You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In Consul Connect we use sign-self-issued to cross-sign another CA root when transitioning between CAs. If the Vault root is using a different Key type to the new CA root it's cross signing, this endpoint will not allow the signing to take place.
Example response body:
* 1 error occurred:
* error signing self-issued certificate: x509: requested SignatureAlgorithm does not match private key type
I think this is a bug in that it makes this legitimate operation impossible as far as I can see from the code and testing, but there are some subtleties.
It seems to stem from the slightly confusing API of x509.CreateCertificate where you pass it a populated x509.Certificate as a "template". In the case of this endpoint, the certificate to be signed is presumably self-consistent already (i.e. it's SignatureAlgorithm will match the algorithm it used to sign itself with it's own key). But by passing this cert as the template when signing it with the Vault key, we are actually attempting to force x509.CreateCertificate to use the same signature algorithm which will fail if the signing key type is not compatible.
I've considered passing an invalidly doctored certificate that has the SignatureAlgorithm set to the target Vault key type but this is actually hard without re-implementing a bunch of asn1 encoding details from the x509 lib. My feeling is that even if it worked it's a horrible hack because it would result in passing a certificate PEM that is totally invalid and unable to be verified itself (since its SignatureAlgorithm field wouldn't match the actual signature).
I think the correct behaviour here would be to explicitly zero the SignatureAlgorithm field from the certificate "template" passed in here:
If that field is zero, x509 will pick the correct algorithm based on the private key used to sign.
In the built-in Consul CA we explicitly override the SignatureAlgorithm coming from cross-signed CAs or CSRs to match the signing key type although zeroing should have the same effect.
To Reproduce
Steps to reproduce the behavior:
Create a vault PKI root with an RSA 2048 key
Generate a separate self-signed root with an EC key via some means
Submit the EC root to /pki/root/sign-self-issued to be signed. Observe error as noted above.
Expected behavior
Root should be signed using the correct algorithm for the configured private key. In the example above, the EC root should be cross-signed with Vault root's RSA key and x509.SHA256WithRSA.
Environment:
Vault Server Version (retrieve with vault status): Vault v1.2.3 ('c14bd9a2b1d2c20f15b9f93f5c2d487507bb8a2f+CHANGES')
Vault CLI Version (retrieve with vault version): Vault v1.2.3 ('c14bd9a2b1d2c20f15b9f93f5c2d487507bb8a2f+CHANGES')
Server Operating System/Architecture: macOS (dev testing)
The text was updated successfully, but these errors were encountered:
Describe the bug
In Consul Connect we use
sign-self-issued
to cross-sign another CA root when transitioning between CAs. If the Vault root is using a different Key type to the new CA root it's cross signing, this endpoint will not allow the signing to take place.Example response body:
I think this is a bug in that it makes this legitimate operation impossible as far as I can see from the code and testing, but there are some subtleties.
It seems to stem from the slightly confusing API of
x509.CreateCertificate
where you pass it a populatedx509.Certificate
as a "template". In the case of this endpoint, the certificate to be signed is presumably self-consistent already (i.e. it'sSignatureAlgorithm
will match the algorithm it used to sign itself with it's own key). But by passing this cert as thetemplate
when signing it with the Vault key, we are actually attempting to forcex509.CreateCertificate
to use the same signature algorithm which will fail if the signing key type is not compatible.I've considered passing an invalidly doctored certificate that has the
SignatureAlgorithm
set to the target Vault key type but this is actually hard without re-implementing a bunch of asn1 encoding details from the x509 lib. My feeling is that even if it worked it's a horrible hack because it would result in passing a certificate PEM that is totally invalid and unable to be verified itself (since its SignatureAlgorithm field wouldn't match the actual signature).I think the correct behaviour here would be to explicitly zero the
SignatureAlgorithm
field from the certificate "template" passed in here:vault/builtin/logical/pki/path_root.go
Line 432 in 34fd106
If that field is zero,
x509
will pick the correct algorithm based on the private key used to sign.In the built-in Consul CA we explicitly override the
SignatureAlgorithm
coming from cross-signed CAs or CSRs to match the signing key type although zeroing should have the same effect.To Reproduce
Steps to reproduce the behavior:
/pki/root/sign-self-issued
to be signed. Observe error as noted above.Expected behavior
Root should be signed using the correct algorithm for the configured private key. In the example above, the EC root should be cross-signed with Vault root's RSA key and
x509.SHA256WithRSA
.Environment:
vault status
):Vault v1.2.3 ('c14bd9a2b1d2c20f15b9f93f5c2d487507bb8a2f+CHANGES')
vault version
):Vault v1.2.3 ('c14bd9a2b1d2c20f15b9f93f5c2d487507bb8a2f+CHANGES')
macOS
(dev testing)The text was updated successfully, but these errors were encountered: