Switch from -1 to 0 as default SignatureBits

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · Nov 8, 2021 · 603ebd1 · 603ebd1
1 parent bf56ef9
commit 603ebd1
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 10 deletions.
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
@@ -698,7 +698,6 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
 		KeyType:       "rsa",
 		KeyBits:       2048,
 		RequireCN:     true,
-		SignatureBits: -1,
 	}
 	issueVals := certutil.IssueData{}
 	ret := []logicaltest.TestStep{}

diff --git a/builtin/logical/pki/fields.go b/builtin/logical/pki/fields.go
@@ -256,13 +256,13 @@ the key_type.`,
 
 	fields["signature_bits"] = &framework.FieldSchema{
 		Type:    framework.TypeInt,
-		Default: -1,
+		Default: 0,
 		Description: `The number of bits to use in the signature
 algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
-SHA-2-512. Defaults to -1 to automatically detect based on key length
+SHA-2-512. Defaults to 0 to automatically detect based on key length
 (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
 		DisplayAttrs: &framework.DisplayAttributes{
-			Value: -1,
+			Value: 0,
 		},
 	}
 

diff --git a/builtin/logical/pki/path_roles.go b/builtin/logical/pki/path_roles.go
@@ -207,10 +207,10 @@ the key_type.`,
 
 			"signature_bits": &framework.FieldSchema{
 				Type:    framework.TypeInt,
-				Default: -1,
+				Default: 0,
 				Description: `The number of bits to use in the signature
 algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for
-SHA-2-512. Defaults to -1 to automatically detect based on key length
+SHA-2-512. Defaults to 0 to automatically detect based on key length
 (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).`,
 			},
 

diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go
@@ -548,12 +548,12 @@ func ValidateKeyTypeSignatureLength(keyType string, keyBits int, hashBits *int)
 		// the "ec" key type.
 		expectedHashBits := expectedNISTPCurveHashBits[keyBits]
 
-		if expectedHashBits != *hashBits && *hashBits != -1 {
+		if expectedHashBits != *hashBits && *hashBits != 0 {
 			return fmt.Errorf("unsupported signature hash algorithm length (%d) for NIST P-%d", *hashBits, keyBits)
-		} else if *hashBits == -1 {
+		} else if *hashBits == 0 {
 			*hashBits = expectedHashBits
 		}
-	} else if keyType == "rsa" && *hashBits == -1 {
+	} else if keyType == "rsa" && *hashBits == 0 {
 		// To match previous behavior (and ignoring recommendations of hash
 		// size to match RSA key sizes), default to SHA-2-256.
 		*hashBits = 256
@@ -566,7 +566,7 @@ func ValidateKeyTypeSignatureLength(keyType string, keyBits int, hashBits *int)
 	// Note that this check must come after we've selected a value for
 	// hashBits above, in the event it was left as the default, but we
 	// were allowed to update it.
-	if err := ValidateSignatureLength(*hashBits); err != nil || *hashBits == -1 {
+	if err := ValidateSignatureLength(*hashBits); err != nil || *hashBits == 0 {
 		return err
 	}