From 3cc333b64927221d65930e946e73b115d0308d1e Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 21 Oct 2024 14:06:49 -0500 Subject: [PATCH 01/28] Use DRBG based RSA key generation everywhere --- builtin/credential/cert/backend_test.go | 6 +- builtin/logical/database/credentials.go | 4 +- builtin/logical/database/credentials_test.go | 5 +- builtin/logical/pki/backend_test.go | 21 +++---- builtin/logical/pki/ca_test.go | 4 +- builtin/logical/pki/ca_util.go | 4 +- builtin/logical/pki/ca_util_test.go | 4 +- builtin/logical/pki/integration_test.go | 10 ++-- builtin/logical/pki/issuing/sign_cert.go | 6 +- builtin/logical/pki/path_acme_test.go | 22 ++++---- builtin/logical/pki/path_config_acme_test.go | 4 +- builtin/logical/pki/path_revoke.go | 2 +- builtin/logical/pki/path_root.go | 2 +- builtin/logical/pki/path_tidy_test.go | 6 +- builtin/logical/pki/test_helpers.go | 4 +- .../logical/pkiext/pkiext_binary/acme_test.go | 6 +- builtin/logical/ssh/path_config_ca.go | 4 +- builtin/logical/ssh/path_issue_sign.go | 2 +- builtin/logical/ssh/util.go | 4 +- .../logical/transit/path_certificates_test.go | 4 +- builtin/logical/transit/path_export_test.go | 3 +- builtin/logical/transit/path_import_test.go | 18 +++--- .../logical/transit/path_wrapping_key_test.go | 3 +- command/transit_import_key_test.go | 6 +- go.mod | 6 +- go.sum | 2 + helper/pkcs7/decrypt.go | 2 +- helper/pkcs7/encrypt.go | 2 +- helper/pkcs7/pkcs7_test.go | 49 ++++++++-------- .../testhelpers/certhelpers/cert_helpers.go | 9 +-- plugins/database/mongodb/cert_helpers_test.go | 9 +-- sdk/go.mod | 6 +- sdk/go.sum | 2 + sdk/helper/certutil/certutil_test.go | 12 ++-- sdk/helper/certutil/helpers.go | 23 ++++---- sdk/helper/certutil/types.go | 10 ++-- sdk/helper/certutil/types_test.go | 5 +- sdk/helper/keysutil/policy.go | 56 ++++++++++--------- sdk/helper/keysutil/policy_test.go | 20 +++---- sdk/helper/keysutil/util.go | 4 +- vault/identity_store_oidc.go | 4 +- 41 files changed, 195 insertions(+), 180 deletions(-) diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index e4affa3b5296..23412ef9b6dc 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -32,6 +31,7 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" @@ -658,7 +658,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.IPAddresses = []net.IP{parsedIP} // Private key for CA cert - caPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048) + caPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -726,7 +726,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.SerialNumber = big.NewInt(5678) template.KeyUsage = x509.KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign) - issuedPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048) + issuedPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 790dde05a35b..9208e836a3a9 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -6,7 +6,6 @@ package database import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -15,6 +14,7 @@ import ( "strings" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/random" "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/helper/certutil" @@ -133,7 +133,7 @@ func (kg *rsaKeyGenerator) generate(r io.Reader) ([]byte, []byte, error) { return nil, nil, fmt.Errorf("invalid key_bits: %v", kg.KeyBits) } - key, err := rsa.GenerateKey(reader, keyBits) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(reader, keyBits) if err != nil { return nil, nil, err } diff --git a/builtin/logical/database/credentials_test.go b/builtin/logical/database/credentials_test.go index 7f2c4eb3dbb0..7284ab48e03b 100644 --- a/builtin/logical/database/credentials_test.go +++ b/builtin/logical/database/credentials_test.go @@ -6,7 +6,6 @@ package database import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "testing" @@ -696,7 +695,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { pub, err := x509.ParsePKIXPublicKey(pubBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, pub) - assert.IsType(t, &rsa.PublicKey{}, pub) + assert.IsType(t, &rsa2.PublicKey{}, pub) // Assert that we can parse the private key PEM block in // the configured format @@ -705,7 +704,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { priv, err := x509.ParsePKCS8PrivateKey(privBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, priv) - assert.IsType(t, &rsa.PrivateKey{}, priv) + assert.IsType(t, &rsa2.PrivateKey{}, priv) default: t.Fatal("unknown format") } diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 9292892144cd..a2655b239047 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -12,7 +12,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" @@ -38,6 +38,7 @@ import ( "github.com/armon/go-metrics" "github.com/fatih/structs" "github.com/go-test/deep" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/vault/api" auth "github.com/hashicorp/vault/api/auth/userpass" @@ -409,7 +410,7 @@ func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUs case "rsa": parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey parsedCertBundle.PrivateKey = key - parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) + parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa2.PrivateKey)) case "ec": parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey parsedCertBundle.PrivateKey = key @@ -510,14 +511,14 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s }, } - priv1024, _ := rsa.GenerateKey(rand.Reader, 1024) + priv1024, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 1024) csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024) csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csr1024, }))) - priv2048, _ := rsa.GenerateKey(rand.Reader, 2048) + priv2048, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048) csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", @@ -699,7 +700,7 @@ func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType str var err error switch keyType { case "rsa": - priv, err = rsa.GenerateKey(rand.Reader, keyBits) + priv, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) case "ec": switch keyBits { case 224: @@ -1180,7 +1181,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep { case "rsa": privKey, ok = generatedRSAKeys[keyBits] if !ok { - privKey, _ = rsa.GenerateKey(rand.Reader, keyBits) + privKey, _ = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) generatedRSAKeys[keyBits] = privKey } @@ -2164,7 +2165,7 @@ func runTestSignVerbatim(t *testing.T, keyType string) { } // create a CSR and key - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2735,7 +2736,7 @@ func TestBackend_SignSelfIssued(t *testing.T) { t.Fatal(err) } - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2879,7 +2880,7 @@ func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) { t.Fatal(err) } - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -3834,7 +3835,7 @@ func setCerts() { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := rsa.GenerateKey(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index 4517604f8a0d..745b1282a8cc 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -9,7 +9,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/json" @@ -21,6 +20,7 @@ import ( "time" "github.com/go-test/deep" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" @@ -98,7 +98,7 @@ func TestBackend_CA_Steps(t *testing.T) { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := rsa.GenerateKey(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_util.go b/builtin/logical/pki/ca_util.go index 2d2478ab8e46..bb2071d8072c 100644 --- a/builtin/logical/pki/ca_util.go +++ b/builtin/logical/pki/ca_util.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/ecdsa" - "crypto/rsa" + rsa2 "crypto/rsa" "errors" "fmt" "io" @@ -229,7 +229,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr var keyBits int switch pubKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: keyType = certutil.RSAPrivateKey keyBits = certutil.GetPublicKeySize(pubKey) case *ecdsa.PublicKey: diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index d4ef64e68fe1..07c56f2dfdf9 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -9,14 +9,14 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/certutil" ) func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) { - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go index 1c3da7fa3a1b..b1d152d219d1 100644 --- a/builtin/logical/pki/integration_test.go +++ b/builtin/logical/pki/integration_test.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -331,11 +331,11 @@ func TestIntegration_CSRGeneration(t *testing.T) { expectedPublicKeyType crypto.PublicKey expectedSignature x509.SignatureAlgorithm }{ - {"rsa", false, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSA}, - {"rsa", false, 2048, 384, &rsa.PublicKey{}, x509.SHA384WithRSA}, + {"rsa", false, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSA}, + {"rsa", false, 2048, 384, &rsa2.PublicKey{}, x509.SHA384WithRSA}, // Add back once https://github.com/golang/go/issues/45990 is fixed. - // {"rsa", true, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSAPSS}, - // {"rsa", true, 2048, 512, &rsa.PublicKey{}, x509.SHA512WithRSAPSS}, + // {"rsa", true, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSAPSS}, + // {"rsa", true, 2048, 512, &rsa2.PublicKey{}, x509.SHA512WithRSAPSS}, {"ec", false, 224, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 256, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 384, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA384}, diff --git a/builtin/logical/pki/issuing/sign_cert.go b/builtin/logical/pki/issuing/sign_cert.go index c6548f69521e..63633286aaf3 100644 --- a/builtin/logical/pki/issuing/sign_cert.go +++ b/builtin/logical/pki/issuing/sign_cert.go @@ -6,7 +6,7 @@ package issuing import ( "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "fmt" @@ -139,7 +139,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi return nil, nil, errutil.UserError{Err: fmt.Sprintf("role requires keys of type %s", role.KeyType)} } - pubKey, ok := csr.PublicKey.(*rsa.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } @@ -180,7 +180,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi // validate minimums and SignatureBits below. switch csr.PublicKeyAlgorithm { case x509.RSA: - pubKey, ok := csr.PublicKey.(*rsa.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index c1c751f69d8e..c739a9dd73c8 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" @@ -26,6 +25,7 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki/dnstest" "github.com/hashicorp/vault/helper/constants" @@ -60,7 +60,7 @@ func TestAcmeBasicWorkflow(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -592,7 +592,7 @@ func TestAcmeAccountsCrossingDirectoryPath(t *testing.T) { defer cluster.Cleanup() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -628,7 +628,7 @@ func TestAcmeEabCrossingDirectoryPath(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -759,7 +759,7 @@ func TestAcmeTruncatesToIssuerExpiry(t *testing.T) { require.NoError(t, err, "failed updating issuer name") baseAcmeURL := "/v1/pki/issuer/short-ca/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -831,7 +831,7 @@ func TestAcmeRoleExtKeyUsage(t *testing.T) { _, err := client.Logical().Write("pki/roles/"+roleName, roleOpt) baseAcmeURL := "/v1/pki/roles/" + roleName + "/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") require.NoError(t, err, "failed creating role test-role") @@ -1100,7 +1100,7 @@ func TestAcmeWithCsrIncludingBasicConstraintExtension(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1432,7 +1432,7 @@ func TestAcmeValidationError(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1540,7 +1540,7 @@ func TestAcmeRevocationAcrossAccounts(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey1, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient1 := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey1) @@ -1639,7 +1639,7 @@ func TestAcmeMaxTTL(t *testing.T) { require.NoError(t, err, "error configuring acme") // First Create Our Client - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) @@ -1867,7 +1867,7 @@ func TestACMEClientRequestLimits(t *testing.T) { for _, tc := range cases { // First Create Our Client - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index 47ba1f817dec..c02d2f537f1a 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -6,10 +6,10 @@ package pki import ( "context" "crypto/rand" - "crypto/rsa" "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/constants" "github.com/stretchr/testify/require" ) @@ -117,7 +117,7 @@ func TestAcmeConfig(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go index f6c35e67f732..e28e207c8246 100644 --- a/builtin/logical/pki/path_revoke.go +++ b/builtin/logical/pki/path_revoke.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa "crypto/rsa" "crypto/subtle" "crypto/x509" "encoding/pem" diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go index 625bcb2946e3..d9c2c5ae0601 100644 --- a/builtin/logical/pki/path_root.go +++ b/builtin/logical/pki/path_root.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index f32bc880a59e..f64443a2ddc3 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/json" @@ -20,6 +19,7 @@ import ( "time" "github.com/armon/go-metrics" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" @@ -916,7 +916,7 @@ func TestTidyAcmeWithBackdate(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1073,7 +1073,7 @@ func TestTidyAcmeWithSafetyBuffer(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/test_helpers.go b/builtin/logical/pki/test_helpers.go index 2806a5dcafd2..cc79999bde01 100644 --- a/builtin/logical/pki/test_helpers.go +++ b/builtin/logical/pki/test_helpers.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -117,7 +117,7 @@ func requireMatchingPublicKeys(t *testing.T, cert *x509.Certificate, key crypto. require.True(t, areEqual, "public keys mismatched: got: %v, expected: %v", certPubKey, key) } -func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa.PrivateKey) (string, *x509.Certificate) { +func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa2.PrivateKey) (string, *x509.Certificate) { t.Helper() selfSigned, err := x509.CreateCertificate(rand.Reader, subject, issuer, key.Public(), key) if err != nil { diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index f4a7be0c1d83..6477812bd1d3 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -25,6 +24,7 @@ import ( "time" "github.com/hashicorp/go-hclog" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/builtin/logical/pkiext" "github.com/hashicorp/vault/helper/testhelpers" @@ -704,7 +704,7 @@ func doAcmeValidationWithGoLibrary(t *testing.T, directoryUrl string, acmeOrderI } httpClient := &http.Client{Transport: tr} - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") logger.Trace("Using the following url for the ACME directory", "url", directoryUrl) acmeClient := &acme.Client{ @@ -957,7 +957,7 @@ func SubtestACMEStepDownNode(t *testing.T, cluster *VaultPkiCluster) { DNSNames: []string{hostname, hostname}, } - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") acmeClient := &acme.Client{ diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 6d003c0ae5c0..66a9a4a7956e 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "errors" @@ -18,6 +17,7 @@ import ( "io" multierror "github.com/hashicorp/go-multierror" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/logical" "github.com/mikesmitty/edkey" @@ -326,7 +326,7 @@ func generateSSHKeyPair(randomSource io.Reader, keyType string, keyBits int) (st return "", "", fmt.Errorf("refusing to generate weak %v key: %v bits < 2048 bits", keyType, keyBits) } - privateSeed, err := rsa.GenerateKey(randomSource, keyBits) + privateSeed, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(randomSource, keyBits) if err != nil { return "", "", err } diff --git a/builtin/logical/ssh/path_issue_sign.go b/builtin/logical/ssh/path_issue_sign.go index 60c6d44f7ace..630bee13e47b 100644 --- a/builtin/logical/ssh/path_issue_sign.go +++ b/builtin/logical/ssh/path_issue_sign.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/ed25519" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/sha256" "errors" "fmt" diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index 89980ada0132..2a94741a82c9 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -6,7 +6,6 @@ package ssh import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" @@ -14,6 +13,7 @@ import ( "net" "strings" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/parseutil" "github.com/hashicorp/vault/sdk/logical" "golang.org/x/crypto/ssh" @@ -22,7 +22,7 @@ import ( // Creates a new RSA key pair with the given key length. The private key will be // of pem format and the public key will be of OpenSSH format. func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) { - privateKey, err := rsa.GenerateKey(rand.Reader, keyBits) + privateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) if err != nil { return "", "", fmt.Errorf("error generating RSA key-pair: %w", err) } diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index 9a6305e7a048..e77bac73a7b0 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -6,7 +6,6 @@ package transit import ( "context" cryptoRand "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -14,6 +13,7 @@ import ( "strings" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" vaulthttp "github.com/hashicorp/vault/http" @@ -167,7 +167,7 @@ func testTransit_ImportCertChain(t *testing.T, apiClient *api.Client, keyType st require.NoError(t, err) // Setup a new CSR - privKey, err := rsa.GenerateKey(cryptoRand.Reader, 3072) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(cryptoRand.Reader, 3072) require.NoError(t, err) var csrTemplate x509.CertificateRequest diff --git a/builtin/logical/transit/path_export_test.go b/builtin/logical/transit/path_export_test.go index b91ef47fb420..8a963c15c7f7 100644 --- a/builtin/logical/transit/path_export_test.go +++ b/builtin/logical/transit/path_export_test.go @@ -6,7 +6,6 @@ package transit import ( "context" cryptoRand "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -601,7 +600,7 @@ func testTransit_exportCertificateChain(t *testing.T, apiClient *api.Client, key pubWrappingKey, err := x509.ParsePKIXPublicKey(wrappingKeyPemBlock.Bytes) require.NoError(t, err, "failed to parse wrapping key") - blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa.PublicKey), privKeyBytes, "SHA256") + blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa2.PublicKey), privKeyBytes, "SHA256") // Import key _, err = apiClient.Logical().Write(fmt.Sprintf("/transit/keys/%s/import", keyName), map[string]interface{}{ diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index d26f5ff95f64..5c4fa9861b15 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" @@ -19,6 +18,7 @@ import ( "sync" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" uuid "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/sdk/logical" "github.com/tink-crypto/tink-go/v2/kwp/subtle" @@ -162,7 +162,7 @@ func TestTransit_Import(t *testing.T) { t.Run( "import into a key fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := rsa.GenerateKey(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -502,7 +502,7 @@ func TestTransit_ImportVersion(t *testing.T) { t.Run( "import into a key version fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := rsa.GenerateKey(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -948,7 +948,7 @@ func TestTransit_ImportVersionWithPublicKeys(t *testing.T) { ) } -func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { +func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa2.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { t.Helper() // Format target key for wrapping @@ -971,7 +971,7 @@ func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa.PublicKey, targetKey return wrapTargetPKCS8ForImport(t, wrappingKey, preppedTargetKey, hashFnName) } -func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hashFnName string) string { +func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hashFnName string) string { t.Helper() // Generate an ephemeral AES-256 key @@ -1027,11 +1027,11 @@ func generateKey(keyType string) (interface{}, error) { case "ecdsa-p521": return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) case "rsa-2048": - return rsa.GenerateKey(rand.Reader, 2048) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) case "rsa-3072": - return rsa.GenerateKey(rand.Reader, 3072) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) case "rsa-4096": - return rsa.GenerateKey(rand.Reader, 4096) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) default: return nil, fmt.Errorf("failed to generate unsupported key type: %s", keyType) } @@ -1042,7 +1042,7 @@ func getPublicKey(privateKey crypto.PrivateKey, keyType string) ([]byte, error) var publicKeyBytes []byte switch keyType { case "rsa-2048", "rsa-3072", "rsa-4096": - publicKey = privateKey.(*rsa.PrivateKey).Public() + publicKey = privateKey.(*rsa2.PrivateKey).Public() case "ecdsa-p256", "ecdsa-p384", "ecdsa-p521": publicKey = privateKey.(*ecdsa.PrivateKey).Public() case "ed25519": diff --git a/builtin/logical/transit/path_wrapping_key_test.go b/builtin/logical/transit/path_wrapping_key_test.go index 9ed58e45c284..37328ed0bed1 100644 --- a/builtin/logical/transit/path_wrapping_key_test.go +++ b/builtin/logical/transit/path_wrapping_key_test.go @@ -5,7 +5,6 @@ package transit import ( "context" - "crypto/rsa" "crypto/x509" "encoding/pem" "testing" @@ -51,7 +50,7 @@ func TestTransit_WrappingKey(t *testing.T) { if err != nil { t.Fatalf("failed to parse public wrapping key: %s", err) } - wrappingKey, ok := rawPubKey.(*rsa.PublicKey) + wrappingKey, ok := rawPubKey.(*rsa2.PublicKey) if !ok || wrappingKey.Size() != 512 { t.Fatal("public wrapping key is not a 4096-bit RSA key") } diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 847ab59ff78f..2b030e083877 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -7,12 +7,12 @@ import ( "bytes" "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/stretchr/testify/require" ) @@ -171,7 +171,7 @@ func execTransitImport(t *testing.T, client *api.Client, method string, path str func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) { t.Helper() - priv1, err := rsa.GenerateKey(rand.Reader, 2048) + priv1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NotNil(t, priv1, "failed generating RSA 1 key") require.NoError(t, err, "failed generating RSA 1 key") @@ -179,7 +179,7 @@ func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 require.NotNil(t, rsa1, "failed marshaling RSA 1 key") require.NoError(t, err, "failed marshaling RSA 1 key") - priv2, err := rsa.GenerateKey(rand.Reader, 2048) + priv2, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NotNil(t, priv2, "failed generating RSA 2 key") require.NoError(t, err, "failed generating RSA 2 key") diff --git a/go.mod b/go.mod index 73b9dd9dc8f2..d3e83ba0b379 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ module github.com/hashicorp/vault // semantic related to Go module handling), this comment should be updated to explain that. // // Whenever this value gets updated, sdk/go.mod should be updated to the same value. -go 1.22.5 +go 1.23.0 replace github.com/hashicorp/vault/api => ./api @@ -22,6 +22,8 @@ replace github.com/hashicorp/vault/api/auth/userpass => ./api/auth/userpass replace github.com/hashicorp/vault/sdk => ./sdk +replace github.com/hashicorp/go-secure-stdlib/cryptoutil => ../go-secure-stdlib/cryptoutil + require ( cloud.google.com/go/cloudsqlconn v1.4.3 cloud.google.com/go/monitoring v1.21.0 @@ -235,7 +237,9 @@ require ( github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-viper/mapstructure/v2 v2.1.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect + github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/sys/userns v0.1.0 // indirect diff --git a/go.sum b/go.sum index 63222a153e7c..36866e0e69b6 100644 --- a/go.sum +++ b/go.sum @@ -1406,6 +1406,8 @@ github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39 github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 h1:kBoJV4Xl5FLtBfnBjDvBxeNSy2IRITSGs73HQsFUEjY= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6/go.mod h1:y+HSOcOGB48PkUxNyLAiCiY6rEENu+E+Ss4LG8QHwf4= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= diff --git a/helper/pkcs7/decrypt.go b/helper/pkcs7/decrypt.go index acedb1ec92af..a34bb5a65748 100644 --- a/helper/pkcs7/decrypt.go +++ b/helper/pkcs7/decrypt.go @@ -7,7 +7,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "encoding/asn1" "errors" diff --git a/helper/pkcs7/encrypt.go b/helper/pkcs7/encrypt.go index 90da67e4eed2..dfe8bc0a492c 100644 --- a/helper/pkcs7/encrypt.go +++ b/helper/pkcs7/encrypt.go @@ -6,7 +6,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" diff --git a/helper/pkcs7/pkcs7_test.go b/helper/pkcs7/pkcs7_test.go index 7753c174b200..21f4616d3bf1 100644 --- a/helper/pkcs7/pkcs7_test.go +++ b/helper/pkcs7/pkcs7_test.go @@ -6,7 +6,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -17,11 +16,11 @@ import ( "time" ) -var test1024Key, test2048Key, test3072Key, test4096Key *rsa.PrivateKey +var test1024Key, test2048Key, test3072Key, test4096Key *rsa2.PrivateKey func init() { - test1024Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test1024Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("123024078101403810516614073341068864574068590522569345017786163424062310013967742924377390210586226651760719671658568413826602264886073432535341149584680111145880576802262550990305759285883150470245429547886689754596541046564560506544976611114898883158121012232676781340602508151730773214407220733898059285561"), E: 65537, }, @@ -32,8 +31,8 @@ func init() { }, } test1024Key.Precompute() - test2048Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test2048Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("14314132931241006650998084889274020608918049032671858325988396851334124245188214251956198731333464217832226406088020736932173064754214329009979944037640912127943488972644697423190955557435910767690712778463524983667852819010259499695177313115447116110358524558307947613422897787329221478860907963827160223559690523660574329011927531289655711860504630573766609239332569210831325633840174683944553667352219670930408593321661375473885147973879086994006440025257225431977751512374815915392249179976902953721486040787792801849818254465486633791826766873076617116727073077821584676715609985777563958286637185868165868520557"), E: 3, }, @@ -44,8 +43,8 @@ func init() { }, } test2048Key.Precompute() - test3072Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test3072Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("4799422180968749215324244710281712119910779465109490663934897082847293004098645365195947978124390029272750644394844443980065532911010718425428791498896288210928474905407341584968381379157418577471272697781778686372450913810019702928839200328075568223462554606149618941566459398862673532997592879359280754226882565483298027678735544377401276021471356093819491755877827249763065753555051973844057308627201762456191918852016986546071426986328720794061622370410645440235373576002278045257207695462423797272017386006110722769072206022723167102083033531426777518054025826800254337147514768377949097720074878744769255210076910190151785807232805749219196645305822228090875616900385866236956058984170647782567907618713309775105943700661530312800231153745705977436176908325539234432407050398510090070342851489496464612052853185583222422124535243967989533830816012180864309784486694786581956050902756173889941244024888811572094961378021"), E: 65537, }, @@ -56,8 +55,8 @@ func init() { }, } test3072Key.Precompute() - test4096Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test4096Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("633335480064287130853997429184971616419051348693342219741748040433588285601270210251206421401040394238592139790962887290698043839174341843721930134010306454716566698330215646704263665452264344664385995704186692432827662862845900348526672531755932642433662686500295989783595767573119607065791980381547677840410600100715146047382485989885183858757974681241303484641390718944520330953604501686666386926996348457928415093305041429178744778762826377713889019740060910363468343855830206640274442887621960581569183233822878661711798998132931623726434336448716605363514220760343097572198620479297583609779817750646169845195672483600293522186340560792255595411601450766002877850696008003794520089358819042318331840490155176019070646738739580486357084733208876620846449161909966690602374519398451042362690200166144326179405976024265116931974936425064291406950542193873313447617169603706868220189295654943247311295475722243471700112334609817776430552541319671117235957754556272646031356496763094955985615723596562217985372503002989591679252640940571608314743271809251568670314461039035793703429977801961867815257832671786542212589906513979094156334941265621017752516999186481477500481433634914622735206243841674973785078408289183000133399026553"), E: 65537, }, @@ -128,7 +127,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA256WithRSA: priv = test2048Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -138,7 +137,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA384WithRSA: priv = test3072Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -148,7 +147,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA512WithRSA: priv = test4096Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -161,7 +160,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -174,7 +173,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -187,7 +186,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -208,19 +207,19 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 log.Println("creating cert", name, "issued by", issuerCert.Subject.CommonName, "with sigalg", sigAlg) switch priv.