Ignore EC PARAMETER blocks during issuer import #16721

Merged
merged 3 commits into from
Aug 15, 2022

@cipherboy cipherboy commented Aug 15, 2022

While older versions of Vault supported sending this, we broke such
support in 1.11. Ignore them from the manage issuers endpoint (which is
aliased to the old /config/ca path) -- but keep erring in the import
keys paths. The latter is a new endpoint not aliased to anything and
only expects a single PEM block.

Signed-off-by: Alexander Scheel <[email protected]>


Resolves: #16667

@cipherboy cipherboy added bug Used to indicate a potential bug secret/pki backport/1.11.x labels Aug 15, 2022
@cipherboy cipherboy added this to the 1.12.0-rc1 milestone Aug 15, 2022
@cipherboy cipherboy marked this pull request as ready for review August 15, 2022 12:55

@cipherboy cipherboy left a comment

Note that on Vault 1.10, the parsing code was here: https://github.com/hashicorp/vault/blob/main/sdk/helper/certutil/helpers.go#L258

Since we didn't know the type (and it didn't decode successfully as either a key or a cert), we just dropped it from the bundle. Now we care more about the types of the entries in bundles and so we're wanting to explicitly ignore things we know are safe to ignore, and categorize the rest appropriately.

@cipherboy cipherboy enabled auto-merge (squash) August 15, 2022 15:45
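
The behaviour discussed in this thread, as an added Go example that is not code from this pull request or from Vault: a bundle splitter that skips `EC PARAMETERS` blocks on a lenient (issuer-import style) path and rejects them on a strict (key-import style) path. The names `splitBundle`, `sampleBundle`, `ecParams` and the `lenient` flag are hypothetical, and the sample bundle is constructed to match what `openssl ecparam -genkey` writes for prime256v1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// ecParams holds only the DER-encoded OID of prime256v1: no key or cert material.
const ecParams = "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n"

// splitBundle (hypothetical helper, not Vault's code) sorts PEM blocks by type.
func splitBundle(bundle []byte, lenient bool) (certs, keys []*pem.Block, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		switch {
		case block.Type == "EC PARAMETERS" && lenient:
			continue // issuer-import style path: known-safe, ignore
		case block.Type == "CERTIFICATE":
			certs = append(certs, block)
		case block.Type == "PRIVATE KEY" || block.Type == "EC PRIVATE KEY" || block.Type == "RSA PRIVATE KEY":
			keys = append(keys, block)
		default: // includes EC PARAMETERS on the strict key-import style path
			return nil, nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
		}
	}
	return certs, keys, nil
}

// sampleBundle returns a constructed bundle: EC PARAMETERS, then a fresh P-256 key.
func sampleBundle() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		panic(err)
	}
	return append([]byte(ecParams), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})...)
}

func main() {
	_, keys, lenientErr := splitBundle(sampleBundle(), true)
	_, _, strictErr := splitBundle(sampleBundle(), false)
	fmt.Println(len(keys), lenientErr, strictErr)
}
```

Unlike silently dropping anything that fails to decode, the `default` branch surfaces every block type that is not on the explicit allow or ignore list.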
Successfully merging this pull request may close these issues.

Error on parsing pem_bundle parameter