From bd3434837cdbf711249e8f3044bb9b3bbe7f7a30 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Thu, 19 Oct 2023 15:49:58 -0400
Subject: [PATCH] backport of commit d0501db90f2b36eb535b2526ed04a364f9f06340 (#23745)

Co-authored-by: Steven Clark
---
 builtin/logical/transit/backend.go | 5 +++++
 builtin/logical/transit/path_datakey.go | 19 ++++++++++++++++++-
 builtin/logical/transit/path_keys_config.go | 4 ++++
 changelog/23723.txt | 3 +++
 4 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 changelog/23723.txt

diff --git a/builtin/logical/transit/backend.go b/builtin/logical/transit/backend.go
index 03c3b2fda..4b4d4a27a 100644
--- a/builtin/logical/transit/backend.go
+++ b/builtin/logical/transit/backend.go
@@ -273,6 +273,11 @@ func (b *backend) rotateIfRequired(ctx context.Context, req *logical.Request, ke
 return nil
 }
 
+ // We can't auto-rotate managed keys
+ if p.Type == keysutil.KeyType_MANAGED_KEY {
+ return nil
+ }
+
 // Retrieve the latest version of the policy and determine if it is time to rotate.
 latestKey := p.Keys[strconv.Itoa(p.LatestVersion)]
 if time.Now().After(latestKey.CreationTime.Add(p.AutoRotatePeriod)) {
diff --git a/builtin/logical/transit/path_datakey.go b/builtin/logical/transit/path_datakey.go
index 774ffd480..ddb5c7612 100644
--- a/builtin/logical/transit/path_datakey.go
+++ b/builtin/logical/transit/path_datakey.go
@@ -7,6 +7,7 @@ import (
 "context"
 "crypto/rand"
 "encoding/base64"
+ "errors"
 "fmt"
 
 "github.com/hashicorp/vault/helper/constants"
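Review bot: The added guard returns silently, so a managed key whose policy already persisted a non-zero `AutoRotatePeriod` before this fix will now quietly never rotate and nothing tells the operator why; consider a debug-level log here, or clearing the stale period when such a policy is loaded. The comment also states the restriction without the reason — presumably the key material lives in an external key manager that Vault cannot mint new versions for — so something like `// Managed keys hold their material outside Vault, so there is no new version to mint here; pathKeysConfigWrite rejects a non-zero auto-rotate period for them and this guard covers policies persisted before that check existed.` would help the next reader. rotateIfRequired begins before this hunk, so the earlier early-return whose tail appears on the first context lines is not visible here.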
@@ -141,7 +142,23 @@ func (b *backend) pathDatakeyWrite(ctx context.Context, req *logical.Request, d
 return nil, err
 }
 
- ciphertext, err := p.Encrypt(ver, context, nonce, base64.StdEncoding.EncodeToString(newKey))
+ var managedKeyFactory ManagedKeyFactory
+ if p.Type == keysutil.KeyType_MANAGED_KEY {
+ managedKeySystemView, ok := b.System().(logical.ManagedKeySystemView)
+ if !ok {
+ return nil, errors.New("unsupported system view")
+ }
+
+ managedKeyFactory = ManagedKeyFactory{
+ managedKeyParams: keysutil.ManagedKeyParameters{
+ ManagedKeySystemView: managedKeySystemView,
+ BackendUUID: b.backendUUID,
+ Context: ctx,
+ },
+ }
+ }
+
+ ciphertext, err := p.EncryptWithFactory(ver, context, nonce, base64.StdEncoding.EncodeToString(newKey), nil, managedKeyFactory)
 if err != nil {
 switch err.(type) {
 case errutil.UserError:
diff --git a/builtin/logical/transit/path_keys_config.go b/builtin/logical/transit/path_keys_config.go
index 722d39c1e..7b8516172 100644
--- a/builtin/logical/transit/path_keys_config.go
+++ b/builtin/logical/transit/path_keys_config.go
@@ -218,6 +218,10 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
 p.AutoRotatePeriod = autoRotatePeriod
 persistNeeded = true
 }
+
+ if p.Type == keysutil.KeyType_MANAGED_KEY && autoRotatePeriod != 0 {
+ return logical.ErrorResponse("Auto rotation can not be set for managed keys"), nil
+ }
 }
 
 if !persistNeeded {
diff --git a/changelog/23723.txt b/changelog/23723.txt
new file mode 100644
index 000000000..25828f996
--- /dev/null
+++ b/changelog/23723.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Do not allow auto rotation on managed_key key types
+```
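Review bot: The `errors.New("unsupported system view")` branch surfaces as a bare internal error, so a caller hitting it on a managed key gets a generic failure with no indication of which key or operation was involved; `fmt` is already imported in this file, so `return nil, fmt.Errorf("datakey: managed key %q: system view does not support managed keys", p.Name)` (assuming the policy exposes `Name`, as elsewhere in transit) would be far easier to diagnose from a log line. The factory construction also looks like the same block the encrypt/decrypt handlers need for managed keys, and if it already exists there a small `b.managedKeyFactory(ctx)` helper returning `(ManagedKeyFactory, error)` would keep the three copies from drifting. Separately, the commit's changelog entry only mentions auto-rotation, while this hunk changes datakey generation for managed keys from `p.Encrypt` to `p.EncryptWithFactory`, which is a user-visible behaviour change that deserves its own release note. pathDatakeyWrite starts before and continues after this hunk.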
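Review bot: The new managed-key rejection runs after `p.AutoRotatePeriod = autoRotatePeriod` and `persistNeeded = true` on the preceding context lines, so by the time it fires the policy object has already been mutated in memory even though nothing is persisted; if `p` is the lock manager's cached policy, as transit handlers normally receive, the rejected period stays live on this node until the cache entry is dropped. Move the check above the assignment, i.e. make `if p.Type == keysutil.KeyType_MANAGED_KEY && autoRotatePeriod != 0 { return logical.ErrorResponse(...), nil }` the first statement of the block that parses the period, so validation happens before any state change. Minor wording: `cannot` rather than `can not` in the error text, to match Vault's other user-facing errors. The start of the enclosing block and of pathKeysConfigWrite lie outside this hunk.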