Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: PKI: Unset the SignatureAlgorithm for cross-signing of different key types #8157

Closed
wants to merge 1 commit into from
Closed

WIP: PKI: Unset the SignatureAlgorithm for cross-signing of different key types #8157

wants to merge 1 commit into from

Conversation

catsby
Copy link
Member

@catsby catsby commented Jan 15, 2020

WIP / Draft: Do not merge

This implements the request from #7709 by unsetting the received certificates signing algorithm, allowing cross-signing of different key types (ex: RSA cross-signs and EC type cert). The obvious trade-off is that the x509.CreateCertificate function will no longer verify the signing algorithms match, so this feels like something that should be gated behind an additional flag or required parameter, so that this behavior is opt-in as opposed to performing this on every cert.

I'd like feedback on some items:

  • Is this a bad idea
  • Is this something Vault should offer
    • If yes, are there any additional things we should test here?
    • If yes, should this be gated behind a opt-in flag like skip-type-verify

jefferai
jefferai reviewed Feb 10, 2020
View reviewed changes
builtin/logical/pki/path_root.go
@@ -429,6 +429,10 @@ func (b *backend) pathCASignSelfIssued(ctx context.Context, req *logical.Request
cert.CRLDistributionPoints = urls.CRLDistributionPoints
cert.OCSPServer = urls.OCSPServers

// clear out the signature algorithm. This allows cross-signing certificates
// of different key types, at the cost of verifying the algorithm used.
cert.SignatureAlgorithm = x509.UnknownSignatureAlgorithm
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be a better idea to look at the public key from the certificate to be signed and set appropriately?

@markan
Copy link

markan commented Aug 9, 2021

Hello from the Consul team!
We were looking at hashicorp/consul#9268 and found this PR by way of issue #7709. We've verified that this change does seem to fix the consul issue.

What is needed to merge this PR? Does this approach seem reasonable to the vault team?

@sgmiller sgmiller mentioned this pull request Sep 8, 2021
Merged
@catsby catsby closed this Apr 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jefferai jefferai jefferai left review comments

@briankassouf briankassouf Awaiting requested review from briankassouf

Assignees
No one assigned
Labels
secret/pki
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@catsby @markan @jefferai @tyrannosaurus-becks