Backport of pki: When a role sets key_type to any ignore key_bits value when signing a csr into release/1.11.x #16260
Backport
This PR is auto-generated from #16246 to be assessed for backporting due to the inclusion of the label backport/1.11.x.
WARNING automatic cherry-pick of commits failed. Commits will require human attention.
The below text is copied from the body of the original PR.
This addresses issue #16237.

When signing a CSR using the `/sign/<:role name>` API method we validate that the CSR matches up with the role's `key_type` and `key_bits` values. If the `key_type` is set to `any`, these checks don't really make sense, and these checks were effectively bypassed when the `key_bits` value was set to the current default value of 0.

The issue that was missed was that the default value for a created role's `key_bits` parameter was changed in 1.10 from 2048 to 0. So effectively the fix we previously made within PR #14875 addressed the issue, but only when the role was created in Vault 1.10 and higher.

Now we bypass the validation for the role's `key_bits` value when signing CSRs if the `key_type` is set to `any`. We still validate the key is at least 2048 for RSA backed CSRs as we did in 1.9.x and lower.

Overview of commits