From d2eb98e2cf294d0c7adfca15e3b6f85e6505e5d5 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Tue, 5 Sep 2023 11:00:07 -0400
Subject: [PATCH] backport of commit f150a5259335117632d094bdf33ead0209172654 (#22756)

Co-authored-by: Alexander Scheel
---
 changelog/22753.txt | 3 +++
 sdk/helper/keysutil/policy.go | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 changelog/22753.txt

diff --git a/changelog/22753.txt b/changelog/22753.txt
new file mode 100644
index 000000000..a297337f9
--- /dev/null
+++ b/changelog/22753.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: fix panic when providing non-PEM formatted public key for import
+```
diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go
index 869733b3e..d3f8bc2e9 100644
--- a/sdk/helper/keysutil/policy.go
+++ b/sdk/helper/keysutil/policy.go
@@ -1531,9 +1531,13 @@ func (p *Policy) ImportPublicOrPrivate(ctx context.Context, storage logical.Stor
 }
 } else {
 pemBlock, _ := pem.Decode(key)
+ if pemBlock == nil {
+ return fmt.Errorf("error parsing public key: not in PEM format")
+ }
+
 parsedKey, err = x509.ParsePKIXPublicKey(pemBlock.Bytes)
 if err != nil {
- return fmt.Errorf("error parsing public key: %s", err)
+ return fmt.Errorf("error parsing public key: %w", err)
 }
 }
 
@@ -2173,6 +2177,9 @@ func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical
 case *ecdsa.PrivateKey:
 ecdsaKey := parsedPrivateKey.(*ecdsa.PrivateKey)
 pemBlock, _ := pem.Decode([]byte(keyEntry.FormattedPublicKey))
+ if pemBlock == nil {
+ return fmt.Errorf("failed to parse key entry public key: invalid PEM blob")
+ }
 publicKey, err := x509.ParsePKIXPublicKey(pemBlock.Bytes)
 if err != nil || publicKey == nil {
 return fmt.Errorf("failed to parse key entry public key: %v", err)
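Review bot: The new guard in ImportPublicOrPrivate, `+ if pemBlock == nil {`, builds its error with `fmt.Errorf` even though the message has no format verbs; when nothing is interpolated the conventional form is `return errors.New("error parsing public key: not in PEM format")`, assuming the file already imports `errors`. The same nil-block condition in this patch's ImportPrivateKeyForVersion hunk is reported as "invalid PEM blob", so two different messages now describe one failure mode in the same file; picking a single wording would make log triage simpler. The second return of `pem.Decode` is still discarded, so any trailing data after the first block is silently ignored — pre-existing behaviour, but worth a comment on that line such as `// only the first PEM block is used; trailing data after it is ignored`. ImportPublicOrPrivate starts before this hunk and continues past it.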
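Review bot: The new guard in ImportPrivateKeyForVersion, `+ if pemBlock == nil {`, closes the nil dereference, but the return two lines below it still formats the x509 error with `%v` while the sibling hunk in ImportPublicOrPrivate in this same patch switched to `%w`; changing it to `return fmt.Errorf("failed to parse key entry public key: %w", err)` keeps the two import paths consistent and lets callers inspect the underlying x509/asn1 error with errors.As. `keyEntry.FormattedPublicKey` appears to be persisted data rather than caller input, so a nil block here presumably indicates a corrupt or hand-edited key entry; a short comment on the guard, e.g. `// the stored public key is expected to be PEM; a nil block means the key entry is corrupt`, would tell the next reader why this is a hard error. The `case *ecdsa.PrivateKey:` body and ImportPrivateKeyForVersion continue outside the hunk.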