Backport of Fix transit import/export of hmac-only keys into release/1.12.x #20900
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
cipherboy
force-pushed
the
backport/cipherboy-fix-transit-import-export-hmac-keys/supposedly-adjusted-mongoose
branch
from
829b679 to
f72226c
Compare
cipherboy
approved these changes
May 31, 2023
Removed byok test; this is unfortunate as it was the strongest exerciser of this, but sadly it doesn't exist in 1.13 and previous versions. Signed-off-by: Alexander Scheel <[email protected]>
cipherboy
force-pushed
the
backport/cipherboy-fix-transit-import-export-hmac-keys/supposedly-adjusted-mongoose
branch
from
f72226c to
70dc3f3
Compare
cipherboy
approved these changes
May 31, 2023
…ort-export-hmac-keys/supposedly-adjusted-mongoose
cipherboy
deleted the
backport/cipherboy-fix-transit-import-export-hmac-keys/supposedly-adjusted-mongoose
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #20864 to be assessed for backporting due to the inclusion of the label backport/1.12.x.
🚨
The person who merged in the original PR is:
@cipherboy
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.
The below text is copied from the body of the original PR.
Fundamentally the second commit is the important one: we need to ensure HMAC-only keys exposes the same interface as non-HMAC keys, that is, the HMAC key is in
.HMACKeyand the "real" key is in.Key-- but in our case, HMAC should be the same value across both in case anyone is using the field directly in applications.The first is more or less a duplicate, for backwards compatibility: we won't nuke the existing HMAC keys with different-HMACKey-field-values, so we'll want to export the real one under
export/hmac-keys/.... For anyone who inadvertently used the wrong HMAC key, they can use a plaintext backup (and/orsys/raw) to import the separate, incorrect versions as proper versions into this key.Related: #20804
Jira: VAULT-16702
Overview of commits