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: switch issuerKey.(type) { - case *rsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) + case *rsa2.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) case *ecdsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) } case *ecdsa.PrivateKey: switch issuerKey.(type) { - case *rsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) + case *rsa2.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: @@ -229,7 +228,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case *dsa.PrivateKey: pub := &priv.(*dsa.PrivateKey).PublicKey switch issuerKey := issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, pub, issuerKey) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*dsa.PublicKey), issuerKey) @@ -257,7 +256,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 type TestFixture struct { Input []byte Certificate *x509.Certificate - PrivateKey *rsa.PrivateKey + PrivateKey *rsa2.PrivateKey } func UnmarshalTestFixture(testPEMBlock string) TestFixture { diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index d9c89735c618..0d75fc9c9a89 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -7,7 +7,6 @@ import ( "bytes" "crypto" "crypto/rand" - "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -18,6 +17,8 @@ import ( "strings" "testing" "time" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) type CertBuilder struct { @@ -25,7 +26,7 @@ type CertBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa.PrivateKey + parentKey *rsa2.PrivateKey isCA bool } @@ -159,14 +160,14 @@ func NewCert(t *testing.T, opts ...CertOpt) (cert Certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type KeyWrapper struct { - PrivKey *rsa.PrivateKey + PrivKey *rsa2.PrivateKey Pem []byte } func NewPrivateKey(t *testing.T) (key KeyWrapper) { t.Helper() - privKey, err := rsa.GenerateKey(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 3a8f3afcb84f..9d38220c1a38 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -7,7 +7,6 @@ import ( "bytes" "crypto" "crypto/rand" - "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -17,6 +16,8 @@ import ( "strings" "testing" "time" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) type certBuilder struct { @@ -24,7 +25,7 @@ type certBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa.PrivateKey + parentKey *rsa2.PrivateKey isCA bool } @@ -147,14 +148,14 @@ func newCert(t *testing.T, opts ...certOpt) (cert certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type keyWrapper struct { - privKey *rsa.PrivateKey + privKey *rsa2.PrivateKey pem []byte } func newPrivateKey(t *testing.T) (key keyWrapper) { t.Helper() - privKey, err := rsa.GenerateKey(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/sdk/go.mod b/sdk/go.mod index dae54216b653..b73ca01ed0c9 100644 --- a/sdk/go.mod +++ b/sdk/go.mod @@ -1,6 +1,8 @@ module github.com/hashicorp/vault/sdk -go 1.22 +go 1.23.0 + +replace github.com/hashicorp/go-secure-stdlib/cryptoutil => ../../go-secure-stdlib/cryptoutil require ( cloud.google.com/go/cloudsqlconn v1.4.3 @@ -58,6 +60,8 @@ require ( github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/go-jose/go-jose/v4 v4.0.1 // indirect + github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect diff --git a/sdk/go.sum b/sdk/go.sum index 55705f4931ac..80f540c50e7e 100644 --- a/sdk/go.sum +++ b/sdk/go.sum @@ -237,6 +237,8 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9n github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 h1:kBoJV4Xl5FLtBfnBjDvBxeNSy2IRITSGs73HQsFUEjY= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6/go.mod h1:y+HSOcOGB48PkUxNyLAiCiY6rEENu+E+Ss4LG8QHwf4= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 4ebab01827d2..72f97990318b 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -26,6 +25,7 @@ import ( "time" "github.com/fatih/structs" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) // Tests converting back and forth between a CertBundle and a ParsedCertBundle. @@ -465,11 +465,11 @@ vitin0L6nprauWkKO38XgM4T75qKZpqtiOcT } func TestGetPublicKeySize(t *testing.T) { - rsa, err := rsa.GenerateKey(rand.Reader, 3072) + rsa, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) if err != nil { t.Fatal(err) } - if GetPublicKeySize(&rsa.PublicKey) != 3072 { + if GetPublicKeySize(&rsa2.PublicKey) != 3072 { t.Fatal("unexpected rsa key size") } ecdsa, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) @@ -735,7 +735,7 @@ func setCerts() { // RSA generation { - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } @@ -1101,8 +1101,8 @@ func TestIgnoreCSRSigning(t *testing.T) { }) } -func genRsaKey(t *testing.T) *rsa.PrivateKey { - key, err := rsa.GenerateKey(rand.Reader, 2048) +func genRsaKey(t *testing.T) *rsa2.PrivateKey { + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index 1c673b058acd..e9096ac1237e 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -11,7 +11,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -30,6 +30,7 @@ import ( "time" "github.com/hashicorp/errwrap" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/mitchellh/mapstructure" @@ -156,7 +157,7 @@ func getSubjectKeyIDFromBundle(data *CreationBundle) ([]byte, error) { func GetSubjectKeyID(pub interface{}) ([]byte, error) { var publicKeyBytes []byte switch pub := pub.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: type pkcs1PublicKey struct { N *big.Int E int @@ -233,7 +234,7 @@ func ParseDERKey(privateKeyBytes []byte) (signer crypto.Signer, format BlockType var rawKey interface{} if rawKey, thirdError = x509.ParsePKCS8PrivateKey(privateKeyBytes); thirdError == nil { switch rawSigner := rawKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: signer = rawSigner case *ecdsa.PrivateKey: signer = rawSigner @@ -368,11 +369,11 @@ func generatePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyC return errutil.InternalError{Err: fmt.Sprintf("insecure bit length for RSA private key: %d", keyBits)} } privateKeyType = RSAPrivateKey - privateKey, err = rsa.GenerateKey(randReader, keyBits) + privateKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, keyBits) if err != nil { return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)} } - privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa.PrivateKey)) + privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa2.PrivateKey)) case "ec": privateKeyType = ECPrivateKey var curve elliptic.Curve @@ -450,9 +451,9 @@ func ComparePublicKeysAndType(key1Iface, key2Iface crypto.PublicKey) (bool, erro // returns an error if public key types are mismatched, or they are an unsupported key type. func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) { switch key1Iface.(type) { - case *rsa.PublicKey: - key1 := key1Iface.(*rsa.PublicKey) - key2, ok := key2Iface.(*rsa.PublicKey) + case *rsa2.PublicKey: + key1 := key1Iface.(*rsa2.PublicKey) + key2, ok := key2Iface.(*rsa2.PublicKey) if !ok { return false, fmt.Errorf("key types do not match: %T and %T", key1Iface, key2Iface) } @@ -516,7 +517,7 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) { } switch key := rawKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return key, nil case *ecdsa.PublicKey: return key, nil @@ -1422,7 +1423,7 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { // GetPublicKeySize returns the key size in bits for a given arbitrary crypto.PublicKey // Returns -1 for an unsupported key type. func GetPublicKeySize(key crypto.PublicKey) int { - if key, ok := key.(*rsa.PublicKey); ok { + if key, ok := key.(*rsa2.PublicKey); ok { return key.Size() * 8 } if key, ok := key.(*ecdsa.PublicKey); ok { @@ -2049,7 +2050,7 @@ func FindBitLength(publicKey any) int { return 0 } switch pub := publicKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return pub.N.BitLen() case *ecdsa.PublicKey: switch pub.Curve { diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go index cdfc912e9289..b0759f172251 100644 --- a/sdk/helper/certutil/types.go +++ b/sdk/helper/certutil/types.go @@ -16,7 +16,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -153,7 +153,7 @@ type KeyBundle struct { func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // We look at the public key types to work-around limitations/typing of managed keys. switch signer.Public().(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -167,7 +167,7 @@ func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // that would be associated with it, returning UnknownPrivateKey for unsupported types func GetPrivateKeyTypeFromPublicKey(pubKey crypto.PublicKey) PrivateKeyType { switch pubKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -449,7 +449,7 @@ func (p *ParsedCertBundle) getSigner() (crypto.Signer, error) { case PKCS8Block: if k, err := x509.ParsePKCS8PrivateKey(p.PrivateKeyBytes); err == nil { switch k := k.(type) { - case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: + case *rsa2.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: return k.(crypto.Signer), nil default: return nil, errutil.UserError{Err: "Found unknown private key type in pkcs#8 wrapping"} @@ -478,7 +478,7 @@ func getPKCS8Type(bs []byte) (PrivateKeyType, error) { switch k.(type) { case *ecdsa.PrivateKey: return ECPrivateKey, nil - case *rsa.PrivateKey: + case *rsa2.PrivateKey: return RSAPrivateKey, nil case ed25519.PrivateKey: return Ed25519PrivateKey, nil diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index 2cf383afaa02..a76741b20460 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -9,12 +9,13 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "testing" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index 234b4413cfe2..ade6d44b03af 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -13,7 +13,7 @@ import ( "crypto/elliptic" "crypto/hmac" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/asn1" @@ -32,6 +32,8 @@ import ( "sync/atomic" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/errwrap" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/sdk/helper/errutil" @@ -287,8 +289,8 @@ type KeyEntry struct { EC_Y *big.Int `json:"ec_y"` EC_D *big.Int `json:"ec_d"` - RSAKey *rsa.PrivateKey `json:"rsa_key"` - RSAPublicKey *rsa.PublicKey `json:"rsa_public_key"` + RSAKey *rsa2.PrivateKey `json:"rsa_key"` + RSAPublicKey *rsa2.PublicKey `json:"rsa_public_key"` // The public key in an appropriate format for the type of key FormattedPublicKey string `json:"public_key"` @@ -425,7 +427,7 @@ func LoadPolicy(ctx context.Context, s logical.Storage, path string) (*Policy, e case KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096: for _, entry := range policy.Keys { if entry.RSAPublicKey == nil && entry.RSAKey != nil { - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) } } } @@ -1079,9 +1081,9 @@ func (p *Policy) DecryptWithFactory(context, nonce []byte, value string, factori switch paddingScheme { case PaddingScheme_PKCS1v15: - plain, err = rsa.DecryptPKCS1v15(rand.Reader, key, decoded) + plain, err = rsa2.DecryptPKCS1v15(rand.Reader, key, decoded) case PaddingScheme_OAEP: - plain, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) + plain, err = rsa2.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -1167,14 +1169,14 @@ func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, si return p.SignWithOptions(ver, context, input, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa.PSSSaltLengthAuto, + SaltLength: rsa2.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } func (p *Policy) minRSAPSSSaltLength() int { // https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/crypto/rsa/pss.go;l=247 - return rsa.PSSSaltLengthEqualsHash + return rsa2.PSSSaltLengthEqualsHash } func (p *Policy) maxRSAPSSSaltLength(keyBitLen int, hash crypto.Hash) int { @@ -1324,12 +1326,12 @@ func (p *Policy) SignWithOptions(ver int, context, input []byte, options *Signin if !p.validRSAPSSSaltLength(key.N.BitLen(), algo, saltLength) { return nil, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - sig, err = rsa.SignPSS(rand.Reader, key, algo, input, &rsa.PSSOptions{SaltLength: saltLength}) + sig, err = rsa2.SignPSS(rand.Reader, key, algo, input, &rsa2.PSSOptions{SaltLength: saltLength}) if err != nil { return nil, err } case "pkcs1v15": - sig, err = rsa.SignPKCS1v15(rand.Reader, key, algo, input) + sig, err = rsa2.SignPKCS1v15(rand.Reader, key, algo, input) if err != nil { return nil, err } @@ -1372,7 +1374,7 @@ func (p *Policy) VerifySignature(context, input []byte, hashAlgorithm HashType, return p.VerifySignatureWithOptions(context, input, sig, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa.PSSSaltLengthAuto, + SaltLength: rsa2.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } @@ -1524,13 +1526,13 @@ func (p *Policy) VerifySignatureWithOptions(context, input []byte, sig string, o if !p.validRSAPSSSaltLength(publicKey.N.BitLen(), algo, saltLength) { return false, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - err = rsa.VerifyPSS(publicKey, algo, input, sigBytes, &rsa.PSSOptions{SaltLength: saltLength}) + err = rsa2.VerifyPSS(publicKey, algo, input, sigBytes, &rsa2.PSSOptions{SaltLength: saltLength}) case "pkcs1v15": publicKey := keyEntry.RSAPublicKey if !keyEntry.IsPrivateKeyMissing() { publicKey = &keyEntry.RSAKey.PublicKey } - err = rsa.VerifyPKCS1v15(publicKey, algo, input, sigBytes) + err = rsa2.VerifyPKCS1v15(publicKey, algo, input, sigBytes) default: return false, errutil.InternalError{Err: fmt.Sprintf("unsupported rsa signature algorithm %s", sigAlgorithm)} } @@ -1790,12 +1792,12 @@ func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error) { bitSize = 4096 } - entry.RSAKey, err = rsa.GenerateKey(randReader, bitSize) + entry.RSAKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, bitSize) if err != nil { return err } - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) } if p.ConvergentEncryption { @@ -2178,7 +2180,7 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value if err != nil { return "", err } - var publicKey *rsa.PublicKey + var publicKey *rsa2.PublicKey if keyEntry.RSAKey != nil { publicKey = &keyEntry.RSAKey.PublicKey } else { @@ -2186,9 +2188,9 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value } switch paddingScheme { case PaddingScheme_PKCS1v15: - ciphertext, err = rsa.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) + ciphertext, err = rsa2.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) case PaddingScheme_OAEP: - ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) + ciphertext, err = rsa2.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -2317,8 +2319,8 @@ func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical if !publicKey.(*ecdsa.PublicKey).Equal(&ecdsaKey.PublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } - case *rsa.PrivateKey: - rsaKey := parsedPrivateKey.(*rsa.PrivateKey) + case *rsa2.PrivateKey: + rsaKey := parsedPrivateKey.(*rsa2.PrivateKey) if !rsaKey.PublicKey.Equal(keyEntry.RSAPublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } @@ -2413,7 +2415,7 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { publicKey := parsedKey.(ed25519.PublicKey) ke.FormattedPublicKey = base64.StdEncoding.EncodeToString(publicKey) } - case *rsa.PrivateKey, *rsa.PublicKey: + case *rsa2.PrivateKey, *rsa2.PublicKey: if PolKeyType != KeyType_RSA2048 && PolKeyType != KeyType_RSA3072 && PolKeyType != KeyType_RSA4096 { return fmt.Errorf("invalid key type: expected %s, got %T", PolKeyType, parsedKey) } @@ -2425,15 +2427,15 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { keyBytes = 512 } - rsaKey, ok := parsedKey.(*rsa.PrivateKey) + rsaKey, ok := parsedKey.(*rsa2.PrivateKey) if ok { if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } ke.RSAKey = rsaKey - ke.RSAPublicKey = rsaKey.Public().(*rsa.PublicKey) + ke.RSAPublicKey = rsaKey.Public().(*rsa2.PublicKey) } else { - rsaKey := parsedKey.(*rsa.PublicKey) + rsaKey := parsedKey.(*rsa2.PublicKey) if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } @@ -2501,7 +2503,7 @@ func (ke *KeyEntry) WrapKey(targetKey any, targetKeyType KeyType, hash hash.Hash return result, nil } -func wrapTargetPKCS8ForImport(wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { +func wrapTargetPKCS8ForImport(wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { // Generate an ephemeral AES-256 key ephKey, err := uuid.GenerateRandomBytes(32) if err != nil { @@ -2509,7 +2511,7 @@ func wrapTargetPKCS8ForImport(wrappingKey *rsa.PublicKey, preppedTargetKey []byt } // Wrap ephemeral AES key with public wrapping key - ephKeyWrapped, err := rsa.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) + ephKeyWrapped, err := rsa2.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) if err != nil { return "", fmt.Errorf("failed to encrypt ephemeral wrapping key with public key: %w", err) } @@ -2661,7 +2663,7 @@ func (p *Policy) ValidateLeafCertKeyMatch(keyVersion int, certPublicKeyAlgorithm return publicKey.Equal(certPublicKey), nil case x509.RSA: - certPublicKey := certPublicKey.(*rsa.PublicKey) + certPublicKey := certPublicKey.(*rsa2.PublicKey) publicKey := keyEntry.RSAKey.PublicKey return publicKey.Equal(certPublicKey), nil diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index cd921a52065b..7c260371eec1 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "errors" @@ -22,6 +21,7 @@ import ( "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" @@ -810,7 +810,7 @@ func Test_Import(t *testing.T) { func generateTestKeys() (map[KeyType][]byte, error) { keyMap := make(map[KeyType][]byte) - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { return nil, err } @@ -820,7 +820,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA2048] = rsaKeyBytes - rsaKey, err = rsa.GenerateKey(rand.Reader, 3072) + rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) if err != nil { return nil, err } @@ -830,7 +830,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA3072] = rsaKeyBytes - rsaKey, err = rsa.GenerateKey(rand.Reader, 4096) + rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { return nil, err } @@ -969,7 +969,7 @@ func Test_RSA_PSS(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, + test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1084,7 +1084,7 @@ func Test_RSA_PSS(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { @@ -1117,7 +1117,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, padding PaddingScheme) { + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, padding PaddingScheme) { // 1. Make a signature with the given key size and hash algorithm. t.Log(tabs[3], "Make an automatic signature") ct, err := p.EncryptWithFactory(0, nil, nil, string(input), padding) @@ -1152,7 +1152,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) for _, padding := range []PaddingScheme{PaddingScheme_OAEP, PaddingScheme_PKCS1v15, ""} { t.Run(fmt.Sprintf("%s/%s", rsaKeyType.String(), padding), func(t *testing.T) { test_RSA_PKCS1(t, p, rsaKey, padding) }) } @@ -1173,7 +1173,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1229,7 +1229,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { diff --git a/sdk/helper/keysutil/util.go b/sdk/helper/keysutil/util.go index dbba7ec1fb70..cb3a0821d0ca 100644 --- a/sdk/helper/keysutil/util.go +++ b/sdk/helper/keysutil/util.go @@ -68,7 +68,7 @@ func isEd25519OID(oid asn1.ObjectIdentifier) bool { // ParsePKCS8Ed25519PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form. // -// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". @@ -125,7 +125,7 @@ func ParsePKCS8Ed25519PrivateKey(der []byte) (key interface{}, err error) { // // This helper only supports RSA/PSS keys (with OID 1.2.840.113549.1.1.10). // -// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 5b34631f2d7d..27cece13158f 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "encoding/base64" "encoding/json" "errors" @@ -24,6 +23,7 @@ import ( "github.com/go-jose/go-jose/v3/jwt" "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/base62" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/helper/identity" @@ -1762,7 +1762,7 @@ func generateKeys(algorithm string) (*jose.JSONWebKey, error) { switch algorithm { case "RS256", "RS384", "RS512": // 2048 bits is recommended by RSA Laboratories as a minimum post 2015 - if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil { + if key, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048); err != nil { return nil, err } case "ES256", "ES384", "ES512": From eaa1bae6c4b223a67b3361920ade90c5c9466510 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Fri, 25 Oct 2024 12:56:52 -0500 Subject: [PATCH 02/28] switch to the conditional generator --- Makefile | 8 ++++---- builtin/credential/cert/backend_test.go | 4 ++-- builtin/logical/database/credentials.go | 2 +- builtin/logical/pki/backend_test.go | 16 +++++++-------- builtin/logical/pki/ca_test.go | 2 +- builtin/logical/pki/ca_util_test.go | 2 +- builtin/logical/pki/cert_util.go | 13 ++++++++++-- builtin/logical/pki/path_acme_test.go | 20 +++++++++---------- builtin/logical/pki/path_config_acme_test.go | 2 +- builtin/logical/pki/path_tidy_test.go | 4 ++-- .../logical/pkiext/pkiext_binary/acme_test.go | 4 ++-- builtin/logical/ssh/path_config_ca.go | 2 +- builtin/logical/ssh/util.go | 2 +- .../logical/transit/path_certificates_test.go | 2 +- builtin/logical/transit/path_import_test.go | 10 +++++----- command/transit_import_key_test.go | 4 ++-- .../testhelpers/certhelpers/cert_helpers.go | 2 +- plugins/database/mongodb/cert_helpers_test.go | 2 +- sdk/helper/certutil/certutil_test.go | 6 +++--- sdk/helper/certutil/helpers.go | 3 +-- sdk/helper/certutil/types_test.go | 2 +- sdk/helper/keysutil/policy.go | 2 +- sdk/helper/keysutil/policy_test.go | 6 +++--- vault/identity_store_oidc.go | 2 +- 24 files changed, 65 insertions(+), 57 deletions(-) diff --git a/Makefile b/Makefile index ba499ad7407f..f7fcd03cf9db 100644 --- a/Makefile +++ b/Makefile @@ -164,11 +164,11 @@ protolint: prep check-tools-external # now run as a pre-commit hook (and there's little value in # making every build run the formatter), we've removed that # dependency. -prep: check-go-version clean +prep: check-go-version @echo "==> Running go generate..." - @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) - @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) - @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) +# @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) +# @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) +# @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) # Git doesn't allow us to store shared hooks in .git. Instead, we make sure they're up-to-date # whenever a make target is invoked. diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index 23412ef9b6dc..dd92b2df07d8 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -658,7 +658,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.IPAddresses = []net.IP{parsedIP} // Private key for CA cert - caPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + caPrivateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -726,7 +726,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.SerialNumber = big.NewInt(5678) template.KeyUsage = x509.KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign) - issuedPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + issuedPrivateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 9208e836a3a9..08836d5aaaca 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -133,7 +133,7 @@ func (kg *rsaKeyGenerator) generate(r io.Reader) ([]byte, []byte, error) { return nil, nil, fmt.Errorf("invalid key_bits: %v", kg.KeyBits) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(reader, keyBits) + key, err := cryptoutil.GenerateRSAKey(reader, keyBits) if err != nil { return nil, nil, err } diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index a2655b239047..ba5e1feb310a 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -511,14 +511,14 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s }, } - priv1024, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 1024) + priv1024, _ := cryptoutil.GenerateRSAKey(rand.Reader, 1024) csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024) csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csr1024, }))) - priv2048, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv2048, _ := cryptoutil.GenerateRSAKey(rand.Reader, 2048) csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048) csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", @@ -700,7 +700,7 @@ func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType str var err error switch keyType { case "rsa": - priv, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + priv, err = cryptoutil.GenerateRSAKey(rand.Reader, keyBits) case "ec": switch keyBits { case 224: @@ -1181,7 +1181,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep { case "rsa": privKey, ok = generatedRSAKeys[keyBits] if !ok { - privKey, _ = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + privKey, _ = cryptoutil.GenerateRSAKey(rand.Reader, keyBits) generatedRSAKeys[keyBits] = privKey } @@ -2165,7 +2165,7 @@ func runTestSignVerbatim(t *testing.T, keyType string) { } // create a CSR and key - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2736,7 +2736,7 @@ func TestBackend_SignSelfIssued(t *testing.T) { t.Fatal(err) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2880,7 +2880,7 @@ func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) { t.Fatal(err) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -3835,7 +3835,7 @@ func setCerts() { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index 745b1282a8cc..aa2a15f3cb55 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -98,7 +98,7 @@ func TestBackend_CA_Steps(t *testing.T) { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index 07c56f2dfdf9..66413ce5eb4a 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -16,7 +16,7 @@ import ( ) func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) { - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index ae5d3504d465..ac5e4dd91420 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -321,6 +321,15 @@ func validateSerialNumber(data *inputBundle, serialNumber string) string { return issuing.ValidateSerialNumber(data.role, serialNumber) } +type slowRand struct { + r io.Reader +} + +func (s *slowRand) Read(p []byte) (n int, err error) { + time.Sleep(50 * time.Millisecond) + return s.r.Read(p) +} + func generateCert(sc *storageContext, input *inputBundle, caSign *certutil.CAInfoBundle, @@ -333,7 +342,7 @@ func generateCert(sc *storageContext, return nil, nil, errutil.InternalError{Err: "no role found in data bundle"} } - if input.role.KeyType == "rsa" && input.role.KeyBits < 2048 { + if input.role.KeyType == "rsa" && input.role.KeyBits < 1024 { return nil, nil, errutil.UserError{Err: "RSA keys < 2048 bits are unsafe and not supported"} } @@ -391,7 +400,7 @@ func generateCert(sc *storageContext, } } - parsedBundle, err := generateCABundle(sc, input, data, randomSource) + parsedBundle, err := generateCABundle(sc, input, data, &slowRand{randomSource}) if err != nil { return nil, nil, err } diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index c739a9dd73c8..d03fe04a59ba 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -60,7 +60,7 @@ func TestAcmeBasicWorkflow(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -592,7 +592,7 @@ func TestAcmeAccountsCrossingDirectoryPath(t *testing.T) { defer cluster.Cleanup() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -628,7 +628,7 @@ func TestAcmeEabCrossingDirectoryPath(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -759,7 +759,7 @@ func TestAcmeTruncatesToIssuerExpiry(t *testing.T) { require.NoError(t, err, "failed updating issuer name") baseAcmeURL := "/v1/pki/issuer/short-ca/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -831,7 +831,7 @@ func