
Exporting RSA public keys via transit/export/public-key/<key-name>/<version> causes nil dereference crash #23980

Closed
mark64 opened this issue Nov 2, 2023 · 1 comment · Fixed by #24054
Labels
bug Used to indicate a potential bug reproduced This issue has been reproduced by a Vault engineer secret/transit

Comments


mark64 commented Nov 2, 2023

Describe the bug
Vault server panics when attempting to export a specific public key version with RSA key types, but not EC keys.

To Reproduce

Set up a new Vault instance:

docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' -p 8200:8200 hashicorp/vault:1.15 server

vault operator init && \
vault operator unseal && \
vault operator unseal && \
vault operator unseal && \
vault login && \
vault secrets enable transit
$ cat test.sh
#!/bin/bash
HEADER="X-Vault-Token: <insert here>"
cat > test.json <<EOF
{
  "type": "rsa-3072",
  "auto_rotate_period": "1h"
}
EOF
curl --header "${HEADER}" --request POST --data @test.json http://localhost:8200/v1/transit/keys/test-key -vvv
curl --header "${HEADER}" http://localhost:8200/v1/transit/export/public-key/test-key/1 -vvv

$ ./test.sh

Results in:

2023-11-02T22:49:30.023Z [INFO]  http: panic serving 172.17.0.1:60694: runtime error: invalid memory address or nil pointer dereference
goroutine 1121 [running]:
net/http.(*conn).serve.func1()
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:1868 +0xb9
panic({0x841a720?, 0x10f1db90?})
	/opt/hostedtoolcache/go/1.21.3/x64/src/runtime/panic.go:920 +0x270
crypto/x509.marshalPublicKey({0x85c0640?, 0x0?})
	/opt/hostedtoolcache/go/1.21.3/x64/src/crypto/x509/x509.go:88 +0x3c5
crypto/x509.MarshalPKIXPublicKey({0x85c0640?, 0x0?})
	/opt/hostedtoolcache/go/1.21.3/x64/src/crypto/x509/x509.go:155 +0x78
github.com/hashicorp/vault/builtin/logical/transit.encodeRSAPublicKey(0xc003f79200?)
	/home/runner/work/vault/vault/builtin/logical/transit/path_export.go:300 +0x2b
github.com/hashicorp/vault/builtin/logical/transit.getExportKey(0x85ce6c0?, 0xc0045e7fe0, {0xc0043bad97, 0xa})
	/home/runner/work/vault/vault/builtin/logical/transit/path_export.go:244 +0x559
github.com/hashicorp/vault/builtin/logical/transit.(*backend).pathPolicyExportRead(0xc0040f2000, {0xb8c78d8, 0xc0043337a0}, 0xc00431a380, 0xffffffffffffffff?)
	/home/runner/work/vault/vault/builtin/logical/transit/path_export.go:145 +0xc25
github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0xc000443680, {0xb8c78d8, 0xc0043337a0}, 0xc00431a380)
	/home/runner/work/vault/vault/sdk/framework/backend.go:310 +0xa88
github.com/hashicorp/vault/builtin/plugin/v5.(*backend).HandleRequest(0xc003f79240, {0xb8c78d8, 0xc0043337a0}, 0xc00431a380)
	/home/runner/work/vault/vault/builtin/plugin/v5/backend.go:95 +0xc6
github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc002e8a060, {0xb8c78d8, 0xc0043337a0}, 0xc00431a380, 0x0)
	/home/runner/work/vault/vault/vault/router.go:784 +0x1686
github.com/hashicorp/vault/vault.(*Router).Route(...)
	/home/runner/work/vault/vault/vault/router.go:553
github.com/hashicorp/vault/vault.(*Core).doRouting(0xc003f78ac0?, {0xb8c78d8?, 0xc0043337a0?}, 0xc004320150?)
	/home/runner/work/vault/vault/vault/request_handling.go:922 +0x26
github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc002ec0000, {0xb8c78d8, 0xc0043337a0}, 0xc00431a380)
	/home/runner/work/vault/vault/vault/request_handling.go:1139 +0x11cd
github.com/hashicorp/vault/vault.(*Core).handleCancelableRequest(0xc002ec0000, {0xb8c78d8, 0xc0043b9d70}, 0xc00431a380)
	/home/runner/work/vault/vault/vault/request_handling.go:766 +0x15f3
github.com/hashicorp/vault/vault.(*Core).switchedLockHandleRequest(0xc002ec0000, {0xb8c78d8, 0xc0043b9350}, 0xc00431a380, 0x1)
	/home/runner/work/vault/vault/vault/request_handling.go:573 +0x59f
github.com/hashicorp/vault/vault.(*Core).HandleRequest(...)
	/home/runner/work/vault/vault/vault/request_handling.go:530
github.com/hashicorp/vault/http.request(0xc0043bad84?, {0xb8a9770, 0xc0043b9260}, 0xc0047f6400, 0xc00431a380)
	/home/runner/work/vault/vault/http/handler.go:934 +0x7f
github.com/hashicorp/vault/http.handler.handleLogical.handleLogicalInternal.func57({0xb8a9770, 0xc0043b9260}, 0xc0047f6400)
	/home/runner/work/vault/vault/http/logical.go:375 +0x16f
net/http.HandlerFunc.ServeHTTP(0xc002ec0000?, {0xb8a9770?, 0xc0043b9260?}, 0x9b92760?)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2136 +0x29
github.com/hashicorp/vault/http.handler.handleRequestForwarding.func36({0xb8a9770, 0xc0043b9260}, 0xc0047f6400)
	/home/runner/work/vault/vault/http/handler.go:859 +0x1e9
net/http.HandlerFunc.ServeHTTP(0xc0043ab508?, {0xb8a9770?, 0xc0043b9260?}, 0x60aea8?)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2136 +0x29
net/http.(*ServeMux).ServeHTTP(0xc003736f60?, {0xb8a9770, 0xc0043b9260}, 0xc0047f6400)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2514 +0x142
github.com/hashicorp/vault/http.handler.wrapHelpHandler.func48({0xb8a9770, 0xc0043b9260}, 0xc0047f6400)
	/home/runner/work/vault/vault/http/help.go:28 +0xfd
net/http.HandlerFunc.ServeHTTP(0x8eefd80?, {0xb8a9770?, 0xc0043b9260?}, 0x1cfaa25?)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2136 +0x29
github.com/hashicorp/vault/http.handler.wrapCORSHandler.func49({0xb8a9770, 0xc0043b9260}, 0xc0047f6400)
	/home/runner/work/vault/vault/http/cors.go:32 +0x389
net/http.HandlerFunc.ServeHTTP(0xc002ec0000?, {0xb8a9770?, 0xc0043b9260?}, 0xc003908ea0?)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2136 +0x29
github.com/hashicorp/vault/http.handler.rateLimitQuotaWrapping.func50({0xb8a9770, 0xc0043b9260}, 0xc0047f6400)
	/home/runner/work/vault/vault/http/util.go:128 +0xb8a
net/http.HandlerFunc.ServeHTTP(0xc14927be8155bfed?, {0xb8a9770?, 0xc0043b9260?}, 0xc004466ff0?)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2136 +0x29
github.com/hashicorp/vault/http.wrapGenericHandler.func1({0xb8a8338?, 0xc003f2f960}, 0xc0047f6100)
	/home/runner/work/vault/vault/http/handler.go:453 +0xdef
net/http.HandlerFunc.ServeHTTP(0xc0043bad84?, {0xb8a8338?, 0xc003f2f960?}, 0xc003724af8?)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2136 +0x29
github.com/hashicorp/vault/http.handler.PrintablePathCheckHandler.func51({0xb8a8338, 0xc003f2f960}, 0xc0047f6100)
	/home/runner/go/pkg/mod/github.com/hashicorp/[email protected]/handlers.go:42 +0x8f
net/http.HandlerFunc.ServeHTTP(0x10feb680?, {0xb8a8338?, 0xc003f2f960?}, 0xc003724b50?)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2136 +0x29
net/http.serverHandler.ServeHTTP({0xc0043b91a0?}, {0xb8a8338?, 0xc003f2f960?}, 0x6?)
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2938 +0x8e
net/http.(*conn).serve(0xc003953290, {0xb8c78d8, 0xc002ede840})
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:2009 +0x5f4
created by net/http.(*Server).Serve in goroutine 39
	/opt/hostedtoolcache/go/1.21.3/x64/src/net/http/server.go:3086 +0x5cb

Expected behavior
I should receive an export of the requested public key version.

This works for ed25519 and ecdsa key types, and if I do vault read transit/keys/<key name> I can see my RSA public keys. But I cannot export specific versions of RSA keys.

Environment:

  • Vault Server Version (retrieve with vault status): 1.14.5, 1.15.1
  • Vault CLI Version (retrieve with vault version): 1.15.0
  • Server Operating System/Architecture: Linux x86_64 docker image

Vault server configuration file(s):

{"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}
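The trace above ends in crypto/x509's marshalPublicKey with a `*rsa.PublicKey` argument whose pointer value is 0x0, i.e. a typed nil reaching `x509.MarshalPKIXPublicKey`, which then dereferences `pub.N`. The following added example (written for this page, not Vault's own code; the `keyVersion` type, its `RSAKey` field and the function names are assumptions) reproduces that failure mode on a constructed key version and puts the guarded form beside it, where a missing RSA key is returned as an error to the request handler instead of killing the serving goroutine. It also round-trips the export so a caller can confirm the exported version matches the key it asked for.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// keyVersion is a constructed stand-in for one version of a transit key;
// the type and field names are assumptions, not Vault's own structures.
type keyVersion struct {
	RSAKey *rsa.PrivateKey // nil when this version holds no RSA material
}

// ErrNoRSAKey is returned instead of panicking when a version has no RSA key.
var ErrNoRSAKey = errors.New("key version has no RSA public key")

func pemEncode(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// encodeRSAPublicKeyUnguarded reproduces the failure mode in the trace: a
// typed-nil *rsa.PublicKey is passed to x509.MarshalPKIXPublicKey, whose
// marshalPublicKey reads pub.N and dereferences nil.
func encodeRSAPublicKeyUnguarded(kv *keyVersion) (string, error) {
	var pub *rsa.PublicKey
	if kv.RSAKey != nil {
		pub = &kv.RSAKey.PublicKey
	}
	// pub is a non-nil interface holding a nil pointer, so no error comes
	// back; the call panics inside crypto/x509 instead.
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return pemEncode(der), nil
}

// encodeRSAPublicKey is the guarded form: a missing key becomes an ordinary
// error for the HTTP layer rather than a "panic serving" log line.
func encodeRSAPublicKey(kv *keyVersion) (string, error) {
	if kv == nil || kv.RSAKey == nil {
		return "", ErrNoRSAKey
	}
	der, err := x509.MarshalPKIXPublicKey(&kv.RSAKey.PublicKey)
	if err != nil {
		return "", err
	}
	return pemEncode(der), nil
}

// exportPanics reports whether the unguarded encoder panics for kv. The
// recover exists only so the crash can be observed; net/http's own recover
// is what produced the trace in the report.
func exportPanics(kv *keyVersion) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_, _ = encodeRSAPublicKeyUnguarded(kv)
	return false
}

// parsePEMPublicKey round-trips an export back into an *rsa.PublicKey.
func parsePEMPublicKey(s string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(s))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("not a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("exported key is not RSA")
	}
	return rsaPub, nil
}

// newRSAKeyVersion builds a constructed key version with fresh RSA material.
func newRSAKeyVersion() (*keyVersion, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &keyVersion{RSAKey: priv}, nil
}

func main() {
	empty := &keyVersion{} // a version with no RSA key, as the 0x0 argument in the trace implies
	fmt.Println("unguarded export panics:", exportPanics(empty))
	_, err := encodeRSAPublicKey(empty)
	fmt.Println("guarded export error:", err)
	kv, err := newRSAKeyVersion()
	if err != nil {
		panic(err)
	}
	out, err := encodeRSAPublicKey(kv)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

The nil check sits in the export path rather than relying on net/http's per-connection recover: the recover keeps the process alive, but every request that hits the path still fails with a 500 and a stack trace in the server log, which is the behaviour the report shows.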
stevendpclark (Contributor) commented

Hi @mark64, thanks for reporting the issue.

A fix has been merged into the 1.14 and 1.15 release branches, which will make it out in the next minor releases, tentatively 1.14.7 and 1.15.3.
