
Setting "key-type=any" on PKI role is silently ignored #7329

Closed
Quuxplusone opened this issue Aug 16, 2019 · 1 comment

Comments

@Quuxplusone

Is your feature request related to a problem? Please describe.

Bug #4595 is related. In that issue, the user reports that writing key-type=any to a role didn't "take"; Vault would just silently ignore the request to set that field. This was fixed back in 2018. But in August 2019, I tried doing the same thing with Vault 1.2.0 (installed with brew install vault), and I observed exactly the same symptom!

$ vault --version
Vault v1.2.0
$ vault delete pki/roles/any-domain
Success! Data deleted (if it existed) at: pki/roles/any-domain
$ vault write pki/roles/any-domain allow_any_name=true key-type=any
Success! Data written to: pki/roles/any-domain
$ vault read pki/roles/any-domain | grep key
ext_key_usage                         []
ext_key_usage_oids                    []
key_bits                              2048
key_type                              rsa
key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]

After sleeping on the problem, I looked again and noticed that the API mostly uses underscores, not dashes. So I tried inputting key_type with an underscore instead of a dash, and lo and behold...

$ vault write pki/roles/any-domain allow_any_name=true key_type=any
Success! Data written to: pki/roles/any-domain
$ vault read pki/roles/any-domain | grep key
ext_key_usage                         []
ext_key_usage_oids                    []
key_bits                              2048
key_type                              any
key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]

Describe the solution you'd like

It would have been SUPER helpful if Vault would have given an error message when I tried to set a nonexistent property. Even better if it would suggest "Did you mean key_type instead of key-type?".

In the same vein, it would be super helpful if Vault would take a firm stance on whether the data did exist or not, instead of printing "Data deleted (if it existed)". Vault knows whether the data was deleted, right? It could just tell me...

Explain any additional use-cases

Turns out Vault doesn't error-check any of its input.

$ vault write pki/roles/any-domain xyzzy=plugh
Success! Data written to: pki/roles/any-domain

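Two checks a practitioner would want after reading this report, written here as an added Python example (not code from the issue or from Vault): a client-side parameter-name check with a "did you mean" suggestion, which is what the reporter asks the server for, and a write-then-read-back comparison that catches a silently dropped field even when the schema is unknown. The known-field set is an assumed subset built only from the names visible in the issue's `vault read` output, not Vault's full PKI role schema; the sample role data is constructed from the issue's transcript, with `allow_any_name` assumed to have applied because the `grep key` filter hid it.

```python
import difflib

# Assumed subset of PKI role field names, taken from the names visible in the
# issue's `vault read` output. This is NOT Vault's complete role schema.
KNOWN_ROLE_FIELDS = {
    "allow_any_name",
    "key_type",
    "key_bits",
    "key_usage",
    "ext_key_usage",
    "ext_key_usage_oids",
}


def check_unknown_params(params, known=KNOWN_ROLE_FIELDS):
    """Return {unknown_key: suggestion_or_None} for submitted keys not in the schema.

    Suggestions come from difflib over the known field names, so a dash/underscore
    slip such as key-type maps to key_type, while a junk key such as xyzzy gets None.
    """
    findings = {}
    for key in params:
        if key in known:
            continue
        matches = difflib.get_close_matches(key, sorted(known), n=1, cutoff=0.8)
        findings[key] = matches[0] if matches else None
    return findings


def verify_applied(requested, readback):
    """Compare the fields you asked to write with what the server reads back.

    Returns a list of (key, wanted, actual) triples for fields that did not take;
    an empty list means every requested field is now in effect. This needs no
    schema at all, so it also catches keys the server accepted but never stored.
    """
    missing = []
    for key, wanted in requested.items():
        actual = readback.get(key)
        if actual != wanted:
            missing.append((key, wanted, actual))
    return missing


# Constructed sample: the reporter's first write (key-type with a dash) and the
# role as read back afterwards. Values are copied from the issue's output;
# allow_any_name is assumed to have applied (the grep in the issue hid it).
REQUESTED_DASH = {"allow_any_name": "true", "key-type": "any"}
READBACK_AFTER_DASH = {
    "allow_any_name": "true",
    "ext_key_usage": [],
    "ext_key_usage_oids": [],
    "key_bits": 2048,
    "key_type": "rsa",
    "key_usage": ["DigitalSignature", "KeyAgreement", "KeyEncipherment"],
}


if __name__ == "__main__":
    # Pre-flight: would a schema-aware client have flagged the request?
    for key, hint in check_unknown_params(REQUESTED_DASH).items():
        suggestion = f"; did you mean {hint}?" if hint else ""
        print(f"unknown parameter {key!r}{suggestion}")

    # Post-flight: did every field we asked for actually land on the role?
    for key, wanted, actual in verify_applied(REQUESTED_DASH, READBACK_AFTER_DASH):
        print(f"field {key!r} did not take: wanted {wanted!r}, server has {actual!r}")
```

In a real workflow the `readback` dict would come from parsing `vault read -format=json pki/roles/<name>`; the point of `verify_applied` is that a role used for issuance should be asserted against after every write rather than trusted on the strength of a "Success!" line.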
@jefferai
Member

Closing the issue as key-type is not a valid key.

We've been thinking about whether to do parameter existence checking, not sure if we will do it yet or not though.
