From 1f459a2df6de3835489a0382b8f7272a99bc0e38 Mon Sep 17 00:00:00 2001
From: Steven Clark
Date: Wed, 28 Sep 2022 09:08:23 -0400
Subject: [PATCH] PKI: Fix managed key signatures when using specified signature_bits (#17328)
* PKI: Fix managed key signatures when using specified signature_bits
- When calling sign-intermediate and other apis with signature_bits value overridden with a backing managed key we did not use that value as tests for the private key type were not working.
* Add cl
---
 changelog/17328.txt | 3 +++
 sdk/helper/certutil/helpers.go | 7 ++++++-
 sdk/helper/certutil/types.go | 12 ++++++------
 3 files changed, 15 insertions(+), 7 deletions(-)
 create mode 100644 changelog/17328.txt
diff --git a/changelog/17328.txt b/changelog/17328.txt
new file mode 100644
index 000000000..e10e380b5
--- /dev/null
+++ b/changelog/17328.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key
+```
diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go
index 348c85f9d..56ab5324a 100644
--- a/sdk/helper/certutil/helpers.go
+++ b/sdk/helper/certutil/helpers.go
@@ -1127,7 +1127,12 @@ func signCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBun
 certTemplate.NotBefore = time.Now().Add(-1 * data.Params.NotBeforeDuration)
 }
- switch data.SigningBundle.PrivateKeyType {
+ privateKeyType := data.SigningBundle.PrivateKeyType
+ if privateKeyType == ManagedPrivateKey {
+ privateKeyType = GetPrivateKeyTypeFromSigner(data.SigningBundle.PrivateKey)
+ }
+
+ switch privateKeyType {
 case RSAPrivateKey:
 certTemplateSetSigAlgo(certTemplate, data)
 case ECPrivateKey:
diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go
index 03aba8499..15b816f0c 100644
--- a/sdk/helper/certutil/types.go
+++ b/sdk/helper/certutil/types.go
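Review bot: When `GetPrivateKeyTypeFromSigner` cannot classify the managed key's public key it returns `UnknownPrivateKey`, and the new `switch privateKeyType` then takes whatever branch handles that value (not visible in this hunk), so a caller's signature_bits could once more be dropped without any signal — the same failure mode this commit fixes, just for an unrecognized key type. Consider failing loudly instead of falling through, e.g. `if privateKeyType == UnknownPrivateKey { return nil, fmt.Errorf("unable to determine key type of managed signing key") }` placed before the switch, so an unsupported managed key yields an error rather than a certificate signed with unintended parameters. Whether `fmt.Errorf` or the package's own error type is appropriate depends on what the rest of signCertificate returns, which is outside the hunk. signCertificate begins before this hunk and continues after it.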
@@ -148,16 +148,16 @@ type KeyBundle struct {
 }
 func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType {
- switch signer.(type) {
- case *rsa.PrivateKey:
+ // We look at the public key types to work-around limitations/typing of managed keys.
+ switch signer.Public().(type) {
+ case *rsa.PublicKey:
 return RSAPrivateKey
- case *ecdsa.PrivateKey:
+ case *ecdsa.PublicKey:
 return ECPrivateKey
- case ed25519.PrivateKey:
+ case ed25519.PublicKey:
 return Ed25519PrivateKey
- default:
- return UnknownPrivateKey
 }
+ return UnknownPrivateKey
 }
 // ToPEMBundle converts a string-based certificate bundle
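Review bot: The new `switch signer.Public().(type)` calls a method on the interface unconditionally, so a nil `crypto.Signer` now panics where the old `switch signer.(type)` fell through to `UnknownPrivateKey`; any bundle that reaches this helper without a signer would crash the signing path instead of reporting an unknown type. A one-line guard at the top of the function preserves the previous contract: `if signer == nil { return UnknownPrivateKey }`. The exported function also has no doc comment; something like `// GetPrivateKeyTypeFromSigner classifies a signer by the type of its public key, which also covers managed keys whose concrete private-key type is opaque, and returns UnknownPrivateKey for anything other than RSA, ECDSA or Ed25519.` would record the work-around the inline comment alludes to.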