OpenBao Rust Crate 0.4.0

Pre-release

@eldryoth eldryoth released this 29 May 11:23
· 167 commits to main since this release
v0.4.0
15a3fcb

OpenBao Rust SDK 0.4.0 Release Notes

Version

  • Version: 0.4.0
  • Release date: 2026-05-29
  • Git tag: v0.4.0
  • Git commit: tag target for v0.4.0
  • License: MIT OR Apache-2.0

Scope

  • Stable modules carried from 0.3.0: client configuration, direct token auth,
    AppRole login, token lifecycle helpers, KV v1/v2, Transit, sys health/seal
    status, loopback-only dev bootstrap, mount/auth mount management, response
    wrapping, ACL policies, capabilities, audit devices, exact lease helpers,
    and plugin catalog helpers.
  • New 0.4.0 work: environment-based client construction for
    OpenBao/Vault-compatible address, token, namespace, CA certificate,
    root-only trust, and loopback HTTP opt-in variables.
  • Kubernetes auth helpers cover login, auth method config, role
    write/read/list/delete, and secret-aware service account JWT handling.
  • TLS certificate auth helpers cover login, auth method config, CA role
    write/read/list/delete, CRL write/read/list/delete, and mutual TLS client
    identity configuration.
  • PKI helpers cover URL and CRL config, root generation, intermediate
    generation, intermediate signing, signed intermediate install, role
    write/read/list/delete, issue, sign, revoke, certificate list/read,
    issuer/key list/read/delete/update, issuer revoke, CA/key import, ACME
    configuration/EAB tokens/directory URL helpers, CRL rotation, and tidy.
  • KV v2 service config helpers cover typed data reads and bounded
    environment-style maps with SecretString values.
  • Default Cargo features: approle, cert-auth, kubernetes-auth, token,
    kv1, kv2, pki, transit, sys, rustls-tls.
  • Non-default Cargo features: allow-sha1, native-tls,
    native-tls-acknowledged.
  • Minimum supported Rust: 1.90.0.
  • Rust compatibility evidence: full test suite and clippy on 1.90.0; feature
    checks through 1.96.0.
  • Tested OpenBao version: latest OpenBao release verified as v2.5.4 on
    2026-05-29.

Security Changes

  • Environment-based construction preserves secure defaults: HTTPS is still
    required unless an explicit loopback HTTP opt-in variable is set, and
    loopback HTTP remains restricted to numeric loopback hosts.
  • Environment token aliases are loaded into SecretString.
  • Custom CA files can be merged with system roots or used as the only trusted
    roots through explicit root-only trust variables.
  • Namespace values from environment variables are path-validated before use.
  • Kubernetes service account JWTs and token reviewer JWTs are handled as
    SecretString and exposed only in request payloads immediately before the
    shared HTTP request layer.
  • Kubernetes role names, mount paths, and login roles are path-validated before
    request construction.
  • Kubernetes role lists and login metadata maps are bounded during
    deserialization.
  • TLS certificate auth role names, CRL names, mount paths, and login role names
    are path-validated before request construction.
  • TLS certificate auth tokens/accessors are represented as SecretString,
    role/CRL lists and CRL serial maps are bounded during deserialization, and
    role fields accept both documented comma-delimited strings and arrays.
  • Mutual TLS client identities are configured through OpenBaoConfig and are
    redacted from debug output as a boolean presence flag only.
  • PKI generated private keys are represented as SecretString and redacted
    from debug output.
  • PKI role lists, certificate lists, CA chains, URL/CRL config lists, and role
    list fields are bounded during deserialization.
  • PKI issuer/key list responses and issuer URL/usage/manual-chain fields are
    bounded during deserialization.
  • PKI import helpers accept private key PEM bundles as SecretString and
    bound all server-controlled import result lists/maps during deserialization.
  • PKI issuer changes use JSON Merge Patch to avoid OpenBao's POST replace
    semantics resetting omitted issuer fields to defaults.
  • PKI ACME EAB HMAC keys are represented as SecretString and redacted from
    debug output; EAB token list responses are bounded during deserialization.
  • PKI ACME directory URL helpers validate mount, issuer, and role path
    segments before returning URLs for external ACME clients.
  • KV v2 service config maps are bounded during deserialization and values are
    represented as SecretString with debug redaction.
  • AppRole login policy lists are bounded during deserialization.
  • User-agent values are rejected at configuration time if they contain control
    characters.
  • Plugin registration SHA-256 digests require canonical lowercase hex.
  • Transit SHA-1 selection is unavailable unless the explicit allow-sha1
    feature is enabled.
  • Clients can lower the default 32 MiB response body limit for workflows that
    expect smaller OpenBao responses.
  • Crate docs now call out request-body residual buffer risks in the HTTP/TLS
    stack and the dev bootstrap root-token duplication tradeoff.
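
The transport rule in the first bullet above (HTTPS unless an explicit opt-in, and plain HTTP only to numeric loopback hosts), sketched as an added example in std-only Rust. This is not the crate's code: `Transport`, `check_address`, `authority_host`, and the `allow_loopback_http` flag standing in for the opt-in variable are hypothetical names, and the sample addresses are constructed.

```rust
use std::net::IpAddr;

/// Outcome of the transport policy check for a configured server address.
#[derive(Debug, PartialEq)]
pub enum Transport {
    Https,
    LoopbackHttp,
}

/// Extracts the host from `host[:port]` or `[v6][:port]`, rejecting userinfo.
fn authority_host(authority: &str) -> Option<&str> {
    if authority.is_empty() || authority.contains('@') {
        return None; // "127.0.0.1@example.test" must not pass as loopback
    }
    if let Some(rest) = authority.strip_prefix('[') {
        let (host, tail) = rest.split_once(']')?;
        return (tail.is_empty() || tail.starts_with(':')).then_some(host);
    }
    Some(authority.rsplit_once(':').map_or(authority, |(h, _)| h))
}

/// Hypothetical check; `allow_loopback_http` stands in for the explicit opt-in variable.
pub fn check_address(addr: &str, allow_loopback_http: bool) -> Result<Transport, &'static str> {
    if addr.starts_with("https://") {
        return Ok(Transport::Https);
    }
    let rest = addr.strip_prefix("http://").ok_or("unsupported scheme")?;
    if !allow_loopback_http {
        return Err("plain HTTP requires the explicit loopback opt-in");
    }
    let authority = rest.split(['/', '?', '#']).next().unwrap_or("");
    let host = authority_host(authority).ok_or("malformed authority")?;
    // Numeric only: "localhost" is a name, and name resolution is outside the client's control.
    match host.parse::<IpAddr>() {
        Ok(ip) if ip.is_loopback() => Ok(Transport::LoopbackHttp),
        Ok(_) => Err("plain HTTP is limited to loopback addresses"),
        Err(_) => Err("plain HTTP host must be a numeric loopback address"),
    }
}

fn main() {
    // Constructed sample addresses, not taken from the release notes.
    for addr in ["https://bao.example.test:8200", "http://127.0.0.1:8200", "http://localhost:8200"] {
        println!("{addr} -> {:?}", check_address(addr, true));
    }
}
```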

Security And Stability Gate

  • Gate command: scripts/release_0_4_gate.sh
  • Result: local release gate checks passed on 2026-05-29 after pentest
    remediations; sandbox-blocked cargo audit, real OpenBao integration, and
    SBOM generation were rerun individually with the required local access.
  • Pentest report: local PENTEST.md reviewed on 2026-05-29; all actionable
    findings fixed or documented, and report source deleted before commit.
  • cargo audit result: passed on 2026-05-29.
  • cargo deny check result: passed on 2026-05-29 with duplicate dependency
    warnings only.
  • CodeQL result: passed on GitHub before tag on 2026-05-29.
  • Podman OpenBao integration result: passed against v2.5.4 on 2026-05-29.
  • SBOM generation result: passed on 2026-05-29, CycloneDX JSON written under
    target/sbom/.

Known Limitations

  • Full ACME account/order/authorization/challenge protocol flows are not
    implemented; use the directory URL helpers with dedicated ACME clients.
  • KV service config helpers intentionally accept flat string maps for the
    secret-aware Kv2ServiceConfig type; use typed structs for nested JSON.
  • Exact certificate/public-key pinning is not implemented; use custom CA roots
    and root-only trust stores for private PKI.