Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of Fix handling of default zero SignatureBits value with Any key type in PKI Secrets Engine into release/1.10.x #14892

Closed
wants to merge 1 commit into from
Closed

Backport of Fix handling of default zero SignatureBits value with Any key type in PKI Secrets Engine into release/1.10.x #14892

wants to merge 1 commit into from

Conversation

hc-github-team-secure-vault-core
Copy link
Collaborator

Backport

This PR is auto-generated from #14875 to be assessed for backporting due to the inclusion of the label backport/1.10.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

The below text is copied from the body of the original PR.

When using KeyType="any" on a role (whether explicitly or implicitly
via a sign-verbatim like operation), we need to update the value of
SignatureBits from its new value 0 to a per-key-type default value. This
will allow sign operations on these paths to function correctly, having
the correctly inferred default signature bit length.

Additionally, this allows the computed default value for key type to be
used for minimum size validation in the RSA/ECDSA paths. We additionally
enforce the 2048-minimum in this case as well.

`Signed-off-by: Alexander Scheel [email protected]

Fix defaults and validation of "any" KeyType

When certutil is given the placeholder any keytype, it attempts to
validate and update the default zero value. However, in lacking a
default value for SignatureBits, it cannot update the value from the
zero value, thus causing validation to fail.

Add more awareness to the placeholder "any" value to certutil.

`Signed-off-by: Alexander Scheel [email protected]

Resolves: #14863

This also includes two tests, including one written by @stevendpclark for checking this issue and ensuring we don't regress, one for roles and one for sign-verbatim.

@hashicorp-cla
Copy link

hashicorp-cla commented Apr 4, 2022
edited by hashicorp-cla-app bot
Loading

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@vercel vercel bot temporarily deployed to Preview – vault-storybook April 4, 2022 19:27 Inactive
@vercel vercel bot temporarily deployed to Preview – vault April 4, 2022 19:27 Inactive
@cipherboy
Copy link
Contributor

Closing this and re-opening manually.

@cipherboy cipherboy closed this Apr 4, 2022
@cipherboy cipherboy deleted the backport/cipherboy-fix-signature-bits/perfectly-wanted-garfish branch December 1, 2022 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cipherboy cipherboy Awaiting requested review from cipherboy

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@hc-github-team-secure-vault-core @hashicorp-cla @cipherboy