New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add PSS support to PKI Secrets Engine #16519

Merged

cipherboy merged 12 commits into main from cipherboy-add-pss-support-to-pki

Aug 3, 2022

Contributor

cipherboy commented Aug 1, 2022

Noting that NIST is deprecating PKCS#1v1.5 signatures here at the end of December 2023, we've gone ahead and added PSS support for RSA-typed issuers in the PKI Secrets Mount.

This introduces two changes:

use_pss on roles and signing endpoints (such as /sign-verbatim &c) -- this allows us to create self-signed roots & intermediates using the PSS algorithm.
Setting a revocation_signature_algorithm on the Issuer, allowing us to choose override the default signature on CRLs &c.

This should let us work with PSS-only keys in the future (from say, a HSM) in Vault Enterprise within the PKI mount.

cipherboy requested a review from taoism4504 as a code owner

August 1, 2022 15:02

cipherboy added the secret/pki label

cipherboy added this to the 1.12.0-rc1 milestone

cipherboy force-pushed the cipherboy-add-pss-support-to-pki branch from d3868c8 to e9a2830 Compare

August 1, 2022 15:06

cipherboy requested review from kitography, stevendpclark and a team

August 1, 2022 15:08

cipherboy added the enhancement label

stevendpclark requested changes

View reviewed changes

Contributor

stevendpclark left a comment •

edited

Loading

Overall this looks good, and thanks for the tests! A few nits we can discuss if you feel they are too much.

builtin/logical/pki/path_fetch_issuers.go Outdated Show resolved Hide resolved

builtin/logical/pki/path_manage_issuers.go Show resolved Hide resolved

builtin/logical/pki/path_roles.go Outdated Show resolved Hide resolved

builtin/logical/pki/path_root.go Outdated Show resolved Hide resolved

sdk/helper/certutil/helpers.go Outdated Show resolved Hide resolved

cipherboy force-pushed the cipherboy-add-pss-support-to-pki branch from 68c1449 to de8f8f4 Compare

August 3, 2022 13:46

cipherboy added 10 commits

August 3, 2022 09:46


          Add PSS signature support to Vault PKI engine

4335d78

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Use issuer's RevocationSigAlg for CRL signing

7dc5df5

We introduce a new parameter on issuers, revocation_signature_algorithm
to control the signature algorithm used during CRL signing. This is
because the SignatureAlgorithm value from the certificate itself is
incorrect for this purpose: a RSA root could sign an ECDSA intermediate
with say, SHA256WithRSA, but when the intermediate goes to sign a CRL,
it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When
coupled with support for PSS-only keys, allowing the user to set the
signature algorithm value as desired seems like the best approach.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Add use_pss, revocation_signature_algorithm docs

e7fca28

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Add PSS to signature role issuance test matrix

222281c

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Add changelog

ec66c0b

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Allow roots to self-identify revocation alg

67e3fe6

When using PSS support with a managed key, sometimes the underlying
device will not support PKCS#1v1.5 signatures. This results in CRL
building failing, unless we update the entry's signature algorithm
prior to building the CRL for the new root.

With a RSA-type key and use_pss=true, we use the signature bits value to
decide which hash function to use for PSS support.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Add clearer error message on failed import

729b79c

When CRL building fails during cert/key import, due to PSS failures,
give a better indication to the user that import succeeded its just CRL
building that failed. This tells them the parameter to adjust on the
issuer and warns that CRL building will fail until this is fixed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Add case insensitive SigAlgo matching

d86150b

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Convert UsePSS back to regular bool

a981c4e

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


          Refactor PSS->certTemplate into helper function

585f65e

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

cipherboy force-pushed the cipherboy-add-pss-support-to-pki branch from de8f8f4 to 585f65e Compare

August 3, 2022 13:47

stevendpclark approved these changes

View reviewed changes

Contributor

stevendpclark left a comment

👍


          Proper string output on rev_sig_alg display

3436a74

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

sgmiller reviewed

View reviewed changes

builtin/logical/pki/path_root.go Outdated Show resolved Hide resolved


          Copy root's SignatureAlgorithm for CRL building

cd8c973

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

cipherboy force-pushed the cipherboy-add-pss-support-to-pki branch from ffcc841 to cd8c973 Compare

August 3, 2022 15:50

cipherboy merged commit ce7f0ff into main

Contributor Author

cipherboy commented Aug 3, 2022

Thanks all! Merged...

cipherboy deleted the cipherboy-add-pss-support-to-pki branch

December 1, 2022 14:58

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment