Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add signature_bits to sign-intermediate, sign-verbatim #16124

Merged
merged 3 commits into from
Jun 23, 2022
Merged

Add signature_bits to sign-intermediate, sign-verbatim #16124

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ba14da0
Add signature_bits to sign-intermediate
cipherboy Jun 23, 2022
818e6cb
Add signature_bits to sign-verbatim
cipherboy Jun 23, 2022
70329f9
Add changelog
cipherboy Jun 23, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 17 additions & 10 deletions builtin/logical/pki/backend_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -574,6 +574,7 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s
Data: map[string]interface{}{
"common_name": "intermediate.cert.com",
"csr": csrPem2048,
"signature_bits": 512,
"format": "der",
"not_before_duration": "2h",
},
Expand All @@ -597,13 +598,15 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s

switch {
case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
return fmt.Errorf("IssuingCertificateURL:\nexpected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
return fmt.Errorf("CRLDistributionPoints:\nexpected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
return fmt.Errorf("OCSPServer:\nexpected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
case !reflect.DeepEqual([]string{"intermediate.cert.com"}, cert.DNSNames):
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", []string{"intermediate.cert.com"}, cert.DNSNames)
return fmt.Errorf("DNSNames\nexpected\n%#v\ngot\n%#v\n", []string{"intermediate.cert.com"}, cert.DNSNames)
case !reflect.DeepEqual(x509.SHA512WithRSA, cert.SignatureAlgorithm):
return fmt.Errorf("Signature Algorithm:\nexpected\n%#v\ngot\n%#v\n", x509.SHA512WithRSA, cert.SignatureAlgorithm)
}

if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
Expand Down Expand Up @@ -2129,13 +2132,17 @@ func runTestSignVerbatim(t *testing.T, keyType string) {
t.Fatal("pem csr is empty")
}

signVerbatimData := map[string]interface{}{
"csr": pemCSR,
}
if keyType == "rsa" {
signVerbatimData["signature_bits"] = 512
}
resp, err = b.HandleRequest(context.Background(), &logical.Request{
Operation: logical.UpdateOperation,
Path: "sign-verbatim",
Storage: storage,
Data: map[string]interface{}{
"csr": pemCSR,
},
Operation: logical.UpdateOperation,
Path: "sign-verbatim",
Storage: storage,
Data: signVerbatimData,
MountPoint: "pki/",
})
if resp != nil && resp.IsError() {
Expand Down
13 changes: 13 additions & 0 deletions builtin/logical/pki/path_issue_sign.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,18 @@ this value to an empty list.`,
Description: `A comma-separated string or list of extended key usage oids.`,
}

ret.Fields["signature_bits"] = &framework.FieldSchema{
Type: framework.TypeInt,
Default: 0,
Description: `The number of bits to use in the signature
algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
SHA-2-512. Defaults to 0 to automatically detect based on key length
(SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
DisplayAttrs: &framework.DisplayAttributes{
Value: 0,
},
}

return ret
}

Expand Down Expand Up @@ -198,6 +210,7 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
KeyUsage: data.Get("key_usage").([]string),
ExtKeyUsage: data.Get("ext_key_usage").([]string),
ExtKeyUsageOIDs: data.Get("ext_key_usage_oids").([]string),
SignatureBits: data.Get("signature_bits").(int),
}
*entry.AllowWildcardCertificates = true

Expand Down
1 change: 1 addition & 0 deletions builtin/logical/pki/path_root.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -286,6 +286,7 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
AllowWildcardCertificates: new(bool),
EnforceHostnames: false,
KeyType: "any",
SignatureBits: data.Get("signature_bits").(int),
AllowedOtherSANs: []string{"*"},
AllowedSerialNumbers: []string{"*"},
AllowedURISANs: []string{"*"},
Expand Down
12 changes: 12 additions & 0 deletions builtin/logical/pki/path_sign_issuers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,18 @@ the non-repudiation flag;
into the issued certificate.`,
}

fields["signature_bits"] = &framework.FieldSchema{
Type: framework.TypeInt,
Default: 0,
Description: `The number of bits to use in the signature
algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
SHA-2-512. Defaults to 0 to automatically detect based on key length
(SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
DisplayAttrs: &framework.DisplayAttributes{
Value: 0,
},
}

return path
}

Expand Down
3 changes: 3 additions & 0 deletions changelog/16124.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints
```
20 changes: 20 additions & 0 deletions website/content/api-docs/secret/pki.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -561,6 +561,16 @@ when signing an externally-owned intermediate.
`YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
standard devices, `9999-12-31T23:59:59Z`.

- `signature_bits` `(int: 0)` - Specifies the number of bits to use in
the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384,
and 512 for SHA-2-512. Defaults to 0 to automatically detect based
on key length (SHA-2-256 for RSA keys, and matching the curve size
for NIST P-Curves).

~> **Note**: ECDSA and Ed25519 issuers do not follow configuration of the
`signature_bits` value; only RSA issuers will change signature types
based on this parameter.

#### Sample Payload

```json
Expand Down Expand Up @@ -741,6 +751,16 @@ have access.**
`YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
standard devices, `9999-12-31T23:59:59Z`.

- `signature_bits` `(int: 0)` - Specifies the number of bits to use in
the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384,
and 512 for SHA-2-512. Defaults to 0 to automatically detect based
on key length (SHA-2-256 for RSA keys, and matching the curve size
for NIST P-Curves).

~> **Note**: ECDSA and Ed25519 issuers do not follow configuration of the
`signature_bits` value; only RSA issuers will change signature types
based on this parameter.

#### Sample Payload

```json
Expand Down