp;&emsp;`uriAllowed` | boolean | Indicates whether Uniform Resource Indicator (URI) Subject Alternative Names are permitted |
| &emsp;&emsp;`upnAllowed` | boolean | ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) Indicates whether User Principal Name (UPN) Subject Alternative Names are permitted |
| `defaults` |||
| &emsp;`domain` |string| Domain suffix that should be used by default (e.g. "example.com")|
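Review bot: the `rsaKeySizes` row presents 512 as a permitted value with no platform badge, but `CloudRsaKeySize` in pkg/policy/policyUtils.go (changed in this same commit) is `{1024, 2048, 3072, 4096}`, so a VaaS spec containing 512 will be rejected with "specified attribute key length value: 512 is not supported on VaaS"; mark 512 as TPP Only the way `upnAllowed` still is, or state the VaaS subset explicitly. Similarly, now that the TPP Only badge is gone from `ellipticCurves`, and the defaults table below gains an "ED25519" VaaS Only default curve, this row should say whether "ED25519" may appear in `ellipticCurves` on VaaS; otherwise a reader cannot tell whether a default outside the permitted list is valid.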
@@ -107,7 +107,7 @@ specification and results in a policy that uses TPP or VaaS defaults.
| &emsp;&emsp;`state` | string | State/Province (ST) value that should be used by default (e.g. "Utah")|
| &emsp;&emsp;`country` | string |[ISO 3166 2-Alpha](https://www.iso.org/obp/ui/#search/code/) Country (C) code value that should be used by default (e.g. "US")|
| &emsp;`keyPair` |||
| &emsp;&emsp;`keyType` | string | Key algorithm that should be used by default, "RSA" or _"ECDSA"_ ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg)|
| &emsp;&emsp;`keyType` | string | Key algorithm that should be used by default, "RSA" or "ECDSA"|
| &emsp;&emsp;`rsaKeySize` | integer | Number of bits that should be used by default for RSA keys: 512, 1024, 2048, 3072, or 4096|
| &emsp;&emsp;`ellipticCurve` | string | ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) The elliptic curve that should be used by default: "P256", "P384", or "P521"|
| &emsp;&emsp;`serviceGenerated` | boolean | ![TPP Only](https://img.shields.io/badge/TPP%20Only-orange.svg) Indicates whether keys should be generated by the Venafi machine identity service by default|
| &emsp;&emsp;`ellipticCurve` | string | The elliptic curve that should be used by default: "P256", "P384", "P521"<br/>or _"ED25519"_ ![VaaS Only](https://img.shields.io/badge/VaaS%20Only-orange.svg)|
| &emsp;&emsp;`serviceGenerated` | boolean | Indicates whether keys should be generated by the Venafi machine identity service by default|
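Review bot: dropping the TPP Only badge from the `keyType` "ECDSA" default, and adding "ED25519" as a VaaS Only default curve, contradicts `ValidateCloudPolicySpecification` in pkg/policy/policyUtils.go in this same commit, which still returns "specified default attribute keyType value is not supported on VaaS" for any default `keyType` other than "RSA"; as written, a VaaS spec that follows this table would fail validation. Either the validator needs to admit ECDSA (and whatever key type ED25519 implies) or this row should keep its badge until it does.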
2 changes: 1 addition & 1 deletion cmd/vcert/main.go
@@ -78,7 +78,7 @@ func main() {
},
EnableBashCompletion: true, //todo: write BashComplete function for options
//HideHelp: true,
Copyright: `2018-2021 Venafi, Inc.
Copyright: `2018-2022 Venafi, Inc.
Licensed under the Apache License, Version 2.0`,
}

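Review bot: the copyright year bump is unrelated to allowing RSA 3072 on VaaS and would be easier to bisect and cherry-pick in its own commit; the hunk itself is fine (the multi-line raw string keeps its closing backtick on the `Licensed under` line).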
8 changes: 4 additions & 4 deletions pkg/policy/policyUtils.go
@@ -15,7 +15,7 @@ import (
//this is the nearest to a constant on arrays.
var TppKeyType = []string{"RSA", "ECDSA"}
var TppRsaKeySize = []int{512, 1024, 2048, 3072, 4096}
var CloudRsaKeySize = []int{1024, 2048, 4096}
var CloudRsaKeySize = []int{1024, 2048, 3072, 4096}
var TppEllipticCurves = []string{"P256", "P384", "P521"}

func GetFileType(f string) string {
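Review bot: `CloudRsaKeySize` is a package-level `var` slice (the comment above concedes it is only "the nearest to a constant"), so any importer can append to or reorder it at runtime, and it is evidently the whitelist behind the "not supported on VaaS" errors in the hunks below; consider exposing it through a function that returns a fresh copy, and add a unit test asserting that a VaaS spec with 3072 now passes while 512 is still rejected, since this commit changes behaviour without a test.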
@@ -731,7 +731,7 @@ func ValidateCloudPolicySpecification(ps *PolicySpecification) error {
if len(ps.Policy.KeyPair.RsaKeySizes) > 0 {
unSupported := getInvalidCloudRsaKeySizeValue(ps.Policy.KeyPair.RsaKeySizes)
if unSupported != nil {
return fmt.Errorf("specified attribute key lenght value: %s is not supported on Venafi cloud", strconv.Itoa(*(unSupported)))
return fmt.Errorf("specified attribute key length value: %s is not supported on VaaS", strconv.Itoa(*(unSupported)))
}
}
}
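Review bot: the error uses `%s` with `strconv.Itoa(*(unSupported))`; `fmt.Errorf("... value: %d is not supported on VaaS", *unSupported)` says the same thing without the conversion and drops the dependency on `strconv` for this call. Also, changing the message text from "Venafi cloud" to "VaaS" will break any test or caller that matches on the old wording, so grep for it before merging.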
@@ -813,15 +813,15 @@ func ValidateCloudPolicySpecification(ps *PolicySpecification) error {

if ps.Default.KeyPair.KeyType != nil && *(ps.Default.KeyPair.KeyType) != "" {
if *(ps.Default.KeyPair.KeyType) != "RSA" {
return fmt.Errorf("specified default attribute keyType value is not supported on Venafi cloud")
return fmt.Errorf("specified default attribute keyType value is not supported on VaaS")
}
}

//validate key KeyTypes:keyLengths
if ps.Default.KeyPair.RsaKeySize != nil && *(ps.Default.KeyPair.RsaKeySize) != 0 {
unSupported := getInvalidCloudRsaKeySizeValue([]int{*(ps.Default.KeyPair.RsaKeySize)})
if unSupported != nil {
return fmt.Errorf("specified attribute key lenght value: %s is not supported on Venafi cloud", strconv.Itoa(*(unSupported)))
return fmt.Errorf("specified attribute key length value: %s is not supported on VaaS", strconv.Itoa(*(unSupported)))
}
}
}
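Review bot: the default `keyType` check at the top of this hunk still hard-rejects anything but "RSA" on VaaS, while README-POLICY-SPEC.md in this same commit removes the TPP Only badge from the "ECDSA" default and documents an "ED25519" VaaS Only default curve; the documented spec would therefore fail here. Either widen this check to what VaaS actually supports or keep the badge in the README; and the `%s`/`strconv.Itoa` nit from the previous hunk applies to the second `Errorf` as well.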

0 comments on commit 6314ec7