luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

backport of commit d0501db90f2b36eb535b2526ed04a364f9f06340 (#23745) 

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
This commit is contained in:
hc-github-team-secure-vault-core 2023-10-19 15:49:58 -04:00 committed by GitHub
parent cc0963f22a
commit bd3434837c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
builtin/logical/transit/backend.go
View File

@ -273,6 +273,11 @@ func (b *backend) rotateIfRequired(ctx context.Context, req *logical.Request, ke
return nil
}
// We can't auto-rotate managed keys
if p.Type == keysutil.KeyType_MANAGED_KEY {
return nil
}
// Retrieve the latest version of the policy and determine if it is time to rotate.
latestKey := p.Keys[strconv.Itoa(p.LatestVersion)]
if time.Now().After(latestKey.CreationTime.Add(p.AutoRotatePeriod)) {

19
builtin/logical/transit/path_datakey.go
View File

@ -7,6 +7,7 @@ import (
"context"
"crypto/rand"
"encoding/base64"
"errors"
"fmt"
"github.com/hashicorp/vault/helper/constants"
@ -141,7 +142,23 @@ func (b *backend) pathDatakeyWrite(ctx context.Context, req *logical.Request, d
return nil, err
}
ciphertext, err := p.Encrypt(ver, context, nonce, base64.StdEncoding.EncodeToString(newKey))
var managedKeyFactory ManagedKeyFactory
if p.Type == keysutil.KeyType_MANAGED_KEY {
managedKeySystemView, ok := b.System().(logical.ManagedKeySystemView)
if !ok {
return nil, errors.New("unsupported system view")
}
managedKeyFactory = ManagedKeyFactory{
managedKeyParams: keysutil.ManagedKeyParameters{
ManagedKeySystemView: managedKeySystemView,
BackendUUID: b.backendUUID,
Context: ctx,
},
}
}
ciphertext, err := p.EncryptWithFactory(ver, context, nonce, base64.StdEncoding.EncodeToString(newKey), nil, managedKeyFactory)
if err != nil {
switch err.(type) {
case errutil.UserError:

4
builtin/logical/transit/path_keys_config.go
View File

@ -218,6 +218,10 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
p.AutoRotatePeriod = autoRotatePeriod
persistNeeded = true
}
if p.Type == keysutil.KeyType_MANAGED_KEY && autoRotatePeriod != 0 {
return logical.ErrorResponse("Auto rotation can not be set for managed keys"), nil
}
}
if !persistNeeded {

3
changelog/23723.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
secrets/transit: Do not allow auto rotation on managed_key key types
```