New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VaultTransitSecretEngine.readKey fails with asymmetric keys #16988
Comments
/cc @vsevel |
@vsevel Hi Vincent, would adding |
@sberyozkin I will be looking at it tonight |
To be clear in the JSON for symmetric keys, the Because of the dynamic nature of the 'type' field (i.e. Vault can add new key types at will), I would imagine a custom deserializer is more appropriate than a scheme based on polymorphic decoding (e.g. |
@kdubb That would require users casting and doing |
…etric keys This fixes the current failure to read asymmetric keys while adding more information in a backwards compatible and futue proof format. Fixes quarkusio#16988 ### DTO Changes * Changes `VaultTransitReadKeyData.keys` to be a list of `VaultTransitKeyVersionData`(which can contain any key data) * Uses custom deserializer on `VaultTransitReadKeyData.keys` to allow `VaultTransitKeyVersionData` values to be deserialized from an integer timestamp or a map of info values. * Added missing `latest_version`, ‘min_available_version` and `type` fields to `VaultTransitReadKeyData` ### API Changes * Made `VaultTransitKeyDetail` abstract, subclasses for symmetric (`VaultTransitSymmetricKeyDetail`) and asymmetric (`VaultTransitAsymmetricKeyDetail`) keys are provided. * Added abstract `versions` to `VaultTransitKeyDetail` which is a `Map<String, ? extends VaultTransitKeyDetail>`, subclasses of `VaultTransitKeyDetail` provide a concrete `versions` property with an unambiguous type. * * E.g. `VaultTransitAsymmetricKeyDetail.versions` is defined as `Map<String, VaultTransitAsymmetricKey>` * * Allows users to test the key detail type once (via `instanceof`) and downcast to a specifically typed list of version data. * Added `latestVersion`, `minAvailableVersion` and `type` properties to `VaultTransitKeyDetail` * Changes are additive and therefore backwards compatible * Deprecates the `keys` property as `versions` provides the same information in a more easily accessible format and is future proof for adding more properties as Vault makes changes to the API. ### Tests * Added integration test cases for reading ECDSA, RSA and AES keys ### Miscellaneous * Added `JavaTimeModule` to the mapper used for vault responses.
…etric keys This fixes the current failure to read asymmetric keys while adding more information in a backwards compatible and futue proof format. Fixes quarkusio#16988 ### DTO Changes * Changes `VaultTransitReadKeyData.keys` to be a list of `VaultTransitKeyVersionData`(which can contain any key data) * Uses custom deserializer on `VaultTransitReadKeyData.keys` to allow `VaultTransitKeyVersionData` values to be deserialized from an integer timestamp or a map of info values. * Added missing `latest_version`, `min_available_version` and `type` fields to `VaultTransitReadKeyData` ### API Changes * Made `VaultTransitKeyDetail` abstract, subclasses for symmetric (`VaultTransitSymmetricKeyDetail`) and asymmetric (`VaultTransitAsymmetricKeyDetail`) keys are provided. * Added abstract `versions` property to `VaultTransitKeyDetail` which is a `Map<String, ? extends VaultTransitKeyVersion>`, subclasses of `VaultTransitKeyDetail` provide a concrete `versions` property with an unambiguous type. * * E.g. `VaultTransitAsymmetricKeyDetail.versions` is defined as `Map<String, VaultTransitAsymmetricKeyVersion>` * * Allows users to test the key detail type once (via `instanceof`) and downcast to a detailt type that has a specifically typed list of versions. * `VaultTransitKeyVersion` is abstract also, with subclasses for asymmetric (`VaultTransitAsymmetricKeyVersion`) and symmetric (`VaultTransitSymmetricKeyVersion`) keys * Added `latestVersion`, `minAvailableVersion` and `type` properties to `VaultTransitKeyDetail` * Changes are additive and therefore backwards compatible * Deprecates the `keys` property as `versions` provides the same information in a more easily accessible format and is future proof for adding more properties as Vault makes changes to the API. ### Tests * Added integration test cases for reading ECDSA, RSA and AES keys ### Miscellaneous * Added `JavaTimeModule` to the mapper used for vault responses.
