Allow configuring the possible salt lengths for RSA PSS signatures #16549
Conversation
There was a problem hiding this comment.
Thanks for the contribution @trishankatdatadog!
We've discussed it a bit internally and would like to move forward to get this improvement into Vault but would like a few modifications first.
I've made a few comments on the PR itself but the main change we would like is the ability for an end-user to specify a number of bytes on top of allowing the string values "auto" or "hash" within the new field. The new field would need some customized validation, substituting auto, hash for the PSS constants defined in go, or if the string is not blank, attempt to parse as a number and if successful, validate that it is >0 as well as replicate the same upper bounds validation as done in pss.go.
Some tests, documentation updates and a changelog entry would also be appreciated.
Please let me know if anything is unclear and once again thanks for taking the time to submit this improvement!
|
Thanks @stevendpclark! Happy to address these comments. However, I see another PR #16227 along the same lines which I haven't taken a deep look at yet from @monomosc. How should we go about this? |
Great, please let me know if anything is unclear.
That is unfortunate. At the time that I had started looking at your PR, they had yet to sign the CLA so their PR couldn't be used. I'll leave it up to you if you wish to work with them on this PR together or finish this one up yourself, but in my mind at this time, you have first dibs on the PR. |
Sounds good. Let me see whether I can use some of their work here. Of course, if I do end up using it, I will credit them accordingly. |
|
@stevendpclark is b1e3beb0671597c81a07d9e73130d5d8f151e159 better? |
@trishankatdatadog Yes thanks! I'm not sure if you are working up to this but remember that one of the big things we would like to see in this PR is for an end-user to specify a number of bytes on top of allowing the string values "auto" or "hash" within the new field. So with that said I wouldn't define a custom map/type for SaltLength at least within the SDK. I'd keep it as an int within your new |
My bad, I did recall reading it somewhere, but somehow missed finding the original comment. Let me look into this tonight. |
Hi, you are of course free to use code from my (older) PR for this subject if you want. #16549 High level, my PR added the I have also added some sanity unit-tests; I suggest copying them as well. Lastly there is an open question as to how to handle invalid salt lengths. Every RSA-Key-Size corresponds to a maximum legal salt length; exceeding it willr esult in a |
Thanks! I am writing something independently now, so let me finish it, and we'll compare and see 🙂 I think we are basically using the same approach. |
|
@stevendpclark @monomosc Generalised the salt length to an int, and have fairly comprehensive unit tests. Pls let me know what you think, thx. |
|
Your tests now do fail though; I (as a customer) would be happy with the solution though. |
There was a problem hiding this comment.
@trishankatdatadog thanks for the unit tests and changes to the SDK. I've added a few more comments, sorry if I wasn't clear previously, my comments were directed to the SDK api only not the end-user facing api.
Glad you like it. Let me address @stevendpclark's comments, and then I think we'll all be happy (well, after I also look at the failing tests, could be a red herring). |
- Found by @trishankatdatadog in PR #16549, we were masking errors coming out of the rsa verification calls as verfication errors and not returning when they were usage errors.
…16695) - Found by @trishankatdatadog in PR #16549, we were masking errors coming out of the rsa verification calls as verfication errors and not returning when they were usage errors.
trishankatdatadog
force-pushed
the
trishankatdatadog/rsassa-pss-salt-lengths
branch
2 times, most recently
from
bef8669 to
4ff3817
Compare
|
@stevendpclark ok, almost done: just want to add a unit test (if not already there) for being able to automatically verify RSA PSS signatures from previous versions of Vault (shouldn't be a problem, but still). |
|
@stevendpclark OK, I have added about every unit test I can think of for both the SDK and HTTP API. Of course, just like everyone else, I want to make sure we don't even accidentally break verification of signatures from previous versions of Vault, but I'm fairly certain that these unit tests already cover that case. Please advise. Thanks! |
There was a problem hiding this comment.
Sorry for a bit of delay, took some PTO time and been playing catch up. This looks absolutely great, wonderful work! I have one small nit about a test, see comment below.
Other then that all that is missing is a documentation update to the api docs (see https://github.com/hashicorp/vault/blob/main/website/content/api-docs/secret/transit.mdx) and a changelog entry (see https://github.com/hashicorp/vault/blob/main/CONTRIBUTING.md#changelog-entries)
trishankatdatadog
force-pushed
the
trishankatdatadog/rsassa-pss-salt-lengths
branch
from
1c7c4a0 to
6a250ee
Compare
|
@stevendpclark Done, PTAL, thanks! |
|
Hi @trishankatdatadog, this looks great! I have no additional comments. Would you be able to rebase this on top of the current main branch to pull in the fixes for the |
This reverts commit 8adfc15fe3303b8fdf9f094ea246945ab1364077.
also, add marshaling for both SDK and HTTP requests
trishankatdatadog
force-pushed
the
trishankatdatadog/rsassa-pss-salt-lengths
branch
from
2820548 to
0ec0679
Compare
No problem, and looks like it worked! Only Vercel left 🙂 |
|
Thanks for the contribution @trishankatdatadog and being so great with all the feedback, much appreciated! |
trishankatdatadog
deleted the
trishankatdatadog/rsassa-pss-salt-lengths
branch
Thank you for being so responsive and shepherding the process to help us fix the issue, much appreciated too 🙂 |
|
Oh, BTW: in which release could we expect this code? |
It will make it out into the next major release of Vault so 1.12... |
|
When is 1.12 expected to be released? |
Hi @ofek, rc1 for Vault 1.12.0 is out now if you would like to test this, binaries available at: https://releases.hashicorp.com/vault/1.12.0-rc1/ |
The Golang
crypto/rsapackage allows for using at least two possible salt lengths (autoandhashfor want better terminology) when creating/verifying RSA PSS signatures. However, these options are currently not exposed via the Vault Transit Secrets Engine. These options would allow for cross-platform signature verification without modifying downstream clients (e.g., the securesystemslib package, used by the python-tuf and python-in-toto supply chain security frameworks, which currently assumes a different salt length by default than Vault does).This fixes issue #7531.