scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-31 02:28:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix ed25519 key type in ca_util (#27093)

Browse Source 
* fix ed25519 key type

* add changelog

* fix other case and add tests

* add other test

* add headers
This commit is contained in:
Rachel Culpepper
2024-05-22 09:27:45 -05:00
committed by GitHub
parent 20d44279ac
commit 0b02c5d56c
5 changed files with 150 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
builtin/logical/pki/ca_util.go
View File

@@ -235,7 +235,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr
keyBits = certutil.GetPublicKeySize(pubKey) keyBits = certutil.GetPublicKeySize(pubKey)
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
keyType = certutil.ECPrivateKey keyType = certutil.ECPrivateKey
case *ed25519.PublicKey: case ed25519.PublicKey:
keyType = certutil.Ed25519PrivateKey keyType = certutil.Ed25519PrivateKey
default: default:
return certutil.UnknownPrivateKey, 0, fmt.Errorf("unsupported public key: %#v", pubKey) return certutil.UnknownPrivateKey, 0, fmt.Errorf("unsupported public key: %#v", pubKey)

82
builtin/logical/pki/ca_util_test.go Normal file
View File

@@ -0,0 +1,82 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package pki
import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"testing"
"github.com/hashicorp/vault/sdk/helper/certutil"
)
func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) {
rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("error generating rsa key: %s", err)
}
ecdsaKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating ecdsa key: %s", err)
}
publicKey, _, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
t.Fatalf("error generating ed25519 key: %s", err)
}
testCases := map[string]struct {
publicKey crypto.PublicKey
expectedKeyType certutil.PrivateKeyType
expectedKeyBits int
expectError bool
}{
"rsa": {
publicKey: rsaKey.Public(),
expectedKeyType: certutil.RSAPrivateKey,
expectedKeyBits: 2048,
},
"ecdsa": {
publicKey: ecdsaKey.Public(),
expectedKeyType: certutil.ECPrivateKey,
expectedKeyBits: 0,
},
"ed25519": {
publicKey: publicKey,
expectedKeyType: certutil.Ed25519PrivateKey,
expectedKeyBits: 0,
},
"bad key type": {
publicKey: []byte{},
expectedKeyType: certutil.UnknownPrivateKey,
expectedKeyBits: 0,
expectError: true,
},
}
for name, tt := range testCases {
t.Run(name, func(t *testing.T) {
keyType, keyBits, err := getKeyTypeAndBitsFromPublicKeyForRole(tt.publicKey)
if err != nil && !tt.expectError {
t.Fatalf("unexpected error: %s", err)
}
if err == nil && tt.expectError {
t.Fatal("expected error, got nil")
}
if keyType != tt.expectedKeyType {
t.Fatalf("key type mismatch: expected %s, got %s", tt.expectedKeyType, keyType)
}
if keyBits != tt.expectedKeyBits {
t.Fatalf("key bits mismatch: expected %d, got %d", tt.expectedKeyBits, keyBits)
}
})
}
}

3
changelog/27093.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
pki: Fix error in cross-signing using ed25519 keys
```

2
sdk/helper/certutil/types.go
View File

@@ -171,7 +171,7 @@ func GetPrivateKeyTypeFromPublicKey(pubKey crypto.PublicKey) PrivateKeyType {
return RSAPrivateKey return RSAPrivateKey
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
return ECPrivateKey return ECPrivateKey
case *ed25519.PublicKey: case ed25519.PublicKey:
return Ed25519PrivateKey return Ed25519PrivateKey
default: default:
return UnknownPrivateKey return UnknownPrivateKey

63
sdk/helper/certutil/types_test.go Normal file
View File

@@ -0,0 +1,63 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package certutil
import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"testing"
)
func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) {
rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("error generating rsa key: %s", err)
}
ecdsaKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating ecdsa key: %s", err)
}
publicKey, _, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
t.Fatalf("error generating ed25519 key: %s", err)
}
testCases := map[string]struct {
publicKey crypto.PublicKey
expectedKeyType PrivateKeyType
}{
"rsa": {
publicKey: rsaKey.Public(),
expectedKeyType: RSAPrivateKey,
},
"ecdsa": {
publicKey: ecdsaKey.Public(),
expectedKeyType: ECPrivateKey,
},
"ed25519": {
publicKey: publicKey,
expectedKeyType: Ed25519PrivateKey,
},
"bad key type": {
publicKey: []byte{},
expectedKeyType: UnknownPrivateKey,
},
}
for name, tt := range testCases {
t.Run(name, func(t *testing.T) {
keyType := GetPrivateKeyTypeFromPublicKey(tt.publicKey)
if keyType != tt.expectedKeyType {
t.Fatalf("key type mismatch: expected %s, got %s", tt.expectedKeyType, keyType)
}
})
}
}