Intermediate Cross-Sign Fails for ED25519 keys #26089

Open
forsberg opened this issue Mar 22, 2024 · 0 comments

Describe the bug

Trying to follow the Build Your Own Certificate Authority tutorial, but with ed25519 keys, Vault fails when trying to generate a CSR to cross-sign the intermediate.

To Reproduce

Running the following test script:

#!/bin/bash
# https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine#step-2-generate-intermediate-ca but with ${key_type}

key_type=ed25519

vault secrets disable pki_${key_type}
vault secrets disable pki_int_${key_type}

# Create root CA
vault secrets enable -path pki_${key_type} pki
vault secrets tune -max-lease-ttl=87600h pki_${key_type}

vault write -field=certificate pki_${key_type}/root/generate/internal \
    common_name="example.com" \
    issuer_name="root-2023" \
    key_type=${key_type} \
    ttl=87600h > root_2023_ca.crt

vault write pki_${key_type}/roles/2023-servers allow_any_name=true
vault write pki_${key_type}/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

# Create intermediate CA
vault secrets enable -path=pki_int_${key_type} pki
vault secrets tune -max-lease-ttl=43800h pki_int_${key_type}

vault write -format=json pki_int_${key_type}/intermediate/generate/internal \
    common_name="example.com Intermediate Authority" \
    issuer_name="example-dot-com-intermediate" \
    key_type=${key_type} \
    | jq -r '.data.csr' > pki_intermediate.csr

vault write -format=json pki_${key_type}/root/sign-intermediate \
    issuer_ref="root-2023" \
    csr=@pki_intermediate.csr \
    format=pem_bundle ttl="43800h" \
    | jq -r '.data.certificate' > intermediate.cert.pem

vault write pki_int_${key_type}/intermediate/set-signed certificate=@intermediate.cert.pem

# Rotate root CA
vault write pki_${key_type}/root/rotate/internal \
    common_name="example.com" \
    issuer_name="root-2024" \
    key_type=${key_type}

# Ask for CSR for cross-signing
vault write -format=json pki_int_${key_type}/intermediate/cross-sign \
    common_name="example.com Intermediate Authority" \
    key_ref="$(vault read pki_int_${key_type}/issuer/$(vault read -field=default pki_int_${key_type}/config/issuers) \
    | grep -i key_id | awk '{print $2}')" \
    | jq -r '.data.csr' \
    | tee cross-signed-intermediate.csr

The output of the last command is:

Error writing data to pki_int_ed25519/intermediate/cross-sign: Error making API request.

URL: PUT http://localhost:8202/v1/pki_int_ed25519/intermediate/cross-sign
Code: 400. Errors:

* unsupported public key: ed25519.PublicKey{0x65, 0xc6, 0x8b, 0x33, 0x9, 0x5d, 0xbc, 0x6b, 0x20, 0x9e, 0x63, 0x3, 0xc8, 0xd, 0xa8, 0x10, 0x92, 0x48, 0x62, 0xa8, 0xbb, 0x3a, 0x4f, 0x49, 0x57, 0xae, 0xc2, 0x67, 0x5a, 0x8c, 0x20, 0xa3}

Expected behavior

Expected a CSR to be generated.

Environment:

  • Vault Server Version (retrieve with vault status): 1.15.5, 1.16.0-rc3
  • Vault CLI Version (retrieve with vault version): 1.15.6
  • Server Operating System/Architecture: Docker/Linux

Vault server configuration file(s):

ui = true

listener "tcp" {
  address     = "0.0.0.0:8202"
  tls_disable = 1
}

storage "file" {
  path = "/vault/file"
}

api_addr = "http://127.0.0.1:8202"

disable_mlock = "true"

log_level = "Trace"

Am I wrong in expecting this to work? Perhaps there's something with ed25519 that makes it not work, but that seems unlikely.

Very confusing: when I try to follow the code path, the error message seems to originate from getKeyTypeAndBitsFromPublicKeyForRole, but that function does seem to support ed25519.PublicKey.
