Unable to set key_type "any" on PKI role #4595

Closed
bluecmd opened this issue May 19, 2018 · 6 comments

@bluecmd
Contributor

bluecmd commented May 19, 2018

Describe the bug
Default for a PKI role seems to be rsa/2048. I want to allow a CSR sign to work for EC and RSA. Trying to set key_type=any (which seems to be what the code cares about) results in:

* role requires keys of type rsa

To Reproduce

  1. vault write test-pki/roles/user ....
  2. vault read test-pki/roles/user returns:
     ...
     key_bits                              2048
     key_type                              rsa
     ...
  3. Try to sign an EC CSR using vault write test-pki/sign/user.
  4. Get error * role requires keys of type rsa

Expected behavior

  1. Default is key_type = any
  2. If not default, at least setting it should be possible.

Environment:

  • Vault Server Version (retrieve with vault status):
    Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd')
  • Vault CLI Version (retrieve with vault version):
    Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd')
  • Server Operating System/Architecture:
    Linux Debian testing

@jefferai
Member

What is the role write command you are using?

@bluecmd
Contributor Author

bluecmd commented May 19, 2018

Example:

vault write browser-pki/roles/user max_ttl=2160h ttl=2160h allow_localhost=false ou=Web server_flag=false allow_any_name=true use_csr_common_name=false use_csr_sans=false

@jefferai
Member

key_type=any isn't in your command

@bluecmd
Contributor Author

bluecmd commented May 19, 2018

I assumed you meant the writes that succeed to create the role. If I do the above with key_type=any:

root@vault:~/vault# vault write browser-pki/roles/user max_ttl=2160h ttl=2160h allow_localhost=false ou=Web server_flag=false allow_any_name=true use_csr_common_name=false use_csr_sans=false key_type=any
Error writing data to browser-pki/roles/user: Error making API request.

URL: PUT https://[redacted]/v1/browser-pki/roles/user
Code: 400. Errors:

* unknown key type any

@jefferai
Member

OK, so that ^ is the actual problem!

@bluecmd
Contributor Author

bluecmd commented May 19, 2018

Thanks for the quick fix!
