Fix Transit managed key fixes - OSS (#23676) (#23678)

- This is the OSS part of the larger enterprise PR to address some
   issues with signing and encryption within Transit using managed keys.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
hc-github-team-secure-vault-core
2023-10-16 16:31:20 -04:00
committed by GitHub
parent 5fd86cfe55
commit 85014f9869
2 changed files with 24 additions and 14 deletions


@@ -336,10 +336,6 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
if hashAlgorithm == keysutil.HashTypeNone && (!prehashed || sigAlgorithm != "pkcs1v15") {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
// Get the policy
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
Storage: req.Storage,
@@ -360,6 +356,13 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
return logical.ErrorResponse(fmt.Sprintf("key type %v does not support signing", p.Type)), logical.ErrInvalidRequest
}
// Allow managed keys to specify no hash algo without additional conditions.
if hashAlgorithm == keysutil.HashTypeNone && p.Type != keysutil.KeyType_MANAGED_KEY {
if !prehashed || sigAlgorithm != "pkcs1v15" {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
}
batchInputRaw := d.Raw["batch_input"]
var batchInputItems []batchRequestSignItem
if batchInputRaw != nil {
@@ -402,8 +405,10 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
if p.Type.HashSignatureInput() && !prehashed {
hf := keysutil.HashFuncMap[hashAlgorithm]()
hf.Write(input)
input = hf.Sum(nil)
if hf != nil {
hf.Write(input)
input = hf.Sum(nil)
}
}
contextRaw := item["context"]
@@ -589,10 +594,6 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
if hashAlgorithm == keysutil.HashTypeNone && (!prehashed || sigAlgorithm != "pkcs1v15") {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
// Get the policy
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
Storage: req.Storage,
@@ -613,6 +614,13 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
return logical.ErrorResponse(fmt.Sprintf("key type %v does not support verification", p.Type)), logical.ErrInvalidRequest
}
// Allow managed keys to specify no hash algo without additional conditions.
if hashAlgorithm == keysutil.HashTypeNone && p.Type != keysutil.KeyType_MANAGED_KEY {
if !prehashed || sigAlgorithm != "pkcs1v15" {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
}
response := make([]batchResponseVerifyItem, len(batchInputItems))
for i, item := range batchInputItems {
@@ -640,8 +648,10 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
if p.Type.HashSignatureInput() && !prehashed {
hf := keysutil.HashFuncMap[hashAlgorithm]()
hf.Write(input)
input = hf.Sum(nil)
if hf != nil {
hf.Write(input)
input = hf.Sum(nil)
}
}
contextRaw := item["context"]
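Review bot: The `if hf != nil` guard added to the hashing block of pathSignWrite comes after `keysutil.HashFuncMap[hashAlgorithm]()` has already called the map value, so a missing or nil constructor for `keysutil.HashTypeNone` would panic before the guard runs. That path is newly reachable, because managed keys may now send `hash_algorithm=none` without `prehashed=true` and HashSignatureInput returns true for them; HashFuncMap is not visible here, so confirm this against its definition. Checking the constructor before calling it is safe either way: `if newHash := keysutil.HashFuncMap[hashAlgorithm]; newHash != nil {` with `hf := newHash()` as the first line inside. The same applies to the matching block in pathVerifyWrite, in the last hunk of this file. Both functions start and end outside the hunks shown.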


@@ -33,7 +33,7 @@ import (
"golang.org/x/crypto/hkdf"
"github.com/hashicorp/errwrap"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/helper/errutil"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
"github.com/hashicorp/vault/sdk/helper/kdf"
@@ -142,7 +142,7 @@ func (kt KeyType) SigningSupported() bool {
func (kt KeyType) HashSignatureInput() bool {
switch kt {
case KeyType_ECDSA_P256, KeyType_ECDSA_P384, KeyType_ECDSA_P521, KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096:
case KeyType_ECDSA_P256, KeyType_ECDSA_P384, KeyType_ECDSA_P521, KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096, KeyType_MANAGED_KEY:
return true
}
return false
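Review bot: HashSignatureInput has no doc comment in the visible hunk, and adding `KeyType_MANAGED_KEY` to its case list changes what callers have to handle, which is worth writing down. For managed keys the hash algorithm may be none (the sign and verify paths in this commit allow it), so a caller that hashes whenever this returns true must cope with there being no hash function. Suggested comment: `// HashSignatureInput reports whether callers should hash the input before signing or verifying when it is not prehashed. For KeyType_MANAGED_KEY the hash algorithm may be none, in which case the input is passed through unhashed.` The function's closing brace is outside the hunk.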