
OpenBao Rust Crate 0.9.0

Pre-release

@eldryoth eldryoth released this 03 Jun 13:18
· 63 commits to main since this release
v0.9.0
d713482

OpenBao Rust SDK 0.9.0 Release Notes

Version

  • Version: 0.9.0
  • Release date: Unreleased
  • Git tag: v0.9.0 planned
  • Git commit: tag target for v0.9.0
  • License: MIT OR Apache-2.0

Scope

  • Stable modules carried from 0.8.0: client configuration, direct token auth,
    AppRole login and administration, LDAP/RADIUS/Kerberos auth, Kubernetes auth,
    TLS certificate auth, Userpass auth, JWT/OIDC helpers, token lifecycle and
    token-role helpers, KV v1/v2, Transit, PKI, database, SSH, TOTP, Cubbyhole,
    Kubernetes secrets, RabbitMQ secrets, Identity, LDAP secrets, sys backend
    helpers, loopback-only dev bootstrap, admin bootstrap, policy builders,
    audit devices, lease helpers, plugin catalog helpers, production operator
    APIs behind explicit gates, optional Transit byte helpers, optional timestamp
    parsing, and advisory FIPS posture helpers.
  • New 0.9.0 work currently implemented: release-line version bump,
    stabilization audit documentation, migration guidance, release-note skeleton,
    the known-limitations decision register, RenewalHint, lease tidy, safe
    custom plugin wrapper building blocks, optional tracing instrumentation,
    optional HTTP/2 transport support, token create-orphan and
    renew-accessor helpers, AppRole delegated role-property helpers, and the
    operator-gated PKI default root deletion helper, plus explicit
    RetryPolicy/request_json_with_retry exponential-backoff ergonomics and
    shared ListPageOptions pagination for non-secret string-list endpoints,
    AdminBootstrap convergence for PKI roles and Identity entities/groups,
    representative serde response fixtures, fuzz target scaffolding, and the
    advisory quantum-readiness design note; the 0.9.0 release gate script is
    also present.
  • Remaining 0.9.0 planned work: final local and GitHub release gates,
    package inspection, pentest review, and tag preparation.
  • Finalization rule: the OpenBao 2.5.x endpoint matrix expanded the
    pre-1.0 plan through 0.15.0, split as follows: 0.9.0 handles stabilization
    foundations; 0.10.0 through 0.14.0 handle Identity/auth, Transit, PKI, and
    System completion; 0.15.0 is the endpoint-closure release, after which no
    matrix row may remain classified as planned or decision.
  • Minimum supported Rust: 1.90.0.

Security Notes

  • The 0.9.0 line is the API stabilization candidate. New public API should be
    added only when it is expected to survive into 1.0 or when the release
    notes clearly document why it remains experimental.
  • Retry helpers are explicit and call-site scoped. Default typed helpers remain
    single-shot, and callers must not use retry policies for non-idempotent writes
    unless the application owns the duplicate-operation risk.
  • Token and lease renewal helpers avoid background tasks that silently keep
    secret material alive longer than caller-owned handles require.
  • ListPageOptions bounds list page size and validates cursors. Token
    accessors, lease IDs, and other secret-bearing lists stay out of generic
    pagination ergonomics.
  • Optional tracing emits only method, validated path, and response status. It
    must never emit full URLs, headers, request bodies, response bodies, tokens,
    namespaces, or raw transport-error strings.
  • Migration guidance must not recommend disabling TLS verification, using
    root tokens in application services, logging token accessors, or using
    loopback-only dev bootstrap outside fresh local development instances.
  • Quantum-readiness guidance is advisory only until OpenBao exposes stable
    upstream primitives. It must not claim post-quantum safety for current
    OpenBao deployments. See docs/QUANTUM_READINESS.md.

Security And Stability Gate

  • Gate command: scripts/release_0_9_gate.sh
  • Result: passed locally on 2026-06-03, with cargo audit rerun separately
    outside the sandbox because the RustSec advisory database lock path is under
    ~/.cargo.
  • Pentest report: reviewed locally on 2026-06-03; actionable findings were
    remediated, and the temporary PENTEST.md file was deleted before commit.
  • cargo audit result: passed locally on 2026-06-03.
  • cargo deny check result: passed locally on 2026-06-03.
  • CodeQL result: pending.
  • Podman OpenBao integration result: passed locally on 2026-06-03.
  • SBOM generation result: passed locally on 2026-06-03.
  • Reproducible package result: passed locally on 2026-06-03.

Pentest remediations in this candidate:

  • Transit key creation validates direct auto_rotate_period field assignment.
  • CIDR validation now rejects host-bit-set network values.
  • Public BoundedStringList no longer exposes its inner vector for unchecked
    mutation and has a checked constructor for caller-provided values.
  • Retry-temporary classification no longer treats HTTP 501 or 505 as
    retryable.
  • The unreachable Error::Http(reqwest::Error) variant was removed so future
    code cannot expose reqwest URL-bearing error chains through source().
  • LDAP auth Debug redacts certificate PEM fields as operationally sensitive
    topology material.
  • OpenBao mount/endpoint path validation rejects spaces.
  • Duration builder helpers reject Duration::ZERO before formatting it as
    0s.
  • The response-size default remains 32 MiB for compatibility with snapshot and
    raw-byte workflows; small-response clients should lower
    OpenBaoConfig::max_response_bytes.
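
The CIDR host-bit rejection and the Duration::ZERO rejection listed above, as an added illustration of the two checks (this is not the crate's own code; parse_cidr_v4 and ttl_field are hypothetical names and the error wording is assumed):

```rust
use std::net::Ipv4Addr;
use std::time::Duration;

/// Strict "a.b.c.d/n" parser illustrating the host-bit check (not the crate's own
/// validator). A value with host bits set is rejected rather than silently masked,
/// so "10.1.2.3/24" cannot slip through as if it were "10.1.2.0/24".
pub fn parse_cidr_v4(value: &str) -> Result<(Ipv4Addr, u8), String> {
    let (addr, prefix) = value
        .split_once('/')
        .ok_or_else(|| format!("{value}: missing prefix length"))?;
    let addr: Ipv4Addr = addr.parse().map_err(|_| format!("{addr}: invalid IPv4 address"))?;
    let prefix: u8 = prefix.parse().map_err(|_| format!("{prefix}: invalid prefix length"))?;
    if prefix > 32 {
        return Err(format!("{value}: prefix length exceeds 32"));
    }
    // Network mask for the prefix. A shift by 32 would overflow, so /0 is special-cased.
    let mask: u32 = if prefix == 0 { 0 } else { u32::MAX << (32 - u32::from(prefix)) };
    let bits = u32::from(addr);
    if bits & !mask != 0 {
        let network = Ipv4Addr::from(bits & mask);
        return Err(format!("{value}: host bits set (network is {network}/{prefix})"));
    }
    Ok((addr, prefix))
}

/// Render a TTL for an OpenBao duration field. Duration::ZERO is refused up front:
/// a literal "0s" does not express a positive lifetime, and the server applies its
/// own meaning to it, so passing it through would silently change the caller's intent.
pub fn ttl_field(d: Duration) -> Result<String, String> {
    if d.is_zero() {
        return Err("duration must be positive; refusing to send 0s".to_string());
    }
    // Sub-second values round up to 1s rather than down to the 0s just rejected.
    Ok(format!("{}s", d.as_secs().max(1)))
}
```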
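
The explicit, call-site-scoped retry behaviour described under Scope and Security Notes, together with the 501/505 carve-out in the remediations above, as an added example that is not the crate's own RetryPolicy or request_json_with_retry (the struct fields, the Attempt enum, and the exact set of retried status codes are assumptions):

```rust
use std::time::Duration;

/// Illustrative retry policy with exponential backoff, explicit and owned by the call site.
#[derive(Debug, Clone)]
pub struct RetryPolicy {
    pub max_attempts: u32,
    pub base_delay: Duration,
    pub max_delay: Duration,
}

impl RetryPolicy {
    /// Delay before retry number `retry` (1-based): base * 2^(retry-1), capped at max_delay.
    pub fn delay_for(&self, retry: u32) -> Duration {
        let factor = 1u32.checked_shl(retry.saturating_sub(1)).unwrap_or(u32::MAX);
        self.base_delay.checked_mul(factor).unwrap_or(self.max_delay).min(self.max_delay)
    }
}

/// What one attempt produced, as the retry loop sees it (constructed for the example).
#[derive(Debug, Clone, PartialEq)]
pub enum Attempt {
    Ok(String),
    Status(u16),
    Transport,
}

/// Only transient conditions are retried; 501 and 505 are definitive server answers.
pub fn is_retry_temporary(status: u16) -> bool {
    matches!(status, 408 | 429) || ((500..=599).contains(&status) && !matches!(status, 501 | 505))
}

/// Run `send` under `policy`. A non-idempotent request gets exactly one attempt whatever
/// the policy says, because a retried write can be applied twice. The backoff schedule
/// is returned instead of slept so it is observable; a real client sleeps each delay.
pub fn request_with_retry<F>(policy: &RetryPolicy, idempotent: bool, mut send: F)
    -> (Result<String, String>, Vec<Duration>)
where F: FnMut(u32) -> Attempt {
    let attempts = if idempotent { policy.max_attempts.max(1) } else { 1 };
    let mut schedule = Vec::new();
    for attempt in 1..=attempts {
        let transient = match send(attempt) {
            Attempt::Ok(body) => return (Ok(body), schedule),
            Attempt::Status(s) if is_retry_temporary(s) => format!("HTTP {s}"),
            Attempt::Status(s) => return (Err(format!("HTTP {s} (not retried)")), schedule),
            Attempt::Transport => "transport error".to_string(),
        };
        if attempt == attempts {
            return (Err(format!("{transient} after {attempts} attempt(s)")), schedule);
        }
        schedule.push(policy.delay_for(attempt));
    }
    unreachable!("attempts is at least 1")
}
```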

Known Limitations And Decisions

  • Committed 0.9.0 work, no owner decision required unless implementation or
    pentest risk changes: explicit opt-in retry policy, shared pagination for
    non-secret string lists, PKI role and Identity entity/group bootstrap
    convergence, public response fixtures, fuzz targets for path validation/API
    error decoding/response envelopes, public API audit, migration guide
    completion, and an advisory quantum-readiness design note.
  • Rejected for stable scope: background token auto-renewal, background lease
    tracking, and LeaseHandle wrappers. Applications own the renewal loop,
    renewal-failure policy, and shutdown ordering; use RenewalHint for timing
    and increment guidance.
  • Rejected for stable scope: generic Plugin/SecretEngine traits, codegen,
    and macro approaches. Deployment-specific plugin wrappers should use
    PluginMount, public path validators, and bounded list helpers instead.
  • Implement in 0.10.0: Identity OIDC admin/discovery/token/introspection
    rows, MFA method and login-enforcement rows, and sys/mfa/validate; classify
    named-provider OIDC /authorize, /token, and /userinfo as external
    browser protocol flows.
  • Implement in 0.11.0: Transit wrapping-key, import/import-version, BYOK
    export, soft-delete/restore, cache/global config, CSR generation, and
    certificate install rows. wrapping_key returns a public PEM string; import
    wrappers accept only pre-wrapped SecretString ciphertext, reject empty
    ciphertext constructors, redact ciphertext/context in Debug, and document
    that raw key bytes must not be passed to endpoint wrappers. BYOK export
    returns wrapped ciphertext as SecretString. A pre-1.0.0 optional
    client-side wrapping helper is planned behind transit-import with
    feature-gated rsa and aes-gcm dependencies, secret-aware inputs, redacted
    output handling, and no security-certification claims.
  • Implement in 0.12.0: PKI default issuer/key config, named-issuer
    issue/sign, root rotate/replace, standalone key generation, sign-verbatim
    behind operator gates, revoke-with-key, cluster/auto-tidy config, and
    current-doc field expansion for role/generation/CRL/tidy structs. Destructive
    DELETE /pki/root is resolved in 0.9.0 as Pki::delete_root behind
    operator-ops plus operator-ops-acknowledged, requiring
    PkiRootDeletion::confirm() at the call site.
  • Implement in 0.13.0: PKI revocation/CRL management, CEL roles and
    issue/sign, named-issuer sign-intermediate/sign-self-issued, delta CRL
    rotation, and cross-sign rows. Unauthenticated public CA/certificate/CRL
    reads and OCSP responder endpoints are external protocol/public-distribution
    boundaries.
  • Implement in 0.14.0: system generate-root/recovery-token, decode-token,
    legacy recovery-key rekey behind operator gates; password policy CRUD/list/
    generate and resultant ACL without gates; and typed operator-gated in-flight
    request inspection with SecretString token accessors and bounded response
    maps. Rejected for stable scope: sys/config/ui, sys/monitor streaming,
    internal router inspection, internal counters, and internal request
    inspection.
  • Implement in 0.15.0: a bounded wait_until_unsealed helper behind an
    explicit Tokio helper feature, typed response-wrapping ergonomics with
    redacted wrapping tokens and typed unwrap, selective AdminBootstrap
    convergence for PKI mounts/roles, database mounts/dynamic and static roles,
    and SSH mounts/roles, plus ACL policy-builder wrapping-TTL constraints.
    Rejected for stable scope: request-level seal back-pressure, per-engine
    wrapped method duplication, PKI CA setup in bootstrap, database connection
    configuration in bootstrap, SSH CA setup in bootstrap, KV v1 bootstrap
    convergence, and ACL parameter-constraint HCL generation.
  • Runtime HTTP/2 transport knobs are rejected; use the non-default http2
    feature for TLS ALPN HTTP/2 negotiation, and keep default builds HTTP/1.1-only.
    HTTP/3 is rejected for stable scope. Certificate and public-key pinning are
    rejected for stable scope; use root-only trust with an internal CA or
    self-signed OpenBao certificate instead. Tracing is resolved with a
    non-default tracing feature; OpenTelemetry SDK dependencies and custom
    request hooks are rejected for stable scope, and W3C traceparent
    propagation is deferred past 1.0.0.
  • Reject for stable feature scope unless a pentest or downstream integration
    proves otherwise before 1.0.0: full JOSE/JWKS construction and raw
    unauthenticated SSH public-key reads. The crate keeps safe lower-level
    helpers or documented alternatives for those workflows.
  • Permanent ACME boundary: account, order, authorization, challenge, polling,
    and certificate download flows stay with dedicated ACME clients. This crate
    provides typed OpenBao ACME config, EAB provisioning, and directory URL
    helpers for that handoff, with EAB HMAC keys kept in SecretString.
  • Permanent boundary: request-body bytes can be zeroized by this crate before
    handoff, but buffers owned by reqwest, TLS providers, the operating system,
    allocator, or network devices remain outside this crate's control.