mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-17 20:17:00 +02:00
c36f611e4c
* Restrict ECDSA signatures with NIST P-Curve hashes When using an ECDSA signature with a NIST P-Curve, we should follow recommendations from BIS (Section 4.2) and Mozilla's root store policy (section 5.1.2) to ensure that arbitrary selection of signature_bits does not exceed what the curve is capable of signing. Related: #11245 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Switch to certutil.ValidateKeyTypeSignatureLength(...) Replaces previous calls to certutil.ValidateKeyTypeLength(...) and certutil.ValidateSignatureLength(...) with a single call, allowing for curve<->hash validation. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Switch to autodetection of signature_bits This enables detection of whether the caller manually specified a value for signature_bits or not; when not manually specified, we can provision a value that complies with new NIST P-Curve policy. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Select hash function length automatically Due to our change in behavior (to default to -1 as the value to signature_bits to allow for automatic hash selection), switch ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and provision it with valid default values. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Prevent invalid Curve size lookups Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Switch from -1 to 0 as default SignatureBits Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
64 lines
1.9 KiB
Go
64 lines
1.9 KiB
Go
package pki
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/helper/certutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
func (b *backend) getGenerationParams(
|
|
data *framework.FieldData,
|
|
) (exported bool, format string, role *roleEntry, errorResp *logical.Response) {
|
|
exportedStr := data.Get("exported").(string)
|
|
switch exportedStr {
|
|
case "exported":
|
|
exported = true
|
|
case "internal":
|
|
default:
|
|
errorResp = logical.ErrorResponse(
|
|
`the "exported" path parameter must be "internal" or "exported"`)
|
|
return
|
|
}
|
|
|
|
format = getFormat(data)
|
|
if format == "" {
|
|
errorResp = logical.ErrorResponse(
|
|
`the "format" path parameter must be "pem", "der", "der_pkcs", or "pem_bundle"`)
|
|
return
|
|
}
|
|
|
|
role = &roleEntry{
|
|
TTL: time.Duration(data.Get("ttl").(int)) * time.Second,
|
|
KeyType: data.Get("key_type").(string),
|
|
KeyBits: data.Get("key_bits").(int),
|
|
SignatureBits: data.Get("signature_bits").(int),
|
|
AllowLocalhost: true,
|
|
AllowAnyName: true,
|
|
AllowIPSANs: true,
|
|
EnforceHostnames: false,
|
|
AllowedURISANs: []string{"*"},
|
|
AllowedOtherSANs: []string{"*"},
|
|
AllowedSerialNumbers: []string{"*"},
|
|
OU: data.Get("ou").([]string),
|
|
Organization: data.Get("organization").([]string),
|
|
Country: data.Get("country").([]string),
|
|
Locality: data.Get("locality").([]string),
|
|
Province: data.Get("province").([]string),
|
|
StreetAddress: data.Get("street_address").([]string),
|
|
PostalCode: data.Get("postal_code").([]string),
|
|
}
|
|
|
|
if role.KeyType == "rsa" && role.KeyBits < 2048 {
|
|
errorResp = logical.ErrorResponse("RSA keys < 2048 bits are unsafe and not supported")
|
|
return
|
|
}
|
|
|
|
if err := certutil.ValidateKeyTypeSignatureLength(role.KeyType, role.KeyBits, &role.SignatureBits); err != nil {
|
|
errorResp = logical.ErrorResponse(err.Error())
|
|
}
|
|
|
|
return
|
|
}
|