TestAcmeRoleExtKeyUsage(t *testing.T) { _, err := client.Logical().Write("pki/roles/"+roleName, roleOpt) baseAcmeURL := "/v1/pki/roles/" + roleName + "/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") require.NoError(t, err, "failed creating role test-role") @@ -1100,7 +1100,7 @@ func TestAcmeWithCsrIncludingBasicConstraintExtension(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1432,7 +1432,7 @@ func TestAcmeValidationError(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1540,7 +1540,7 @@ func TestAcmeRevocationAcrossAccounts(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey1, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient1 := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey1) @@ -1639,7 +1639,7 @@ func TestAcmeMaxTTL(t *testing.T) { require.NoError(t, err, "error configuring acme") // First Create Our Client - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) @@ -1867,7 +1867,7 @@ func TestACMEClientRequestLimits(t *testing.T) { for _, tc := range cases { // First Create Our Client - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index c02d2f537f1a..5eee3a2195b8 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -117,7 +117,7 @@ func TestAcmeConfig(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index f64443a2ddc3..fc46b6e84718 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -916,7 +916,7 @@ func TestTidyAcmeWithBackdate(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1073,7 +1073,7 @@ func TestTidyAcmeWithSafetyBuffer(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index 6477812bd1d3..efda8241f2f0 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -704,7 +704,7 @@ func doAcmeValidationWithGoLibrary(t *testing.T, directoryUrl string, acmeOrderI } httpClient := &http.Client{Transport: tr} - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") logger.Trace("Using the following url for the ACME directory", "url", directoryUrl) acmeClient := &acme.Client{ @@ -957,7 +957,7 @@ func SubtestACMEStepDownNode(t *testing.T, cluster *VaultPkiCluster) { DNSNames: []string{hostname, hostname}, } - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") acmeClient := &acme.Client{ diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 66a9a4a7956e..9018f88fc816 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -326,7 +326,7 @@ func generateSSHKeyPair(randomSource io.Reader, keyType string, keyBits int) (st return "", "", fmt.Errorf("refusing to generate weak %v key: %v bits < 2048 bits", keyType, keyBits) } - privateSeed, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(randomSource, keyBits) + privateSeed, err := cryptoutil.GenerateRSAKey(randomSource, keyBits) if err != nil { return "", "", err } diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index 2a94741a82c9..fff7402672cf 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -22,7 +22,7 @@ import ( // Creates a new RSA key pair with the given key length. The private key will be // of pem format and the public key will be of OpenSSH format. func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) { - privateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + privateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, keyBits) if err != nil { return "", "", fmt.Errorf("error generating RSA key-pair: %w", err) } diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index e77bac73a7b0..a81f9ec24cae 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -167,7 +167,7 @@ func testTransit_ImportCertChain(t *testing.T, apiClient *api.Client, keyType st require.NoError(t, err) // Setup a new CSR - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(cryptoRand.Reader, 3072) + privKey, err := cryptoutil.GenerateRSAKey(cryptoRand.Reader, 3072) require.NoError(t, err) var csrTemplate x509.CertificateRequest diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index 5c4fa9861b15..9b0f03e2f2a1 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -162,7 +162,7 @@ func TestTransit_Import(t *testing.T) { t.Run( "import into a key fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -502,7 +502,7 @@ func TestTransit_ImportVersion(t *testing.T) { t.Run( "import into a key version fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -1027,11 +1027,11 @@ func generateKey(keyType string) (interface{}, error) { case "ecdsa-p521": return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) case "rsa-2048": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + return cryptoutil.GenerateRSAKey(rand.Reader, 2048) case "rsa-3072": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + return cryptoutil.GenerateRSAKey(rand.Reader, 3072) case "rsa-4096": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + return cryptoutil.GenerateRSAKey(rand.Reader, 4096) default: return nil, fmt.Errorf("failed to generate unsupported key type: %s", keyType) } diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 2b030e083877..6ea4c9985dfa 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -171,7 +171,7 @@ func execTransitImport(t *testing.T, client *api.Client, method string, path str func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) { t.Helper() - priv1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv1, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NotNil(t, priv1, "failed generating RSA 1 key") require.NoError(t, err, "failed generating RSA 1 key") @@ -179,7 +179,7 @@ func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 require.NotNil(t, rsa1, "failed marshaling RSA 1 key") require.NoError(t, err, "failed marshaling RSA 1 key") - priv2, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv2, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NotNil(t, priv2, "failed generating RSA 2 key") require.NoError(t, err, "failed generating RSA 2 key") diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index 0d75fc9c9a89..171421c3b240 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -167,7 +167,7 @@ type KeyWrapper struct { func NewPrivateKey(t *testing.T) (key KeyWrapper) { t.Helper() - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 9d38220c1a38..8ae0fe16b019 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -155,7 +155,7 @@ type keyWrapper struct { func newPrivateKey(t *testing.T) (key keyWrapper) { t.Helper() - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 72f97990318b..2aa1622db746 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -465,7 +465,7 @@ vitin0L6nprauWkKO38XgM4T75qKZpqtiOcT } func TestGetPublicKeySize(t *testing.T) { - rsa, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + rsa, err := cryptoutil.GenerateRSAKey(rand.Reader, 3072) if err != nil { t.Fatal(err) } @@ -735,7 +735,7 @@ func setCerts() { // RSA generation { - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } @@ -1102,7 +1102,7 @@ func TestIgnoreCSRSigning(t *testing.T) { } func genRsaKey(t *testing.T) *rsa2.PrivateKey { - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index e9096ac1237e..ad7e2e544b8d 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -30,7 +30,6 @@ import ( "time" "github.com/hashicorp/errwrap" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/mitchellh/mapstructure" @@ -369,7 +368,7 @@ func generatePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyC return errutil.InternalError{Err: fmt.Sprintf("insecure bit length for RSA private key: %d", keyBits)} } privateKeyType = RSAPrivateKey - privateKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, keyBits) + privateKey, err = rsa2.GenerateKey(randReader, keyBits) if err != nil { return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)} } diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index a76741b20460..5e08e8a1fe12 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -15,7 +15,7 @@ import ( ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index ade6d44b03af..247014cbf6c4 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -1792,7 +1792,7 @@ func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error) { bitSize = 4096 } - entry.RSAKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, bitSize) + entry.RSAKey, err = cryptoutil.GenerateRSAKey(randReader, bitSize) if err != nil { return err } diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index 7c260371eec1..fe2f7300e51c 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -810,7 +810,7 @@ func Test_Import(t *testing.T) { func generateTestKeys() (map[KeyType][]byte, error) { keyMap := make(map[KeyType][]byte) - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { return nil, err } @@ -820,7 +820,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA2048] = rsaKeyBytes - rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + rsaKey, err = cryptoutil.GenerateRSAKey(rand.Reader, 3072) if err != nil { return nil, err } @@ -830,7 +830,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA3072] = rsaKeyBytes - rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + rsaKey, err = cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { return nil, err } diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 27cece13158f..406b61de3948 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -1762,7 +1762,7 @@ func generateKeys(algorithm string) (*jose.JSONWebKey, error) { switch algorithm { case "RS256", "RS384", "RS512": // 2048 bits is recommended by RSA Laboratories as a minimum post 2015 - if key, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048); err != nil { + if key, err = cryptoutil.GenerateRSAKey(rand.Reader, 2048); err != nil { return nil, err } case "ES256", "ES384", "ES512": From 1d632fc015288a5d8096e090be340f85e1727768 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 21 Oct 2024 14:06:49 -0500 Subject: [PATCH 03/28] Use DRBG based RSA key generation everywhere --- builtin/credential/cert/backend_test.go | 6 +- builtin/logical/database/credentials.go | 4 +- builtin/logical/database/credentials_test.go | 5 +- builtin/logical/pki/backend_test.go | 21 +++---- builtin/logical/pki/ca_test.go | 4 +- builtin/logical/pki/ca_util.go | 4 +- builtin/logical/pki/ca_util_test.go | 4 +- builtin/logical/pki/integration_test.go | 10 ++-- builtin/logical/pki/issuing/sign_cert.go | 6 +- builtin/logical/pki/path_acme_test.go | 22 ++++---- builtin/logical/pki/path_config_acme_test.go | 4 +- builtin/logical/pki/path_revoke.go | 2 +- builtin/logical/pki/path_root.go | 2 +- builtin/logical/pki/path_tidy_test.go | 6 +- builtin/logical/pki/test_helpers.go | 4 +- .../logical/pkiext/pkiext_binary/acme_test.go | 6 +- builtin/logical/ssh/path_config_ca.go | 4 +- builtin/logical/ssh/path_issue_sign.go | 2 +- builtin/logical/ssh/util.go | 4 +- .../logical/transit/path_certificates_test.go | 4 +- builtin/logical/transit/path_export_test.go | 3 +- builtin/logical/transit/path_import_test.go | 18 +++--- .../logical/transit/path_wrapping_key_test.go | 3 +- command/transit_import_key_test.go | 6 +- go.mod | 6 +- go.sum | 2 + helper/pkcs7/decrypt.go | 2 +- helper/pkcs7/encrypt.go | 2 +- helper/pkcs7/pkcs7_test.go | 49 ++++++++-------- .../testhelpers/certhelpers/cert_helpers.go | 9 +-- plugins/database/mongodb/cert_helpers_test.go | 9 +-- sdk/go.mod | 6 +- sdk/go.sum | 2 + sdk/helper/certutil/certutil_test.go | 12 ++-- sdk/helper/certutil/helpers.go | 23 ++++---- sdk/helper/certutil/types.go | 10 ++-- sdk/helper/certutil/types_test.go | 5 +- sdk/helper/keysutil/policy.go | 56 ++++++++++--------- sdk/helper/keysutil/policy_test.go | 20 +++---- sdk/helper/keysutil/util.go | 4 +- vault/identity_store_oidc.go | 4 +- 41 files changed, 195 insertions(+), 180 deletions(-) diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index e4affa3b5296..23412ef9b6dc 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -32,6 +31,7 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" @@ -658,7 +658,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.IPAddresses = []net.IP{parsedIP} // Private key for CA cert - caPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048) + caPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -726,7 +726,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.SerialNumber = big.NewInt(5678) template.KeyUsage = x509.KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign) - issuedPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048) + issuedPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 790dde05a35b..9208e836a3a9 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -6,7 +6,6 @@ package database import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -15,6 +14,7 @@ import ( "strings" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/random" "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/helper/certutil" @@ -133,7 +133,7 @@ func (kg *rsaKeyGenerator) generate(r io.Reader) ([]byte, []byte, error) { return nil, nil, fmt.Errorf("invalid key_bits: %v", kg.KeyBits) } - key, err := rsa.GenerateKey(reader, keyBits) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(reader, keyBits) if err != nil { return nil, nil, err } diff --git a/builtin/logical/database/credentials_test.go b/builtin/logical/database/credentials_test.go index 7f2c4eb3dbb0..7284ab48e03b 100644 --- a/builtin/logical/database/credentials_test.go +++ b/builtin/logical/database/credentials_test.go @@ -6,7 +6,6 @@ package database import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "testing" @@ -696,7 +695,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { pub, err := x509.ParsePKIXPublicKey(pubBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, pub) - assert.IsType(t, &rsa.PublicKey{}, pub) + assert.IsType(t, &rsa2.PublicKey{}, pub) // Assert that we can parse the private key PEM block in // the configured format @@ -705,7 +704,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { priv, err := x509.ParsePKCS8PrivateKey(privBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, priv) - assert.IsType(t, &rsa.PrivateKey{}, priv) + assert.IsType(t, &rsa2.PrivateKey{}, priv) default: t.Fatal("unknown format") } diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 9292892144cd..a2655b239047 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -12,7 +12,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" @@ -38,6 +38,7 @@ import ( "github.com/armon/go-metrics" "github.com/fatih/structs" "github.com/go-test/deep" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/vault/api" auth "github.com/hashicorp/vault/api/auth/userpass" @@ -409,7 +410,7 @@ func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUs case "rsa": parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey parsedCertBundle.PrivateKey = key - parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) + parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa2.PrivateKey)) case "ec": parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey parsedCertBundle.PrivateKey = key @@ -510,14 +511,14 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s }, } - priv1024, _ := rsa.GenerateKey(rand.Reader, 1024) + priv1024, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 1024) csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024) csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csr1024, }))) - priv2048, _ := rsa.GenerateKey(rand.Reader, 2048) + priv2048, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048) csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", @@ -699,7 +700,7 @@ func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType str var err error switch keyType { case "rsa": - priv, err = rsa.GenerateKey(rand.Reader, keyBits) + priv, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) case "ec": switch keyBits { case 224: @@ -1180,7 +1181,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep { case "rsa": privKey, ok = generatedRSAKeys[keyBits] if !ok { - privKey, _ = rsa.GenerateKey(rand.Reader, keyBits) + privKey, _ = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) generatedRSAKeys[keyBits] = privKey } @@ -2164,7 +2165,7 @@ func runTestSignVerbatim(t *testing.T, keyType string) { } // create a CSR and key - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2735,7 +2736,7 @@ func TestBackend_SignSelfIssued(t *testing.T) { t.Fatal(err) } - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2879,7 +2880,7 @@ func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) { t.Fatal(err) } - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -3834,7 +3835,7 @@ func setCerts() { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := rsa.GenerateKey(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index 4517604f8a0d..745b1282a8cc 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -9,7 +9,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/json" @@ -21,6 +20,7 @@ import ( "time" "github.com/go-test/deep" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" @@ -98,7 +98,7 @@ func TestBackend_CA_Steps(t *testing.T) { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := rsa.GenerateKey(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_util.go b/builtin/logical/pki/ca_util.go index 2d2478ab8e46..bb2071d8072c 100644 --- a/builtin/logical/pki/ca_util.go +++ b/builtin/logical/pki/ca_util.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/ecdsa" - "crypto/rsa" + rsa2 "crypto/rsa" "errors" "fmt" "io" @@ -229,7 +229,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr var keyBits int switch pubKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: keyType = certutil.RSAPrivateKey keyBits = certutil.GetPublicKeySize(pubKey) case *ecdsa.PublicKey: diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index d4ef64e68fe1..07c56f2dfdf9 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -9,14 +9,14 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/certutil" ) func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) { - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go index 1c3da7fa3a1b..b1d152d219d1 100644 --- a/builtin/logical/pki/integration_test.go +++ b/builtin/logical/pki/integration_test.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -331,11 +331,11 @@ func TestIntegration_CSRGeneration(t *testing.T) { expectedPublicKeyType crypto.PublicKey expectedSignature x509.SignatureAlgorithm }{ - {"rsa", false, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSA}, - {"rsa", false, 2048, 384, &rsa.PublicKey{}, x509.SHA384WithRSA}, + {"rsa", false, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSA}, + {"rsa", false, 2048, 384, &rsa2.PublicKey{}, x509.SHA384WithRSA}, // Add back once https://github.com/golang/go/issues/45990 is fixed. - // {"rsa", true, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSAPSS}, - // {"rsa", true, 2048, 512, &rsa.PublicKey{}, x509.SHA512WithRSAPSS}, + // {"rsa", true, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSAPSS}, + // {"rsa", true, 2048, 512, &rsa2.PublicKey{}, x509.SHA512WithRSAPSS}, {"ec", false, 224, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 256, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 384, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA384}, diff --git a/builtin/logical/pki/issuing/sign_cert.go b/builtin/logical/pki/issuing/sign_cert.go index c6548f69521e..63633286aaf3 100644 --- a/builtin/logical/pki/issuing/sign_cert.go +++ b/builtin/logical/pki/issuing/sign_cert.go @@ -6,7 +6,7 @@ package issuing import ( "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "fmt" @@ -139,7 +139,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi return nil, nil, errutil.UserError{Err: fmt.Sprintf("role requires keys of type %s", role.KeyType)} } - pubKey, ok := csr.PublicKey.(*rsa.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } @@ -180,7 +180,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi // validate minimums and SignatureBits below. switch csr.PublicKeyAlgorithm { case x509.RSA: - pubKey, ok := csr.PublicKey.(*rsa.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index c1c751f69d8e..c739a9dd73c8 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" @@ -26,6 +25,7 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki/dnstest" "github.com/hashicorp/vault/helper/constants" @@ -60,7 +60,7 @@ func TestAcmeBasicWorkflow(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -592,7 +592,7 @@ func TestAcmeAccountsCrossingDirectoryPath(t *testing.T) { defer cluster.Cleanup() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -628,7 +628,7 @@ func TestAcmeEabCrossingDirectoryPath(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -759,7 +759,7 @@ func TestAcmeTruncatesToIssuerExpiry(t *testing.T) { require.NoError(t, err, "failed updating issuer name") baseAcmeURL := "/v1/pki/issuer/short-ca/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -831,7 +831,7 @@ func TestAcmeRoleExtKeyUsage(t *testing.T) { _, err := client.Logical().Write("pki/roles/"+roleName, roleOpt) baseAcmeURL := "/v1/pki/roles/" + roleName + "/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") require.NoError(t, err, "failed creating role test-role") @@ -1100,7 +1100,7 @@ func TestAcmeWithCsrIncludingBasicConstraintExtension(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1432,7 +1432,7 @@ func TestAcmeValidationError(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1540,7 +1540,7 @@ func TestAcmeRevocationAcrossAccounts(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey1, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient1 := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey1) @@ -1639,7 +1639,7 @@ func TestAcmeMaxTTL(t *testing.T) { require.NoError(t, err, "error configuring acme") // First Create Our Client - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) @@ -1867,7 +1867,7 @@ func TestACMEClientRequestLimits(t *testing.T) { for _, tc := range cases { // First Create Our Client - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index 47ba1f817dec..c02d2f537f1a 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -6,10 +6,10 @@ package pki import ( "context" "crypto/rand" - "crypto/rsa" "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/constants" "github.com/stretchr/testify/require" ) @@ -117,7 +117,7 @@ func TestAcmeConfig(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go index f6c35e67f732..e28e207c8246 100644 --- a/builtin/logical/pki/path_revoke.go +++ b/builtin/logical/pki/path_revoke.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa "crypto/rsa" "crypto/subtle" "crypto/x509" "encoding/pem" diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go index 625bcb2946e3..d9c2c5ae0601 100644 --- a/builtin/logical/pki/path_root.go +++ b/builtin/logical/pki/path_root.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index f32bc880a59e..f64443a2ddc3 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/json" @@ -20,6 +19,7 @@ import ( "time" "github.com/armon/go-metrics" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" @@ -916,7 +916,7 @@ func TestTidyAcmeWithBackdate(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1073,7 +1073,7 @@ func TestTidyAcmeWithSafetyBuffer(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/test_helpers.go b/builtin/logical/pki/test_helpers.go index 2806a5dcafd2..cc79999bde01 100644 --- a/builtin/logical/pki/test_helpers.go +++ b/builtin/logical/pki/test_helpers.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -117,7 +117,7 @@ func requireMatchingPublicKeys(t *testing.T, cert *x509.Certificate, key crypto. require.True(t, areEqual, "public keys mismatched: got: %v, expected: %v", certPubKey, key) } -func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa.PrivateKey) (string, *x509.Certificate) { +func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa2.PrivateKey) (string, *x509.Certificate) { t.Helper() selfSigned, err := x509.CreateCertificate(rand.Reader, subject, issuer, key.Public(), key) if err != nil { diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index f4a7be0c1d83..6477812bd1d3 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -25,6 +24,7 @@ import ( "time" "github.com/hashicorp/go-hclog" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/builtin/logical/pkiext" "github.com/hashicorp/vault/helper/testhelpers" @@ -704,7 +704,7 @@ func doAcmeValidationWithGoLibrary(t *testing.T, directoryUrl string, acmeOrderI } httpClient := &http.Client{Transport: tr} - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") logger.Trace("Using the following url for the ACME directory", "url", directoryUrl) acmeClient := &acme.Client{ @@ -957,7 +957,7 @@ func SubtestACMEStepDownNode(t *testing.T, cluster *VaultPkiCluster) { DNSNames: []string{hostname, hostname}, } - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") acmeClient := &acme.Client{ diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 6d003c0ae5c0..66a9a4a7956e 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "errors" @@ -18,6 +17,7 @@ import ( "io" multierror "github.com/hashicorp/go-multierror" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/logical" "github.com/mikesmitty/edkey" @@ -326,7 +326,7 @@ func generateSSHKeyPair(randomSource io.Reader, keyType string, keyBits int) (st return "", "", fmt.Errorf("refusing to generate weak %v key: %v bits < 2048 bits", keyType, keyBits) } - privateSeed, err := rsa.GenerateKey(randomSource, keyBits) + privateSeed, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(randomSource, keyBits) if err != nil { return "", "", err } diff --git a/builtin/logical/ssh/path_issue_sign.go b/builtin/logical/ssh/path_issue_sign.go index 60c6d44f7ace..630bee13e47b 100644 --- a/builtin/logical/ssh/path_issue_sign.go +++ b/builtin/logical/ssh/path_issue_sign.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/ed25519" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/sha256" "errors" "fmt" diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index 89980ada0132..2a94741a82c9 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -6,7 +6,6 @@ package ssh import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" @@ -14,6 +13,7 @@ import ( "net" "strings" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/parseutil" "github.com/hashicorp/vault/sdk/logical" "golang.org/x/crypto/ssh" @@ -22,7 +22,7 @@ import ( // Creates a new RSA key pair with the given key length. The private key will be // of pem format and the public key will be of OpenSSH format. func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) { - privateKey, err := rsa.GenerateKey(rand.Reader, keyBits) + privateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) if err != nil { return "", "", fmt.Errorf("error generating RSA key-pair: %w", err) } diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index 9a6305e7a048..e77bac73a7b0 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -6,7 +6,6 @@ package transit import ( "context" cryptoRand "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -14,6 +13,7 @@ import ( "strings" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" vaulthttp "github.com/hashicorp/vault/http" @@ -167,7 +167,7 @@ func testTransit_ImportCertChain(t *testing.T, apiClient *api.Client, keyType st require.NoError(t, err) // Setup a new CSR - privKey, err := rsa.GenerateKey(cryptoRand.Reader, 3072) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(cryptoRand.Reader, 3072) require.NoError(t, err) var csrTemplate x509.CertificateRequest diff --git a/builtin/logical/transit/path_export_test.go b/builtin/logical/transit/path_export_test.go index b91ef47fb420..8a963c15c7f7 100644 --- a/builtin/logical/transit/path_export_test.go +++ b/builtin/logical/transit/path_export_test.go @@ -6,7 +6,6 @@ package transit import ( "context" cryptoRand "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -601,7 +600,7 @@ func testTransit_exportCertificateChain(t *testing.T, apiClient *api.Client, key pubWrappingKey, err := x509.ParsePKIXPublicKey(wrappingKeyPemBlock.Bytes) require.NoError(t, err, "failed to parse wrapping key") - blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa.PublicKey), privKeyBytes, "SHA256") + blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa2.PublicKey), privKeyBytes, "SHA256") // Import key _, err = apiClient.Logical().Write(fmt.Sprintf("/transit/keys/%s/import", keyName), map[string]interface{}{ diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index d26f5ff95f64..5c4fa9861b15 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" @@ -19,6 +18,7 @@ import ( "sync" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" uuid "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/sdk/logical" "github.com/tink-crypto/tink-go/v2/kwp/subtle" @@ -162,7 +162,7 @@ func TestTransit_Import(t *testing.T) { t.Run( "import into a key fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := rsa.GenerateKey(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -502,7 +502,7 @@ func TestTransit_ImportVersion(t *testing.T) { t.Run( "import into a key version fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := rsa.GenerateKey(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -948,7 +948,7 @@ func TestTransit_ImportVersionWithPublicKeys(t *testing.T) { ) } -func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { +func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa2.