diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 7fc39fa3c491..e72b608517f5 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -2580,24 +2580,6 @@ func TestBackend_Permitted_DNS_Domains(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, err = client.Logical().Write("root/roles/example", map[string]interface{}{
-		"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
-		"allow_bare_domains": true,
-		"allow_subdomains": true,
-		"max_ttl": "2h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = client.Logical().Write("int/roles/example", map[string]interface{}{
-		"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
-		"allow_subdomains": true,
-		"allow_bare_domains": true,
-		"max_ttl": "2h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
 
 	// Direct issuing from root
 	_, err = client.Logical().Write("root/root/generate/internal", map[string]interface{}{
@@ -2625,6 +2607,33 @@ func TestBackend_Permitted_DNS_Domains(t *testing.T) {
 			argMap[currString] = arg
 		}
 	}
+	// We do this to ensure writing a key type of any is invalid when
+	// issuing and valid when signing
+	_, err = client.Logical().Write(path+"roles/example", map[string]interface{}{
+		"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
+		"allow_subdomains": true,
+		"allow_bare_domains": true,
+		"max_ttl": "2h",
+		"key_type": "any",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = client.Logical().Write(path+"issue/example", argMap)
+	if err == nil {
+		t.Fatal("expected err from key_type any")
+	}
+	// Now put it back
+	_, err = client.Logical().Write(path+"roles/example", map[string]interface{}{
+		"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
+		"allow_subdomains": true,
+		"allow_bare_domains": true,
+		"max_ttl": "2h",
+		"key_type": "rsa",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
 	_, err = client.Logical().Write(path+"issue/example", argMap)
 	switch {
 	case valid && err != nil:
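Review bot: The negative check after the `key_type: any` role write, `if err == nil { t.Fatal("expected err from key_type any") }`, accepts any error from `path+"issue/example"`, so a failure for an unrelated reason (a bad argMap, a role write that did not take effect) would also satisfy it. Pin the cause by matching the message the issue handler emits, e.g. `if err == nil || !strings.Contains(err.Error(), "not allowed for issuing") { t.Fatalf("expected key_type any rejection, got %v", err) }` (assuming strings is imported in this test file). The leading comment also claims the block ensures the role is "valid when signing", but no `sign/` request with the `any` role appears in this hunk; unless the rest of the function does that, the comment overstates what is covered and should be trimmed to the issue half. TestBackend_Permitted_DNS_Domains starts and ends outside the hunk.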
diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index bf9bee159831..55fc52b90014 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -153,6 +153,7 @@ func validateKeyTypeLength(keyType string, keyBits int) *logical.Response {
 			return logical.ErrorResponse(fmt.Sprintf(
 				"unsupported bit length for EC key: %d", keyBits))
 		}
+	case "any":
 	default:
 		return logical.ErrorResponse(fmt.Sprintf(
 			"unknown key type %s", keyType))
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index 654dcc496530..8b5e544d2f36 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -88,7 +88,11 @@ func (b *backend) pathIssue(ctx context.Context, req *logical.Request, data *fra
 		return nil, err
 	}
 	if role == nil {
-		return logical.ErrorResponse(fmt.Sprintf("Unknown role: %s", roleName)), nil
+		return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
+	}
+
+	if role.KeyType == "any" {
+		return logical.ErrorResponse("role key type \"any\" not allowed for issuing certificates, only signing"), nil
 	}
 
 	return b.pathIssueSignCert(ctx, req, data, role, false, false)
@@ -105,7 +109,7 @@ func (b *backend) pathSign(ctx context.Context, req *logical.Request, data *fram
 		return nil, err
 	}
 	if role == nil {
-		return logical.ErrorResponse(fmt.Sprintf("Unknown role: %s", roleName)), nil
+		return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
 	}
 
 	return b.pathIssueSignCert(ctx, req, data, role, true, false)
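Review bot: The empty `case "any":` in validateKeyTypeLength makes a role with `key_type=any` skip every size check in this switch, including the EC bit-length rejection visible just above it, so whatever minimum key sizes the earlier cases enforce no longer apply to such a role. That is presumably intended for signing, where the key comes from the CSR rather than from the role, but nothing in this hunk or in the sign path of this diff constrains the CSR's key type or size, so a weak CSR key (e.g. short RSA) would be signed under an `any` role unless pathIssueSignCert checks it elsewhere; worth confirming and documenting. The bare case also reads like an accidental no-op; add `// "any" places no constraint on the key: it is only valid for signing (pathIssue rejects it), where the key comes from the CSR` above it. validateKeyTypeLength starts and ends outside the hunk.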
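Review bot: The new `role.KeyType == "any"` rejection sits in pathIssue only, ahead of the shared `b.pathIssueSignCert(ctx, req, data, role, false, false)` call, so any other caller that reaches pathIssueSignCert in the same generate-a-key mode would not get this guard. The fifth argument is the only thing that differs between pathIssue (`false`) and pathSign (`true`) in this diff and appears to be the issue-vs-sign switch; if so, the check belongs inside pathIssueSignCert keyed on that flag, e.g. `if !useCSR && role.KeyType == "any" { return logical.ErrorResponse(...), nil }` (using whatever the parameter is actually named), so every entry point is covered. The exact-string comparison is fine only if key_type is normalized when the role is stored; validateKeyTypeLength compares exact lowercase strings, so a mixed-case value would presumably already be rejected at role write, but confirm that and add a one-line comment saying the match relies on it. pathIssue starts outside the hunk.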