open-vault/sdk
Alexander Scheel cd213f5fca
Restrict ECDSA/NIST P-Curve hash function sizes for cert signing (#12872)
* Restrict ECDSA signatures with NIST P-Curve hashes

When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.

Related: #11245

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to certutil.ValidateKeyTypeSignatureLength(...)

Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to autodetection of signature_bits

This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Select hash function length automatically

Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent invalid Curve size lookups

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch from -1 to 0 as default SignatureBits

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-11-12 12:18:38 -05:00
..
database Update protobuf & grpc libraries and protoc plugins (#12679) 2021-09-29 18:25:15 -07:00
framework Update some SDK dependency versions (#12828) 2021-10-14 09:47:32 -07:00
helper Restrict ECDSA/NIST P-Curve hash function sizes for cert signing (#12872) 2021-11-12 12:18:38 -05:00
logical backport error changes from ent PR (#12926) 2021-10-26 10:11:24 -06:00
physical [VAULT-4034] Revert back to caching nil values (#13013) 2021-11-02 12:00:37 -07:00
plugin Adds ability to define an inline policy and internal metadata on tokens (#12682) 2021-10-07 10:36:22 -07:00
queue Fixed a bunch of typos (#7146) 2019-07-18 21:10:15 -04:00
version 1.10.0-dev version bump (#12987) 2021-11-03 12:50:12 -04:00
go.mod Update some SDK dependency versions (#12828) 2021-10-14 09:47:32 -07:00
go.sum Update some SDK dependency versions (#12828) 2021-10-14 09:47:32 -07:00
README.md Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00

Vault SDK libs

This package provides the sdk package which contains code useful for developing Vault plugins.

Although we try not to break functionality, we reserve the right to reorganize the code at will and may occasionally cause breaks if they are warranted. As such we expect the tag of this module will stay less than v1.0.0.

For any major changes we will try to give advance notice in the CHANGES section of Vault's CHANGELOG.md.