From 0588924a68fc6de395bc139a64fda104e68912d3 Mon Sep 17 00:00:00 2001 From: Steve Clark Date: Wed, 18 Oct 2023 13:55:34 -0400 Subject: [PATCH 1/2] Forbid setting auto_rotate_period on transit managed keys - Prevent and guard against auto-rotating managed keys as we generate an invalid key version without the uuid field set. - Hook in the datakey generation api into managed key encryption. --- builtin/logical/transit/backend.go | 5 +++++ builtin/logical/transit/path_datakey.go | 19 ++++++++++++++++++- builtin/logical/transit/path_keys_config.go | 4 ++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/builtin/logical/transit/backend.go b/builtin/logical/transit/backend.go index 2399ec7a62dd..62703e6af0af 100644 --- a/builtin/logical/transit/backend.go +++ b/builtin/logical/transit/backend.go @@ -275,6 +275,11 @@ func (b *backend) rotateIfRequired(ctx context.Context, req *logical.Request, ke return nil } + // We can't auto-rotate managed keys + if p.Type == keysutil.KeyType_MANAGED_KEY { + return nil + } + // Retrieve the latest version of the policy and determine if it is time to rotate. latestKey := p.Keys[strconv.Itoa(p.LatestVersion)] if time.Now().After(latestKey.CreationTime.Add(p.AutoRotatePeriod)) { diff --git a/builtin/logical/transit/path_datakey.go b/builtin/logical/transit/path_datakey.go index ad3887e0e3d7..53aff54690bb 100644 --- a/builtin/logical/transit/path_datakey.go +++ b/builtin/logical/transit/path_datakey.go @@ -7,6 +7,7 @@ import ( "context" "crypto/rand" "encoding/base64" + "errors" "fmt" "github.com/hashicorp/vault/helper/constants" @@ -141,7 +142,23 @@ func (b *backend) pathDatakeyWrite(ctx context.Context, req *logical.Request, d return nil, err } - ciphertext, err := p.Encrypt(ver, context, nonce, base64.StdEncoding.EncodeToString(newKey)) + var managedKeyFactory ManagedKeyFactory + if p.Type == keysutil.KeyType_MANAGED_KEY { + managedKeySystemView, ok := b.System().(logical.ManagedKeySystemView) + if !ok { + return nil, errors.New("unsupported system view") + } + + managedKeyFactory = ManagedKeyFactory{ + managedKeyParams: keysutil.ManagedKeyParameters{ + ManagedKeySystemView: managedKeySystemView, + BackendUUID: b.backendUUID, + Context: ctx, + }, + } + } + + ciphertext, err := p.EncryptWithFactory(ver, context, nonce, base64.StdEncoding.EncodeToString(newKey), nil, managedKeyFactory) if err != nil { switch err.(type) { case errutil.UserError: diff --git a/builtin/logical/transit/path_keys_config.go b/builtin/logical/transit/path_keys_config.go index d1e522c44252..ed91d236dc92 100644 --- a/builtin/logical/transit/path_keys_config.go +++ b/builtin/logical/transit/path_keys_config.go @@ -218,6 +218,10 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request, p.AutoRotatePeriod = autoRotatePeriod persistNeeded = true } + + if p.Type == keysutil.KeyType_MANAGED_KEY && autoRotatePeriod != 0 { + return logical.ErrorResponse("Auto rotation can not be set for managed keys"), nil + } } if !persistNeeded { From c744750783e580e87c5f906a7672ebf2abc2c733 Mon Sep 17 00:00:00 2001 From: Steve Clark Date: Wed, 18 Oct 2023 14:04:06 -0400 Subject: [PATCH 2/2] Add cl --- changelog/23723.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog/23723.txt diff --git a/changelog/23723.txt b/changelog/23723.txt new file mode 100644 index 000000000000..25828f99655d --- /dev/null +++ b/changelog/23723.txt @@ -0,0 +1,3 @@ +```release-note:bug +secrets/transit: Do not allow auto rotation on managed_key key types +```