Use the system rand reader for CA root and intermediate generation (#12559)

* Use the system rand reader for CA root and intermediate generation * changelog
2021-09-15 11:59:12 -05:00 · 2021-09-15 11:59:12 -05:00 · 33d7dc5fb4
parent c42c9993a0
commit 33d7dc5fb4
5 changed files with 13 additions and 7 deletions
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@ -11,6 +11,7 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
+	"io"
 	"net"
 	"net/url"
 	"regexp"
@ -449,7 +450,8 @@ func generateCert(ctx context.Context,
 	b *backend,
 	input *inputBundle,
 	caSign *certutil.CAInfoBundle,
-	isCA bool) (*certutil.ParsedCertBundle, error) {
+	isCA bool,
+	randomSource io.Reader) (*certutil.ParsedCertBundle, error) {

 	if input.role == nil {
 		return nil, errutil.InternalError{Err: "no role found in data bundle"}
@ -494,7 +496,7 @@ func generateCert(ctx context.Context,
 		}
 	}

-	parsedBundle, err := certutil.CreateCertificate(data)
+	parsedBundle, err := certutil.CreateCertificateWithRandomSource(data, randomSource)
 	if err != nil {
 		return nil, err
 	}
@ -504,7 +506,7 @@ func generateCert(ctx context.Context,

 // N.B.: This is only meant to be used for generating intermediate CAs.
 // It skips some sanity checks.
-func generateIntermediateCSR(b *backend, input *inputBundle) (*certutil.ParsedCSRBundle, error) {
+func generateIntermediateCSR(b *backend, input *inputBundle, randomSource io.Reader) (*certutil.ParsedCSRBundle, error) {
 	creation, err := generateCreationBundle(b, input, nil, nil)
 	if err != nil {
 		return nil, err
@ -514,7 +516,7 @@ func generateIntermediateCSR(b *backend, input *inputBundle) (*certutil.ParsedCS
 	}

 	addBasicConstraints := input.apiData != nil && input.apiData.Get("add_basic_constraints").(bool)
-	parsedBundle, err := certutil.CreateCSR(creation, addBasicConstraints)
+	parsedBundle, err := certutil.CreateCSRWithRandomSource(creation, addBasicConstraints, randomSource)
 	if err != nil {
 		return nil, err
 	}
--- a/builtin/logical/pki/path_intermediate.go
+++ b/builtin/logical/pki/path_intermediate.go
@ -75,7 +75,7 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 		req:     req,
 		apiData: data,
 	}
-	parsedBundle, err := generateIntermediateCSR(b, input)
+	parsedBundle, err := generateIntermediateCSR(b, input, b.Backend.GetRandomReader())
 	if err != nil {
 		switch err.(type) {
 		case errutil.UserError:
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@ -2,6 +2,7 @@ package pki

 import (
 	"context"
+	"crypto/rand"
 	"encoding/base64"
 	"fmt"
 	"time"
@ -219,7 +220,7 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 	if useCSR {
 		parsedBundle, err = signCert(b, input, signingBundle, false, useCSRValues)
 	} else {
-		parsedBundle, err = generateCert(ctx, b, input, signingBundle, false)
+		parsedBundle, err = generateCert(ctx, b, input, signingBundle, false, rand.Reader)
 	}
 	if err != nil {
 		switch err.(type) {
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@ -155,7 +155,7 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 		apiData: data,
 		role:    role,
 	}
-	parsedBundle, err := generateCert(ctx, b, input, nil, true)
+	parsedBundle, err := generateCert(ctx, b, input, nil, true, b.Backend.GetRandomReader())
 	if err != nil {
 		switch err.(type) {
 		case errutil.UserError:
--- a/changelog/12559.txt
+++ b/changelog/12559.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Use entropy augmentation when available when generating root and intermediate CA key material.
+```