PKI: Fix managed key signatures when using specified signature_bits (#17328)

* PKI: Fix managed key signatures when using specified signature_bits - When calling sign-intermediate and other apis with signature_bits value overridden with a backing managed key we did not use that value as tests for the private key type were not working. * Add cl
2022-09-28 09:08:23 -04:00 · 2022-09-28 09:08:23 -04:00 · 1f459a2df6
parent 542570c289
commit 1f459a2df6
3 changed files with 15 additions and 7 deletions
--- a/changelog/17328.txt
+++ b/changelog/17328.txt
@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key
+```
--- a/sdk/helper/certutil/helpers.go
+++ b/sdk/helper/certutil/helpers.go
@ -1127,7 +1127,12 @@ func signCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBun
 		certTemplate.NotBefore = time.Now().Add(-1 * data.Params.NotBeforeDuration)
 	}

-	switch data.SigningBundle.PrivateKeyType {
+	privateKeyType := data.SigningBundle.PrivateKeyType
+	if privateKeyType == ManagedPrivateKey {
+		privateKeyType = GetPrivateKeyTypeFromSigner(data.SigningBundle.PrivateKey)
+	}
+
+	switch privateKeyType {
 	case RSAPrivateKey:
 		certTemplateSetSigAlgo(certTemplate, data)
 	case ECPrivateKey:
--- a/sdk/helper/certutil/types.go
+++ b/sdk/helper/certutil/types.go
@ -148,16 +148,16 @@ type KeyBundle struct {
 }

 func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType {
-	switch signer.(type) {
-	case *rsa.PrivateKey:
+	// We look at the public key types to work-around limitations/typing of managed keys.
+	switch signer.Public().(type) {
+	case *rsa.PublicKey:
 		return RSAPrivateKey
-	case *ecdsa.PrivateKey:
+	case *ecdsa.PublicKey:
 		return ECPrivateKey
-	case ed25519.PrivateKey:
+	case ed25519.PublicKey:
 		return Ed25519PrivateKey
-	default:
-		return UnknownPrivateKey
 	}
+	return UnknownPrivateKey
 }

 // ToPEMBundle converts a string-based certificate bundle