From d0a01ec3c728935d5e90582b986b8f9a02c2e5c9 Mon Sep 17 00:00:00 2001 From: Dominik Roos Date: Fri, 26 Mar 2021 21:03:26 +0100 Subject: [PATCH] update vendored certutil --- .../vault/sdk/helper/certutil/helpers.go | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go b/vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go index 12198798e8c5c..4b109c902dbc4 100644 --- a/vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go +++ b/vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go @@ -600,7 +600,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB case RSAPrivateKey: certTemplate.SignatureAlgorithm = x509.SHA256WithRSA case ECPrivateKey: - certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256 + certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(data.SigningBundle.PrivateKey.Public()) } caCert := data.SigningBundle.Certificate @@ -620,7 +620,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB case "rsa": certTemplate.SignatureAlgorithm = x509.SHA256WithRSA case "ec": - certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256 + certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(result.PrivateKey.Public()) } certTemplate.AuthorityKeyId = subjKeyID @@ -655,6 +655,23 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB return result, nil } +func selectSignatureAlgorithmForECDSA(pub crypto.PublicKey) x509.SignatureAlgorithm { + key, ok := pub.(*ecdsa.PublicKey) + if !ok { + return x509.ECDSAWithSHA256 + } + switch key.Curve { + case elliptic.P224(), elliptic.P256(): + return x509.ECDSAWithSHA256 + case elliptic.P384(): + return x509.ECDSAWithSHA384 + case elliptic.P521(): + return x509.ECDSAWithSHA512 + default: + return x509.ECDSAWithSHA256 + } +} + var oidExtensionBasicConstraints = []int{2, 5, 29, 19} // CreateCSR creates a CSR with the default rand.Reader to