From 85014f98690e4cd7402725e9a4582bab1473d80f Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Mon, 16 Oct 2023 16:31:20 -0400 Subject: [PATCH] Fix Transit managed key fixes - OSS (#23676) (#23678) - This is the OSS parts of the greater enterprise PR to address some issues with signing and encryption within Transit using managed keys. Co-authored-by: Steven Clark --- builtin/logical/transit/path_sign_verify.go | 34 +++++++++++++-------- sdk/helper/keysutil/policy.go | 4 +-- 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/builtin/logical/transit/path_sign_verify.go b/builtin/logical/transit/path_sign_verify.go index 5ef1dcc026..dab48d25fc 100644 --- a/builtin/logical/transit/path_sign_verify.go +++ b/builtin/logical/transit/path_sign_verify.go @@ -336,10 +336,6 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest } - if hashAlgorithm == keysutil.HashTypeNone && (!prehashed || sigAlgorithm != "pkcs1v15") { - return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest - } - // Get the policy p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{ Storage: req.Storage, @@ -360,6 +356,13 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr return logical.ErrorResponse(fmt.Sprintf("key type %v does not support signing", p.Type)), logical.ErrInvalidRequest } + // Allow managed keys to specify no hash algo without additional conditions. + if hashAlgorithm == keysutil.HashTypeNone && p.Type != keysutil.KeyType_MANAGED_KEY { + if !prehashed || sigAlgorithm != "pkcs1v15" { + return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest + } + } + batchInputRaw := d.Raw["batch_input"] var batchInputItems []batchRequestSignItem if batchInputRaw != nil { @@ -402,8 +405,10 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr if p.Type.HashSignatureInput() && !prehashed { hf := keysutil.HashFuncMap[hashAlgorithm]() - hf.Write(input) - input = hf.Sum(nil) + if hf != nil { + hf.Write(input) + input = hf.Sum(nil) + } } contextRaw := item["context"] @@ -589,10 +594,6 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d * return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest } - if hashAlgorithm == keysutil.HashTypeNone && (!prehashed || sigAlgorithm != "pkcs1v15") { - return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest - } - // Get the policy p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{ Storage: req.Storage, @@ -613,6 +614,13 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d * return logical.ErrorResponse(fmt.Sprintf("key type %v does not support verification", p.Type)), logical.ErrInvalidRequest } + // Allow managed keys to specify no hash algo without additional conditions. + if hashAlgorithm == keysutil.HashTypeNone && p.Type != keysutil.KeyType_MANAGED_KEY { + if !prehashed || sigAlgorithm != "pkcs1v15" { + return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest + } + } + response := make([]batchResponseVerifyItem, len(batchInputItems)) for i, item := range batchInputItems { @@ -640,8 +648,10 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d * if p.Type.HashSignatureInput() && !prehashed { hf := keysutil.HashFuncMap[hashAlgorithm]() - hf.Write(input) - input = hf.Sum(nil) + if hf != nil { + hf.Write(input) + input = hf.Sum(nil) + } } contextRaw := item["context"] diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index d67f9f67a9..f17a1f8011 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -33,7 +33,7 @@ import ( "golang.org/x/crypto/hkdf" "github.com/hashicorp/errwrap" - uuid "github.com/hashicorp/go-uuid" + "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/kdf" @@ -142,7 +142,7 @@ func (kt KeyType) SigningSupported() bool { func (kt KeyType) HashSignatureInput() bool { switch kt { - case KeyType_ECDSA_P256, KeyType_ECDSA_P384, KeyType_ECDSA_P521, KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096: + case KeyType_ECDSA_P256, KeyType_ECDSA_P384, KeyType_ECDSA_P521, KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096, KeyType_MANAGED_KEY: return true } return false