certutil: select appropriate hash algorithm for ECDSA signature #11216

oncilla · 2021-03-26T19:58:48Z

Select the appropriate signature algorithm for certificates signed
with an ECDSA private key.

The algorithm is selected based on the curve:

P-256 -> x509.ECDSAWithSHA256
P-384 -> x509.ECDSAWithSHA384
P-521 -> x509.ECDSAWithSHA512
Other -> x509.ECDSAWithSHA256

fixes #11006

This change is

hashicorp-cla · 2021-03-26T19:58:51Z

All committers have signed the CLA.

sgmiller · 2021-10-19T18:01:33Z

@oncilla : Do you mind resolving the conflicts?

oncilla · 2021-10-19T19:26:35Z

@sgmiller done.

sgmiller · 2021-10-25T23:04:46Z

Just failing one test:

`=== RUN TestBackend_SignSelfIssued_DifferentTypes
--- FAIL: TestBackend_SignSelfIssued_DifferentTypes (0.01s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0xa61d6f]

goroutine 11330 [running]:
testing.tRunner.func1.2(0x25c7620, 0x4156440)
/usr/local/go/src/testing/testing.go:1143 +0x332
testing.tRunner.func1(0xc002604f00)
/usr/local/go/src/testing/testing.go:1146 +0x4b6
panic(0x25c7620, 0x4156440)
/usr/local/go/src/runtime/panic.go:965 +0x1b9
github.com/hashicorp/vault/sdk/helper/certutil.createCertificate(0xc001632858, 0x2f30780, 0xc0000fc1e0, 0x0, 0x0, 0x0)
/go/src/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go:676 +0xd8f
github.com/hashicorp/vault/sdk/helper/certutil.CreateCertificateWithRandomSource(...)`

Select the appropriate signature algorithm for certificates signed with an ECDSA private key. The algorithm is selected based on the curve: - P-256 -> x509.ECDSAWithSHA256 - P-384 -> x509.ECDSAWithSHA384 - P-521 -> x509.ECDSAWithSHA512 - Other -> x509.ECDSAWithSHA256 fixes hashicorp#11006

oncilla · 2021-11-03T20:35:37Z

@sgmiller should be fixed now

* certutil: select appropriate hash algorithm for ECDSA signature Select the appropriate signature algorithm for certificates signed with an ECDSA private key. The algorithm is selected based on the curve: - P-256 -> x509.ECDSAWithSHA256 - P-384 -> x509.ECDSAWithSHA384 - P-521 -> x509.ECDSAWithSHA512 - Other -> x509.ECDSAWithSHA256 fixes #11006

…) (#13096) * certutil: select appropriate hash algorithm for ECDSA signature Select the appropriate signature algorithm for certificates signed with an ECDSA private key. The algorithm is selected based on the curve: - P-256 -> x509.ECDSAWithSHA256 - P-384 -> x509.ECDSAWithSHA384 - P-521 -> x509.ECDSAWithSHA512 - Other -> x509.ECDSAWithSHA256 fixes #11006 Co-authored-by: Dominik Roos <domi.roos@gmail.com>

…icorp#11216) * certutil: select appropriate hash algorithm for ECDSA signature Select the appropriate signature algorithm for certificates signed with an ECDSA private key. The algorithm is selected based on the curve: - P-256 -> x509.ECDSAWithSHA256 - P-384 -> x509.ECDSAWithSHA384 - P-521 -> x509.ECDSAWithSHA512 - Other -> x509.ECDSAWithSHA256 fixes hashicorp#11006

vercel bot temporarily deployed to Preview – vault March 26, 2021 19:58 Inactive

vercel bot temporarily deployed to Preview – vault-storybook March 26, 2021 19:58 Inactive

vercel bot temporarily deployed to Preview – vault-storybook March 26, 2021 20:03 Inactive

vercel bot temporarily deployed to Preview – vault March 26, 2021 20:03 Inactive

pmmukh added the cryptosec label Sep 9, 2021

sgmiller approved these changes Oct 19, 2021

View reviewed changes

oncilla force-pushed the select-sig-algo branch from d0a01ec to 3cf8e2a Compare October 19, 2021 19:25

vercel bot temporarily deployed to Preview – vault October 19, 2021 19:25 Inactive

vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 19:25 Inactive

oncilla mentioned this pull request Oct 19, 2021

pki: select appropriate hash algorithm for ecdsa signed certificates #11006

Closed

cipherboy mentioned this pull request Oct 19, 2021

Restrict ECDSA/NIST P-Curve hash function sizes for cert signing #12872

Merged

oncilla added 2 commits November 3, 2021 21:24

fix panic

6539489

oncilla force-pushed the select-sig-algo branch from 3cf8e2a to 6539489 Compare November 3, 2021 20:35

vercel bot temporarily deployed to Preview – vault-storybook November 3, 2021 20:35 Inactive

vercel bot temporarily deployed to Preview – vault November 3, 2021 20:35 Inactive

add changelog

a76ca83

vercel bot temporarily deployed to Preview – vault-storybook November 3, 2021 21:37 Inactive

vercel bot temporarily deployed to Preview – vault November 3, 2021 21:37 Inactive

Tweak changelog.

627280d

vercel bot temporarily deployed to Preview – vault-storybook November 4, 2021 15:28 Inactive

vercel bot temporarily deployed to Preview – vault November 4, 2021 15:28 Inactive

victorr merged commit 1869a69 into hashicorp:main Nov 4, 2021

oncilla deleted the select-sig-algo branch November 13, 2021 12:25

thiskevinwang mentioned this pull request Apr 25, 2022

fix release/1.9.x deploy previews #15157

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

certutil: select appropriate hash algorithm for ECDSA signature #11216

certutil: select appropriate hash algorithm for ECDSA signature #11216

oncilla commented Mar 26, 2021 •

edited

hashicorp-cla commented Mar 26, 2021 •

edited

sgmiller commented Oct 19, 2021

oncilla commented Oct 19, 2021

sgmiller commented Oct 25, 2021

oncilla commented Nov 3, 2021

certutil: select appropriate hash algorithm for ECDSA signature #11216

certutil: select appropriate hash algorithm for ECDSA signature #11216

Conversation

oncilla commented Mar 26, 2021 • edited

hashicorp-cla commented Mar 26, 2021 • edited

sgmiller commented Oct 19, 2021

oncilla commented Oct 19, 2021

sgmiller commented Oct 25, 2021

oncilla commented Nov 3, 2021

oncilla commented Mar 26, 2021 •

edited

hashicorp-cla commented Mar 26, 2021 •

edited