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { t.Helper() // Format target key for wrapping @@ -971,7 +971,7 @@ func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa.PublicKey, targetKey return wrapTargetPKCS8ForImport(t, wrappingKey, preppedTargetKey, hashFnName) } -func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hashFnName string) string { +func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hashFnName string) string { t.Helper() // Generate an ephemeral AES-256 key @@ -1027,11 +1027,11 @@ func generateKey(keyType string) (interface{}, error) { case "ecdsa-p521": return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) case "rsa-2048": - return rsa.GenerateKey(rand.Reader, 2048) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) case "rsa-3072": - return rsa.GenerateKey(rand.Reader, 3072) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) case "rsa-4096": - return rsa.GenerateKey(rand.Reader, 4096) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) default: return nil, fmt.Errorf("failed to generate unsupported key type: %s", keyType) } @@ -1042,7 +1042,7 @@ func getPublicKey(privateKey crypto.PrivateKey, keyType string) ([]byte, error) var publicKeyBytes []byte switch keyType { case "rsa-2048", "rsa-3072", "rsa-4096": - publicKey = privateKey.(*rsa.PrivateKey).Public() + publicKey = privateKey.(*rsa2.PrivateKey).Public() case "ecdsa-p256", "ecdsa-p384", "ecdsa-p521": publicKey = privateKey.(*ecdsa.PrivateKey).Public() case "ed25519": diff --git a/builtin/logical/transit/path_wrapping_key_test.go b/builtin/logical/transit/path_wrapping_key_test.go index 9ed58e45c284..37328ed0bed1 100644 --- a/builtin/logical/transit/path_wrapping_key_test.go +++ b/builtin/logical/transit/path_wrapping_key_test.go @@ -5,7 +5,6 @@ package transit import ( "context" - "crypto/rsa" "crypto/x509" "encoding/pem" "testing" @@ -51,7 +50,7 @@ func TestTransit_WrappingKey(t *testing.T) { if err != nil { t.Fatalf("failed to parse public wrapping key: %s", err) } - wrappingKey, ok := rawPubKey.(*rsa.PublicKey) + wrappingKey, ok := rawPubKey.(*rsa2.PublicKey) if !ok || wrappingKey.Size() != 512 { t.Fatal("public wrapping key is not a 4096-bit RSA key") } diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 847ab59ff78f..2b030e083877 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -7,12 +7,12 @@ import ( "bytes" "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/stretchr/testify/require" ) @@ -171,7 +171,7 @@ func execTransitImport(t *testing.T, client *api.Client, method string, path str func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) { t.Helper() - priv1, err := rsa.GenerateKey(rand.Reader, 2048) + priv1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NotNil(t, priv1, "failed generating RSA 1 key") require.NoError(t, err, "failed generating RSA 1 key") @@ -179,7 +179,7 @@ func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 require.NotNil(t, rsa1, "failed marshaling RSA 1 key") require.NoError(t, err, "failed marshaling RSA 1 key") - priv2, err := rsa.GenerateKey(rand.Reader, 2048) + priv2, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NotNil(t, priv2, "failed generating RSA 2 key") require.NoError(t, err, "failed generating RSA 2 key") diff --git a/go.mod b/go.mod index a5e9ddad6740..b5ad2d076508 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ module github.com/hashicorp/vault // semantic related to Go module handling), this comment should be updated to explain that. // // Whenever this value gets updated, sdk/go.mod should be updated to the same value. -go 1.22.5 +go 1.23.0 replace github.com/hashicorp/vault/api => ./api @@ -22,6 +22,8 @@ replace github.com/hashicorp/vault/api/auth/userpass => ./api/auth/userpass replace github.com/hashicorp/vault/sdk => ./sdk +replace github.com/hashicorp/go-secure-stdlib/cryptoutil => ../go-secure-stdlib/cryptoutil + require ( cloud.google.com/go/cloudsqlconn v1.4.3 cloud.google.com/go/monitoring v1.21.0 @@ -235,7 +237,9 @@ require ( github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-viper/mapstructure/v2 v2.1.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect + github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/sys/userns v0.1.0 // indirect diff --git a/go.sum b/go.sum index de9850af0861..8dd6558912a5 100644 --- a/go.sum +++ b/go.sum @@ -1406,6 +1406,8 @@ github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39 github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 h1:kBoJV4Xl5FLtBfnBjDvBxeNSy2IRITSGs73HQsFUEjY= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6/go.mod h1:y+HSOcOGB48PkUxNyLAiCiY6rEENu+E+Ss4LG8QHwf4= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= diff --git a/helper/pkcs7/decrypt.go b/helper/pkcs7/decrypt.go index acedb1ec92af..a34bb5a65748 100644 --- a/helper/pkcs7/decrypt.go +++ b/helper/pkcs7/decrypt.go @@ -7,7 +7,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "encoding/asn1" "errors" diff --git a/helper/pkcs7/encrypt.go b/helper/pkcs7/encrypt.go index 90da67e4eed2..dfe8bc0a492c 100644 --- a/helper/pkcs7/encrypt.go +++ b/helper/pkcs7/encrypt.go @@ -6,7 +6,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" diff --git a/helper/pkcs7/pkcs7_test.go b/helper/pkcs7/pkcs7_test.go index 7753c174b200..21f4616d3bf1 100644 --- a/helper/pkcs7/pkcs7_test.go +++ b/helper/pkcs7/pkcs7_test.go @@ -6,7 +6,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -17,11 +16,11 @@ import ( "time" ) -var test1024Key, test2048Key, test3072Key, test4096Key *rsa.PrivateKey +var test1024Key, test2048Key, test3072Key, test4096Key *rsa2.PrivateKey func init() { - test1024Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test1024Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("123024078101403810516614073341068864574068590522569345017786163424062310013967742924377390210586226651760719671658568413826602264886073432535341149584680111145880576802262550990305759285883150470245429547886689754596541046564560506544976611114898883158121012232676781340602508151730773214407220733898059285561"), E: 65537, }, @@ -32,8 +31,8 @@ func init() { }, } test1024Key.Precompute() - test2048Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test2048Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("14314132931241006650998084889274020608918049032671858325988396851334124245188214251956198731333464217832226406088020736932173064754214329009979944037640912127943488972644697423190955557435910767690712778463524983667852819010259499695177313115447116110358524558307947613422897787329221478860907963827160223559690523660574329011927531289655711860504630573766609239332569210831325633840174683944553667352219670930408593321661375473885147973879086994006440025257225431977751512374815915392249179976902953721486040787792801849818254465486633791826766873076617116727073077821584676715609985777563958286637185868165868520557"), E: 3, }, @@ -44,8 +43,8 @@ func init() { }, } test2048Key.Precompute() - test3072Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test3072Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("4799422180968749215324244710281712119910779465109490663934897082847293004098645365195947978124390029272750644394844443980065532911010718425428791498896288210928474905407341584968381379157418577471272697781778686372450913810019702928839200328075568223462554606149618941566459398862673532997592879359280754226882565483298027678735544377401276021471356093819491755877827249763065753555051973844057308627201762456191918852016986546071426986328720794061622370410645440235373576002278045257207695462423797272017386006110722769072206022723167102083033531426777518054025826800254337147514768377949097720074878744769255210076910190151785807232805749219196645305822228090875616900385866236956058984170647782567907618713309775105943700661530312800231153745705977436176908325539234432407050398510090070342851489496464612052853185583222422124535243967989533830816012180864309784486694786581956050902756173889941244024888811572094961378021"), E: 65537, }, @@ -56,8 +55,8 @@ func init() { }, } test3072Key.Precompute() - test4096Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test4096Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("633335480064287130853997429184971616419051348693342219741748040433588285601270210251206421401040394238592139790962887290698043839174341843721930134010306454716566698330215646704263665452264344664385995704186692432827662862845900348526672531755932642433662686500295989783595767573119607065791980381547677840410600100715146047382485989885183858757974681241303484641390718944520330953604501686666386926996348457928415093305041429178744778762826377713889019740060910363468343855830206640274442887621960581569183233822878661711798998132931623726434336448716605363514220760343097572198620479297583609779817750646169845195672483600293522186340560792255595411601450766002877850696008003794520089358819042318331840490155176019070646738739580486357084733208876620846449161909966690602374519398451042362690200166144326179405976024265116931974936425064291406950542193873313447617169603706868220189295654943247311295475722243471700112334609817776430552541319671117235957754556272646031356496763094955985615723596562217985372503002989591679252640940571608314743271809251568670314461039035793703429977801961867815257832671786542212589906513979094156334941265621017752516999186481477500481433634914622735206243841674973785078408289183000133399026553"), E: 65537, }, @@ -128,7 +127,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA256WithRSA: priv = test2048Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -138,7 +137,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA384WithRSA: priv = test3072Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -148,7 +147,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA512WithRSA: priv = test4096Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -161,7 +160,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -174,7 +173,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -187,7 +186,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -208,19 +207,19 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 log.Println("creating cert", name, "issued by", issuerCert.Subject.CommonName, "with sigalg", sigAlg) switch priv.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: switch issuerKey.(type) { - case *rsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) + case *rsa2.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) case *ecdsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) } case *ecdsa.PrivateKey: switch issuerKey.(type) { - case *rsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) + case *rsa2.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: @@ -229,7 +228,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case *dsa.PrivateKey: pub := &priv.(*dsa.PrivateKey).PublicKey switch issuerKey := issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, pub, issuerKey) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*dsa.PublicKey), issuerKey) @@ -257,7 +256,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 type TestFixture struct { Input []byte Certificate *x509.Certificate - PrivateKey *rsa.PrivateKey + PrivateKey *rsa2.PrivateKey } func UnmarshalTestFixture(testPEMBlock string) TestFixture { diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index d9c89735c618..0d75fc9c9a89 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -7,7 +7,6 @@ import ( "bytes" "crypto" "crypto/rand" - "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -18,6 +17,8 @@ import ( "strings" "testing" "time" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) type CertBuilder struct { @@ -25,7 +26,7 @@ type CertBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa.PrivateKey + parentKey *rsa2.PrivateKey isCA bool } @@ -159,14 +160,14 @@ func NewCert(t *testing.T, opts ...CertOpt) (cert Certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type KeyWrapper struct { - PrivKey *rsa.PrivateKey + PrivKey *rsa2.PrivateKey Pem []byte } func NewPrivateKey(t *testing.T) (key KeyWrapper) { t.Helper() - privKey, err := rsa.GenerateKey(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 3a8f3afcb84f..9d38220c1a38 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -7,7 +7,6 @@ import ( "bytes" "crypto" "crypto/rand" - "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -17,6 +16,8 @@ import ( "strings" "testing" "time" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) type certBuilder struct { @@ -24,7 +25,7 @@ type certBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa.PrivateKey + parentKey *rsa2.PrivateKey isCA bool } @@ -147,14 +148,14 @@ func newCert(t *testing.T, opts ...certOpt) (cert certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type keyWrapper struct { - privKey *rsa.PrivateKey + privKey *rsa2.PrivateKey pem []byte } func newPrivateKey(t *testing.T) (key keyWrapper) { t.Helper() - privKey, err := rsa.GenerateKey(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/sdk/go.mod b/sdk/go.mod index dae54216b653..b73ca01ed0c9 100644 --- a/sdk/go.mod +++ b/sdk/go.mod @@ -1,6 +1,8 @@ module github.com/hashicorp/vault/sdk -go 1.22 +go 1.23.0 + +replace github.com/hashicorp/go-secure-stdlib/cryptoutil => ../../go-secure-stdlib/cryptoutil require ( cloud.google.com/go/cloudsqlconn v1.4.3 @@ -58,6 +60,8 @@ require ( github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/go-jose/go-jose/v4 v4.0.1 // indirect + github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect diff --git a/sdk/go.sum b/sdk/go.sum index 55705f4931ac..80f540c50e7e 100644 --- a/sdk/go.sum +++ b/sdk/go.sum @@ -237,6 +237,8 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9n github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 h1:kBoJV4Xl5FLtBfnBjDvBxeNSy2IRITSGs73HQsFUEjY= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6/go.mod h1:y+HSOcOGB48PkUxNyLAiCiY6rEENu+E+Ss4LG8QHwf4= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 4ebab01827d2..72f97990318b 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -26,6 +25,7 @@ import ( "time" "github.com/fatih/structs" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) // Tests converting back and forth between a CertBundle and a ParsedCertBundle. @@ -465,11 +465,11 @@ vitin0L6nprauWkKO38XgM4T75qKZpqtiOcT } func TestGetPublicKeySize(t *testing.T) { - rsa, err := rsa.GenerateKey(rand.Reader, 3072) + rsa, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) if err != nil { t.Fatal(err) } - if GetPublicKeySize(&rsa.PublicKey) != 3072 { + if GetPublicKeySize(&rsa2.PublicKey) != 3072 { t.Fatal("unexpected rsa key size") } ecdsa, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) @@ -735,7 +735,7 @@ func setCerts() { // RSA generation { - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } @@ -1101,8 +1101,8 @@ func TestIgnoreCSRSigning(t *testing.T) { }) } -func genRsaKey(t *testing.T) *rsa.PrivateKey { - key, err := rsa.GenerateKey(rand.Reader, 2048) +func genRsaKey(t *testing.T) *rsa2.PrivateKey { + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index 1c673b058acd..e9096ac1237e 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -11,7 +11,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -30,6 +30,7 @@ import ( "time" "github.com/hashicorp/errwrap" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/mitchellh/mapstructure" @@ -156,7 +157,7 @@ func getSubjectKeyIDFromBundle(data *CreationBundle) ([]byte, error) { func GetSubjectKeyID(pub interface{}) ([]byte, error) { var publicKeyBytes []byte switch pub := pub.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: type pkcs1PublicKey struct { N *big.Int E int @@ -233,7 +234,7 @@ func ParseDERKey(privateKeyBytes []byte) (signer crypto.Signer, format BlockType var rawKey interface{} if rawKey, thirdError = x509.ParsePKCS8PrivateKey(privateKeyBytes); thirdError == nil { switch rawSigner := rawKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: signer = rawSigner case *ecdsa.PrivateKey: signer = rawSigner @@ -368,11 +369,11 @@ func generatePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyC return errutil.InternalError{Err: fmt.Sprintf("insecure bit length for RSA private key: %d", keyBits)} } privateKeyType = RSAPrivateKey - privateKey, err = rsa.GenerateKey(randReader, keyBits) + privateKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, keyBits) if err != nil { return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)} } - privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa.PrivateKey)) + privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa2.PrivateKey)) case "ec": privateKeyType = ECPrivateKey var curve elliptic.Curve @@ -450,9 +451,9 @@ func ComparePublicKeysAndType(key1Iface, key2Iface crypto.PublicKey) (bool, erro // returns an error if public key types are mismatched, or they are an unsupported key type. func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) { switch key1Iface.(type) { - case *rsa.PublicKey: - key1 := key1Iface.(*rsa.PublicKey) - key2, ok := key2Iface.(*rsa.PublicKey) + case *rsa2.PublicKey: + key1 := key1Iface.(*rsa2.PublicKey) + key2, ok := key2Iface.(*rsa2.PublicKey) if !ok { return false, fmt.Errorf("key types do not match: %T and %T", key1Iface, key2Iface) } @@ -516,7 +517,7 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) { } switch key := rawKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return key, nil case *ecdsa.PublicKey: return key, nil @@ -1422,7 +1423,7 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { // GetPublicKeySize returns the key size in bits for a given arbitrary crypto.PublicKey // Returns -1 for an unsupported key type. func GetPublicKeySize(key crypto.PublicKey) int { - if key, ok := key.(*rsa.PublicKey); ok { + if key, ok := key.(*rsa2.PublicKey); ok { return key.Size() * 8 } if key, ok := key.(*ecdsa.PublicKey); ok { @@ -2049,7 +2050,7 @@ func FindBitLength(publicKey any) int { return 0 } switch pub := publicKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return pub.N.BitLen() case *ecdsa.PublicKey: switch pub.Curve { diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go index cdfc912e9289..b0759f172251 100644 --- a/sdk/helper/certutil/types.go +++ b/sdk/helper/certutil/types.go @@ -16,7 +16,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -153,7 +153,7 @@ type KeyBundle struct { func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // We look at the public key types to work-around limitations/typing of managed keys. switch signer.Public().(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -167,7 +167,7 @@ func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // that would be associated with it, returning UnknownPrivateKey for unsupported types func GetPrivateKeyTypeFromPublicKey(pubKey crypto.PublicKey) PrivateKeyType { switch pubKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -449,7 +449,7 @@ func (p *ParsedCertBundle) getSigner() (crypto.Signer, error) { case PKCS8Block: if k, err := x509.ParsePKCS8PrivateKey(p.PrivateKeyBytes); err == nil { switch k := k.(type) { - case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: + case *rsa2.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: return k.(crypto.Signer), nil default: return nil, errutil.UserError{Err: "Found unknown private key type in pkcs#8 wrapping"} @@ -478,7 +478,7 @@ func getPKCS8Type(bs []byte) (PrivateKeyType, error) { switch k.(type) { case *ecdsa.PrivateKey: return ECPrivateKey, nil - case *rsa.PrivateKey: + case *rsa2.PrivateKey: return RSAPrivateKey, nil case ed25519.PrivateKey: return Ed25519PrivateKey, nil diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index 2cf383afaa02..a76741b20460 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -9,12 +9,13 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "testing" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index 234b4413cfe2..ade6d44b03af 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -13,7 +13,7 @@ import ( "crypto/elliptic" "crypto/hmac" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/asn1" @@ -32,6 +32,8 @@ import ( "sync/atomic" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/errwrap" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/sdk/helper/errutil" @@ -287,8 +289,8 @@ type KeyEntry struct { EC_Y *big.Int `json:"ec_y"` EC_D *big.Int `json:"ec_d"` - RSAKey *rsa.PrivateKey `json:"rsa_key"` - RSAPublicKey *rsa.PublicKey `json:"rsa_public_key"` + RSAKey *rsa2.PrivateKey `json:"rsa_key"` + RSAPublicKey *rsa2.PublicKey `json:"rsa_public_key"` // The public key in an appropriate format for the type of key FormattedPublicKey string `json:"public_key"` @@ -425,7 +427,7 @@ func LoadPolicy(ctx context.Context, s logical.Storage, path string) (*Policy, e case KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096: for _, entry := range policy.Keys { if entry.RSAPublicKey == nil && entry.RSAKey != nil { - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) } } } @@ -1079,9 +1081,9 @@ func (p *Policy) DecryptWithFactory(context, nonce []byte, value string, factori switch paddingScheme { case PaddingScheme_PKCS1v15: - plain, err = rsa.DecryptPKCS1v15(rand.Reader, key, decoded) + plain, err = rsa2.DecryptPKCS1v15(rand.Reader, key, decoded) case PaddingScheme_OAEP: - plain, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) + plain, err = rsa2.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -1167,14 +1169,14 @@ func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, si return p.SignWithOptions(ver, context, input, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa.PSSSaltLengthAuto, + SaltLength: rsa2.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } func (p *Policy) minRSAPSSSaltLength() int { // https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/crypto/rsa/pss.go;l=247 - return rsa.PSSSaltLengthEqualsHash + return rsa2.PSSSaltLengthEqualsHash } func (p *Policy) maxRSAPSSSaltLength(keyBitLen int, hash crypto.Hash) int { @@ -1324,12 +1326,12 @@ func (p *Policy) SignWithOptions(ver int, context, input []byte, options *Signin if !p.validRSAPSSSaltLength(key.N.BitLen(), algo, saltLength) { return nil, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - sig, err = rsa.SignPSS(rand.Reader, key, algo, input, &rsa.PSSOptions{SaltLength: saltLength}) + sig, err = rsa2.SignPSS(rand.Reader, key, algo, input, &rsa2.PSSOptions{SaltLength: saltLength}) if err != nil { return nil, err } case "pkcs1v15": - sig, err = rsa.SignPKCS1v15(rand.Reader, key, algo, input) + sig, err = rsa2.SignPKCS1v15(rand.Reader, key, algo, input) if err != nil { return nil, err } @@ -1372,7 +1374,7 @@ func (p *Policy) VerifySignature(context, input []byte, hashAlgorithm HashType, return p.VerifySignatureWithOptions(context, input, sig, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa.PSSSaltLengthAuto, + SaltLength: rsa2.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } @@ -1524,13 +1526,13 @@ func (p *Policy) VerifySignatureWithOptions(context, input []byte, sig string, o if !p.validRSAPSSSaltLength(publicKey.N.BitLen(), algo, saltLength) { return false, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - err = rsa.VerifyPSS(publicKey, algo, input, sigBytes, &rsa.PSSOptions{SaltLength: saltLength}) + err = rsa2.VerifyPSS(publicKey, algo, input, sigBytes, &rsa2.PSSOptions{SaltLength: saltLength}) case "pkcs1v15": publicKey := keyEntry.RSAPublicKey if !keyEntry.IsPrivateKeyMissing() { publicKey = &keyEntry.RSAKey.PublicKey } - err = rsa.VerifyPKCS1v15(publicKey, algo, input, sigBytes) + err = rsa2.VerifyPKCS1v15(publicKey, algo, input, sigBytes) default: return false, errutil.InternalError{Err: fmt.Sprintf("unsupported rsa signature algorithm %s", sigAlgorithm)} } @@ -1790,12 +1792,12 @@ func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error) { bitSize = 4096 } - entry.RSAKey, err = rsa.GenerateKey(randReader, bitSize) + entry.RSAKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, bitSize) if err != nil { return err } - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) } if p.ConvergentEncryption { @@ -2178,7 +2180,7 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value if err != nil { return "", err } - var publicKey *rsa.PublicKey + var publicKey *rsa2.PublicKey if keyEntry.RSAKey != nil { publicKey = &keyEntry.RSAKey.PublicKey } else { @@ -2186,9 +2188,9 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value } switch paddingScheme { case PaddingScheme_PKCS1v15: - ciphertext, err = rsa.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) + ciphertext, err = rsa2.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) case PaddingScheme_OAEP: - ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) + ciphertext, err = rsa2.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -2317,8 +2319,8 @@ func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical if !publicKey.(*ecdsa.PublicKey).Equal(&ecdsaKey.PublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } - case *rsa.PrivateKey: - rsaKey := parsedPrivateKey.(*rsa.PrivateKey) + case *rsa2.PrivateKey: + rsaKey := parsedPrivateKey.(*rsa2.PrivateKey) if !rsaKey.PublicKey.Equal(keyEntry.RSAPublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } @@ -2413,7 +2415,7 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { publicKey := parsedKey.(ed25519.PublicKey) ke.FormattedPublicKey = base64.StdEncoding.EncodeToString(publicKey) } - case *rsa.PrivateKey, *rsa.PublicKey: + case *rsa2.PrivateKey, *rsa2.PublicKey: if PolKeyType != KeyType_RSA2048 && PolKeyType != KeyType_RSA3072 && PolKeyType != KeyType_RSA4096 { return fmt.Errorf("invalid key type: expected %s, got %T", PolKeyType, parsedKey) } @@ -2425,15 +2427,15 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { keyBytes = 512 } - rsaKey, ok := parsedKey.(*rsa.PrivateKey) + rsaKey, ok := parsedKey.(*rsa2.PrivateKey) if ok { if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } ke.RSAKey = rsaKey - ke.RSAPublicKey = rsaKey.Public().(*rsa.PublicKey) + ke.RSAPublicKey = rsaKey.Public().(*rsa2.PublicKey) } else { - rsaKey := parsedKey.(*rsa.PublicKey) + rsaKey := parsedKey.(*rsa2.PublicKey) if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } @@ -2501,7 +2503,7 @@ func (ke *KeyEntry) WrapKey(targetKey any, targetKeyType KeyType, hash hash.Hash return result, nil } -func wrapTargetPKCS8ForImport(wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { +func wrapTargetPKCS8ForImport(wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { // Generate an ephemeral AES-256 key ephKey, err := uuid.GenerateRandomBytes(32) if err != nil { @@ -2509,7 +2511,7 @@ func wrapTargetPKCS8ForImport(wrappingKey *rsa.PublicKey, preppedTargetKey []byt } // Wrap ephemeral AES key with public wrapping key - ephKeyWrapped, err := rsa.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) + ephKeyWrapped, err := rsa2.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) if err != nil { return "", fmt.Errorf("failed to encrypt ephemeral wrapping key with public key: %w", err) } @@ -2661,7 +2663,7 @@ func (p *Policy) ValidateLeafCertKeyMatch(keyVersion int, certPublicKeyAlgorithm return publicKey.Equal(certPublicKey), nil case x509.RSA: - certPublicKey := certPublicKey.(*rsa.PublicKey) + certPublicKey := certPublicKey.