@sberyozkin PR #17024 fixes this issue, it adds a new @vsevel It needs a reviewer but I'm not sure how to add one. |
…etric keys This fixes the current failure to read asymmetric keys while adding more information in a backwards compatible and futue proof format. Fixes quarkusio#16988 ### DTO Changes * Changes `VaultTransitReadKeyData.keys` to be a list of `VaultTransitKeyVersionData`(which can contain any key data) * Uses custom deserializer on `VaultTransitReadKeyData.keys` to allow `VaultTransitKeyVersionData` values to be deserialized from an integer timestamp or a map of info values. * Added missing `latest_version`, `min_available_version` and `type` fields to `VaultTransitReadKeyData` ### API Changes * Made `VaultTransitKeyDetail` abstract, subclasses for symmetric (`VaultTransitSymmetricKeyDetail`) and asymmetric (`VaultTransitAsymmetricKeyDetail`) keys are provided. * Added abstract `versions` property to `VaultTransitKeyDetail` which is a `Map<String, ? extends VaultTransitKeyVersion>`, subclasses of `VaultTransitKeyDetail` provide a concrete `versions` property with an unambiguous type. * * E.g. `VaultTransitAsymmetricKeyDetail.versions` is defined as `Map<String, VaultTransitAsymmetricKeyVersion>` * * Allows users to test the key detail type once (via `instanceof`) and downcast to a detailt type that has a specifically typed list of versions. * `VaultTransitKeyVersion` is abstract also, with subclasses for asymmetric (`VaultTransitAsymmetricKeyVersion`) and symmetric (`VaultTransitSymmetricKeyVersion`) keys * Added `latestVersion`, `minAvailableVersion` and `type` properties to `VaultTransitKeyDetail` * Changes are additive and therefore backwards compatible * Deprecates the `keys` property as `versions` provides the same information in a more easily accessible format and is future proof for adding more properties as Vault makes changes to the API. ### Tests * Added integration test cases for reading ECDSA, RSA and AES keys ### Miscellaneous * Added `JavaTimeModule` to the mapper used for vault responses.
…etric keys This fixes the current failure to read asymmetric keys while adding more information in a backwards compatible and futue proof format. Fixes quarkusio#16988 * Changes `VaultTransitReadKeyData.keys` to be a list of `VaultTransitKeyVersionData`(which can contain any key data) * Uses custom deserializer on `VaultTransitReadKeyData.keys` to allow `VaultTransitKeyVersionData` values to be deserialized from an integer timestamp or a map of info values. * Added missing `latest_version`, `min_available_version` and `type` fields to `VaultTransitReadKeyData` * Made `VaultTransitKeyDetail` abstract, subclasses for symmetric (`VaultTransitSymmetricKeyDetail`) and asymmetric (`VaultTransitAsymmetricKeyDetail`) keys are provided. * Added abstract `versions` property to `VaultTransitKeyDetail` which is a `Map<String, ? extends VaultTransitKeyVersion>`, subclasses of `VaultTransitKeyDetail` provide a concrete `versions` property with an unambiguous type. * * E.g. `VaultTransitAsymmetricKeyDetail.versions` is defined as `Map<String, VaultTransitAsymmetricKeyVersion>` * * Allows users to test the key detail type once (via `instanceof`) and downcast to a detailt type that has a specifically typed list of versions. * `VaultTransitKeyVersion` is abstract also, with subclasses for asymmetric (`VaultTransitAsymmetricKeyVersion`) and symmetric (`VaultTransitSymmetricKeyVersion`) keys * Added `latestVersion`, `minAvailableVersion` and `type` properties to `VaultTransitKeyDetail` * Changes are additive and therefore backwards compatible * Deprecates the `keys` property as `versions` provides the same information in a more easily accessible format and is future proof for adding more properties as Vault makes changes to the API. * Added integration test cases for reading ECDSA, RSA and AES keys * Added `JavaTimeModule` to the mapper used for vault responses.
Describe the bug
Invoking
VaultTransitSecretEngine.readKey
on a key with an asymmetric type (e.g.ecdsa-*
orrsa-*
) fails with a JacksonMismatchedInputException: Cannot deserialize value of type 'java.lang.Integer' from Object value (token 'JsonToken.START_OBJECT')
.This is also a small feature request to provide the extended information that Vault returns for asymmetric keys.
Expected behavior
VaultTransitSecretEngine.readKey
should properly handle asymmetric keys and provide the public key and its parameters (which Vault already includes in the output)Actual behavior
VaultTransitSecretEngine.readKey
assumes that the JSON response'skeys
property is a map of strings to integer timestamps. With asymmetric keys thekeys
property is a map of strings to maps of key info. Each key info map includes the public key (public_key
), creation time (creation_time
), and rsa key size or ecdsa curve (name
).To Reproduce
Steps to reproduce the behavior:
ecdsa-p256
), usingVaultTransitSecretEngine.createKey
is a valid method in addition to using the Vault cli or API.VaultTransitSecretEngine.readKey
Screenshots
Here is a sample response from Vault's
transit/keys/:key-id
endpoint for an asymmetric key.Environment (please complete the following information):
Output of
uname -a
orver
Darwin terminal.local 20.3.0 Darwin Kernel Version 20.3.0: Thu Jan 21 00:07:06 PST 2021; root:xnu-7195.81.3~1/RELEASE_X86_64 x86_64
Output of
java -version
Quarkus version or git rev
1.13.3.Final
Build tool (ie. output of
mvnw --version
orgradlew --version
)Additional context
(Add any other context about the problem here.)
The text was updated successfully, but these errors were encountered: