Backport of pki: When a role sets key_type to any ignore key_bits value when signing a csr into release/1.11.x #16260


hc-github-team-secure-vault-core
Collaborator

Backport

This PR is auto-generated from #16246 to be assessed for backporting due to the inclusion of the label backport/1.11.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

merge conflict error: POST https://api.github.com/repos/hashicorp/vault/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


This addresses issue #16237.

When signing a CSR using the /sign/<:role name> API method, we validate that the CSR matches up with the role's key_type and key_bits values. If the key_type is set to any, these checks don't really make sense, and these checks were effectively bypassed when the key_bits value was set to the current default value of 0.

The issue that was missed was that the default value for a created role's key_bits parameter was changed in 1.10 from 2048 to 0. So effectively the fix we previously made within PR #14875 addressed the issue, but only when the role was created in Vault 1.10 and higher.

Now we bypass the validation for the role's key_bits value when signing CSRs if the key_type is set to any. We still validate the key is at least 2048 for RSA backed CSRs as we did in 1.9.x and lower.
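
The rule described in the PR body above, sketched in Go as an added example; it is not Vault's code and not part of the original PR. The `Role` type, `checkCSRKey` and the sample keys are hypothetical names, and treating a `key_bits` of 0 as "no size pinned" for roles other than `any` is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// Role carries the two role fields discussed above (hypothetical type).
type Role struct {
	KeyType string // "rsa", "ec" or "any"
	KeyBits int    // roles created before 1.10 default to 2048, newer ones to 0
}

// checkCSRKey reports whether a CSR's public key is acceptable for the role.
func checkCSRKey(role Role, pub any) error {
	kind, bits := "", 0
	switch k := pub.(type) {
	case *rsa.PublicKey:
		kind, bits = "rsa", k.N.BitLen()
	case *ecdsa.PublicKey:
		kind, bits = "ec", k.Curve.Params().BitSize
	default:
		return fmt.Errorf("unsupported key type %T", pub)
	}
	if role.KeyType == "any" {
		// The stored role.KeyBits is ignored here; only the RSA floor remains.
		if kind == "rsa" && bits < 2048 {
			return fmt.Errorf("RSA key is %d bits, minimum is 2048", bits)
		}
		return nil
	}
	if role.KeyType != kind || (role.KeyBits != 0 && role.KeyBits != bits) {
		return fmt.Errorf("CSR key %s/%d does not match role %s/%d", kind, bits, role.KeyType, role.KeyBits)
	}
	return nil
}

// Constructed sample inputs: not usable keys, only their type and size matter.
var sampleP256 = &ecdsa.PublicKey{Curve: elliptic.P256()}
func sampleRSA(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1)), E: 65537}
}

func main() {
	old := Role{KeyType: "any", KeyBits: 2048} // role created before 1.10
	fmt.Println(checkCSRKey(old, sampleP256), checkCSRKey(old, sampleRSA(1024)))
}
```

A role stored with `key_type=any` and the old default `key_bits=2048` accepts a P-256 CSR under this rule, while a 1024-bit RSA CSR is still refused.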



hashicorp-cla commented Jul 8, 2022

CLA assistant check
All committers have signed the CLA.

…ing a csr (#16246)

* pki: When a role sets key_type to any ignore key_bits value when signing

 - Bypass the validation for the role's key_bits value when signing CSRs
   if the key_type is set to any. We still validate the key is at least
   2048 for RSA backed CSRs as we did in 1.9.x and lower.
stevendpclark force-pushed the backport/stevendpclark/vault-6913-fix-pki-signing/oddly-darling-walrus branch from 08fbddb to 60e8ff2 (July 8, 2022 15:09)
stevendpclark marked this pull request as ready for review (July 8, 2022 15:10)
stevendpclark enabled auto-merge (squash) (July 8, 2022 17:41)
stevendpclark merged commit fdffa69 into release/1.11.x (Jul 8, 2022)
stevendpclark deleted the backport/stevendpclark/vault-6913-fix-pki-signing/oddly-darling-walrus branch (July 8, 2022 17:59)