(*rsa2.PublicKey) publicKey := keyEntry.RSAKey.PublicKey return publicKey.Equal(certPublicKey), nil diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index cd921a52065b..7c260371eec1 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "errors" @@ -22,6 +21,7 @@ import ( "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" @@ -810,7 +810,7 @@ func Test_Import(t *testing.T) { func generateTestKeys() (map[KeyType][]byte, error) { keyMap := make(map[KeyType][]byte) - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { return nil, err } @@ -820,7 +820,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA2048] = rsaKeyBytes - rsaKey, err = rsa.GenerateKey(rand.Reader, 3072) + rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) if err != nil { return nil, err } @@ -830,7 +830,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA3072] = rsaKeyBytes - rsaKey, err = rsa.GenerateKey(rand.Reader, 4096) + rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { return nil, err } @@ -969,7 +969,7 @@ func Test_RSA_PSS(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, + test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1084,7 +1084,7 @@ func Test_RSA_PSS(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { @@ -1117,7 +1117,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, padding PaddingScheme) { + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, padding PaddingScheme) { // 1. Make a signature with the given key size and hash algorithm. t.Log(tabs[3], "Make an automatic signature") ct, err := p.EncryptWithFactory(0, nil, nil, string(input), padding) @@ -1152,7 +1152,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) for _, padding := range []PaddingScheme{PaddingScheme_OAEP, PaddingScheme_PKCS1v15, ""} { t.Run(fmt.Sprintf("%s/%s", rsaKeyType.String(), padding), func(t *testing.T) { test_RSA_PKCS1(t, p, rsaKey, padding) }) } @@ -1173,7 +1173,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1229,7 +1229,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { diff --git a/sdk/helper/keysutil/util.go b/sdk/helper/keysutil/util.go index dbba7ec1fb70..cb3a0821d0ca 100644 --- a/sdk/helper/keysutil/util.go +++ b/sdk/helper/keysutil/util.go @@ -68,7 +68,7 @@ func isEd25519OID(oid asn1.ObjectIdentifier) bool { // ParsePKCS8Ed25519PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form. // -// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". @@ -125,7 +125,7 @@ func ParsePKCS8Ed25519PrivateKey(der []byte) (key interface{}, err error) { // // This helper only supports RSA/PSS keys (with OID 1.2.840.113549.1.1.10). // -// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 5b34631f2d7d..27cece13158f 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "encoding/base64" "encoding/json" "errors" @@ -24,6 +23,7 @@ import ( "github.com/go-jose/go-jose/v3/jwt" "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/base62" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/helper/identity" @@ -1762,7 +1762,7 @@ func generateKeys(algorithm string) (*jose.JSONWebKey, error) { switch algorithm { case "RS256", "RS384", "RS512": // 2048 bits is recommended by RSA Laboratories as a minimum post 2015 - if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil { + if key, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048); err != nil { return nil, err } case "ES256", "ES384", "ES512": From 6150e1bf3da43c11257c2464e92de558473e2227 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Fri, 25 Oct 2024 12:56:52 -0500 Subject: [PATCH 04/28] switch to the conditional generator --- Makefile | 8 ++++---- builtin/credential/cert/backend_test.go | 4 ++-- builtin/logical/database/credentials.go | 2 +- builtin/logical/pki/backend_test.go | 16 +++++++-------- builtin/logical/pki/ca_test.go | 2 +- builtin/logical/pki/ca_util_test.go | 2 +- builtin/logical/pki/cert_util.go | 13 ++++++++++-- builtin/logical/pki/path_acme_test.go | 20 +++++++++---------- builtin/logical/pki/path_config_acme_test.go | 2 +- builtin/logical/pki/path_tidy_test.go | 4 ++-- .../logical/pkiext/pkiext_binary/acme_test.go | 4 ++-- builtin/logical/ssh/path_config_ca.go | 2 +- builtin/logical/ssh/util.go | 2 +- .../logical/transit/path_certificates_test.go | 2 +- builtin/logical/transit/path_import_test.go | 10 +++++----- command/transit_import_key_test.go | 4 ++-- .../testhelpers/certhelpers/cert_helpers.go | 2 +- plugins/database/mongodb/cert_helpers_test.go | 2 +- sdk/helper/certutil/certutil_test.go | 6 +++--- sdk/helper/certutil/helpers.go | 3 +-- sdk/helper/certutil/types_test.go | 2 +- sdk/helper/keysutil/policy.go | 2 +- sdk/helper/keysutil/policy_test.go | 6 +++--- vault/identity_store_oidc.go | 2 +- 24 files changed, 65 insertions(+), 57 deletions(-) diff --git a/Makefile b/Makefile index 40022f25a8fd..2fd392c3b5f9 100644 --- a/Makefile +++ b/Makefile @@ -164,11 +164,11 @@ protolint: prep check-tools-external # now run as a pre-commit hook (and there's little value in # making every build run the formatter), we've removed that # dependency. -prep: check-go-version clean +prep: check-go-version @echo "==> Running go generate..." - @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) - @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) - @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) +# @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) +# @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) +# @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) # Git doesn't allow us to store shared hooks in .git. Instead, we make sure they're up-to-date # whenever a make target is invoked. diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index 23412ef9b6dc..dd92b2df07d8 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -658,7 +658,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.IPAddresses = []net.IP{parsedIP} // Private key for CA cert - caPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + caPrivateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -726,7 +726,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.SerialNumber = big.NewInt(5678) template.KeyUsage = x509.KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign) - issuedPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + issuedPrivateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 9208e836a3a9..08836d5aaaca 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -133,7 +133,7 @@ func (kg *rsaKeyGenerator) generate(r io.Reader) ([]byte, []byte, error) { return nil, nil, fmt.Errorf("invalid key_bits: %v", kg.KeyBits) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(reader, keyBits) + key, err := cryptoutil.GenerateRSAKey(reader, keyBits) if err != nil { return nil, nil, err } diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index a2655b239047..ba5e1feb310a 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -511,14 +511,14 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s }, } - priv1024, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 1024) + priv1024, _ := cryptoutil.GenerateRSAKey(rand.Reader, 1024) csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024) csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csr1024, }))) - priv2048, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv2048, _ := cryptoutil.GenerateRSAKey(rand.Reader, 2048) csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048) csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", @@ -700,7 +700,7 @@ func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType str var err error switch keyType { case "rsa": - priv, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + priv, err = cryptoutil.GenerateRSAKey(rand.Reader, keyBits) case "ec": switch keyBits { case 224: @@ -1181,7 +1181,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep { case "rsa": privKey, ok = generatedRSAKeys[keyBits] if !ok { - privKey, _ = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + privKey, _ = cryptoutil.GenerateRSAKey(rand.Reader, keyBits) generatedRSAKeys[keyBits] = privKey } @@ -2165,7 +2165,7 @@ func runTestSignVerbatim(t *testing.T, keyType string) { } // create a CSR and key - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2736,7 +2736,7 @@ func TestBackend_SignSelfIssued(t *testing.T) { t.Fatal(err) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2880,7 +2880,7 @@ func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) { t.Fatal(err) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -3835,7 +3835,7 @@ func setCerts() { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index 745b1282a8cc..aa2a15f3cb55 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -98,7 +98,7 @@ func TestBackend_CA_Steps(t *testing.T) { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index 07c56f2dfdf9..66413ce5eb4a 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -16,7 +16,7 @@ import ( ) func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) { - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index ae5d3504d465..ac5e4dd91420 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -321,6 +321,15 @@ func validateSerialNumber(data *inputBundle, serialNumber string) string { return issuing.ValidateSerialNumber(data.role, serialNumber) } +type slowRand struct { + r io.Reader +} + +func (s *slowRand) Read(p []byte) (n int, err error) { + time.Sleep(50 * time.Millisecond) + return s.r.Read(p) +} + func generateCert(sc *storageContext, input *inputBundle, caSign *certutil.CAInfoBundle, @@ -333,7 +342,7 @@ func generateCert(sc *storageContext, return nil, nil, errutil.InternalError{Err: "no role found in data bundle"} } - if input.role.KeyType == "rsa" && input.role.KeyBits < 2048 { + if input.role.KeyType == "rsa" && input.role.KeyBits < 1024 { return nil, nil, errutil.UserError{Err: "RSA keys < 2048 bits are unsafe and not supported"} } @@ -391,7 +400,7 @@ func generateCert(sc *storageContext, } } - parsedBundle, err := generateCABundle(sc, input, data, randomSource) + parsedBundle, err := generateCABundle(sc, input, data, &slowRand{randomSource}) if err != nil { return nil, nil, err } diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index c739a9dd73c8..d03fe04a59ba 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -60,7 +60,7 @@ func TestAcmeBasicWorkflow(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -592,7 +592,7 @@ func TestAcmeAccountsCrossingDirectoryPath(t *testing.T) { defer cluster.Cleanup() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -628,7 +628,7 @@ func TestAcmeEabCrossingDirectoryPath(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -759,7 +759,7 @@ func TestAcmeTruncatesToIssuerExpiry(t *testing.T) { require.NoError(t, err, "failed updating issuer name") baseAcmeURL := "/v1/pki/issuer/short-ca/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -831,7 +831,7 @@ func TestAcmeRoleExtKeyUsage(t *testing.T) { _, err := client.Logical().Write("pki/roles/"+roleName, roleOpt) baseAcmeURL := "/v1/pki/roles/" + roleName + "/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") require.NoError(t, err, "failed creating role test-role") @@ -1100,7 +1100,7 @@ func TestAcmeWithCsrIncludingBasicConstraintExtension(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1432,7 +1432,7 @@ func TestAcmeValidationError(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1540,7 +1540,7 @@ func TestAcmeRevocationAcrossAccounts(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey1, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient1 := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey1) @@ -1639,7 +1639,7 @@ func TestAcmeMaxTTL(t *testing.T) { require.NoError(t, err, "error configuring acme") // First Create Our Client - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) @@ -1867,7 +1867,7 @@ func TestACMEClientRequestLimits(t *testing.T) { for _, tc := range cases { // First Create Our Client - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index c02d2f537f1a..5eee3a2195b8 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -117,7 +117,7 @@ func TestAcmeConfig(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index f64443a2ddc3..fc46b6e84718 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -916,7 +916,7 @@ func TestTidyAcmeWithBackdate(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1073,7 +1073,7 @@ func TestTidyAcmeWithSafetyBuffer(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index 6477812bd1d3..efda8241f2f0 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -704,7 +704,7 @@ func doAcmeValidationWithGoLibrary(t *testing.T, directoryUrl string, acmeOrderI } httpClient := &http.Client{Transport: tr} - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") logger.Trace("Using the following url for the ACME directory", "url", directoryUrl) acmeClient := &acme.Client{ @@ -957,7 +957,7 @@ func SubtestACMEStepDownNode(t *testing.T, cluster *VaultPkiCluster) { DNSNames: []string{hostname, hostname}, } - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") acmeClient := &acme.Client{ diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 66a9a4a7956e..9018f88fc816 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -326,7 +326,7 @@ func generateSSHKeyPair(randomSource io.Reader, keyType string, keyBits int) (st return "", "", fmt.Errorf("refusing to generate weak %v key: %v bits < 2048 bits", keyType, keyBits) } - privateSeed, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(randomSource, keyBits) + privateSeed, err := cryptoutil.GenerateRSAKey(randomSource, keyBits) if err != nil { return "", "", err } diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index 2a94741a82c9..fff7402672cf 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -22,7 +22,7 @@ import ( // Creates a new RSA key pair with the given key length. The private key will be // of pem format and the public key will be of OpenSSH format. func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) { - privateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + privateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, keyBits) if err != nil { return "", "", fmt.Errorf("error generating RSA key-pair: %w", err) } diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index e77bac73a7b0..a81f9ec24cae 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -167,7 +167,7 @@ func testTransit_ImportCertChain(t *testing.T, apiClient *api.Client, keyType st require.NoError(t, err) // Setup a new CSR - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(cryptoRand.Reader, 3072) + privKey, err := cryptoutil.GenerateRSAKey(cryptoRand.Reader, 3072) require.NoError(t, err) var csrTemplate x509.CertificateRequest diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index 5c4fa9861b15..9b0f03e2f2a1 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -162,7 +162,7 @@ func TestTransit_Import(t *testing.T) { t.Run( "import into a key fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -502,7 +502,7 @@ func TestTransit_ImportVersion(t *testing.T) { t.Run( "import into a key version fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -1027,11 +1027,11 @@ func generateKey(keyType string) (interface{}, error) { case "ecdsa-p521": return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) case "rsa-2048": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + return cryptoutil.GenerateRSAKey(rand.Reader, 2048) case "rsa-3072": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + return cryptoutil.GenerateRSAKey(rand.Reader, 3072) case "rsa-4096": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + return cryptoutil.GenerateRSAKey(rand.Reader, 4096) default: return nil, fmt.Errorf("failed to generate unsupported key type: %s", keyType) } diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 2b030e083877..6ea4c9985dfa 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -171,7 +171,7 @@ func execTransitImport(t *testing.T, client *api.Client, method string, path str func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) { t.Helper() - priv1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv1, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NotNil(t, priv1, "failed generating RSA 1 key") require.NoError(t, err, "failed generating RSA 1 key") @@ -179,7 +179,7 @@ func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 require.NotNil(t, rsa1, "failed marshaling RSA 1 key") require.NoError(t, err, "failed marshaling RSA 1 key") - priv2, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv2, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NotNil(t, priv2, "failed generating RSA 2 key") require.NoError(t, err, "failed generating RSA 2 key") diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index 0d75fc9c9a89..171421c3b240 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -167,7 +167,7 @@ type KeyWrapper struct { func NewPrivateKey(t *testing.T) (key KeyWrapper) { t.Helper() - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 9d38220c1a38..8ae0fe16b019 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -155,7 +155,7 @@ type keyWrapper struct { func newPrivateKey(t *testing.T) (key keyWrapper) { t.Helper() - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 72f97990318b..2aa1622db746 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -465,7 +465,7 @@ vitin0L6nprauWkKO38XgM4T75qKZpqtiOcT } func TestGetPublicKeySize(t *testing.T) { - rsa, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + rsa, err := cryptoutil.GenerateRSAKey(rand.Reader, 3072) if err != nil { t.Fatal(err) } @@ -735,7 +735,7 @@ func setCerts() { // RSA generation { - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } @@ -1102,7 +1102,7 @@ func TestIgnoreCSRSigning(t *testing.T) { } func genRsaKey(t *testing.T) *rsa2.PrivateKey { - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index e9096ac1237e..ad7e2e544b8d 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -30,7 +30,6 @@ import ( "time" "github.com/hashicorp/errwrap" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/mitchellh/mapstructure" @@ -369,7 +368,7 @@ func generatePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyC return errutil.InternalError{Err: fmt.Sprintf("insecure bit length for RSA private key: %d", keyBits)} } privateKeyType = RSAPrivateKey - privateKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, keyBits) + privateKey, err = rsa2.GenerateKey(randReader, keyBits) if err != nil { return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)} } diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index a76741b20460..5e08e8a1fe12 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -15,7 +15,7 @@ import ( ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index ade6d44b03af..247014cbf6c4 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -1792,7 +1792,7 @@ func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error) { bitSize = 4096 } - entry.RSAKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, bitSize) + entry.RSAKey, err = cryptoutil.GenerateRSAKey(randReader, bitSize) if err != nil { return err } diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index 7c260371eec1..fe2f7300e51c 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -810,7 +810,7 @@ func Test_Import(t *testing.T) { func generateTestKeys() (map[KeyType][]byte, error) { keyMap := make(map[KeyType][]byte) - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { return nil, err } @@ -820,7 +820,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA2048] = rsaKeyBytes - rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + rsaKey, err = cryptoutil.GenerateRSAKey(rand.Reader, 3072) if err != nil { return nil, err } @@ -830,7 +830,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA3072] = rsaKeyBytes - rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + rsaKey, err = cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { return nil, err } diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 27cece13158f..406b61de3948 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -1762,7 +1762,7 @@ func generateKeys(algorithm string) (*jose.JSONWebKey, error) { switch algorithm { case "RS256", "RS384", "RS512": // 2048 bits is recommended by RSA Laboratories as a minimum post 2015 - if key, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048); err != nil { + if key, err = cryptoutil.GenerateRSAKey(rand.Reader, 2048); err != nil { return nil, err } case "ES256", "ES384", "ES512": From a0a63a0a09f862a67793b993ce81a9ef62f731b7 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Thu, 14 Nov 2024 11:00:49 -0600 Subject: [PATCH 05/28] Add an ENV var to disable the DRBG in a pinch --- builtin/credential/cert/backend_test.go | 2 +- builtin/logical/database/credentials.go | 2 +- builtin/logical/pki/backend_test.go | 2 +- builtin/logical/pki/ca_test.go | 2 +- builtin/logical/pki/ca_util_test.go | 2 +- builtin/logical/pki/path_acme_test.go | 2 +- builtin/logical/pki/path_config_acme_test.go | 2 +- builtin/logical/pki/path_tidy_test.go | 2 +- .../logical/pkiext/pkiext_binary/acme_test.go | 2 +- builtin/logical/ssh/path_config_ca.go | 2 +- builtin/logical/ssh/util.go | 2 +- .../logical/transit/path_certificates_test.go | 2 +- builtin/logical/transit/path_import_test.go | 2 +- command/transit_import_key_test.go | 2 +- go.mod | 4 +-- helper/cryptoutil/rsa.go | 31 +++++++++++++++++++ .../testhelpers/certhelpers/cert_helpers.go | 2 +- plugins/database/mongodb/cert_helpers_test.go | 2 +- sdk/go.mod | 2 +- sdk/helper/certutil/certutil_test.go | 2 +- sdk/helper/certutil/types_test.go | 2 +- sdk/helper/keysutil/policy.go | 2 +- sdk/helper/keysutil/policy_test.go | 2 +- vault/identity_store_oidc.go | 2 +- 24 files changed, 55 insertions(+), 24 deletions(-) create mode 100644 helper/cryptoutil/rsa.go diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index dd92b2df07d8..4ec407892ba5 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -31,10 +31,10 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" + "github.com/hashicorp/vault/helper/cryptoutil" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/framework" diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 08836d5aaaca..9a5867745eda 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -14,7 +14,7 @@ import ( "strings" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/random" "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/helper/certutil" diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index ba5e1feb310a..8b4bf255dc46 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -38,7 +38,6 @@ import ( "github.com/armon/go-metrics" "github.com/fatih/structs" "github.com/go-test/deep" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/vault/api" auth "github.com/hashicorp/vault/api/auth/userpass" @@ -46,6 +45,7 @@ import ( "github.com/hashicorp/vault/builtin/logical/pki/issuing" "github.com/hashicorp/vault/builtin/logical/pki/parsing" "github.com/hashicorp/vault/builtin/logical/pki/pki_backend" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" "github.com/hashicorp/vault/helper/testhelpers/teststorage" diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index aa2a15f3cb55..30650d48b136 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -20,8 +20,8 @@ import ( "time" "github.com/go-test/deep" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" + "github.com/hashicorp/vault/helper/cryptoutil" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" "github.com/hashicorp/vault/sdk/logical" diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index 66413ce5eb4a..fc70feeb7993 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -11,7 +11,7 @@ import ( "crypto/rand" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/certutil" ) diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index d03fe04a59ba..5928d6fd6a8d 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -25,10 +25,10 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki/dnstest" "github.com/hashicorp/vault/helper/constants" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index 5eee3a2195b8..ed554932d27c 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -9,8 +9,8 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/constants" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/stretchr/testify/require" ) diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index fc46b6e84718..e50ccdabc5c8 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -19,8 +19,8 @@ import ( "time" "github.com/armon/go-metrics" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/jsonutil" diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index efda8241f2f0..e38ab7c2a7e6 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -24,9 +24,9 @@ import ( "time" "github.com/hashicorp/go-hclog" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/builtin/logical/pkiext" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/sdk/helper/certutil" diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 9018f88fc816..99271dae3e62 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -17,7 +17,7 @@ import ( "io" multierror "github.com/hashicorp/go-multierror" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/logical" "github.com/mikesmitty/edkey" diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index fff7402672cf..ec59db87245b 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -13,8 +13,8 @@ import ( "net" "strings" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/parseutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "golang.org/x/crypto/ssh" ) diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index a81f9ec24cae..9d1ed6f5c1d3 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -13,9 +13,9 @@ import ( "strings" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" + "github.com/hashicorp/vault/helper/cryptoutil" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index 9b0f03e2f2a1..8cd7982d8fa6 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -18,8 +18,8 @@ import ( "sync" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" uuid "github.com/hashicorp/go-uuid" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "github.com/tink-crypto/tink-go/v2/kwp/subtle" ) diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 6ea4c9985dfa..0c670f81493d 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -12,8 +12,8 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/stretchr/testify/require" ) diff --git a/go.mod b/go.mod index b5ad2d076508..69710369fed9 100644 --- a/go.mod +++ b/go.mod @@ -102,6 +102,7 @@ require ( github.com/hashicorp/go-rootcerts v1.0.2 github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2 github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 @@ -239,7 +240,6 @@ require ( github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect - github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/sys/userns v0.1.0 // indirect @@ -529,7 +529,7 @@ require ( go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect golang.org/x/mod v0.21.0 // indirect - golang.org/x/time v0.6.0 // indirect + golang.org/x/time v0.6.0 google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect; indirect\ diff --git a/helper/cryptoutil/rsa.go b/helper/cryptoutil/rsa.go new file mode 100644 index 000000000000..bc3af3a801d0 --- /dev/null +++ b/helper/cryptoutil/rsa.go @@ -0,0 +1,31 @@ +package cryptoutil + +import ( + "crypto/rsa" + "io" + "os" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/parseutil" +) + +var disabled bool + +func init() { + s := os.Getenv("VAULT_DISABLE_RSA_DRBG") + var err error + disabled, err = parseutil.ParseBool(s) + if err != nil { + // Assume it's a typo and disable + disabled = true + } +} + +// Uses go-secure-stdlib's GenerateRSAKey routine conditionally. This exists to be able to disable the feature +// via an ENV var in a pinch +func GenerateRSAKey(randomSource io.Reader, bits int) (*rsa.PrivateKey, error) { + if disabled { + return rsa.GenerateKey(randomSource, bits) + } + return cryptoutil.GenerateRSAKey(randomSource, bits) +} diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index 171421c3b240..06f756e0088d 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -18,7 +18,7 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" ) type CertBuilder struct { diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 8ae0fe16b019..129ec51dac4f 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -17,7 +17,7 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" ) type certBuilder struct { diff --git a/sdk/go.mod b/sdk/go.mod index b73ca01ed0c9..eee9a5be7192 100644 --- a/sdk/go.mod +++ b/sdk/go.mod @@ -28,6 +28,7 @@ require ( github.com/hashicorp/go-plugin v1.6.1 github.com/hashicorp/go-retryablehttp v0.7.7 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 github.com/hashicorp/go-secure-stdlib/password v0.1.1 @@ -61,7 +62,6 @@ require ( github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/go-jose/go-jose/v4 v4.0.1 // indirect github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect - github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 2aa1622db746..7160047dda2d 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -25,7 +25,7 @@ import ( "time" "github.com/fatih/structs" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" ) // Tests converting back and forth between a CertBundle and a ParsedCertBundle. diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index 5e08e8a1fe12..94eba14dbe66 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -11,7 +11,7 @@ import ( "crypto/rand" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index 247014cbf6c4..cedca5c7a6a4 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -32,7 +32,7 @@ import ( "sync/atomic" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/errwrap" "github.com/hashicorp/go-uuid" diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index fe2f7300e51c..0da44fa4ea37 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -21,7 +21,7 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 406b61de3948..5495bebae946 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -23,9 +23,9 @@ import ( "github.com/go-jose/go-jose/v3/jwt" "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/base62" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-uuid" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/identity" "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/sdk/framework" From e0700b3c6436e0b2b905f91a43620ee700abcac8 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Fri, 15 Nov 2024 14:05:59 -0600 Subject: [PATCH 06/28] update go.mod --- go.mod | 1 - sdk/helper/keysutil/policy.go | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 688a242d5ba1..69710369fed9 100644 --- a/go.mod +++ b/go.mod @@ -240,7 +240,6 @@ require ( github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect - github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/sys/userns v0.1.0 // indirect diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index df15de5b8d0c..0465b563148b 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -32,9 +32,9 @@ import ( "sync/atomic" "time" - "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/errwrap" "github.com/hashicorp/go-uuid" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/kdf" From b7562464f3284bbf09187d5a41a9aad144b48dfd Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 21 Oct 2024 14:06:49 -0500 Subject: [PATCH 07/28] Use DRBG based RSA key generation everywhere --- builtin/credential/cert/backend_test.go | 6 +- builtin/logical/database/credentials.go | 4 +- builtin/logical/database/credentials_test.go | 5 +- builtin/logical/pki/backend_test.go | 21 +++---- builtin/logical/pki/ca_test.go | 4 +- builtin/logical/pki/ca_util.go | 4 +- builtin/logical/pki/ca_util_test.go | 4 +- builtin/logical/pki/integration_test.go | 10 ++-- builtin/logical/pki/issuing/sign_cert.go | 6 +- builtin/logical/pki/path_acme_test.go | 22 ++++---- builtin/logical/pki/path_config_acme_test.go | 4 +- builtin/logical/pki/path_revoke.go | 2 +- builtin/logical/pki/path_root.go | 2 +- builtin/logical/pki/path_tidy_test.go | 6 +- builtin/logical/pki/test_helpers.go | 4 +- .../logical/pkiext/pkiext_binary/acme_test.go | 6 +- builtin/logical/ssh/path_config_ca.go | 4 +- builtin/logical/ssh/path_issue_sign.go | 2 +- builtin/logical/ssh/util.go | 4 +- .../logical/transit/path_certificates_test.go | 4 +- builtin/logical/transit/path_export_test.go | 3 +- builtin/logical/transit/path_import_test.go | 18 +++--- .../logical/transit/path_wrapping_key_test.go | 3 +- command/transit_import_key_test.go | 6 +- go.mod | 4 ++ go.sum | 2 + helper/pkcs7/decrypt.go | 2 +- helper/pkcs7/encrypt.go | 2 +- helper/pkcs7/pkcs7_test.go | 49 ++++++++-------- .../testhelpers/certhelpers/cert_helpers.go | 9 +-- plugins/database/mongodb/cert_helpers_test.go | 9 +-- sdk/go.mod | 2 + sdk/go.sum | 4 ++ sdk/helper/certutil/certutil_test.go | 12 ++-- sdk/helper/certutil/helpers.go | 23 ++++---- sdk/helper/certutil/types.go | 10 ++-- sdk/helper/certutil/types_test.go | 5 +- sdk/helper/keysutil/policy.go | 56 ++++++++++--------- sdk/helper/keysutil/policy_test.go | 20 +++---- sdk/helper/keysutil/util.go | 4 +- vault/identity_store_oidc.go | 4 +- 41 files changed, 193 insertions(+), 178 deletions(-) diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index e4affa3b5296..23412ef9b6dc 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -32,6 +31,7 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" @@ -658,7 +658,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.IPAddresses = []net.IP{parsedIP} // Private key for CA cert - caPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048) + caPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -726,7 +726,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.SerialNumber = big.NewInt(5678) template.KeyUsage = x509.KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign) - issuedPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048) + issuedPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 790dde05a35b..9208e836a3a9 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -6,7 +6,6 @@ package database import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -15,6 +14,7 @@ import ( "strings" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/random" "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/helper/certutil" @@ -133,7 +133,7 @@ func (kg *rsaKeyGenerator) generate(r io.Reader) ([]byte, []byte, error) { return nil, nil, fmt.Errorf("invalid key_bits: %v", kg.KeyBits) } - key, err := rsa.GenerateKey(reader, keyBits) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(reader, keyBits) if err != nil { return nil, nil, err } diff --git a/builtin/logical/database/credentials_test.go b/builtin/logical/database/credentials_test.go index 7f2c4eb3dbb0..7284ab48e03b 100644 --- a/builtin/logical/database/credentials_test.go +++ b/builtin/logical/database/credentials_test.go @@ -6,7 +6,6 @@ package database import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "testing" @@ -696,7 +695,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { pub, err := x509.ParsePKIXPublicKey(pubBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, pub) - assert.IsType(t, &rsa.PublicKey{}, pub) + assert.IsType(t, &rsa2.PublicKey{}, pub) // Assert that we can parse the private key PEM block in // the configured format @@ -705,7 +704,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { priv, err := x509.ParsePKCS8PrivateKey(privBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, priv) - assert.IsType(t, &rsa.PrivateKey{}, priv) + assert.IsType(t, &rsa2.PrivateKey{}, priv) default: t.Fatal("unknown format") } diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 3cdd73833eb5..2029f8a28613 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -12,7 +12,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" @@ -38,6 +38,7 @@ import ( "github.com/armon/go-metrics" "github.com/fatih/structs" "github.com/go-test/deep" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/vault/api" auth "github.com/hashicorp/vault/api/auth/userpass" @@ -409,7 +410,7 @@ func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUs case "rsa": parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey parsedCertBundle.PrivateKey = key - parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) + parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa2.PrivateKey)) case "ec": parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey parsedCertBundle.PrivateKey = key @@ -510,14 +511,14 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s }, } - priv1024, _ := rsa.GenerateKey(rand.Reader, 1024) + priv1024, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 1024) csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024) csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csr1024, }))) - priv2048, _ := rsa.GenerateKey(rand.Reader, 2048) + priv2048, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048) csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", @@ -699,7 +700,7 @@ func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType str var err error switch keyType { case "rsa": - priv, err = rsa.GenerateKey(rand.Reader, keyBits) + priv, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) case "ec": switch keyBits { case 224: @@ -1180,7 +1181,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep { case "rsa": privKey, ok = generatedRSAKeys[keyBits] if !ok { - privKey, _ = rsa.GenerateKey(rand.Reader, keyBits) + privKey, _ = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) generatedRSAKeys[keyBits] = privKey } @@ -2164,7 +2165,7 @@ func runTestSignVerbatim(t *testing.T, keyType string) { } // create a CSR and key - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2735,7 +2736,7 @@ func TestBackend_SignSelfIssued(t *testing.T) { t.Fatal(err) } - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2879,7 +2880,7 @@ func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) { t.Fatal(err) } - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -3834,7 +3835,7 @@ func setCerts() { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := rsa.GenerateKey(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index 4517604f8a0d..745b1282a8cc 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -9,7 +9,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/json" @@ -21,6 +20,7 @@ import ( "time" "github.com/go-test/deep" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" @@ -98,7 +98,7 @@ func TestBackend_CA_Steps(t *testing.T) { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := rsa.GenerateKey(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_util.go b/builtin/logical/pki/ca_util.go index 2d2478ab8e46..bb2071d8072c 100644 --- a/builtin/logical/pki/ca_util.go +++ b/builtin/logical/pki/ca_util.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/ecdsa" - "crypto/rsa" + rsa2 "crypto/rsa" "errors" "fmt" "io" @@ -229,7 +229,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr var keyBits int switch pubKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: keyType = certutil.RSAPrivateKey keyBits = certutil.GetPublicKeySize(pubKey) case *ecdsa.PublicKey: diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index d4ef64e68fe1..07c56f2dfdf9 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -9,14 +9,14 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/certutil" ) func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) { - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go index 1c3da7fa3a1b..b1d152d219d1 100644 --- a/builtin/logical/pki/integration_test.go +++ b/builtin/logical/pki/integration_test.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -331,11 +331,11 @@ func TestIntegration_CSRGeneration(t *testing.T) { expectedPublicKeyType crypto.PublicKey expectedSignature x509.SignatureAlgorithm }{ - {"rsa", false, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSA}, - {"rsa", false, 2048, 384, &rsa.PublicKey{}, x509.SHA384WithRSA}, + {"rsa", false, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSA}, + {"rsa", false, 2048, 384, &rsa2.PublicKey{}, x509.SHA384WithRSA}, // Add back once https://github.com/golang/go/issues/45990 is fixed. - // {"rsa", true, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSAPSS}, - // {"rsa", true, 2048, 512, &rsa.PublicKey{}, x509.SHA512WithRSAPSS}, + // {"rsa", true, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSAPSS}, + // {"rsa", true, 2048, 512, &rsa2.PublicKey{}, x509.SHA512WithRSAPSS}, {"ec", false, 224, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 256, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 384, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA384}, diff --git a/builtin/logical/pki/issuing/sign_cert.go b/builtin/logical/pki/issuing/sign_cert.go index c6548f69521e..63633286aaf3 100644 --- a/builtin/logical/pki/issuing/sign_cert.go +++ b/builtin/logical/pki/issuing/sign_cert.go @@ -6,7 +6,7 @@ package issuing import ( "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "fmt" @@ -139,7 +139,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi return nil, nil, errutil.UserError{Err: fmt.Sprintf("role requires keys of type %s", role.KeyType)} } - pubKey, ok := csr.PublicKey.(*rsa.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } @@ -180,7 +180,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi // validate minimums and SignatureBits below. switch csr.PublicKeyAlgorithm { case x509.RSA: - pubKey, ok := csr.PublicKey.(*rsa.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index 493a601c985e..95647ea9ecad 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" @@ -26,6 +25,7 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki/dnstest" "github.com/hashicorp/vault/helper/constants" @@ -60,7 +60,7 @@ func TestAcmeBasicWorkflow(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -592,7 +592,7 @@ func TestAcmeAccountsCrossingDirectoryPath(t *testing.T) { defer cluster.Cleanup() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -628,7 +628,7 @@ func TestAcmeEabCrossingDirectoryPath(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -838,7 +838,7 @@ func TestAcmeTruncatesToIssuerExpiry(t *testing.T) { require.NoError(t, err, "failed updating issuer name") baseAcmeURL := "/v1/pki/issuer/short-ca/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -910,7 +910,7 @@ func TestAcmeRoleExtKeyUsage(t *testing.T) { _, err := client.Logical().Write("pki/roles/"+roleName, roleOpt) baseAcmeURL := "/v1/pki/roles/" + roleName + "/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") require.NoError(t, err, "failed creating role test-role") @@ -1179,7 +1179,7 @@ func TestAcmeWithCsrIncludingBasicConstraintExtension(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1511,7 +1511,7 @@ func TestAcmeValidationError(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1619,7 +1619,7 @@ func TestAcmeRevocationAcrossAccounts(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey1, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient1 := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey1) @@ -1718,7 +1718,7 @@ func TestAcmeMaxTTL(t *testing.T) { require.NoError(t, err, "error configuring acme") // First Create Our Client - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) @@ -1946,7 +1946,7 @@ func TestACMEClientRequestLimits(t *testing.T) { for _, tc := range cases { // First Create Our Client - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index 47ba1f817dec..c02d2f537f1a 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -6,10 +6,10 @@ package pki import ( "context" "crypto/rand" - "crypto/rsa" "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/constants" "github.com/stretchr/testify/require" ) @@ -117,7 +117,7 @@ func TestAcmeConfig(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go index f6c35e67f732..e28e207c8246 100644 --- a/builtin/logical/pki/path_revoke.go +++ b/builtin/logical/pki/path_revoke.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa "crypto/rsa" "crypto/subtle" "crypto/x509" "encoding/pem" diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go index a4ce2d25108b..3cc2cbc061e8 100644 --- a/builtin/logical/pki/path_root.go +++ b/builtin/logical/pki/path_root.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index f32bc880a59e..f64443a2ddc3 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/json" @@ -20,6 +19,7 @@ import ( "time" "github.com/armon/go-metrics" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" @@ -916,7 +916,7 @@ func TestTidyAcmeWithBackdate(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1073,7 +1073,7 @@ func TestTidyAcmeWithSafetyBuffer(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/test_helpers.go b/builtin/logical/pki/test_helpers.go index 2806a5dcafd2..cc79999bde01 100644 --- a/builtin/logical/pki/test_helpers.go +++ b/builtin/logical/pki/test_helpers.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -117,7 +117,7 @@ func requireMatchingPublicKeys(t *testing.T, cert *x509.Certificate, key crypto. require.True(t, areEqual, "public keys mismatched: got: %v, expected: %v", certPubKey, key) } -func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa.PrivateKey) (string, *x509.Certificate) { +func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa2.PrivateKey) (string, *x509.Certificate) { t.Helper() selfSigned, err := x509.CreateCertificate(rand.Reader, subject, issuer, key.Public(), key) if err != nil { diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index f4a7be0c1d83..6477812bd1d3 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -25,6 +24,7 @@ import ( "time" "github.com/hashicorp/go-hclog" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/builtin/logical/pkiext" "github.com/hashicorp/vault/helper/testhelpers" @@ -704,7 +704,7 @@ func doAcmeValidationWithGoLibrary(t *testing.T, directoryUrl string, acmeOrderI } httpClient := &http.Client{Transport: tr} - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") logger.Trace("Using the following url for the ACME directory", "url", directoryUrl) acmeClient := &acme.Client{ @@ -957,7 +957,7 @@ func SubtestACMEStepDownNode(t *testing.T, cluster *VaultPkiCluster) { DNSNames: []string{hostname, hostname}, } - accountKey, err := rsa.GenerateKey(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") acmeClient := &acme.Client{ diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 6d003c0ae5c0..66a9a4a7956e 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "errors" @@ -18,6 +17,7 @@ import ( "io" multierror "github.com/hashicorp/go-multierror" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/logical" "github.com/mikesmitty/edkey" @@ -326,7 +326,7 @@ func generateSSHKeyPair(randomSource io.Reader, keyType string, keyBits int) (st return "", "", fmt.Errorf("refusing to generate weak %v key: %v bits < 2048 bits", keyType, keyBits) } - privateSeed, err := rsa.GenerateKey(randomSource, keyBits) + privateSeed, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(randomSource, keyBits) if err != nil { return "", "", err } diff --git a/builtin/logical/ssh/path_issue_sign.go b/builtin/logical/ssh/path_issue_sign.go index 60c6d44f7ace..630bee13e47b 100644 --- a/builtin/logical/ssh/path_issue_sign.go +++ b/builtin/logical/ssh/path_issue_sign.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/ed25519" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/sha256" "errors" "fmt" diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index 89980ada0132..2a94741a82c9 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -6,7 +6,6 @@ package ssh import ( "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" @@ -14,6 +13,7 @@ import ( "net" "strings" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/parseutil" "github.com/hashicorp/vault/sdk/logical" "golang.org/x/crypto/ssh" @@ -22,7 +22,7 @@ import ( // Creates a new RSA key pair with the given key length. The private key will be // of pem format and the public key will be of OpenSSH format. func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) { - privateKey, err := rsa.GenerateKey(rand.Reader, keyBits) + privateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) if err != nil { return "", "", fmt.Errorf("error generating RSA key-pair: %w", err) } diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index 9a6305e7a048..e77bac73a7b0 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -6,7 +6,6 @@ package transit import ( "context" cryptoRand "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -14,6 +13,7 @@ import ( "strings" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" vaulthttp "github.com/hashicorp/vault/http" @@ -167,7 +167,7 @@ func testTransit_ImportCertChain(t *testing.T, apiClient *api.Client, keyType st require.NoError(t, err) // Setup a new CSR - privKey, err := rsa.GenerateKey(cryptoRand.Reader, 3072) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(cryptoRand.Reader, 3072) require.NoError(t, err) var csrTemplate x509.CertificateRequest diff --git a/builtin/logical/transit/path_export_test.go b/builtin/logical/transit/path_export_test.go index b91ef47fb420..8a963c15c7f7 100644 --- a/builtin/logical/transit/path_export_test.go +++ b/builtin/logical/transit/path_export_test.go @@ -6,7 +6,6 @@ package transit import ( "context" cryptoRand "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -601,7 +600,7 @@ func testTransit_exportCertificateChain(t *testing.T, apiClient *api.Client, key pubWrappingKey, err := x509.ParsePKIXPublicKey(wrappingKeyPemBlock.Bytes) require.NoError(t, err, "failed to parse wrapping key") - blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa.PublicKey), privKeyBytes, "SHA256") + blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa2.PublicKey), privKeyBytes, "SHA256") // Import key _, err = apiClient.Logical().Write(fmt.Sprintf("/transit/keys/%s/import", keyName), map[string]interface{}{ diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index d26f5ff95f64..5c4fa9861b15 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" @@ -19,6 +18,7 @@ import ( "sync" "testing" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" uuid "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/sdk/logical" "github.com/tink-crypto/tink-go/v2/kwp/subtle" @@ -162,7 +162,7 @@ func TestTransit_Import(t *testing.T) { t.Run( "import into a key fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := rsa.GenerateKey(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -502,7 +502,7 @@ func TestTransit_ImportVersion(t *testing.T) { t.Run( "import into a key version fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := rsa.GenerateKey(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -948,7 +948,7 @@ func TestTransit_ImportVersionWithPublicKeys(t *testing.T) { ) } -func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { +func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa2.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { t.Helper() // Format target key for wrapping @@ -971,7 +971,7 @@ func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa.PublicKey, targetKey return wrapTargetPKCS8ForImport(t, wrappingKey, preppedTargetKey, hashFnName) } -func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hashFnName string) string { +func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hashFnName string) string { t.Helper() // Generate an ephemeral AES-256 key @@ -1027,11 +1027,11 @@ func generateKey(keyType string) (interface{}, error) { case "ecdsa-p521": return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) case "rsa-2048": - return rsa.GenerateKey(rand.Reader, 2048) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) case "rsa-3072": - return rsa.GenerateKey(rand.Reader, 3072) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) case "rsa-4096": - return rsa.GenerateKey(rand.Reader, 4096) + return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) default: return nil, fmt.Errorf("failed to generate unsupported key type: %s", keyType) } @@ -1042,7 +1042,7 @@ func getPublicKey(privateKey crypto.PrivateKey, keyType string) ([]byte, error) var publicKeyBytes []byte switch keyType { case "rsa-2048", "rsa-3072", "rsa-4096": - publicKey = privateKey.(*rsa.PrivateKey).Public() + publicKey = privateKey.(*rsa2.PrivateKey).Public() case "ecdsa-p256", "ecdsa-p384", "ecdsa-p521": publicKey = privateKey.(*ecdsa.PrivateKey).Public() case "ed25519": diff --git a/builtin/logical/transit/path_wrapping_key_test.go b/builtin/logical/transit/path_wrapping_key_test.go index 9ed58e45c284..37328ed0bed1 100644 --- a/builtin/logical/transit/path_wrapping_key_test.go +++ b/builtin/logical/transit/path_wrapping_key_test.go @@ -5,7 +5,6 @@ package transit import ( "context" - "crypto/rsa" "crypto/x509" "encoding/pem" "testing" @@ -51,7 +50,7 @@ func TestTransit_WrappingKey(t *testing.T) { if err != nil { t.Fatalf("failed to parse public wrapping key: %s", err) } - wrappingKey, ok := rawPubKey.(*rsa.PublicKey) + wrappingKey, ok := rawPubKey.(*rsa2.PublicKey) if !ok || wrappingKey.Size() != 512 { t.Fatal("public wrapping key is not a 4096-bit RSA key") } diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 847ab59ff78f..2b030e083877 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -7,12 +7,12 @@ import ( "bytes" "context" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/stretchr/testify/require" ) @@ -171,7 +171,7 @@ func execTransitImport(t *testing.T, client *api.Client, method string, path str func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) { t.Helper() - priv1, err := rsa.GenerateKey(rand.Reader, 2048) + priv1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NotNil(t, priv1, "failed generating RSA 1 key") require.NoError(t, err, "failed generating RSA 1 key") @@ -179,7 +179,7 @@ func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 require.NotNil(t, rsa1, "failed marshaling RSA 1 key") require.NoError(t, err, "failed marshaling RSA 1 key") - priv2, err := rsa.GenerateKey(rand.Reader, 2048) + priv2, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) require.NotNil(t, priv2, "failed generating RSA 2 key") require.NoError(t, err, "failed generating RSA 2 key") diff --git a/go.mod b/go.mod index a925a63d8777..de877ccdc95e 100644 --- a/go.mod +++ b/go.mod @@ -22,6 +22,8 @@ replace github.com/hashicorp/vault/api/auth/userpass => ./api/auth/userpass replace github.com/hashicorp/vault/sdk => ./sdk +replace github.com/hashicorp/go-secure-stdlib/cryptoutil => ../go-secure-stdlib/cryptoutil + require ( cloud.google.com/go/cloudsqlconn v1.4.3 cloud.google.com/go/monitoring v1.21.0 @@ -99,6 +101,7 @@ require ( github.com/hashicorp/go-rootcerts v1.0.2 github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2 github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 @@ -234,6 +237,7 @@ require ( github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-viper/mapstructure/v2 v2.1.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect + github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect diff --git a/go.sum b/go.sum index c7c0b38e6cba..eb9b8e6e2ef6 100644 --- a/go.sum +++ b/go.sum @@ -1404,6 +1404,8 @@ github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39 github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 h1:kBoJV4Xl5FLtBfnBjDvBxeNSy2IRITSGs73HQsFUEjY= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6/go.mod h1:y+HSOcOGB48PkUxNyLAiCiY6rEENu+E+Ss4LG8QHwf4= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= diff --git a/helper/pkcs7/decrypt.go b/helper/pkcs7/decrypt.go index acedb1ec92af..a34bb5a65748 100644 --- a/helper/pkcs7/decrypt.go +++ b/helper/pkcs7/decrypt.go @@ -7,7 +7,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "encoding/asn1" "errors" diff --git a/helper/pkcs7/encrypt.go b/helper/pkcs7/encrypt.go index 90da67e4eed2..dfe8bc0a492c 100644 --- a/helper/pkcs7/encrypt.go +++ b/helper/pkcs7/encrypt.go @@ -6,7 +6,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - "crypto/rsa" + rsa "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" diff --git a/helper/pkcs7/pkcs7_test.go b/helper/pkcs7/pkcs7_test.go index 7753c174b200..21f4616d3bf1 100644 --- a/helper/pkcs7/pkcs7_test.go +++ b/helper/pkcs7/pkcs7_test.go @@ -6,7 +6,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -17,11 +16,11 @@ import ( "time" ) -var test1024Key, test2048Key, test3072Key, test4096Key *rsa.PrivateKey +var test1024Key, test2048Key, test3072Key, test4096Key *rsa2.PrivateKey func init() { - test1024Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test1024Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("123024078101403810516614073341068864574068590522569345017786163424062310013967742924377390210586226651760719671658568413826602264886073432535341149584680111145880576802262550990305759285883150470245429547886689754596541046564560506544976611114898883158121012232676781340602508151730773214407220733898059285561"), E: 65537, }, @@ -32,8 +31,8 @@ func init() { }, } test1024Key.Precompute() - test2048Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test2048Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("14314132931241006650998084889274020608918049032671858325988396851334124245188214251956198731333464217832226406088020736932173064754214329009979944037640912127943488972644697423190955557435910767690712778463524983667852819010259499695177313115447116110358524558307947613422897787329221478860907963827160223559690523660574329011927531289655711860504630573766609239332569210831325633840174683944553667352219670930408593321661375473885147973879086994006440025257225431977751512374815915392249179976902953721486040787792801849818254465486633791826766873076617116727073077821584676715609985777563958286637185868165868520557"), E: 3, }, @@ -44,8 +43,8 @@ func init() { }, } test2048Key.Precompute() - test3072Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test3072Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("4799422180968749215324244710281712119910779465109490663934897082847293004098645365195947978124390029272750644394844443980065532911010718425428791498896288210928474905407341584968381379157418577471272697781778686372450913810019702928839200328075568223462554606149618941566459398862673532997592879359280754226882565483298027678735544377401276021471356093819491755877827249763065753555051973844057308627201762456191918852016986546071426986328720794061622370410645440235373576002278045257207695462423797272017386006110722769072206022723167102083033531426777518054025826800254337147514768377949097720074878744769255210076910190151785807232805749219196645305822228090875616900385866236956058984170647782567907618713309775105943700661530312800231153745705977436176908325539234432407050398510090070342851489496464612052853185583222422124535243967989533830816012180864309784486694786581956050902756173889941244024888811572094961378021"), E: 65537, }, @@ -56,8 +55,8 @@ func init() { }, } test3072Key.Precompute() - test4096Key = &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ + test4096Key = &rsa2.PrivateKey{ + PublicKey: rsa2.PublicKey{ N: fromBase10("633335480064287130853997429184971616419051348693342219741748040433588285601270210251206421401040394238592139790962887290698043839174341843721930134010306454716566698330215646704263665452264344664385995704186692432827662862845900348526672531755932642433662686500295989783595767573119607065791980381547677840410600100715146047382485989885183858757974681241303484641390718944520330953604501686666386926996348457928415093305041429178744778762826377713889019740060910363468343855830206640274442887621960581569183233822878661711798998132931623726434336448716605363514220760343097572198620479297583609779817750646169845195672483600293522186340560792255595411601450766002877850696008003794520089358819042318331840490155176019070646738739580486357084733208876620846449161909966690602374519398451042362690200166144326179405976024265116931974936425064291406950542193873313447617169603706868220189295654943247311295475722243471700112334609817776430552541319671117235957754556272646031356496763094955985615723596562217985372503002989591679252640940571608314743271809251568670314461039035793703429977801961867815257832671786542212589906513979094156334941265621017752516999186481477500481433634914622735206243841674973785078408289183000133399026553"), E: 65537, }, @@ -128,7 +127,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA256WithRSA: priv = test2048Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -138,7 +137,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA384WithRSA: priv = test3072Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -148,7 +147,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA512WithRSA: priv = test4096Key switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -161,7 +160,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -174,7 +173,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -187,7 +186,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -208,19 +207,19 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 log.Println("creating cert", name, "issued by", issuerCert.Subject.CommonName, "with sigalg", sigAlg) switch priv.