Remove signature_bits on intermediate generate (#15478)

* Remove signature_bits on intermediate generate

This extraneous field wasn't respected during intermediate generation
and it isn't clear that it should be. Strictly, this field, if it were
to exist, would control the CSR's internal signature algorithm (certutil
defaults to the sane SHA-256 here). However, there's little value in
changing this as the signing authority can and probably will override
the final certificate's signature bits value, completely ignoring
whatever was in the provided CSR.

Removing this field will now cause warnings for those providing the
parameter (which already wasn't respected), which is the desired
behavior. No breakage should occur as a result of this change.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel 2022-05-18 09:36:39 -04:00 committed by GitHub
parent 1bb40eee16
commit 2518cd1d6c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 0 deletions


@ -63,6 +63,17 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
data.Raw["exported"] = "existing"
}
// Nasty hack part two. :-) For generation of CSRs, certutil presently doesn't
// support configuration of this. However, because we need generation parameters,
// which create a role and attempt to read this parameter, we need to provide
// a value (which will be ignored). Hence, we stub in the missing parameter here,
// including its schema, just enough for it to work..
data.Schema["signature_bits"] = &framework.FieldSchema{
Type: framework.TypeInt,
Default: 0,
}
data.Raw["signature_bits"] = 0
exported, format, role, errorResp := b.getGenerationParams(ctx, req.Storage, data)
if errorResp != nil {
return errorResp, nil
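
Review bot: the two added assignments, data.Schema["signature_bits"] = ... and data.Raw["signature_bits"] = 0, mutate the incoming FieldData in place rather than a copy. If data.Schema is the same map the path was registered with (not visible in this hunk), the first request puts signature_bits back into the schema that the other Go hunk deletes it from, so the warning the commit message promises would stop appearing after that, and concurrent requests would write to one map without a lock. Consider stubbing the value on a per-request copy of the schema and raw maps, or letting getGenerationParams skip the read for CSR generation. A test that sends signature_bits to this endpoint twice and asserts the warning both times would pin the behaviour down; none of the three changed files appears to be a test.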


@ -78,6 +78,12 @@ workaround in some compatibility scenarios
with Active Directory Certificate Services.`,
}
// Signature bits isn't respected on intermediate generation, as this
// only impacts the CSR's internal signature and doesn't impact the
// signed certificate's bits (that's on the /sign-intermediate
// endpoints). Remove it from the list of fields to avoid confusion.
delete(ret.Fields, "signature_bits")
return ret
}
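
Review bot: the delete(ret.Fields, "signature_bits") line removes the parameter from this endpoint's schema, but the change set is two Go files and a changelog entry, so any API documentation that still lists signature_bits for intermediate generation will now disagree with the endpoint. If the docs mention it, drop it there in the same PR and point readers to /sign-intermediate, as the code comment already does.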

changelog/15478.txt Normal file

@ -0,0 +1,3 @@
```release-note:change
secret/pki: Remove unused signature_bits parameter from intermediate CSR generation; this parameter doesn't control the final certificate's signature algorithm selection as that is up to the signing CA
```
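
Review bot: the release note says the parameter is removed but not what callers who still send it will see. The commit message states they get a warning and that nothing breaks; adding that to the entry (for example "requests that still pass it receive a warning and are otherwise unaffected") saves operators from reading the diff to find out.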