
Fix ed25519 key type in ca_util (#27093)
* fix ed25519 key type

* add changelog

* fix other case and add tests

* add other test

* add headers
rculpepper authored May 22, 2024
1 parent 20d4427 commit 0b02c5d
Showing 5 changed files with 150 additions and 2 deletions.
2 changes: 1 addition & 1 deletion builtin/logical/pki/ca_util.go
Expand Up @@ -235,7 +235,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr
keyBits = certutil.GetPublicKeySize(pubKey)
case *ecdsa.PublicKey:
keyType = certutil.ECPrivateKey
case *ed25519.PublicKey:
case ed25519.PublicKey:
keyType = certutil.Ed25519PrivateKey
default:
return certutil.UnknownPrivateKey, 0, fmt.Errorf("unsupported public key: %#v", pubKey)
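Review bot: The corrected `case ed25519.PublicKey:` deserves a one-line comment, because it is the only value-type arm in a switch whose RSA and ECDSA arms match pointer types, and the old `*ed25519.PublicKey` arm is exactly the mistake this commit fixes; I would add `// ed25519.PublicKey is a defined []byte type and the standard library (ed25519.PrivateKey.Public, x509.ParsePKIXPublicKey) hands it out by value, never as a pointer.` above the case. The same fix, and the same comment, apply to GetPrivateKeyTypeFromPublicKey in sdk/helper/certutil/types.go. Since a type switch compares the dynamic type exactly, a plain `[]byte` still reaches the default arm, which is what the new "bad key type" test cases rely on. getKeyTypeAndBitsFromPublicKeyForRole starts and ends outside the hunk.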
82 changes: 82 additions & 0 deletions builtin/logical/pki/ca_util_test.go
@@ -0,0 +1,82 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package pki

import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"testing"

"github.com/hashicorp/vault/sdk/helper/certutil"
)

func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) {
rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("error generating rsa key: %s", err)
}

ecdsaKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating ecdsa key: %s", err)
}

publicKey, _, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
t.Fatalf("error generating ed25519 key: %s", err)
}

testCases := map[string]struct {
publicKey crypto.PublicKey
expectedKeyType certutil.PrivateKeyType
expectedKeyBits int
expectError bool
}{
"rsa": {
publicKey: rsaKey.Public(),
expectedKeyType: certutil.RSAPrivateKey,
expectedKeyBits: 2048,
},
"ecdsa": {
publicKey: ecdsaKey.Public(),
expectedKeyType: certutil.ECPrivateKey,
expectedKeyBits: 0,
},
"ed25519": {
publicKey: publicKey,
expectedKeyType: certutil.Ed25519PrivateKey,
expectedKeyBits: 0,
},
"bad key type": {
publicKey: []byte{},
expectedKeyType: certutil.UnknownPrivateKey,
expectedKeyBits: 0,
expectError: true,
},
}

for name, tt := range testCases {
t.Run(name, func(t *testing.T) {
keyType, keyBits, err := getKeyTypeAndBitsFromPublicKeyForRole(tt.publicKey)
if err != nil && !tt.expectError {
t.Fatalf("unexpected error: %s", err)
}
if err == nil && tt.expectError {
t.Fatal("expected error, got nil")
}

if keyType != tt.expectedKeyType {
t.Fatalf("key type mismatch: expected %s, got %s", tt.expectedKeyType, keyType)
}

if keyBits != tt.expectedKeyBits {
t.Fatalf("key bits mismatch: expected %d, got %d", tt.expectedKeyBits, keyBits)
}
})
}
}
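Review bot: The "bad key type" entry in testCases passes `[]byte{}`, which is the underlying type of `ed25519.PublicKey`; that is the most valuable negative input here, because it shows the switch matches the defined type rather than its underlying slice type, but nothing in the table says so. I would annotate the entry with `// plain []byte shares ed25519.PublicKey's underlying type but must not match its case`. The `expectedKeyBits: 0` on the ecdsa (P-521) and ed25519 entries also reads like an oversight without a note; the ca_util.go hunk suggests only the RSA arm populates keyBits, so a comment such as `// keyBits is only reported for RSA keys` on those two entries would settle it. The first of these comments applies equally to the "bad key type" entry in TestGetPrivateKeyTypeFromPublicKey in sdk/helper/certutil/types_test.go.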
3 changes: 3 additions & 0 deletions changelog/27093.txt
@@ -0,0 +1,3 @@
```release-note:bug
pki: Fix error in cross-signing using ed25519 keys
```
2 changes: 1 addition & 1 deletion sdk/helper/certutil/types.go
Expand Up @@ -171,7 +171,7 @@ func GetPrivateKeyTypeFromPublicKey(pubKey crypto.PublicKey) PrivateKeyType {
return RSAPrivateKey
case *ecdsa.PublicKey:
return ECPrivateKey
case *ed25519.PublicKey:
case ed25519.PublicKey:
return Ed25519PrivateKey
default:
return UnknownPrivateKey
63 changes: 63 additions & 0 deletions sdk/helper/certutil/types_test.go
@@ -0,0 +1,63 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package certutil

import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"testing"
)

func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) {
rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("error generating rsa key: %s", err)
}

ecdsaKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating ecdsa key: %s", err)
}

publicKey, _, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
t.Fatalf("error generating ed25519 key: %s", err)
}

testCases := map[string]struct {
publicKey crypto.PublicKey
expectedKeyType PrivateKeyType
}{
"rsa": {
publicKey: rsaKey.Public(),
expectedKeyType: RSAPrivateKey,
},
"ecdsa": {
publicKey: ecdsaKey.Public(),
expectedKeyType: ECPrivateKey,
},
"ed25519": {
publicKey: publicKey,
expectedKeyType: Ed25519PrivateKey,
},
"bad key type": {
publicKey: []byte{},
expectedKeyType: UnknownPrivateKey,
},
}

for name, tt := range testCases {
t.Run(name, func(t *testing.T) {
keyType := GetPrivateKeyTypeFromPublicKey(tt.publicKey)

if keyType != tt.expectedKeyType {
t.Fatalf("key type mismatch: expected %s, got %s", tt.expectedKeyType, keyType)
}
})
}
}
