Support sha512WithRSAEncryption for PKI

[johnnybubonic]

Describe the bug
Currently, a hardcoded usage of sha256WithRSAEncryption is enforced for created certificates. This should also support SHA512 as a stepping stone to SHA3.

[aphorise]

Key bits is already there in the PKI UI & API /pki/intermediate/generate/:type - have you recently retried this @johnnybubonic ?

---

[johnnybubonic]

@aphorise apologies for the delay. lots of life things happening (all good).

so in X.509, there's the key bit size (which can indeed use 4096; I use it). but i'm talking about the hashing/signature algorithm function, not the key size.

[aphorise]

@johnnybubonic - oh indeed - thank you for the clarity. Hey I'm wondering where you've noticed the sha256WithRSAEncryption hard encoding? - or how do you encounter it via API / CLI steps. All that you can share in due time would be well appreciated for my own understanding at least.

[johnnybubonic]

sure thing- i noticed it in sdk/helper/certutil/helpers.go in the CreateCertificate(data *CreationBundle) func

right after certBytes is initialized, you see an if block. The switches in that if block are where that gets set.

[hsimon-hashicorp]

Hi there! There's an option in the API called signature_bits, but unfortunately we realized during our investigation into this issue that it's not currently documented on the API page. We'll get that sorted, but in the meantime here's what it looks like in the code:
https://github.com/hashicorp/vault/blob/main/builtin/logical/pki/fields.go#L285-L295
I'll close this issue, and we'll fix the docs issue - and if this doesn't solve the problem please feel free to re-open this issue. :)

[cipherboy]

Looks like it was added in #11245 fwiw. :-)

[johnnybubonic]

Confirmed on all fronts. Thanks, y'all!