From 4e56b4d8d0a820123386361e4e4090885e99c302 Mon Sep 17 00:00:00 2001
From: Steve Clark
Date: Tue, 27 Sep 2022 15:14:18 -0400
Subject: [PATCH] PKI: Fix managed key signatures when using specified signature_bits
- When calling sign-intermediate and other apis with signature_bits value overridden with a backing managed key we did not use that value as tests for the private key type were not working.
---
 sdk/helper/certutil/helpers.go | 7 ++++++-
 sdk/helper/certutil/types.go | 12 ++++++------
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go
index 348c85f9dd49..56ab5324aeea 100644
--- a/sdk/helper/certutil/helpers.go
+++ b/sdk/helper/certutil/helpers.go
@@ -1127,7 +1127,12 @@ func signCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBun
 		certTemplate.NotBefore = time.Now().Add(-1 * data.Params.NotBeforeDuration)
 	}
 
-	switch data.SigningBundle.PrivateKeyType {
+	privateKeyType := data.SigningBundle.PrivateKeyType
+	if privateKeyType == ManagedPrivateKey {
+		privateKeyType = GetPrivateKeyTypeFromSigner(data.SigningBundle.PrivateKey)
+	}
+
+	switch privateKeyType {
 	case RSAPrivateKey:
 		certTemplateSetSigAlgo(certTemplate, data)
 	case ECPrivateKey:
diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go
index 03aba84996b1..15b816f0c8ea 100644
--- a/sdk/helper/certutil/types.go
+++ b/sdk/helper/certutil/types.go
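Review bot: The resolved `privateKeyType` can be `UnknownPrivateKey` when the managed key's signer reports a public key type the helper does not recognise, and the visible `RSAPrivateKey`/`ECPrivateKey` cases then do nothing; whether the switch has a default that reports this is outside the hunk, since signCertificate continues past it. If there is no such default, an explicit error for `UnknownPrivateKey` would be safer than leaving the template's signature algorithm unset when the caller asked for specific signature_bits. The new lookup also deserves a why-comment, e.g. `// Managed keys only report ManagedPrivateKey; resolve the real algorithm from the signer so the signature_bits override applies.` placed above the `if privateKeyType == ManagedPrivateKey` line.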
@@ -148,16 +148,16 @@ type KeyBundle struct {
 }
 
 func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType {
-	switch signer.(type) {
-	case *rsa.PrivateKey:
+	// We look at the public key types to work-around limitations/typing of managed keys.
+	switch signer.Public().(type) {
+	case *rsa.PublicKey:
 		return RSAPrivateKey
-	case *ecdsa.PrivateKey:
+	case *ecdsa.PublicKey:
 		return ECPrivateKey
-	case ed25519.PrivateKey:
+	case ed25519.PublicKey:
 		return Ed25519PrivateKey
-	default:
-		return UnknownPrivateKey
 	}
+	return UnknownPrivateKey
 }
 
 // ToPEMBundle converts a string-based certificate bundle
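Review bot: `signer.Public()` on the new switch line panics with a nil pointer dereference when `signer` is a nil interface, whereas the removed `switch signer.(type)` fell into `default` and returned `UnknownPrivateKey` for that input; the caller added in helpers.go passes `data.SigningBundle.PrivateKey` straight through, so a bundle without a loaded signer now crashes instead of being reported as unknown. Add a guard before the switch: `if signer == nil { return UnknownPrivateKey }`. The function's doc comment should also state that the classification is made from the public key so that managed-key wrappers are handled, and that unrecognised public key types yield `UnknownPrivateKey`.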