From 2518cd1d6cbe353889a599252d9a2cc4f0620ec1 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Wed, 18 May 2022 09:36:39 -0400
Subject: [PATCH] Remove signature_bits on intermediate generate (#15478)
* Remove signature_bits on intermediate generate
This extraneous field wasn't respected during intermediate generation and it isn't clear that it should be. Strictly, this field, if it were to exist, would control the CSR's internal signature algorithm (certutil defaults to the sane SHA-256 here). However, there's little value in changing this as the signing authority can and probably will override the final certificate's signature bits value, completely ignoring whatever was in the provided CSR. Removing this field will now cause warnings for those providing the parameter (which already wasn't respected), which is the desired behavior. No breakage should occur as a result of this change.
Signed-off-by: Alexander Scheel
* Add changelog
Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/path_intermediate.go | 11 +++++++++++
 builtin/logical/pki/path_manage_issuers.go | 6 ++++++
 changelog/15478.txt | 3 +++
 3 files changed, 20 insertions(+)
 create mode 100644 changelog/15478.txt
diff --git a/builtin/logical/pki/path_intermediate.go b/builtin/logical/pki/path_intermediate.go
index 29862dd3e..ce172c97a 100644
--- a/builtin/logical/pki/path_intermediate.go
+++ b/builtin/logical/pki/path_intermediate.go
@@ -63,6 +63,17 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req data.Raw["exported"] = "existing" } + // Nasty hack part two. :-) For generation of CSRs, certutil presently doesn't + // support configuration of this. However, because we need generation parameters, + // which create a role and attempt to read this parameter, we need to provide + // a value (which will be ignored). Hence, we stub in the missing parameter here, + // including its schema, just enough for it to work.. + data.Schema["signature_bits"] = &framework.FieldSchema{ + Type: framework.TypeInt, + Default: 0, + } + data.Raw["signature_bits"] = 0 + exported, format, role, errorResp := b.getGenerationParams(ctx, req.Storage, data) if errorResp != nil { return errorResp, nil diff --git a/builtin/logical/pki/path_manage_issuers.go b/builtin/logical/pki/path_manage_issuers.go index 9bce9f000..361be59aa 100644 --- a/builtin/logical/pki/path_manage_issuers.go +++ b/builtin/logical/pki/path_manage_issuers.go @@ -78,6 +78,12 @@ workaround in some compatibility scenarios with Active Directory Certificate Services.`, } + // Signature bits isn't respected on intermediate generation, as this + // only impacts the CSR's internal signature and doesn't impact the + // signed certificate's bits (that's on the /sign-intermediate + // endpoints). Remove it from the list of fields to avoid confusion. + delete(ret.Fields, "signature_bits") + return ret } diff --git a/changelog/15478.txt b/changelog/15478.txt new file mode 100644 index 000000000..4e353917e --- /dev/null +++ b/changelog/15478.txt @@ -0,0 +1,3 @@ +```release-note:change +secret/pki: Remove unused signature_bits parameter from intermediate CSR generation; this parameter doesn't control the final certificate's signature algorithm selection as that is up to the signing CA +```
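Review bot: The stub in path_intermediate.go is written into `data.Schema` on every request, at the added `data.Schema["signature_bits"] = &framework.FieldSchema{...}` assignment. If that map is the path's own field map shared across requests rather than a per-request copy (not visible in this hunk), concurrent calls to this endpoint would race on a map write, which the Go runtime treats as a fatal error. In that case the first call would also put back the field that `delete(ret.Fields, "signature_bits")` removes in the path_manage_issuers.go hunk, so the unknown-parameter warning the commit message promises may stop appearing. Adding the stub to a private copy of the schema avoids both, as sketched below; `data.Raw["signature_bits"] = 0` also overwrites any caller-supplied value, so a test that the warning is still returned would be worth adding. The body of pathGenerateIntermediate starts and continues outside the hunk, so later uses of `data` need checking against the reassignment.

```go
	// … unchanged: "Nasty hack part two" comment …
	// Add the stub to a private copy so the schema map seen by other
	// requests is never mutated.
	schema := make(map[string]*framework.FieldSchema, len(data.Schema)+1)
	for name, field := range data.Schema {
		schema[name] = field
	}
	schema["signature_bits"] = &framework.FieldSchema{
		Type:    framework.TypeInt,
		Default: 0,
	}
	data = &framework.FieldData{Raw: data.Raw, Schema: schema}
	data.Raw["signature_bits"] = 0

	exported, format, role, errorResp := b.getGenerationParams(ctx, req.Storage, data)
	// … unchanged: errorResp handling …
```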