scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

backport of commit bc4be73a1c (#23679)

Browse Source 
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
This commit is contained in:
hc-github-team-secure-vault-core
2023-10-16 17:09:36 -04:00
committed by GitHub
parent 3a7643d315
commit 77f8d45228
2 changed files with 25 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
builtin/logical/transit/path_sign_verify.go
View File

@@ -353,10 +353,6 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
} }
if hashAlgorithm == keysutil.HashTypeNone && (!prehashed || sigAlgorithm != "pkcs1v15") {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
// Get the policy // Get the policy
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{ p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
Storage: req.Storage, Storage: req.Storage,
@@ -377,6 +373,13 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
return logical.ErrorResponse(fmt.Sprintf("key type %v does not support signing", p.Type)), logical.ErrInvalidRequest return logical.ErrorResponse(fmt.Sprintf("key type %v does not support signing", p.Type)), logical.ErrInvalidRequest
} }
// Allow managed keys to specify no hash algo without additional conditions.
if hashAlgorithm == keysutil.HashTypeNone && p.Type != keysutil.KeyType_MANAGED_KEY {
if !prehashed || sigAlgorithm != "pkcs1v15" {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
}
batchInputRaw := d.Raw["batch_input"] batchInputRaw := d.Raw["batch_input"]
var batchInputItems []batchRequestSignItem var batchInputItems []batchRequestSignItem
if batchInputRaw != nil { if batchInputRaw != nil {
@@ -419,9 +422,11 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
if p.Type.HashSignatureInput() && !prehashed { if p.Type.HashSignatureInput() && !prehashed {
hf := keysutil.HashFuncMap[hashAlgorithm]() hf := keysutil.HashFuncMap[hashAlgorithm]()
if hf != nil {
hf.Write(input) hf.Write(input)
input = hf.Sum(nil) input = hf.Sum(nil)
} }
}
contextRaw := item["context"] contextRaw := item["context"]
var context []byte var context []byte
@@ -606,10 +611,6 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
} }
if hashAlgorithm == keysutil.HashTypeNone && (!prehashed || sigAlgorithm != "pkcs1v15") {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
// Get the policy // Get the policy
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{ p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
Storage: req.Storage, Storage: req.Storage,
@@ -630,6 +631,13 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
return logical.ErrorResponse(fmt.Sprintf("key type %v does not support verification", p.Type)), logical.ErrInvalidRequest return logical.ErrorResponse(fmt.Sprintf("key type %v does not support verification", p.Type)), logical.ErrInvalidRequest
} }
// Allow managed keys to specify no hash algo without additional conditions.
if hashAlgorithm == keysutil.HashTypeNone && p.Type != keysutil.KeyType_MANAGED_KEY {
if !prehashed || sigAlgorithm != "pkcs1v15" {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
}
response := make([]batchResponseVerifyItem, len(batchInputItems)) response := make([]batchResponseVerifyItem, len(batchInputItems))
for i, item := range batchInputItems { for i, item := range batchInputItems {
@@ -657,9 +665,11 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
if p.Type.HashSignatureInput() && !prehashed { if p.Type.HashSignatureInput() && !prehashed {
hf := keysutil.HashFuncMap[hashAlgorithm]() hf := keysutil.HashFuncMap[hashAlgorithm]()
if hf != nil {
hf.Write(input) hf.Write(input)
input = hf.Sum(nil) input = hf.Sum(nil)
} }
}
contextRaw := item["context"] contextRaw := item["context"]
var context []byte var context []byte

6
sdk/helper/keysutil/policy.go
View File

@@ -37,7 +37,7 @@ import (
"golang.org/x/crypto/hkdf" "golang.org/x/crypto/hkdf"
"github.com/hashicorp/errwrap" "github.com/hashicorp/errwrap"
uuid "github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/errutil"
"github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/jsonutil"
"github.com/hashicorp/vault/sdk/helper/kdf" "github.com/hashicorp/vault/sdk/helper/kdf"
@@ -148,7 +148,7 @@ func (kt KeyType) SigningSupported() bool {
func (kt KeyType) HashSignatureInput() bool { func (kt KeyType) HashSignatureInput() bool {
switch kt { switch kt {
case KeyType_ECDSA_P256, KeyType_ECDSA_P384, KeyType_ECDSA_P521, KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096: case KeyType_ECDSA_P256, KeyType_ECDSA_P384, KeyType_ECDSA_P521, KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096, KeyType_MANAGED_KEY:
return true return true
} }
return false return false
@@ -247,7 +247,7 @@ type KeyEntry struct {
} }
func (ke *KeyEntry) IsPrivateKeyMissing() bool { func (ke *KeyEntry) IsPrivateKeyMissing() bool {
if ke.RSAKey != nil || ke.EC_D != nil || len(ke.Key) != 0 { if ke.RSAKey != nil || ke.EC_D != nil || len(ke.Key) != 0 || len(ke.ManagedKeyUUID) != 0 {
return false return false
} }