Skip to content

Commit

Permalink
backport of commit bc4be73 (#23679)
Browse files Browse the repository at this point in the history 
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
  • Loading branch information
@hc-github-team-secure-vault-core @stevendpclark
hc-github-team-secure-vault-core and stevendpclark authored Oct 16, 2023
1 parent 3a7643d commit 77f8d45
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 15 deletions.
34 changes: 22 additions & 12 deletions builtin/logical/transit/path_sign_verify.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -353,10 +353,6 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}

if hashAlgorithm == keysutil.HashTypeNone && (!prehashed || sigAlgorithm != "pkcs1v15") {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}

// Get the policy
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
Storage: req.Storage,
Expand All @@ -377,6 +373,13 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr
return logical.ErrorResponse(fmt.Sprintf("key type %v does not support signing", p.Type)), logical.ErrInvalidRequest
}

// Allow managed keys to specify no hash algo without additional conditions.
if hashAlgorithm == keysutil.HashTypeNone && p.Type != keysutil.KeyType_MANAGED_KEY {
if !prehashed || sigAlgorithm != "pkcs1v15" {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
}

batchInputRaw := d.Raw["batch_input"]
var batchInputItems []batchRequestSignItem
if batchInputRaw != nil {
Expand Down Expand Up @@ -419,8 +422,10 @@ func (b *backend) pathSignWrite(ctx context.Context, req *logical.Request, d *fr

if p.Type.HashSignatureInput() && !prehashed {
hf := keysutil.HashFuncMap[hashAlgorithm]()
hf.Write(input)
input = hf.Sum(nil)
if hf != nil {
hf.Write(input)
input = hf.Sum(nil)
}
}

contextRaw := item["context"]
Expand Down Expand Up @@ -606,10 +611,6 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}

if hashAlgorithm == keysutil.HashTypeNone && (!prehashed || sigAlgorithm != "pkcs1v15") {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}

// Get the policy
p, _, err := b.GetPolicy(ctx, keysutil.PolicyRequest{
Storage: req.Storage,
Expand All @@ -630,6 +631,13 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *
return logical.ErrorResponse(fmt.Sprintf("key type %v does not support verification", p.Type)), logical.ErrInvalidRequest
}

// Allow managed keys to specify no hash algo without additional conditions.
if hashAlgorithm == keysutil.HashTypeNone && p.Type != keysutil.KeyType_MANAGED_KEY {
if !prehashed || sigAlgorithm != "pkcs1v15" {
return logical.ErrorResponse("hash_algorithm=none requires both prehashed=true and signature_algorithm=pkcs1v15"), logical.ErrInvalidRequest
}
}

response := make([]batchResponseVerifyItem, len(batchInputItems))

for i, item := range batchInputItems {
Expand Down Expand Up @@ -657,8 +665,10 @@ func (b *backend) pathVerifyWrite(ctx context.Context, req *logical.Request, d *

if p.Type.HashSignatureInput() && !prehashed {
hf := keysutil.HashFuncMap[hashAlgorithm]()
hf.Write(input)
input = hf.Sum(nil)
if hf != nil {
hf.Write(input)
input = hf.Sum(nil)
}
}

contextRaw := item["context"]
Expand Down
6 changes: 3 additions & 3 deletions sdk/helper/keysutil/policy.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ import (
"golang.org/x/crypto/hkdf"

"github.com/hashicorp/errwrap"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/helper/errutil"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
"github.com/hashicorp/vault/sdk/helper/kdf"
Expand Down Expand Up @@ -148,7 +148,7 @@ func (kt KeyType) SigningSupported() bool {

func (kt KeyType) HashSignatureInput() bool {
switch kt {
case KeyType_ECDSA_P256, KeyType_ECDSA_P384, KeyType_ECDSA_P521, KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096:
case KeyType_ECDSA_P256, KeyType_ECDSA_P384, KeyType_ECDSA_P521, KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096, KeyType_MANAGED_KEY:
return true
}
return false
Expand Down Expand Up @@ -247,7 +247,7 @@ type KeyEntry struct {
}

func (ke *KeyEntry) IsPrivateKeyMissing() bool {
if ke.RSAKey != nil || ke.EC_D != nil || len(ke.Key) != 0 {
if ke.RSAKey != nil || ke.EC_D != nil || len(ke.Key) != 0 || len(ke.ManagedKeyUUID) != 0 {
return false
}

Expand Down

0 comments on commit 77f8d45

Please sign in to comment.