31ff2be589
* Allow universal default for key_bits

  This allows the key_bits field to take a universal default value, 0, which, depending on key_type, gets adjusted appropriately into a specific default value (rsa->2048, ec->256, ignored under ed25519).

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Handle universal default key size in certutil

  Also move RSA < 2048 error message into certutil directly, instead of in ca_util/path_roles.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing RSA key sizes to pki/backend_test.go

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to returning updated values

  When determining the default, don't pass in pointer types, but instead return the newly updated value.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Re-add fix for ed25519 from #13254

  Ed25519 internally specifies a hash length; by changing the default from 256 to 0, we fail validation in ValidateSignatureLength(...) unless we specify the key algorithm.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
4 lines
133 B
Plaintext
```release-note:bug
secrets/pki: Default value for key_bits changed to 0, enabling key_type=ec key generation with default value
```
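Review bot: the single entry line mentions only the key_type=ec case, while the commit message says the new default of 0 also resolves to 2048 for rsa and is ignored under ed25519. Suggest spelling out the resolved size per key_type in the entry, so an operator reading the changelog knows what key strength a role with key_bits left unset will issue. The entry is also filed as release-note:bug although its wording describes a changed default value; it is worth confirming that this category is where users look for behaviour changes in secrets/pki.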