-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vault-16367: add support RSA padding scheme pkcs1v15 for encryption #16368
Vault-16367: add support RSA padding scheme pkcs1v15 for encryption #16368
Conversation
…without UI tests (yet).
…rt' into feature/transit_pkcs1v15_support
Hey there @marcellanz -- terribly sorry about the delay. Originally I think there was some discussion over the scope of this and if it fit well with our goals for Transit. The good news is, I'd like to see this land in the next (1.15) release. :-) If you're still up for it, I'd be happy to work with you to get this reviewed and merged! |
Thanks @cipherboy, no worries. We'd still much like to see this merged into a release to be used with an official released version of vault. Let me know how I can help and what to do to go forward with the PR. |
@marcellanz Cool! I think a rebase would be the first step; we've added a few features since then that might be causing these conflicts: managed keys and public-key only asymmetric crypto. I'll add some commentary in the PR :-) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I should get @hellobontempo to review the Transit UI additions but otherwise this is looking good to me with the one API change noted.
Rest are tbh mostly nits.
@@ -818,7 +818,7 @@ func (p *Policy) convergentVersion(ver int) int { | |||
return convergentVersion | |||
} | |||
|
|||
func (p *Policy) Encrypt(ver int, context, nonce []byte, value string) (string, error) { | |||
func (p *Policy) Encrypt(ver int, context, nonce []byte, value string, paddingScheme string) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I should double check I haven't violated this myself recently, but in general, we wish to avoid modifying these functions as they lie in our public sdk/
space.
I think you could change this to Encrypt->EncryptWithAlgorithm
and have the former call the latter with oaep
by default for consistency perhaps...?
Then if/when we introduce ECEIS based schemes, I think it might make the most sense?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes perfectly sense for me too. Does the new EncryptWithAlgorithm
have to be documented somewhere then I assume?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I don't think our SDK has much documentation sadly. I think it'd be cool to get better inline godoc in the future, but we don't have much presently.
(If you want to work on this, happy to review such PRs in the future too!)
Type: framework.TypeString, | ||
Description: `The padding scheme to use for decrypt. Currently only applies to RSA key types. | ||
Options are 'oaep' or 'pkcs1v15'. Defaults to 'oaep'`, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It'd be great to include Default: "oaep"
here for consistency if we could :-) When you call d.Get(...)
below, it'll populate it with oaep
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This applies in a few places as well below :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I were to nitpick, for consistency with sign/verify I might suggest calling this encryption_algorithm
, as it'll likely be more widely used than just RSA here. padding_scheme
is definitely more precise, but boxes us into a corner w.r.t. EC algorithms.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might suggest calling this
encryption_algorithm
I think too, this makes a lot of sense and is consistent with the existing API.
@marcellanz This is small enough I might try and sneak it in before the release if you can get the SDK change fixed up and then merge it in. |
@cipherboy thanks for the review and comments; I'll have a look this evening on them and make it mergeable. |
👋 I added the |
@cipherboy I've corrected most comments from you above and made it buildable with an up to date branch. I'll push that soon. Open is the naming change from |
@marcellanz Cool, ty! I think this might not make 1.14 sadly at this point, but 1.15 branch is open so I can merge it there when you get the updates pushed. :-) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for tackling the UI part of this work as well! 🥇 The formatting looks great - thanks for following our current linting patterns! 🤩
I left some comments! Nothing blocking, though. It would be great to see a test added in transit-key-actions-test.js
confirming that padding_scheme
only renders for the desired key type - if that's something you have time to include
@@ -28,6 +30,27 @@ | |||
</div> | |||
</div> | |||
{{/if}} | |||
{{#if (or (eq @key.type "rsa-2048") (eq @key.type "rsa-3072") (eq @key.type "rsa-4096"))}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same comment here as above ☝️
onchange={{action (mut @padding_scheme) value="target.value"}} | ||
> | ||
{{#each (array "oaep" "pkcs1v15") as |scheme|}} | ||
<option selected={{if @padding_scheme (eq @padding_scheme scheme) (eq scheme "oaep")}} value={{scheme}}> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and here! 😄
@@ -40,6 +47,27 @@ | |||
</div> | |||
</div> | |||
{{/if}} | |||
{{#if (or (eq @key.type "rsa-2048") (eq @key.type "rsa-3072") (eq @key.type "rsa-4096"))}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also this file and line 62
@@ -29,6 +34,27 @@ | |||
</div> | |||
</div> | |||
{{/if}} | |||
{{#if (or (eq @key.type "rsa-2048") (eq @key.type "rsa-3072") (eq @key.type "rsa-4096"))}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
last one!
\o hey @marcellanz -- wanted to let you know 1.14 just GA'd, so we're happy to merge this to 1.15 branch when you get the updates in btw :-) No rush! |
Awesome! Thanks @cipherboy and @hellobontempo – "work work" has kicked in lately, but I will soon catch up here with UI feedback covering and then push a clean state. |
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
📄 Content ChecksUpdated: Thu, 02 Nov 2023 13:05:01 GMT Found 5 error(s)
|
Position | Description | Rule |
---|---|---|
11:9-11:55 |
Unexpected product-relative link: /docs/secrets/transit . Ensure that relative links are fully-qualified Developer paths: /{productSlug}/docs/secrets/transit |
ensure-valid-link-format |
73:14-73:71 |
Unexpected product-relative link: /docs/concepts/duration-format . Ensure that relative links are fully-qualified Developer paths: /{productSlug}/docs/concepts/duration-format |
ensure-valid-link-format |
196:29-196:89 |
Unexpected product-relative link: /docs/secret/transit . Ensure that relative links are fully-qualified Developer paths: /{productSlug}/docs/secret/transit |
ensure-valid-link-format |
394:48-394:105 |
Unexpected product-relative link: /docs/concepts/duration-format . Ensure that relative links are fully-qualified Developer paths: /{productSlug}/docs/concepts/duration-format |
ensure-valid-link-format |
586:119-586:171 |
Unexpected product-relative link: /docs/configuration/listener/tcp . Ensure that relative links are fully-qualified Developer paths: /{productSlug}/docs/configuration/listener/tcp |
ensure-valid-link-format |
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Docs LGTM, feel free to merge once ENG signs off.
No rush, but once the merge conflicts are resolved I'm happy to give it a final look-over from the UI perspective! |
Hey everyone, is this PR still alive? This feature would be very useful to decrypt data which was encrypted with plain openssl rsautl CLI, which by default use pkcs1v15 so it's not compatible with the current transit engine. If @marcellanz is busy atm, I would be pleased to update it and shave off the pending issues to let it roll forward :) |
Hi @dj-thd2 – alive, planned to continue soon. Let us solve merge conflicts and then seen how it fits. |
Hi there, just wanting to check on this and see how things are going. Thanks! |
Closing this PR out, thanks @marcellanz for all your work on this PR! Your work was incorporated within #25486 and will be available in the future 1.19 version of Vault. |
This PR implements the feature requested by issue: #16367 with support for the transit secrets engine to choose a RSA padding scheme by the
padding_scheme
parameter forencryption
,decryption
,datakey
andrewrap
.This PR includes UI support to choose the padding scheme for RSA keys.