
Allow specifying key type during issuance #209

Merged (1 commit), Mar 19, 2024

Conversation

cipherboy (Member)

@cipherboy cipherboy commented Mar 16, 2024

When a role explicitly allows any key type, certificates of any type or size can be issued via the pki/sign/:role endpoint. However, issuing with OpenBao-generated key material isn't possible as OpenBao doesn't know what key type to assign. Thus, introduce new key_type and key_bits parameters, letting callers opt-in to specific certificate types.

Resolves: #188
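As an added illustration of the opt-in described above (example code written for this page, not OpenBao's implementation), the following Go model shows why a role with key_type "any" cannot silently pick a type for server-generated key material: the caller's key_type and key_bits are required, validated against the role, and only then used to generate a key. The permitted sizes, defaults and validation rules here are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// Assumed permitted sizes per key type; the first entry is the assumed default.
var allowedBits = map[string][]int{"rsa": {2048, 3072, 4096}, "ec": {256, 384, 521}, "ed25519": {0}}

// resolveKeySpec reconciles the role's key_type with the caller's key_type/key_bits: a role with key_type "any" forces the caller to choose, any other role pins the type.
func resolveKeySpec(roleType, reqType string, reqBits int) (string, int, error) {
	typ := reqType
	if roleType != "any" {
		if reqType != "" && reqType != roleType {
			return "", 0, fmt.Errorf("key_type %q conflicts with role key_type %q", reqType, roleType)
		}
		typ = roleType
	} else if reqType == "" {
		return "", 0, fmt.Errorf("role allows any key type: key_type must be specified")
	}
	bits := reqBits
	if bits == 0 && len(allowedBits[typ]) > 0 {
		bits = allowedBits[typ][0] // assumed default size for the type
	}
	for _, s := range allowedBits[typ] {
		if s == bits {
			return typ, bits, nil
		}
	}
	return "", 0, fmt.Errorf("key_type %q with key_bits %d is not permitted", typ, bits)
}

// generateKey produces private key material matching a resolved (type, bits) pair.
func generateKey(typ string, bits int) (crypto.Signer, error) {
	switch typ {
	case "rsa":
		return rsa.GenerateKey(rand.Reader, bits)
	case "ec":
		curves := map[int]elliptic.Curve{256: elliptic.P256(), 384: elliptic.P384(), 521: elliptic.P521()}
		return ecdsa.GenerateKey(curves[bits], rand.Reader)
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader) // only ed25519 passes resolveKeySpec otherwise
	return priv, err
}
```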

@cipherboy cipherboy force-pushed the pki-any-key-type-issuance branch 2 times, most recently from 126a868 to 9acd8c5 Compare March 16, 2024 15:18
@naphelps naphelps self-requested a review March 18, 2024 13:32
When a role explicitly allows any key type, certificates of any type or
size can be issued via the pki/sign/:role endpoint. However, issuing
with OpenBao-generated key material isn't possible as OpenBao doesn't
know what key type to assign. Thus, introduce new key_type and key_bits
parameters, letting callers opt-in to specific certificate types.

Resolves: openbao#188

Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
@cipherboy (Member, Author)

Never seen this flake before, it seems unrelated as it is in Core (unmodified):

2024-03-19T21:19:27.5496884Z 
2024-03-19T21:19:27.5497203Z ##[endgroup]
2024-03-19T21:19:27.5947224Z ##[group]FAIL vault.TestOIDC_PeriodicFunc/test-key-nil-next-signing-key (4.25s)
2024-03-19T21:19:27.5948616Z 2024-03-19T21:19:23.240Z [INFO]  TestOIDC_PeriodicFunc/test-key-nil-next-signing-key: creating error injector
2024-03-19T21:19:27.5950325Z     identity_store_oidc_test.go:1165: For key: test-key-nil-next-signing-key at cycle: 2 expected namedKey's KeyRing to be at least of length 3 but was: 2
2024-03-19T21:19:27.5952325Z     identity_store_oidc_test.go:1176: For key: test-key-nil-next-signing-key at cycle: 2 expected public keys to be at least of length 3 but was: 2

@naphelps naphelps merged commit eebb2a4 into openbao:main Mar 19, 2024
73 of 74 checks passed
Successfully merging this pull request may close these issues.

PKI - Allow issuance with key_type=any