
PKI: Fix managed key signatures when using specified signature_bits #17328

Merged
merged 2 commits into from
Sep 28, 2022

Conversation

stevendpclark
Contributor

  • When calling sign-intermediate and other APIs with the signature_bits value overridden with a backing managed key, we did not use that value, as the tests for the private key type were not working.
  • This was exposed with GCP managed key testing, as we started failing with a backing PSS SHA512 RSA key
vault write -format=json pki/root/sign-intermediate signature_bits=512 csr=@pki_intermediate.csr use_pss=true \
     format=pem_bundle ttl="43800h" \
     | jq -r '.data.certificate' > intermediate.cert.pem

Error writing data to pki/root/sign-intermediate: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/pki/root/sign-intermediate
Code: 500. Errors:

* 1 error occurred:
	* error signing cert: unable to create certificate: rpc error: code = InvalidArgument desc = The digest SHA256 is not valid for CryptoKeys with algorithm RSA_SIGN_PSS_4096_SHA512.

 - When calling sign-intermediate and other apis with signature_bits
   value overridden with a backing managed key we did not use that
   value as tests for the private key type were not working.
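As an added illustration of the failure mode described above (example code, not Vault's own): a managed key is a crypto.Signer whose private half lives in the KMS, so a type switch on the signer never matches *rsa.PrivateKey and the requested signature_bits silently fall back to the SHA-256 default, which is exactly the digest the SHA-512 PSS key rejects; checking the signer's public key instead keeps the requested hash width. managedSigner, IsRSAByConcreteType, IsRSAByPublicKey and SelectRSASignatureAlgorithm are names constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"io"
)

// managedSigner is a constructed stand-in for a KMS-backed crypto.Signer:
// the process only holds the public key, never an *rsa.PrivateKey.
type managedSigner struct{ pub crypto.PublicKey }

func (m managedSigner) Public() crypto.PublicKey { return m.pub }
func (m managedSigner) Sign(io.Reader, []byte, crypto.SignerOpts) ([]byte, error) {
	return nil, errors.New("constructed example: signing is delegated to the KMS")
}

// IsRSAByConcreteType is the failing check: a managed key is not an
// *rsa.PrivateKey, so an RSA-backed managed key is reported as not RSA.
func IsRSAByConcreteType(s crypto.Signer) bool {
	_, ok := s.(*rsa.PrivateKey)
	return ok
}

// IsRSAByPublicKey inspects the public half, which every crypto.Signer
// exposes, so it classifies in-process and managed keys alike.
func IsRSAByPublicKey(s crypto.Signer) bool {
	_, ok := s.Public().(*rsa.PublicKey)
	return ok
}

// SelectRSASignatureAlgorithm maps the requested signature_bits (hash width)
// and use_pss to an x509.SignatureAlgorithm. When the key-type check fails,
// signature_bits is dropped and the SHA-256 default is used instead.
func SelectRSASignatureAlgorithm(s crypto.Signer, bits int, usePSS bool, isRSA func(crypto.Signer) bool) x509.SignatureAlgorithm {
	table := map[int]x509.SignatureAlgorithm{256: x509.SHA256WithRSA, 384: x509.SHA384WithRSA, 512: x509.SHA512WithRSA}
	if usePSS {
		table = map[int]x509.SignatureAlgorithm{256: x509.SHA256WithRSAPSS, 384: x509.SHA384WithRSAPSS, 512: x509.SHA512WithRSAPSS}
	}
	if !isRSA(s) {
		bits = 256 // key type unrecognized: the requested width is silently ignored
	}
	if alg, ok := table[bits]; ok {
		return alg
	}
	return table[256] // bits of 0 (unset) or an unsupported width: default hash
}
```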
@cipherboy
Contributor

In particular, this is safer and matches what we do in storage.go elsewhere.

@stevendpclark stevendpclark added backport/1.10.x bug Used to indicate a potential bug labels Sep 27, 2022
@stevendpclark stevendpclark merged commit f28e921 into main Sep 28, 2022
@stevendpclark stevendpclark deleted the stevendpclark/managed-key-fix branch September 28, 2022 13:08
stevendpclark added a commit that referenced this pull request Sep 28, 2022
…17328)

* PKI: Fix managed key signatures when using specified signature_bits

 - When calling sign-intermediate and other apis with signature_bits
   value overridden with a backing managed key we did not use that
   value as tests for the private key type were not working.

* Add cl
stevendpclark added a commit that referenced this pull request Sep 28, 2022
…17328) (#17341)

* PKI: Fix managed key signatures when using specified signature_bits

 - When calling sign-intermediate and other apis with signature_bits
   value overridden with a backing managed key we did not use that
   value as tests for the private key type were not working.

* Add cl

Co-authored-by: Steven Clark <[email protected]>
Labels
bug Used to indicate a potential bug secret/pki