
Add support for importing RSA-PSS keys into Transit #19519

Merged
merged 2 commits into from
Mar 13, 2023

Conversation

cipherboy
Contributor

RSA-PSS keys would fail with the error:

$ vault transit import transit/keys/OS_key_test2 @newkey-pss.der.b64 type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
failed to call import:Error making API request.

URL: PUT http://localhost:8200/v1/transit/keys/OS_key_test2/import
Code: 500. Errors:

* 1 error occurred:
	* error importing key: error parsing asymmetric key: x509: PKCS#8 wrapping contained private key with unknown algorithm: 1.2.840.113549.1.1.10

This adds custom PKCS8 parsing along the lines of our existing Ed25519 key parsing, though much simpler since the inner structure is simply a PKCS1 blob (which can be decoded by the standard library).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
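The parsing approach described above, as an added Go example that is not Vault's own code: ParseRSAPSSPKCS8 and WrapRSAPSSPKCS8 are hypothetical names, the PrivateKeyInfo structure follows RFC 5208, and the constructed key carries no RSASSA-PSS-params. The parser unwraps the PKCS#8 layer with encoding/asn1, checks for the 1.2.840.113549.1.1.10 OID from the error message, and lets crypto/x509 decode the inner PKCS#1 blob, which is the step x509.ParsePKCS8PrivateKey refuses.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// id-RSASSA-PSS: the OID the standard PKCS#8 parser reports as unknown.
var oidRSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}

// pkcs8 mirrors the outer PrivateKeyInfo SEQUENCE of RFC 5208.
type pkcs8 struct {
	Version    int
	Algo       pkix.AlgorithmIdentifier // parameters, if present, are kept as a RawValue
	PrivateKey []byte                   // OCTET STRING carrying a PKCS#1 RSAPrivateKey
}

// ParseRSAPSSPKCS8 (hypothetical name) strips the PKCS#8 wrapper, checks the
// algorithm OID, and hands the inner PKCS#1 blob to the standard library.
func ParseRSAPSSPKCS8(der []byte) (*rsa.PrivateKey, error) {
	var info pkcs8
	rest, err := asn1.Unmarshal(der, &info)
	if err != nil {
		return nil, fmt.Errorf("pkcs8: %w", err)
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("pkcs8: %d trailing bytes after PrivateKeyInfo", len(rest))
	}
	if !info.Algo.Algorithm.Equal(oidRSAPSS) {
		return nil, fmt.Errorf("pkcs8: not RSASSA-PSS: %v", info.Algo.Algorithm)
	}
	return x509.ParsePKCS1PrivateKey(info.PrivateKey)
}

// WrapRSAPSSPKCS8 builds a constructed RSA-PSS PKCS#8 blob (no PSS params) for testing.
func WrapRSAPSSPKCS8(key *rsa.PrivateKey) ([]byte, error) {
	algo := pkix.AlgorithmIdentifier{Algorithm: oidRSAPSS}
	return asn1.Marshal(pkcs8{Algo: algo, PrivateKey: x509.MarshalPKCS1PrivateKey(key)})
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed test key, not a real import
	der, _ := WrapRSAPSSPKCS8(key)
	_, stdErr := x509.ParsePKCS8PrivateKey(der) // fails: unknown algorithm 1.2.840.113549.1.1.10
	got, err := ParseRSAPSSPKCS8(der)
	fmt.Println(stdErr, "|", err == nil && got.N.Cmp(key.N) == 0)
}
```

Keys exported by other tools may carry RSASSA-PSS-params (hash, MGF, salt length) in the AlgorithmIdentifier; this parser accepts and ignores them, so any restriction they encode is not enforced on the imported key.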
@cipherboy cipherboy force-pushed the cipherboy-pss-for-transit-byok branch from ea59a94 to 77c8616 Compare March 13, 2023 16:34
Contributor

@schultz-is schultz-is left a comment


lgtm

@cipherboy cipherboy enabled auto-merge (squash) March 13, 2023 16:39
@cipherboy cipherboy merged commit 9e18897 into main Mar 13, 2023
raymonstah pushed a commit that referenced this pull request Mar 17, 2023
* Add support for importing RSA-PSS keys in Transit

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy deleted the cipherboy-pss-for-transit-byok branch April 21, 2023 13:06