diff --git a/builtin/logical/pki/managed_key_util.go b/builtin/logical/pki/managed_key_util.go
index d69b2256db..29ab433813 100644
--- a/builtin/logical/pki/managed_key_util.go
+++ b/builtin/logical/pki/managed_key_util.go
@@ -36,3 +36,7 @@ func extractManagedKeyId(privateKeyBytes []byte) (UUIDKey, error) {
 func createKmsKeyBundle(ctx context.Context, b *backend, keyId managedKeyId) (certutil.KeyBundle, certutil.PrivateKeyType, error) {
 return certutil.KeyBundle{}, certutil.UnknownPrivateKey, errEntOnly
 }
+
+func getManagedKeyInfo(ctx context.Context, b *backend, keyId managedKeyId) (*managedKeyInfo, error) {
+ return nil, errEntOnly
+}
diff --git a/builtin/logical/pki/path_fetch_keys.go b/builtin/logical/pki/path_fetch_keys.go
index d3c379843f..e075a40f44 100644
--- a/builtin/logical/pki/path_fetch_keys.go
+++ b/builtin/logical/pki/path_fetch_keys.go
@@ -4,6 +4,8 @@ import (
 "context"
 "fmt"
+ "github.com/hashicorp/vault/sdk/helper/errutil"
+
 "github.com/hashicorp/vault/sdk/framework"
 "github.com/hashicorp/vault/sdk/logical"
 )
@@ -59,7 +61,6 @@ func (b *backend) pathListKeysHandler(ctx context.Context, req *logical.Request,
 responseInfo[string(identifier)] = map[string]interface{}{
 keyNameParam: key.Name,
 "is_default": identifier == config.DefaultKeyId,
- "key_type": key.PrivateKeyType,
 }
 }
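Review bot: The new `getManagedKeyInfo` stub in managed_key_util.go carries no comment, so a reader sees a function that ignores all three parameters and unconditionally errors, without being told that it is the Community-Edition placeholder paired with an Enterprise implementation, exactly like `createKmsKeyBundle` directly above it. I'd add `// getManagedKeyInfo resolves a managed key reference to its managedKeyInfo (type, name, UUID, public key). Managed keys are an Enterprise feature; this Community-Edition build always returns a nil *managedKeyInfo and errEntOnly.` above the signature. Because the pointer is nil whenever the error is set, the comment should also say that callers must check the error before dereferencing the result, since the success-path shape is only defined by the Enterprise build, which is not visible here.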
@@ -146,13 +147,31 @@ func (b *backend) pathGetKeyHandler(ctx context.Context, req *logical.Request, d
 return nil, err
 }
- return &logical.Response{
- Data: map[string]interface{}{
- keyIdParam: key.ID,
- keyNameParam: key.Name,
- keyTypeParam: key.PrivateKeyType,
- },
- }, nil
+ respData := map[string]interface{}{
+ keyIdParam: key.ID,
+ keyNameParam: key.Name,
+ keyTypeParam: string(key.PrivateKeyType),
+ }
+
+ if key.isManagedPrivateKey() {
+ managedKeyUUID, err := key.getManagedKeyUUID()
+ if err != nil {
+ return nil, errutil.InternalError{Err: fmt.Sprintf("failed extracting managed key uuid from key id %s (%s): %v", key.ID, key.Name, err)}
+ }
+
+ keyInfo, err := getManagedKeyInfo(ctx, b, managedKeyUUID)
+ if err != nil {
+ return nil, errutil.InternalError{Err: fmt.Sprintf("failed fetching managed key info from key id %s (%s): %v", key.ID, key.Name, err)}
+ }
+
+ // To remain consistent across the api responses (mainly generate root/intermediate calls), return the actual
+ // type of key, not that it is a managed key.
+ respData[keyTypeParam] = string(keyInfo.keyType)
+ respData[managedKeyIdArg] = string(keyInfo.uuid)
+ respData[managedKeyNameArg] = string(keyInfo.name)
+ }
+
+ return &logical.Response{Data: respData}, nil
 }
 func (b *backend) pathUpdateKeyHandler(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
diff --git a/builtin/logical/pki/util.go b/builtin/logical/pki/util.go
index 420fd2e24b..f855e0d690 100644
--- a/builtin/logical/pki/util.go
+++ b/builtin/logical/pki/util.go
@@ -2,10 +2,13 @@ package pki
 import (
 "context"
+ "crypto"
 "fmt"
 "regexp"
 "strings"
+ "github.com/hashicorp/vault/sdk/helper/certutil"
+ "github.com/hashicorp/vault/sdk/logical"
 "github.com/hashicorp/vault/sdk/framework"
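Review bot: Any failure inside the new `if key.isManagedPrivateKey()` block turns a read of metadata that is already loaded into an `errutil.InternalError`, so a managed key whose backing entry has disappeared from the managed-key configuration makes `GET .../key/:ref` answer with a 500 even though `respData` already holds the id, name and stored type an operator would need to identify and clean it up. The same happens for any managed-key entry read by a build whose `getManagedKeyInfo` is the Community-Edition stub in managed_key_util.go, which always returns `errEntOnly`, if storage written by an Enterprise node can be opened that way. I'd degrade rather than abort on the `getManagedKeyInfo` error: return the stored fields and attach the lookup failure as a response warning (`logical.Response` has an `AddWarning` helper, as far as I recall), keeping the hard error only for the `getManagedKeyUUID` parse failure, which really does indicate corrupt state. Note too that `InternalError` text is, as far as I know, handed to the API caller verbatim, so the `%v` of the managed-key backend's error should be checked for endpoint or credential details before it is embedded. `pathGetKeyHandler` begins above the hunk; only its tail is shown.
```go
		keyInfo, err := getManagedKeyInfo(ctx, b, managedKeyUUID)
		if err != nil {
			// The stored id/name/type are still valid on their own; report the
			// enrichment failure without hiding the key from the operator.
			resp := &logical.Response{Data: respData}
			resp.AddWarning(fmt.Sprintf("failed fetching managed key info from key id %s (%s): %v", key.ID, key.Name, err))
			return resp, nil
		}
		// … unchanged: overwrite key_type and add managed key id/name …
```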
@@ -74,6 +77,13 @@ func (n NameKey) String() string {
 return string(n)
 }
+type managedKeyInfo struct {
+ publicKey crypto.PublicKey
+ keyType certutil.PrivateKeyType
+ name NameKey
+ uuid UUIDKey
+}
+
 // getManagedKeyId returns a NameKey or a UUIDKey, whichever was specified in the
 // request API data.
 func getManagedKeyId(data *framework.FieldData) (managedKeyId, error) {
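Review bot: `managedKeyInfo` is introduced without a doc comment, and its `publicKey` field is not read anywhere in this change (the new `pathGetKeyHandler` code uses only `keyType`, `uuid` and `name`), so on the Community-Edition side, where `getManagedKeyInfo` only ever returns `errEntOnly`, the struct's contract is invisible. I'd put `// managedKeyInfo describes a managed key as seen by the PKI backend: its public key, the underlying certutil key type, and the managed key's configured name and UUID. Only the Enterprise implementation of getManagedKeyInfo populates it; the Community-Edition stub returns errEntOnly.` above the type. `keyType` also deserves a one-line comment saying it holds the key's actual algorithm type rather than the managed-key marker, because that distinction is exactly what the GET handler relies on when it overwrites `key_type` in the response. A short comment on `publicKey` naming the consumer it is meant for would stop the next reader from assuming it is dead, since nothing visible here uses it.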