secret/pki: Return correct algorithm type from key fetch API for managed keys (#15468)

* secret/pki: Return correct algorithm type from key fetch api for managed keys

 - fix an issue where the key_type field returned from the key fetch API had
   the ManagedPrivateKey type instead of the real algorithm of the managed key.

* Remove key_type from key list PKI operation. Partial revert of #15435

 - The key_type field should be used solely for the key algorithm but as implemented
   we would be returning the value ManagedPrivateKey for managed keys which is not
   in sync with the rest of the apis. We also did not want to take the performance
   hit if many managed keys existed so we will simply remove the field from the list
   operation
This commit is contained in:
Steven Clark
2022-05-17 11:36:14 -04:00
committed by GitHub
parent bddfb9d446
commit 63b1a3f7b3
3 changed files with 41 additions and 8 deletions


@@ -36,3 +36,7 @@ func extractManagedKeyId(privateKeyBytes []byte) (UUIDKey, error) {
func createKmsKeyBundle(ctx context.Context, b *backend, keyId managedKeyId) (certutil.KeyBundle, certutil.PrivateKeyType, error) { func createKmsKeyBundle(ctx context.Context, b *backend, keyId managedKeyId) (certutil.KeyBundle, certutil.PrivateKeyType, error) {
return certutil.KeyBundle{}, certutil.UnknownPrivateKey, errEntOnly return certutil.KeyBundle{}, certutil.UnknownPrivateKey, errEntOnly
} }
func getManagedKeyInfo(ctx context.Context, b *backend, keyId managedKeyId) (*managedKeyInfo, error) {
return nil, errEntOnly
}
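Review bot: getManagedKeyInfo, added at the end of the hunk, carries no comment explaining that it is a stub, so a reader of this file sees a function that ignores ctx, b and keyId and always returns errEntOnly without any hint of why; suggest `// getManagedKeyInfo is the stub used when managed key support is not compiled in; it always returns errEntOnly.` The build constraint that selects this file is not visible on the page, so check it before settling on the wording. The neighbouring createKmsKeyBundle has the same gap and could get the same treatment.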


@@ -4,6 +4,8 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/hashicorp/vault/sdk/helper/errutil"
"github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
) )
@@ -59,7 +61,6 @@ func (b *backend) pathListKeysHandler(ctx context.Context, req *logical.Request,
responseInfo[string(identifier)] = map[string]interface{}{ responseInfo[string(identifier)] = map[string]interface{}{
keyNameParam: key.Name, keyNameParam: key.Name,
"is_default": identifier == config.DefaultKeyId, "is_default": identifier == config.DefaultKeyId,
"key_type": key.PrivateKeyType,
} }
} }
@@ -146,13 +147,31 @@ func (b *backend) pathGetKeyHandler(ctx context.Context, req *logical.Request, d
return nil, err return nil, err
} }
return &logical.Response{ respData := map[string]interface{}{
Data: map[string]interface{}{ keyIdParam: key.ID,
keyIdParam: key.ID, keyNameParam: key.Name,
keyNameParam: key.Name, keyTypeParam: string(key.PrivateKeyType),
keyTypeParam: key.PrivateKeyType, }
},
}, nil if key.isManagedPrivateKey() {
managedKeyUUID, err := key.getManagedKeyUUID()
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("failed extracting managed key uuid from key id %s (%s): %v", key.ID, key.Name, err)}
}
keyInfo, err := getManagedKeyInfo(ctx, b, managedKeyUUID)
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("failed fetching managed key info from key id %s (%s): %v", key.ID, key.Name, err)}
}
// To remain consistent across the api responses (mainly generate root/intermediate calls), return the actual
// type of key, not that it is a managed key.
respData[keyTypeParam] = string(keyInfo.keyType)
respData[managedKeyIdArg] = string(keyInfo.uuid)
respData[managedKeyNameArg] = string(keyInfo.name)
}
return &logical.Response{Data: respData}, nil
} }
func (b *backend) pathUpdateKeyHandler(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { func (b *backend) pathUpdateKeyHandler(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
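Review bot: In the new managed-key branch of pathGetKeyHandler (the `if key.isManagedPrivateKey()` block), a failure of getManagedKeyUUID or getManagedKeyInfo aborts the whole read with an InternalError even though the stored entry (id, name, stored key type) has already been loaded into respData, so a PKI key whose backing managed key can no longer be resolved becomes unreadable through this endpoint rather than being reported with its stored type. If that is the intended behaviour, a short comment on the branch would make it explicit, e.g. `// A managed key that can no longer be resolved is an error, not a key with an unknown type.`; otherwise returning respData as built and attaching a warning with `resp.AddWarning(...)` would keep the entry visible to operators. Note also that errutil.InternalError holds a plain string, so the underlying err is flattened by fmt.Sprintf and cannot be inspected with errors.Is by any caller, which is fine for an HTTP response but worth keeping in mind if this handler's error path is ever reused internally. The enclosing function begins outside the hunk.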


@@ -2,10 +2,13 @@ package pki
import ( import (
"context" "context"
"crypto"
"fmt" "fmt"
"regexp" "regexp"
"strings" "strings"
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/framework"
@@ -74,6 +77,13 @@ func (n NameKey) String() string {
return string(n) return string(n)
} }
type managedKeyInfo struct {
publicKey crypto.PublicKey
keyType certutil.PrivateKeyType
name NameKey
uuid UUIDKey
}
// getManagedKeyId returns a NameKey or a UUIDKey, whichever was specified in the // getManagedKeyId returns a NameKey or a UUIDKey, whichever was specified in the
// request API data. // request API data.
func getManagedKeyId(data *framework.FieldData) (managedKeyId, error) { func getManagedKeyId(data *framework.FieldData) (managedKeyId, error) {
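Review bot: The new managedKeyInfo struct has no doc comment, while getManagedKeyId directly below it does; suggest `// managedKeyInfo holds the attributes of a managed key that the PKI paths report: its public key, key algorithm (as a certutil.PrivateKeyType), name and uuid.` Since name is a NameKey, which has a String() method visible just above the struct, call sites that convert it with string(...) could use .String() for consistency, though that is a matter of taste.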