From 333bd83a3f11fada18c5d0066a2d91edde79ec2b Mon Sep 17 00:00:00 2001
From: Jeremy Voorhis <jvoorhis@users.noreply.github.com>
Date: Wed, 11 Oct 2017 08:48:51 -0700
Subject: [PATCH] Implement signing of pre-hashed data (#3448)

Transit backend sign and verify endpoints now support algorithm=none
---
 builtin/logical/transit/path_sign_verify.go      | 6 ++++--
 builtin/logical/transit/path_sign_verify_test.go | 4 ++++
 website/source/api/secret/transit/index.html.md  | 2 ++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/builtin/logical/transit/path_sign_verify.go b/builtin/logical/transit/path_sign_verify.go
index 549ae05cdbf8..074f7ff22236 100644
--- a/builtin/logical/transit/path_sign_verify.go
+++ b/builtin/logical/transit/path_sign_verify.go
@@ -37,6 +37,7 @@ derivation is enabled; currently only available with ed25519 keys.`,
 				Default: "sha2-256",
 				Description: `Hash algorithm to use (POST body parameter). Valid values are:
 
+* none
 * sha2-224
 * sha2-256
 * sha2-384
@@ -108,6 +109,7 @@ derivation is enabled; currently only available with ed25519 keys.`,
 				Default: "sha2-256",
 				Description: `Hash algorithm to use (POST body parameter). Valid values are:
 
+* none
 * sha2-224
 * sha2-256
 * sha2-384
@@ -166,7 +168,7 @@ func (b *backend) pathSignWrite(
 		}
 	}
 
-	if p.Type.HashSignatureInput() {
+	if p.Type.HashSignatureInput() && algorithm != "none" {
 		var hf hash.Hash
 		switch algorithm {
 		case "sha2-224":
@@ -259,7 +261,7 @@ func (b *backend) pathVerifyWrite(
 		}
 	}
 
-	if p.Type.HashSignatureInput() {
+	if p.Type.HashSignatureInput() && algorithm != "none" {
 		var hf hash.Hash
 		switch algorithm {
 		case "sha2-224":
diff --git a/builtin/logical/transit/path_sign_verify_test.go b/builtin/logical/transit/path_sign_verify_test.go
index 4abdad62a4cf..1ab994f1da3c 100644
--- a/builtin/logical/transit/path_sign_verify_test.go
+++ b/builtin/logical/transit/path_sign_verify_test.go
@@ -164,6 +164,10 @@ func TestTransit_SignVerify_P256(t *testing.T) {
 	sig = signRequest(req, false, "")
 	verifyRequest(req, false, "", sig)
 
+	req.Data["algorithm"] = "none"
+	sig = signRequest(req, false, "")
+	verifyRequest(req, false, "", sig)
+
 	// Test 512 and save sig for later to ensure we can't validate once min
 	// decryption version is set
 	req.Data["algorithm"] = "sha2-512"
diff --git a/website/source/api/secret/transit/index.html.md b/website/source/api/secret/transit/index.html.md
index 9437b01fe4ed..5520b2493fa1 100644
--- a/website/source/api/secret/transit/index.html.md
+++ b/website/source/api/secret/transit/index.html.md
@@ -779,6 +779,7 @@ supports signing.
   own hash algorithm). This can also be specified as part of the URL.
   Currently-supported algorithms are:
 
+    - `none`
     - `sha2-224`
     - `sha2-256`
     - `sha2-384`
@@ -831,6 +832,7 @@ data.
 - `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
   can also be specified as part of the URL. Currently-supported algorithms are:
 
+    - `none`
     - `sha2-224`
     - `sha2-256`
     - `sha2-384`