From 84786152175e28f504f11fc26720a1034af81d88 Mon Sep 17 00:00:00 2001 From: Scott Miller Date: Wed, 15 Sep 2021 11:59:12 -0500 Subject: [PATCH] Use the system rand reader for CA root and intermediate generation (#12559) * Use the system rand reader for CA root and intermediate generation * changelog --- builtin/logical/pki/cert_util.go | 10 ++++++---- builtin/logical/pki/path_intermediate.go | 2 +- builtin/logical/pki/path_issue_sign.go | 3 ++- builtin/logical/pki/path_root.go | 2 +- changelog/12559.txt | 3 +++ 5 files changed, 13 insertions(+), 7 deletions(-) create mode 100644 changelog/12559.txt diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index 6df174a89d3e8..52f0a33e0c812 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -11,6 +11,7 @@ import ( "encoding/base64" "encoding/pem" "fmt" + "io" "net" "net/url" "regexp" @@ -449,7 +450,8 @@ func generateCert(ctx context.Context, b *backend, input *inputBundle, caSign *certutil.CAInfoBundle, - isCA bool) (*certutil.ParsedCertBundle, error) { + isCA bool, + randomSource io.Reader) (*certutil.ParsedCertBundle, error) { if input.role == nil { return nil, errutil.InternalError{Err: "no role found in data bundle"} @@ -494,7 +496,7 @@ func generateCert(ctx context.Context, } } - parsedBundle, err := certutil.CreateCertificate(data) + parsedBundle, err := certutil.CreateCertificateWithRandomSource(data, randomSource) if err != nil { return nil, err } @@ -504,7 +506,7 @@ func generateCert(ctx context.Context, // N.B.: This is only meant to be used for generating intermediate CAs. // It skips some sanity checks. -func generateIntermediateCSR(b *backend, input *inputBundle) (*certutil.ParsedCSRBundle, error) { +func generateIntermediateCSR(b *backend, input *inputBundle, randomSource io.Reader) (*certutil.ParsedCSRBundle, error) { creation, err := generateCreationBundle(b, input, nil, nil) if err != nil { return nil, err @@ -514,7 +516,7 @@ func generateIntermediateCSR(b *backend, input *inputBundle) (*certutil.ParsedCS } addBasicConstraints := input.apiData != nil && input.apiData.Get("add_basic_constraints").(bool) - parsedBundle, err := certutil.CreateCSR(creation, addBasicConstraints) + parsedBundle, err := certutil.CreateCSRWithRandomSource(creation, addBasicConstraints, randomSource) if err != nil { return nil, err } diff --git a/builtin/logical/pki/path_intermediate.go b/builtin/logical/pki/path_intermediate.go index 7ae17cd973ea3..4b75e2bb75f89 100644 --- a/builtin/logical/pki/path_intermediate.go +++ b/builtin/logical/pki/path_intermediate.go @@ -75,7 +75,7 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req req: req, apiData: data, } - parsedBundle, err := generateIntermediateCSR(b, input) + parsedBundle, err := generateIntermediateCSR(b, input, b.Backend.GetRandomReader()) if err != nil { switch err.(type) { case errutil.UserError: diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go index 28d3c54b39420..575e6ea104267 100644 --- a/builtin/logical/pki/path_issue_sign.go +++ b/builtin/logical/pki/path_issue_sign.go @@ -2,6 +2,7 @@ package pki import ( "context" + "crypto/rand" "encoding/base64" "fmt" "time" @@ -219,7 +220,7 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d if useCSR { parsedBundle, err = signCert(b, input, signingBundle, false, useCSRValues) } else { - parsedBundle, err = generateCert(ctx, b, input, signingBundle, false) + parsedBundle, err = generateCert(ctx, b, input, signingBundle, false, rand.Reader) } if err != nil { switch err.(type) { diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go index 1964013d4c963..253168810d0e0 100644 --- a/builtin/logical/pki/path_root.go +++ b/builtin/logical/pki/path_root.go @@ -155,7 +155,7 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request, apiData: data, role: role, } - parsedBundle, err := generateCert(ctx, b, input, nil, true) + parsedBundle, err := generateCert(ctx, b, input, nil, true, b.Backend.GetRandomReader()) if err != nil { switch err.(type) { case errutil.UserError: diff --git a/changelog/12559.txt b/changelog/12559.txt new file mode 100644 index 0000000000000..9bcd4e8901d52 --- /dev/null +++ b/changelog/12559.txt @@ -0,0 +1,3 @@ +```release-note:improvement +secrets/pki: Use entropy augmentation when available when generating root and intermediate CA key material. +``` \ No newline at end of file