Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix ed25519 key type in ca_util #27093

Merged
merged 5 commits into from
May 22, 2024
Merged

Fix ed25519 key type in ca_util #27093

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4533e04
fix ed25519 key type
rculpepper May 16, 2024
d6f95b3
add changelog
rculpepper May 16, 2024
73dea5f
fix other case and add tests
rculpepper May 21, 2024
53c29e9
add other test
rculpepper May 21, 2024
70af5cf
add headers
rculpepper May 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion builtin/logical/pki/ca_util.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr
keyBits = certutil.GetPublicKeySize(pubKey)
case *ecdsa.PublicKey:
keyType = certutil.ECPrivateKey
case *ed25519.PublicKey:
case ed25519.PublicKey:
keyType = certutil.Ed25519PrivateKey
default:
return certutil.UnknownPrivateKey, 0, fmt.Errorf("unsupported public key: %#v", pubKey)
Expand Down
82 changes: 82 additions & 0 deletions builtin/logical/pki/ca_util_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package pki

import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"testing"

"github.com/hashicorp/vault/sdk/helper/certutil"
)

func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) {

Check failure on line 18 in builtin/logical/pki/ca_util_test.go

View workflow job for this annotation

GitHub Actions / Code checks 

Test TestGetKeyTypeAndBitsFromPublicKeyForRole is missing a go doc
rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("error generating rsa key: %s", err)
}

ecdsaKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating ecdsa key: %s", err)
}

publicKey, _, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
t.Fatalf("error generating ed25519 key: %s", err)
}

testCases := map[string]struct {
publicKey crypto.PublicKey
expectedKeyType certutil.PrivateKeyType
expectedKeyBits int
expectError bool
}{
"rsa": {
publicKey: rsaKey.Public(),
expectedKeyType: certutil.RSAPrivateKey,
expectedKeyBits: 2048,
},
"ecdsa": {
publicKey: ecdsaKey.Public(),
expectedKeyType: certutil.ECPrivateKey,
expectedKeyBits: 0,
},
"ed25519": {
publicKey: publicKey,
expectedKeyType: certutil.Ed25519PrivateKey,
expectedKeyBits: 0,
},
"bad key type": {
publicKey: []byte{},
expectedKeyType: certutil.UnknownPrivateKey,
expectedKeyBits: 0,
expectError: true,
},
}

for name, tt := range testCases {
t.Run(name, func(t *testing.T) {
keyType, keyBits, err := getKeyTypeAndBitsFromPublicKeyForRole(tt.publicKey)
if err != nil && !tt.expectError {
t.Fatalf("unexpected error: %s", err)
}
if err == nil && tt.expectError {
t.Fatal("expected error, got nil")
}

if keyType != tt.expectedKeyType {
t.Fatalf("key type mismatch: expected %s, got %s", tt.expectedKeyType, keyType)
}

if keyBits != tt.expectedKeyBits {
t.Fatalf("key bits mismatch: expected %d, got %d", tt.expectedKeyBits, keyBits)
}
})
}
}
3 changes: 3 additions & 0 deletions changelog/27093.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
pki: Fix error in cross-signing using ed25519 keys
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
pki: Fix error in cross-signing using ed25519 keys
secrets/pki: Fix error in cross-signing using ed25519 keys

```
2 changes: 1 addition & 1 deletion sdk/helper/certutil/types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@ func GetPrivateKeyTypeFromPublicKey(pubKey crypto.PublicKey) PrivateKeyType {
return RSAPrivateKey
case *ecdsa.PublicKey:
return ECPrivateKey
case *ed25519.PublicKey:
case ed25519.PublicKey:
return Ed25519PrivateKey
default:
return UnknownPrivateKey
Expand Down
63 changes: 63 additions & 0 deletions sdk/helper/certutil/types_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package certutil

import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"testing"
)

func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) {
rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("error generating rsa key: %s", err)
}

ecdsaKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating ecdsa key: %s", err)
}

publicKey, _, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
t.Fatalf("error generating ed25519 key: %s", err)
}

testCases := map[string]struct {
publicKey crypto.PublicKey
expectedKeyType PrivateKeyType
}{
"rsa": {
publicKey: rsaKey.Public(),
expectedKeyType: RSAPrivateKey,
},
"ecdsa": {
publicKey: ecdsaKey.Public(),
expectedKeyType: ECPrivateKey,
},
"ed25519": {
publicKey: publicKey,
expectedKeyType: Ed25519PrivateKey,
},
"bad key type": {
publicKey: []byte{},
expectedKeyType: UnknownPrivateKey,
},
}

for name, tt := range testCases {
t.Run(name, func(t *testing.T) {
keyType := GetPrivateKeyTypeFromPublicKey(tt.publicKey)

if keyType != tt.expectedKeyType {
t.Fatalf("key type mismatch: expected %s, got %s", tt.expectedKeyType, keyType)
}
})
}
}
Loading