diff --git a/changelog/17328.txt b/changelog/17328.txt new file mode 100644 index 000000000000..e10e380b51e4 --- /dev/null +++ b/changelog/17328.txt @@ -0,0 +1,3 @@ +```release-note:bug +secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key +``` diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index 348c85f9dd49..56ab5324aeea 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -1127,7 +1127,12 @@ func signCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBun certTemplate.NotBefore = time.Now().Add(-1 * data.Params.NotBeforeDuration) } - switch data.SigningBundle.PrivateKeyType { + privateKeyType := data.SigningBundle.PrivateKeyType + if privateKeyType == ManagedPrivateKey { + privateKeyType = GetPrivateKeyTypeFromSigner(data.SigningBundle.PrivateKey) + } + + switch privateKeyType { case RSAPrivateKey: certTemplateSetSigAlgo(certTemplate, data) case ECPrivateKey: diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go index 03aba84996b1..15b816f0c8ea 100644 --- a/sdk/helper/certutil/types.go +++ b/sdk/helper/certutil/types.go @@ -148,16 +148,16 @@ type KeyBundle struct { } func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { - switch signer.(type) { - case *rsa.PrivateKey: + // We look at the public key types to work-around limitations/typing of managed keys. + switch signer.Public().(type) { + case *rsa.PublicKey: return RSAPrivateKey - case *ecdsa.PrivateKey: + case *ecdsa.PublicKey: return ECPrivateKey - case ed25519.PrivateKey: + case ed25519.PublicKey: return Ed25519PrivateKey - default: - return UnknownPrivateKey } + return UnknownPrivateKey } // ToPEMBundle converts a string-based certificate bundle