Remove signature_bits on intermediate generate #15478
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This extraneous field wasn't respected during intermediate generation and it isn't clear that it should be. Strictly, this field, if it were to exist, would control the CSR's internal signature algorithm (certutil defaults to the sane SHA-256 here). However, there's little value in changing this as the signing authority can and probably will override the final certificate's signature bits value, completely ignoring whatever was in the provided CSR. Removing this field will now cause warnings for those providing the parameter (which already wasn't respected), which is the desired behavior. No breakage should occur as a result of this change. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy
force-pushed
the
cipherboy-remove-signature-bits-intermediate-csr
branch
from
4767233
to
5a57881
Compare
stevendpclark
approved these changes
May 18, 2022
Gabrielopesantos
pushed a commit
to Gabrielopesantos/vault
that referenced
this pull request
Jun 6, 2022
* Remove signature_bits on intermediate generate This extraneous field wasn't respected during intermediate generation and it isn't clear that it should be. Strictly, this field, if it were to exist, would control the CSR's internal signature algorithm (certutil defaults to the sane SHA-256 here). However, there's little value in changing this as the signing authority can and probably will override the final certificate's signature bits value, completely ignoring whatever was in the provided CSR. Removing this field will now cause warnings for those providing the parameter (which already wasn't respected), which is the desired behavior. No breakage should occur as a result of this change. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy
added a commit
that referenced
this pull request
Jun 23, 2022
This endpoint was lacking the signature_bits field like all the other endpoints. Notably, in #15478, the ability to customize the intermediate CSR's signature bits was removed without checking for the ability to customize the final (root-signed) intermediate certificate's value. This adds in that missing ability, bringing us parity with root generation and role-based signing. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy
added a commit
that referenced
this pull request
Jun 23, 2022
* Add signature_bits to sign-intermediate This endpoint was lacking the signature_bits field like all the other endpoints. Notably, in #15478, the ability to customize the intermediate CSR's signature bits was removed without checking for the ability to customize the final (root-signed) intermediate certificate's value. This adds in that missing ability, bringing us parity with root generation and role-based signing. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add signature_bits to sign-verbatim This endpoint was also lacking the signature_bits field, preventing other signature hash functions from being utilized here. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This extraneous field wasn't respected during intermediate generation
and it isn't clear that it should be. Strictly, this field, if it were
to exist, would control the CSR's internal signature algorithm (certutil
defaults to the sane SHA-256 here). However, there's little value in
changing this as the signing authority can and probably will override
the final certificate's signature bits value, completely ignoring
whatever was in the provided CSR.
Removing this field will now cause warnings for those providing the
parameter (which already wasn't respected), which is the desired
behavior. No breakage should occur as a result of this change.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>By removing this field, we now get a warning when it is specified:
Note this removes the path-help; no API docs for this parameter existed (it probably should for root generation though).