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: switch issuerKey.(type) { - case *rsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) + case *rsa2.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) case *ecdsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) } case *ecdsa.PrivateKey: switch issuerKey.(type) { - case *rsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) + case *rsa2.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: @@ -229,7 +228,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case *dsa.PrivateKey: pub := &priv.(*dsa.PrivateKey).PublicKey switch issuerKey := issuerKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, pub, issuerKey) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*dsa.PublicKey), issuerKey) @@ -257,7 +256,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 type TestFixture struct { Input []byte Certificate *x509.Certificate - PrivateKey *rsa.PrivateKey + PrivateKey *rsa2.PrivateKey } func UnmarshalTestFixture(testPEMBlock string) TestFixture { diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index d9c89735c618..0d75fc9c9a89 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -7,7 +7,6 @@ import ( "bytes" "crypto" "crypto/rand" - "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -18,6 +17,8 @@ import ( "strings" "testing" "time" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) type CertBuilder struct { @@ -25,7 +26,7 @@ type CertBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa.PrivateKey + parentKey *rsa2.PrivateKey isCA bool } @@ -159,14 +160,14 @@ func NewCert(t *testing.T, opts ...CertOpt) (cert Certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type KeyWrapper struct { - PrivKey *rsa.PrivateKey + PrivKey *rsa2.PrivateKey Pem []byte } func NewPrivateKey(t *testing.T) (key KeyWrapper) { t.Helper() - privKey, err := rsa.GenerateKey(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 3a8f3afcb84f..9d38220c1a38 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -7,7 +7,6 @@ import ( "bytes" "crypto" "crypto/rand" - "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -17,6 +16,8 @@ import ( "strings" "testing" "time" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) type certBuilder struct { @@ -24,7 +25,7 @@ type certBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa.PrivateKey + parentKey *rsa2.PrivateKey isCA bool } @@ -147,14 +148,14 @@ func newCert(t *testing.T, opts ...certOpt) (cert certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type keyWrapper struct { - privKey *rsa.PrivateKey + privKey *rsa2.PrivateKey pem []byte } func newPrivateKey(t *testing.T) (key keyWrapper) { t.Helper() - privKey, err := rsa.GenerateKey(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/sdk/go.mod b/sdk/go.mod index 68f13ce14ea7..5ca7f8704095 100644 --- a/sdk/go.mod +++ b/sdk/go.mod @@ -26,6 +26,7 @@ require ( github.com/hashicorp/go-plugin v1.6.1 github.com/hashicorp/go-retryablehttp v0.7.7 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 github.com/hashicorp/go-secure-stdlib/password v0.1.1 @@ -58,6 +59,7 @@ require ( github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/go-jose/go-jose/v4 v4.0.1 // indirect + github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect diff --git a/sdk/go.sum b/sdk/go.sum index 55705f4931ac..eca23df25d91 100644 --- a/sdk/go.sum +++ b/sdk/go.sum @@ -237,6 +237,8 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9n github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 h1:kBoJV4Xl5FLtBfnBjDvBxeNSy2IRITSGs73HQsFUEjY= +github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6/go.mod h1:y+HSOcOGB48PkUxNyLAiCiY6rEENu+E+Ss4LG8QHwf4= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= @@ -255,6 +257,8 @@ github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5O github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= +github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a h1:ErXVzNyN1fr8V/ovbi9ioM8YXZLBxfe5hPlmBGn5sXY= +github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a/go.mod h1:hH8rgXHh9fPSDPerG6WzABHsHF+9ZpLhRI1LPk4JZ8c= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmkiSY5xuju57czJ/IJQ= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index c872454f155d..ccd82ac42ca8 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -10,7 +10,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -26,6 +25,7 @@ import ( "time" "github.com/fatih/structs" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) // Tests converting back and forth between a CertBundle and a ParsedCertBundle. @@ -465,11 +465,11 @@ vitin0L6nprauWkKO38XgM4T75qKZpqtiOcT } func TestGetPublicKeySize(t *testing.T) { - rsa, err := rsa.GenerateKey(rand.Reader, 3072) + rsa, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) if err != nil { t.Fatal(err) } - if GetPublicKeySize(&rsa.PublicKey) != 3072 { + if GetPublicKeySize(&rsa2.PublicKey) != 3072 { t.Fatal("unexpected rsa key size") } ecdsa, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) @@ -735,7 +735,7 @@ func setCerts() { // RSA generation { - key, err := rsa.GenerateKey(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { panic(err) } @@ -1105,8 +1105,8 @@ func TestIgnoreCSRSigning(t *testing.T) { }) } -func genRsaKey(t *testing.T) *rsa.PrivateKey { - key, err := rsa.GenerateKey(rand.Reader, 2048) +func genRsaKey(t *testing.T) *rsa2.PrivateKey { + key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index 1c673b058acd..e9096ac1237e 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -11,7 +11,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -30,6 +30,7 @@ import ( "time" "github.com/hashicorp/errwrap" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/mitchellh/mapstructure" @@ -156,7 +157,7 @@ func getSubjectKeyIDFromBundle(data *CreationBundle) ([]byte, error) { func GetSubjectKeyID(pub interface{}) ([]byte, error) { var publicKeyBytes []byte switch pub := pub.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: type pkcs1PublicKey struct { N *big.Int E int @@ -233,7 +234,7 @@ func ParseDERKey(privateKeyBytes []byte) (signer crypto.Signer, format BlockType var rawKey interface{} if rawKey, thirdError = x509.ParsePKCS8PrivateKey(privateKeyBytes); thirdError == nil { switch rawSigner := rawKey.(type) { - case *rsa.PrivateKey: + case *rsa2.PrivateKey: signer = rawSigner case *ecdsa.PrivateKey: signer = rawSigner @@ -368,11 +369,11 @@ func generatePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyC return errutil.InternalError{Err: fmt.Sprintf("insecure bit length for RSA private key: %d", keyBits)} } privateKeyType = RSAPrivateKey - privateKey, err = rsa.GenerateKey(randReader, keyBits) + privateKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, keyBits) if err != nil { return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)} } - privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa.PrivateKey)) + privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa2.PrivateKey)) case "ec": privateKeyType = ECPrivateKey var curve elliptic.Curve @@ -450,9 +451,9 @@ func ComparePublicKeysAndType(key1Iface, key2Iface crypto.PublicKey) (bool, erro // returns an error if public key types are mismatched, or they are an unsupported key type. func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) { switch key1Iface.(type) { - case *rsa.PublicKey: - key1 := key1Iface.(*rsa.PublicKey) - key2, ok := key2Iface.(*rsa.PublicKey) + case *rsa2.PublicKey: + key1 := key1Iface.(*rsa2.PublicKey) + key2, ok := key2Iface.(*rsa2.PublicKey) if !ok { return false, fmt.Errorf("key types do not match: %T and %T", key1Iface, key2Iface) } @@ -516,7 +517,7 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) { } switch key := rawKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return key, nil case *ecdsa.PublicKey: return key, nil @@ -1422,7 +1423,7 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { // GetPublicKeySize returns the key size in bits for a given arbitrary crypto.PublicKey // Returns -1 for an unsupported key type. func GetPublicKeySize(key crypto.PublicKey) int { - if key, ok := key.(*rsa.PublicKey); ok { + if key, ok := key.(*rsa2.PublicKey); ok { return key.Size() * 8 } if key, ok := key.(*ecdsa.PublicKey); ok { @@ -2049,7 +2050,7 @@ func FindBitLength(publicKey any) int { return 0 } switch pub := publicKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return pub.N.BitLen() case *ecdsa.PublicKey: switch pub.Curve { diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go index 4f16659c1dd6..a0a53dcd084e 100644 --- a/sdk/helper/certutil/types.go +++ b/sdk/helper/certutil/types.go @@ -16,7 +16,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -153,7 +153,7 @@ type KeyBundle struct { func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // We look at the public key types to work-around limitations/typing of managed keys. switch signer.Public().(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -167,7 +167,7 @@ func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // that would be associated with it, returning UnknownPrivateKey for unsupported types func GetPrivateKeyTypeFromPublicKey(pubKey crypto.PublicKey) PrivateKeyType { switch pubKey.(type) { - case *rsa.PublicKey: + case *rsa2.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -449,7 +449,7 @@ func (p *ParsedCertBundle) getSigner() (crypto.Signer, error) { case PKCS8Block: if k, err := x509.ParsePKCS8PrivateKey(p.PrivateKeyBytes); err == nil { switch k := k.(type) { - case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: + case *rsa2.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: return k.(crypto.Signer), nil default: return nil, errutil.UserError{Err: "Found unknown private key type in pkcs#8 wrapping"} @@ -478,7 +478,7 @@ func getPKCS8Type(bs []byte) (PrivateKeyType, error) { switch k.(type) { case *ecdsa.PrivateKey: return ECPrivateKey, nil - case *rsa.PrivateKey: + case *rsa2.PrivateKey: return RSAPrivateKey, nil case ed25519.PrivateKey: return Ed25519PrivateKey, nil diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index 2cf383afaa02..a76741b20460 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -9,12 +9,13 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "testing" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index 138918eb8cb3..b7ae3e82c8fa 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -14,7 +14,7 @@ import ( "crypto/elliptic" "crypto/hmac" "crypto/rand" - "crypto/rsa" + rsa2 "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/asn1" @@ -33,6 +33,8 @@ import ( "sync/atomic" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/errwrap" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/sdk/helper/errutil" @@ -323,8 +325,8 @@ type KeyEntry struct { EC_Y *big.Int `json:"ec_y"` EC_D *big.Int `json:"ec_d"` - RSAKey *rsa.PrivateKey `json:"rsa_key"` - RSAPublicKey *rsa.PublicKey `json:"rsa_public_key"` + RSAKey *rsa2.PrivateKey `json:"rsa_key"` + RSAPublicKey *rsa2.PublicKey `json:"rsa_public_key"` // The public key in an appropriate format for the type of key FormattedPublicKey string `json:"public_key"` @@ -465,7 +467,7 @@ func LoadPolicy(ctx context.Context, s logical.Storage, path string) (*Policy, e case KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096: for _, entry := range policy.Keys { if entry.RSAPublicKey == nil && entry.RSAKey != nil { - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) } } } @@ -1122,9 +1124,9 @@ func (p *Policy) DecryptWithFactory(context, nonce []byte, value string, factori switch paddingScheme { case PaddingScheme_PKCS1v15: - plain, err = rsa.DecryptPKCS1v15(rand.Reader, key, decoded) + plain, err = rsa2.DecryptPKCS1v15(rand.Reader, key, decoded) case PaddingScheme_OAEP: - plain, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) + plain, err = rsa2.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -1210,14 +1212,14 @@ func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, si return p.SignWithOptions(ver, context, input, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa.PSSSaltLengthAuto, + SaltLength: rsa2.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } func (p *Policy) minRSAPSSSaltLength() int { // https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/crypto/rsa/pss.go;l=247 - return rsa.PSSSaltLengthEqualsHash + return rsa2.PSSSaltLengthEqualsHash } func (p *Policy) maxRSAPSSSaltLength(keyBitLen int, hash crypto.Hash) int { @@ -1370,12 +1372,12 @@ func (p *Policy) SignWithOptions(ver int, context, input []byte, options *Signin if !p.validRSAPSSSaltLength(key.N.BitLen(), algo, saltLength) { return nil, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - sig, err = rsa.SignPSS(rand.Reader, key, algo, input, &rsa.PSSOptions{SaltLength: saltLength}) + sig, err = rsa2.SignPSS(rand.Reader, key, algo, input, &rsa2.PSSOptions{SaltLength: saltLength}) if err != nil { return nil, err } case "pkcs1v15": - sig, err = rsa.SignPKCS1v15(rand.Reader, key, algo, input) + sig, err = rsa2.SignPKCS1v15(rand.Reader, key, algo, input) if err != nil { return nil, err } @@ -1406,7 +1408,7 @@ func (p *Policy) VerifySignature(context, input []byte, hashAlgorithm HashType, return p.VerifySignatureWithOptions(context, input, sig, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa.PSSSaltLengthAuto, + SaltLength: rsa2.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } @@ -1567,13 +1569,13 @@ func (p *Policy) VerifySignatureWithOptions(context, input []byte, sig string, o if !p.validRSAPSSSaltLength(publicKey.N.BitLen(), algo, saltLength) { return false, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - err = rsa.VerifyPSS(publicKey, algo, input, sigBytes, &rsa.PSSOptions{SaltLength: saltLength}) + err = rsa2.VerifyPSS(publicKey, algo, input, sigBytes, &rsa2.PSSOptions{SaltLength: saltLength}) case "pkcs1v15": publicKey := keyEntry.RSAPublicKey if !keyEntry.IsPrivateKeyMissing() { publicKey = &keyEntry.RSAKey.PublicKey } - err = rsa.VerifyPKCS1v15(publicKey, algo, input, sigBytes) + err = rsa2.VerifyPKCS1v15(publicKey, algo, input, sigBytes) default: return false, errutil.InternalError{Err: fmt.Sprintf("unsupported rsa signature algorithm %s", sigAlgorithm)} } @@ -1825,12 +1827,12 @@ func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error) { bitSize = 4096 } - entry.RSAKey, err = rsa.GenerateKey(randReader, bitSize) + entry.RSAKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, bitSize) if err != nil { return err } - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) default: if err := entRotateInMemory(p, &entry, randReader); err != nil { @@ -2218,7 +2220,7 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value if err != nil { return "", err } - var publicKey *rsa.PublicKey + var publicKey *rsa2.PublicKey if keyEntry.RSAKey != nil { publicKey = &keyEntry.RSAKey.PublicKey } else { @@ -2226,9 +2228,9 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value } switch paddingScheme { case PaddingScheme_PKCS1v15: - ciphertext, err = rsa.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) + ciphertext, err = rsa2.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) case PaddingScheme_OAEP: - ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) + ciphertext, err = rsa2.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -2357,8 +2359,8 @@ func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical if !publicKey.(*ecdsa.PublicKey).Equal(&ecdsaKey.PublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } - case *rsa.PrivateKey: - rsaKey := parsedPrivateKey.(*rsa.PrivateKey) + case *rsa2.PrivateKey: + rsaKey := parsedPrivateKey.(*rsa2.PrivateKey) if !rsaKey.PublicKey.Equal(keyEntry.RSAPublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } @@ -2453,7 +2455,7 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { publicKey := parsedKey.(ed25519.PublicKey) ke.FormattedPublicKey = base64.StdEncoding.EncodeToString(publicKey) } - case *rsa.PrivateKey, *rsa.PublicKey: + case *rsa2.PrivateKey, *rsa2.PublicKey: if PolKeyType != KeyType_RSA2048 && PolKeyType != KeyType_RSA3072 && PolKeyType != KeyType_RSA4096 { return fmt.Errorf("invalid key type: expected %s, got %T", PolKeyType, parsedKey) } @@ -2465,15 +2467,15 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { keyBytes = 512 } - rsaKey, ok := parsedKey.(*rsa.PrivateKey) + rsaKey, ok := parsedKey.(*rsa2.PrivateKey) if ok { if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } ke.RSAKey = rsaKey - ke.RSAPublicKey = rsaKey.Public().(*rsa.PublicKey) + ke.RSAPublicKey = rsaKey.Public().(*rsa2.PublicKey) } else { - rsaKey := parsedKey.(*rsa.PublicKey) + rsaKey := parsedKey.(*rsa2.PublicKey) if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } @@ -2541,7 +2543,7 @@ func (ke *KeyEntry) WrapKey(targetKey any, targetKeyType KeyType, hash hash.Hash return result, nil } -func wrapTargetPKCS8ForImport(wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { +func wrapTargetPKCS8ForImport(wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { // Generate an ephemeral AES-256 key ephKey, err := uuid.GenerateRandomBytes(32) if err != nil { @@ -2549,7 +2551,7 @@ func wrapTargetPKCS8ForImport(wrappingKey *rsa.PublicKey, preppedTargetKey []byt } // Wrap ephemeral AES key with public wrapping key - ephKeyWrapped, err := rsa.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) + ephKeyWrapped, err := rsa2.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) if err != nil { return "", fmt.Errorf("failed to encrypt ephemeral wrapping key with public key: %w", err) } @@ -2701,7 +2703,7 @@ func (p *Policy) ValidateLeafCertKeyMatch(keyVersion int, certPublicKeyAlgorithm return publicKey.Equal(certPublicKey), nil case x509.RSA: - certPublicKey := certPublicKey.(*rsa.PublicKey) + certPublicKey := certPublicKey.(*rsa2.PublicKey) publicKey := keyEntry.RSAKey.PublicKey return publicKey.Equal(certPublicKey), nil diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index 5e3ce1ee9d99..64de155aa31c 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -9,7 +9,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "crypto/x509" "encoding/base64" "errors" @@ -22,6 +21,7 @@ import ( "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" @@ -810,7 +810,7 @@ func Test_Import(t *testing.T) { func generateTestKeys() (map[KeyType][]byte, error) { keyMap := make(map[KeyType][]byte) - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) if err != nil { return nil, err } @@ -820,7 +820,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA2048] = rsaKeyBytes - rsaKey, err = rsa.GenerateKey(rand.Reader, 3072) + rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) if err != nil { return nil, err } @@ -830,7 +830,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA3072] = rsaKeyBytes - rsaKey, err = rsa.GenerateKey(rand.Reader, 4096) + rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) if err != nil { return nil, err } @@ -969,7 +969,7 @@ func Test_RSA_PSS(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, + test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1084,7 +1084,7 @@ func Test_RSA_PSS(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { @@ -1117,7 +1117,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, padding PaddingScheme) { + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, padding PaddingScheme) { // 1. Make a signature with the given key size and hash algorithm. t.Log(tabs[3], "Make an automatic signature") ct, err := p.EncryptWithFactory(0, nil, nil, string(input), padding) @@ -1152,7 +1152,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) for _, padding := range []PaddingScheme{PaddingScheme_OAEP, PaddingScheme_PKCS1v15, ""} { t.Run(fmt.Sprintf("%s/%s", rsaKeyType.String(), padding), func(t *testing.T) { test_RSA_PKCS1(t, p, rsaKey, padding) }) } @@ -1173,7 +1173,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1229,7 +1229,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa.PrivateKey) + rsaKey := rsaKeyAny.(*rsa2.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { diff --git a/sdk/helper/keysutil/util.go b/sdk/helper/keysutil/util.go index dbba7ec1fb70..cb3a0821d0ca 100644 --- a/sdk/helper/keysutil/util.go +++ b/sdk/helper/keysutil/util.go @@ -68,7 +68,7 @@ func isEd25519OID(oid asn1.ObjectIdentifier) bool { // ParsePKCS8Ed25519PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form. // -// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". @@ -125,7 +125,7 @@ func ParsePKCS8Ed25519PrivateKey(der []byte) (key interface{}, err error) { // // This helper only supports RSA/PSS keys (with OID 1.2.840.113549.1.1.10). // -// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 5b34631f2d7d..27cece13158f 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -8,7 +8,6 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/rsa" "encoding/base64" "encoding/json" "errors" @@ -24,6 +23,7 @@ import ( "github.com/go-jose/go-jose/v3/jwt" "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/base62" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/helper/identity" @@ -1762,7 +1762,7 @@ func generateKeys(algorithm string) (*jose.JSONWebKey, error) { switch algorithm { case "RS256", "RS384", "RS512": // 2048 bits is recommended by RSA Laboratories as a minimum post 2015 - if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil { + if key, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048); err != nil { return nil, err } case "ES256", "ES384", "ES512": From 4c2f9d4182efe86fe3aeeb9acb1f7ac56bd42be8 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Fri, 25 Oct 2024 12:56:52 -0500 Subject: [PATCH 08/28] switch to the conditional generator --- Makefile | 8 ++++---- builtin/credential/cert/backend_test.go | 4 ++-- builtin/logical/database/credentials.go | 2 +- builtin/logical/pki/backend_test.go | 16 +++++++-------- builtin/logical/pki/ca_test.go | 2 +- builtin/logical/pki/ca_util_test.go | 2 +- builtin/logical/pki/cert_util.go | 13 ++++++++++-- builtin/logical/pki/path_acme_test.go | 20 +++++++++---------- builtin/logical/pki/path_config_acme_test.go | 2 +- builtin/logical/pki/path_tidy_test.go | 4 ++-- .../logical/pkiext/pkiext_binary/acme_test.go | 4 ++-- builtin/logical/ssh/path_config_ca.go | 2 +- builtin/logical/ssh/util.go | 2 +- .../logical/transit/path_certificates_test.go | 2 +- builtin/logical/transit/path_import_test.go | 10 +++++----- command/transit_import_key_test.go | 4 ++-- .../testhelpers/certhelpers/cert_helpers.go | 2 +- plugins/database/mongodb/cert_helpers_test.go | 2 +- sdk/helper/certutil/certutil_test.go | 6 +++--- sdk/helper/certutil/helpers.go | 3 +-- sdk/helper/certutil/types_test.go | 2 +- sdk/helper/keysutil/policy.go | 2 +- sdk/helper/keysutil/policy_test.go | 6 +++--- vault/identity_store_oidc.go | 2 +- 24 files changed, 65 insertions(+), 57 deletions(-) diff --git a/Makefile b/Makefile index cce68dd54185..e9c46b437592 100644 --- a/Makefile +++ b/Makefile @@ -170,11 +170,11 @@ protolint: prep check-tools-external # now run as a pre-commit hook (and there's little value in # making every build run the formatter), we've removed that # dependency. -prep: check-go-version clean +prep: check-go-version @echo "==> Running go generate..." - @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) - @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) - @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) +# @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) +# @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) +# @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) # Git doesn't allow us to store shared hooks in .git. Instead, we make sure they're up-to-date # whenever a make target is invoked. diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index 23412ef9b6dc..dd92b2df07d8 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -658,7 +658,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.IPAddresses = []net.IP{parsedIP} // Private key for CA cert - caPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + caPrivateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -726,7 +726,7 @@ func TestBackend_NonCAExpiry(t *testing.T) { template.SerialNumber = big.NewInt(5678) template.KeyUsage = x509.KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign) - issuedPrivateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + issuedPrivateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 9208e836a3a9..08836d5aaaca 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -133,7 +133,7 @@ func (kg *rsaKeyGenerator) generate(r io.Reader) ([]byte, []byte, error) { return nil, nil, fmt.Errorf("invalid key_bits: %v", kg.KeyBits) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(reader, keyBits) + key, err := cryptoutil.GenerateRSAKey(reader, keyBits) if err != nil { return nil, nil, err } diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 2029f8a28613..82b1211ec6c3 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -511,14 +511,14 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s }, } - priv1024, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 1024) + priv1024, _ := cryptoutil.GenerateRSAKey(rand.Reader, 1024) csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024) csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csr1024, }))) - priv2048, _ := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv2048, _ := cryptoutil.GenerateRSAKey(rand.Reader, 2048) csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048) csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", @@ -700,7 +700,7 @@ func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType str var err error switch keyType { case "rsa": - priv, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + priv, err = cryptoutil.GenerateRSAKey(rand.Reader, keyBits) case "ec": switch keyBits { case 224: @@ -1181,7 +1181,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep { case "rsa": privKey, ok = generatedRSAKeys[keyBits] if !ok { - privKey, _ = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + privKey, _ = cryptoutil.GenerateRSAKey(rand.Reader, keyBits) generatedRSAKeys[keyBits] = privKey } @@ -2165,7 +2165,7 @@ func runTestSignVerbatim(t *testing.T, keyType string) { } // create a CSR and key - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2736,7 +2736,7 @@ func TestBackend_SignSelfIssued(t *testing.T) { t.Fatal(err) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -2880,7 +2880,7 @@ func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) { t.Fatal(err) } - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -3835,7 +3835,7 @@ func setCerts() { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index 745b1282a8cc..aa2a15f3cb55 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -98,7 +98,7 @@ func TestBackend_CA_Steps(t *testing.T) { } ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) - rak, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rak, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index 07c56f2dfdf9..66413ce5eb4a 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -16,7 +16,7 @@ import ( ) func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) { - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index ae5d3504d465..ac5e4dd91420 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -321,6 +321,15 @@ func validateSerialNumber(data *inputBundle, serialNumber string) string { return issuing.ValidateSerialNumber(data.role, serialNumber) } +type slowRand struct { + r io.Reader +} + +func (s *slowRand) Read(p []byte) (n int, err error) { + time.Sleep(50 * time.Millisecond) + return s.r.Read(p) +} + func generateCert(sc *storageContext, input *inputBundle, caSign *certutil.CAInfoBundle, @@ -333,7 +342,7 @@ func generateCert(sc *storageContext, return nil, nil, errutil.InternalError{Err: "no role found in data bundle"} } - if input.role.KeyType == "rsa" && input.role.KeyBits < 2048 { + if input.role.KeyType == "rsa" && input.role.KeyBits < 1024 { return nil, nil, errutil.UserError{Err: "RSA keys < 2048 bits are unsafe and not supported"} } @@ -391,7 +400,7 @@ func generateCert(sc *storageContext, } } - parsedBundle, err := generateCABundle(sc, input, data, randomSource) + parsedBundle, err := generateCABundle(sc, input, data, &slowRand{randomSource}) if err != nil { return nil, nil, err } diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index 95647ea9ecad..bc7ecc0348af 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -60,7 +60,7 @@ func TestAcmeBasicWorkflow(t *testing.T) { for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -592,7 +592,7 @@ func TestAcmeAccountsCrossingDirectoryPath(t *testing.T) { defer cluster.Cleanup() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -628,7 +628,7 @@ func TestAcmeEabCrossingDirectoryPath(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") testCtx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) @@ -838,7 +838,7 @@ func TestAcmeTruncatesToIssuerExpiry(t *testing.T) { require.NoError(t, err, "failed updating issuer name") baseAcmeURL := "/v1/pki/issuer/short-ca/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -910,7 +910,7 @@ func TestAcmeRoleExtKeyUsage(t *testing.T) { _, err := client.Logical().Write("pki/roles/"+roleName, roleOpt) baseAcmeURL := "/v1/pki/roles/" + roleName + "/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") require.NoError(t, err, "failed creating role test-role") @@ -1179,7 +1179,7 @@ func TestAcmeWithCsrIncludingBasicConstraintExtension(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1511,7 +1511,7 @@ func TestAcmeValidationError(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1619,7 +1619,7 @@ func TestAcmeRevocationAcrossAccounts(t *testing.T) { defer cancel() baseAcmeURL := "/v1/pki/acme/" - accountKey1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey1, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient1 := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey1) @@ -1718,7 +1718,7 @@ func TestAcmeMaxTTL(t *testing.T) { require.NoError(t, err, "error configuring acme") // First Create Our Client - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) @@ -1946,7 +1946,7 @@ func TestACMEClientRequestLimits(t *testing.T) { for _, tc := range cases { // First Create Our Client - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, "/v1/pki/acme/", accountKey) diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index c02d2f537f1a..5eee3a2195b8 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -117,7 +117,7 @@ func TestAcmeConfig(t *testing.T) { require.NoError(t, err) baseAcmeURL := "/v1/pki/" + tc.prefixUrl - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index f64443a2ddc3..fc46b6e84718 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -916,7 +916,7 @@ func TestTidyAcmeWithBackdate(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) @@ -1073,7 +1073,7 @@ func TestTidyAcmeWithSafetyBuffer(t *testing.T) { // Register an Account, do nothing with it baseAcmeURL := "/v1/pki/acme/" - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa key") acmeClient := getAcmeClientForCluster(t, cluster, baseAcmeURL, accountKey) diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index 6477812bd1d3..efda8241f2f0 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -704,7 +704,7 @@ func doAcmeValidationWithGoLibrary(t *testing.T, directoryUrl string, acmeOrderI } httpClient := &http.Client{Transport: tr} - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") logger.Trace("Using the following url for the ACME directory", "url", directoryUrl) acmeClient := &acme.Client{ @@ -957,7 +957,7 @@ func SubtestACMEStepDownNode(t *testing.T, cluster *VaultPkiCluster) { DNSNames: []string{hostname, hostname}, } - accountKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + accountKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err, "failed creating rsa account key") acmeClient := &acme.Client{ diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 66a9a4a7956e..9018f88fc816 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -326,7 +326,7 @@ func generateSSHKeyPair(randomSource io.Reader, keyType string, keyBits int) (st return "", "", fmt.Errorf("refusing to generate weak %v key: %v bits < 2048 bits", keyType, keyBits) } - privateSeed, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(randomSource, keyBits) + privateSeed, err := cryptoutil.GenerateRSAKey(randomSource, keyBits) if err != nil { return "", "", err } diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index 2a94741a82c9..fff7402672cf 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -22,7 +22,7 @@ import ( // Creates a new RSA key pair with the given key length. The private key will be // of pem format and the public key will be of OpenSSH format. func generateRSAKeys(keyBits int) (publicKeyRsa string, privateKeyRsa string, err error) { - privateKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, keyBits) + privateKey, err := cryptoutil.GenerateRSAKey(rand.Reader, keyBits) if err != nil { return "", "", fmt.Errorf("error generating RSA key-pair: %w", err) } diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index e77bac73a7b0..a81f9ec24cae 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -167,7 +167,7 @@ func testTransit_ImportCertChain(t *testing.T, apiClient *api.Client, keyType st require.NoError(t, err) // Setup a new CSR - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(cryptoRand.Reader, 3072) + privKey, err := cryptoutil.GenerateRSAKey(cryptoRand.Reader, 3072) require.NoError(t, err) var csrTemplate x509.CertificateRequest diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index 5c4fa9861b15..9b0f03e2f2a1 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -162,7 +162,7 @@ func TestTransit_Import(t *testing.T) { t.Run( "import into a key fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -502,7 +502,7 @@ func TestTransit_ImportVersion(t *testing.T) { t.Run( "import into a key version fails before wrapping key is read", func(t *testing.T) { - fakeWrappingKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + fakeWrappingKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { t.Fatalf("failed to generate fake wrapping key: %s", err) } @@ -1027,11 +1027,11 @@ func generateKey(keyType string) (interface{}, error) { case "ecdsa-p521": return ecdsa.GenerateKey(elliptic.P521(), rand.Reader) case "rsa-2048": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + return cryptoutil.GenerateRSAKey(rand.Reader, 2048) case "rsa-3072": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + return cryptoutil.GenerateRSAKey(rand.Reader, 3072) case "rsa-4096": - return cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + return cryptoutil.GenerateRSAKey(rand.Reader, 4096) default: return nil, fmt.Errorf("failed to generate unsupported key type: %s", keyType) } diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 2b030e083877..6ea4c9985dfa 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -171,7 +171,7 @@ func execTransitImport(t *testing.T, client *api.Client, method string, path str func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) { t.Helper() - priv1, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv1, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NotNil(t, priv1, "failed generating RSA 1 key") require.NoError(t, err, "failed generating RSA 1 key") @@ -179,7 +179,7 @@ func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 require.NotNil(t, rsa1, "failed marshaling RSA 1 key") require.NoError(t, err, "failed marshaling RSA 1 key") - priv2, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + priv2, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) require.NotNil(t, priv2, "failed generating RSA 2 key") require.NoError(t, err, "failed generating RSA 2 key") diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index 0d75fc9c9a89..171421c3b240 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -167,7 +167,7 @@ type KeyWrapper struct { func NewPrivateKey(t *testing.T) (key KeyWrapper) { t.Helper() - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 9d38220c1a38..8ae0fe16b019 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -155,7 +155,7 @@ type keyWrapper struct { func newPrivateKey(t *testing.T) (key keyWrapper) { t.Helper() - privKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + privKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("Unable to generate key for cert: %s", err) } diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index ccd82ac42ca8..8540183f2de0 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -465,7 +465,7 @@ vitin0L6nprauWkKO38XgM4T75qKZpqtiOcT } func TestGetPublicKeySize(t *testing.T) { - rsa, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + rsa, err := cryptoutil.GenerateRSAKey(rand.Reader, 3072) if err != nil { t.Fatal(err) } @@ -735,7 +735,7 @@ func setCerts() { // RSA generation { - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { panic(err) } @@ -1106,7 +1106,7 @@ func TestIgnoreCSRSigning(t *testing.T) { } func genRsaKey(t *testing.T) *rsa2.PrivateKey { - key, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index e9096ac1237e..ad7e2e544b8d 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -30,7 +30,6 @@ import ( "time" "github.com/hashicorp/errwrap" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/mitchellh/mapstructure" @@ -369,7 +368,7 @@ func generatePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyC return errutil.InternalError{Err: fmt.Sprintf("insecure bit length for RSA private key: %d", keyBits)} } privateKeyType = RSAPrivateKey - privateKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, keyBits) + privateKey, err = rsa2.GenerateKey(randReader, keyBits) if err != nil { return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)} } diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index a76741b20460..5e08e8a1fe12 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -15,7 +15,7 @@ import ( ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatalf("error generating rsa key: %s", err) } diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index b7ae3e82c8fa..59fd3dcbe3af 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -1827,7 +1827,7 @@ func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error) { bitSize = 4096 } - entry.RSAKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(randReader, bitSize) + entry.RSAKey, err = cryptoutil.GenerateRSAKey(randReader, bitSize) if err != nil { return err } diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index 64de155aa31c..d83be7250de8 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -810,7 +810,7 @@ func Test_Import(t *testing.T) { func generateTestKeys() (map[KeyType][]byte, error) { keyMap := make(map[KeyType][]byte) - rsaKey, err := cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048) + rsaKey, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { return nil, err } @@ -820,7 +820,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA2048] = rsaKeyBytes - rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 3072) + rsaKey, err = cryptoutil.GenerateRSAKey(rand.Reader, 3072) if err != nil { return nil, err } @@ -830,7 +830,7 @@ func generateTestKeys() (map[KeyType][]byte, error) { } keyMap[KeyType_RSA3072] = rsaKeyBytes - rsaKey, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 4096) + rsaKey, err = cryptoutil.GenerateRSAKey(rand.Reader, 4096) if err != nil { return nil, err } diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 27cece13158f..406b61de3948 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -1762,7 +1762,7 @@ func generateKeys(algorithm string) (*jose.JSONWebKey, error) { switch algorithm { case "RS256", "RS384", "RS512": // 2048 bits is recommended by RSA Laboratories as a minimum post 2015 - if key, err = cryptoutil.GenerateRSAKeyWithHMACDRBG(rand.Reader, 2048); err != nil { + if key, err = cryptoutil.GenerateRSAKey(rand.Reader, 2048); err != nil { return nil, err } case "ES256", "ES384", "ES512": From e6baaa7e69ca6ccda776fa61d7d67e16ecdb6a02 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Thu, 14 Nov 2024 11:00:49 -0600 Subject: [PATCH 09/28] Add an ENV var to disable the DRBG in a pinch --- builtin/credential/cert/backend_test.go | 2 +- builtin/logical/database/credentials.go | 2 +- builtin/logical/pki/backend_test.go | 2 +- builtin/logical/pki/ca_test.go | 2 +- builtin/logical/pki/ca_util_test.go | 2 +- builtin/logical/pki/path_acme_test.go | 2 +- builtin/logical/pki/path_config_acme_test.go | 2 +- builtin/logical/pki/path_tidy_test.go | 2 +- .../logical/pkiext/pkiext_binary/acme_test.go | 2 +- builtin/logical/ssh/path_config_ca.go | 2 +- builtin/logical/ssh/util.go | 2 +- .../logical/transit/path_certificates_test.go | 2 +- builtin/logical/transit/path_import_test.go | 2 +- command/transit_import_key_test.go | 2 +- helper/cryptoutil/rsa.go | 31 +++++++++++++++++++ .../testhelpers/certhelpers/cert_helpers.go | 2 +- plugins/database/mongodb/cert_helpers_test.go | 2 +- sdk/helper/certutil/certutil_test.go | 2 +- sdk/helper/certutil/types_test.go | 2 +- sdk/helper/keysutil/policy.go | 2 +- sdk/helper/keysutil/policy_test.go | 2 +- vault/identity_store_oidc.go | 2 +- 22 files changed, 52 insertions(+), 21 deletions(-) create mode 100644 helper/cryptoutil/rsa.go diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index dd92b2df07d8..4ec407892ba5 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -31,10 +31,10 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" + "github.com/hashicorp/vault/helper/cryptoutil" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/framework" diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 08836d5aaaca..9a5867745eda 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -14,7 +14,7 @@ import ( "strings" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/random" "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/helper/certutil" diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 82b1211ec6c3..73c6858a5696 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -38,7 +38,6 @@ import ( "github.com/armon/go-metrics" "github.com/fatih/structs" "github.com/go-test/deep" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/vault/api" auth "github.com/hashicorp/vault/api/auth/userpass" @@ -46,6 +45,7 @@ import ( "github.com/hashicorp/vault/builtin/logical/pki/issuing" "github.com/hashicorp/vault/builtin/logical/pki/parsing" "github.com/hashicorp/vault/builtin/logical/pki/pki_backend" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" "github.com/hashicorp/vault/helper/testhelpers/teststorage" diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index aa2a15f3cb55..30650d48b136 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -20,8 +20,8 @@ import ( "time" "github.com/go-test/deep" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" + "github.com/hashicorp/vault/helper/cryptoutil" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" "github.com/hashicorp/vault/sdk/logical" diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index 66413ce5eb4a..fc70feeb7993 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -11,7 +11,7 @@ import ( "crypto/rand" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/certutil" ) diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index bc7ecc0348af..c441c4e322a1 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -25,10 +25,10 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki/dnstest" "github.com/hashicorp/vault/helper/constants" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index 5eee3a2195b8..ed554932d27c 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -9,8 +9,8 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/constants" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/stretchr/testify/require" ) diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index fc46b6e84718..e50ccdabc5c8 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -19,8 +19,8 @@ import ( "time" "github.com/armon/go-metrics" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/jsonutil" diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index efda8241f2f0..e38ab7c2a7e6 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -24,9 +24,9 @@ import ( "time" "github.com/hashicorp/go-hclog" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/builtin/logical/pkiext" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/sdk/helper/certutil" diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 9018f88fc816..99271dae3e62 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -17,7 +17,7 @@ import ( "io" multierror "github.com/hashicorp/go-multierror" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/logical" "github.com/mikesmitty/edkey" diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index fff7402672cf..ec59db87245b 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -13,8 +13,8 @@ import ( "net" "strings" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/parseutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "golang.org/x/crypto/ssh" ) diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index a81f9ec24cae..9d1ed6f5c1d3 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -13,9 +13,9 @@ import ( "strings" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" + "github.com/hashicorp/vault/helper/cryptoutil" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index 9b0f03e2f2a1..8cd7982d8fa6 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -18,8 +18,8 @@ import ( "sync" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" uuid "github.com/hashicorp/go-uuid" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "github.com/tink-crypto/tink-go/v2/kwp/subtle" ) diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 6ea4c9985dfa..0c670f81493d 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -12,8 +12,8 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/stretchr/testify/require" ) diff --git a/helper/cryptoutil/rsa.go b/helper/cryptoutil/rsa.go new file mode 100644 index 000000000000..bc3af3a801d0 --- /dev/null +++ b/helper/cryptoutil/rsa.go @@ -0,0 +1,31 @@ +package cryptoutil + +import ( + "crypto/rsa" + "io" + "os" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/parseutil" +) + +var disabled bool + +func init() { + s := os.Getenv("VAULT_DISABLE_RSA_DRBG") + var err error + disabled, err = parseutil.ParseBool(s) + if err != nil { + // Assume it's a typo and disable + disabled = true + } +} + +// Uses go-secure-stdlib's GenerateRSAKey routine conditionally. This exists to be able to disable the feature +// via an ENV var in a pinch +func GenerateRSAKey(randomSource io.Reader, bits int) (*rsa.PrivateKey, error) { + if disabled { + return rsa.GenerateKey(randomSource, bits) + } + return cryptoutil.GenerateRSAKey(randomSource, bits) +} diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index 171421c3b240..06f756e0088d 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -18,7 +18,7 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" ) type CertBuilder struct { diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 8ae0fe16b019..129ec51dac4f 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -17,7 +17,7 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" ) type certBuilder struct { diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 8540183f2de0..5c317e8704fe 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -25,7 +25,7 @@ import ( "time" "github.com/fatih/structs" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" ) // Tests converting back and forth between a CertBundle and a ParsedCertBundle. diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index 5e08e8a1fe12..94eba14dbe66 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -11,7 +11,7 @@ import ( "crypto/rand" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index 59fd3dcbe3af..d72d085a3e86 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -33,7 +33,7 @@ import ( "sync/atomic" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/errwrap" "github.com/hashicorp/go-uuid" diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index d83be7250de8..05b68202c9cf 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -21,7 +21,7 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 406b61de3948..5495bebae946 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -23,9 +23,9 @@ import ( "github.com/go-jose/go-jose/v3/jwt" "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/base62" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-uuid" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/identity" "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/sdk/framework" From 5a55c894e22293ec6857a5c003c7392128d1b1d0 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 21 Oct 2024 14:06:49 -0500 Subject: [PATCH 10/28] Use DRBG based RSA key generation everywhere --- go.mod | 1 + 1 file changed, 1 insertion(+) diff --git a/go.mod b/go.mod index de877ccdc95e..aabd45d7c77a 100644 --- a/go.mod +++ b/go.mod @@ -239,6 +239,7 @@ require ( github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/sys/userns v0.1.0 // indirect From bd8f56568e4983f5b31d83b48a1e837d14f366da Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Fri, 15 Nov 2024 14:05:59 -0600 Subject: [PATCH 11/28] update go.mod --- go.mod | 1 - sdk/helper/keysutil/policy.go | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/go.mod b/go.mod index aabd45d7c77a..de877ccdc95e 100644 --- a/go.mod +++ b/go.mod @@ -239,7 +239,6 @@ require ( github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect - github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-00010101000000-000000000000 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/sys/userns v0.1.0 // indirect diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index d72d085a3e86..1ca9bca1e974 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -33,10 +33,9 @@ import ( "sync/atomic" "time" - "github.com/hashicorp/vault/helper/cryptoutil" - "github.com/hashicorp/errwrap" "github.com/hashicorp/go-uuid" + "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/kdf" From afb7027b239216e2c882feed420144c8496aa019 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 12:45:16 -0600 Subject: [PATCH 12/28] fix import --- builtin/credential/cert/backend_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index 4ec407892ba5..b6ce5189a782 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -28,13 +28,14 @@ import ( "testing" "time" + "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" - "github.com/hashicorp/vault/helper/cryptoutil" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/framework" From 2fd9552d84883acf4c1f1a8253b598b346ce990e Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 12:54:33 -0600 Subject: [PATCH 13/28] Remove rsa2 alias, remove test code --- builtin/credential/cert/backend_test.go | 3 +- builtin/logical/database/credentials_test.go | 4 +- builtin/logical/pki/backend_test.go | 4 +- builtin/logical/pki/ca_util.go | 4 +- builtin/logical/pki/cert_util.go | 11 +--- builtin/logical/pki/integration_test.go | 10 ++-- builtin/logical/pki/issuing/sign_cert.go | 6 +-- builtin/logical/pki/path_revoke.go | 2 +- builtin/logical/pki/path_root.go | 2 +- builtin/logical/pki/test_helpers.go | 4 +- builtin/logical/ssh/path_issue_sign.go | 2 +- builtin/logical/transit/path_export_test.go | 2 +- builtin/logical/transit/path_import_test.go | 6 +-- .../logical/transit/path_wrapping_key_test.go | 2 +- command/transit_import_key_test.go | 20 +++---- helper/pkcs7/decrypt.go | 2 +- helper/pkcs7/encrypt.go | 2 +- helper/pkcs7/pkcs7_test.go | 48 ++++++++--------- .../testhelpers/certhelpers/cert_helpers.go | 4 +- plugins/database/mongodb/cert_helpers_test.go | 4 +- sdk/helper/certutil/certutil_test.go | 8 +-- sdk/helper/certutil/helpers.go | 22 ++++---- sdk/helper/certutil/types.go | 10 ++-- sdk/helper/keysutil/policy.go | 52 +++++++++---------- sdk/helper/keysutil/policy_test.go | 12 ++--- sdk/helper/keysutil/util.go | 4 +- 26 files changed, 120 insertions(+), 130 deletions(-) diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index b6ce5189a782..4ec407892ba5 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -28,14 +28,13 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" - "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" + "github.com/hashicorp/vault/helper/cryptoutil" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/framework" diff --git a/builtin/logical/database/credentials_test.go b/builtin/logical/database/credentials_test.go index 7284ab48e03b..cd7dae27e662 100644 --- a/builtin/logical/database/credentials_test.go +++ b/builtin/logical/database/credentials_test.go @@ -695,7 +695,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { pub, err := x509.ParsePKIXPublicKey(pubBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, pub) - assert.IsType(t, &rsa2.PublicKey{}, pub) + assert.IsType(t, &rsa.PublicKey{}, pub) // Assert that we can parse the private key PEM block in // the configured format @@ -704,7 +704,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { priv, err := x509.ParsePKCS8PrivateKey(privBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, priv) - assert.IsType(t, &rsa2.PrivateKey{}, priv) + assert.IsType(t, &rsa.PrivateKey{}, priv) default: t.Fatal("unknown format") } diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 73c6858a5696..c409ff44d98a 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -12,7 +12,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" @@ -410,7 +410,7 @@ func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUs case "rsa": parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey parsedCertBundle.PrivateKey = key - parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa2.PrivateKey)) + parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) case "ec": parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey parsedCertBundle.PrivateKey = key diff --git a/builtin/logical/pki/ca_util.go b/builtin/logical/pki/ca_util.go index bb2071d8072c..2d2478ab8e46 100644 --- a/builtin/logical/pki/ca_util.go +++ b/builtin/logical/pki/ca_util.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/ecdsa" - rsa2 "crypto/rsa" + "crypto/rsa" "errors" "fmt" "io" @@ -229,7 +229,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr var keyBits int switch pubKey.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: keyType = certutil.RSAPrivateKey keyBits = certutil.GetPublicKeySize(pubKey) case *ecdsa.PublicKey: diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index ac5e4dd91420..53129264eafd 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -321,15 +321,6 @@ func validateSerialNumber(data *inputBundle, serialNumber string) string { return issuing.ValidateSerialNumber(data.role, serialNumber) } -type slowRand struct { - r io.Reader -} - -func (s *slowRand) Read(p []byte) (n int, err error) { - time.Sleep(50 * time.Millisecond) - return s.r.Read(p) -} - func generateCert(sc *storageContext, input *inputBundle, caSign *certutil.CAInfoBundle, @@ -400,7 +391,7 @@ func generateCert(sc *storageContext, } } - parsedBundle, err := generateCABundle(sc, input, data, &slowRand{randomSource}) + parsedBundle, err := generateCABundle(sc, input, data, randomSource) if err != nil { return nil, nil, err } diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go index b1d152d219d1..1c3da7fa3a1b 100644 --- a/builtin/logical/pki/integration_test.go +++ b/builtin/logical/pki/integration_test.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -331,11 +331,11 @@ func TestIntegration_CSRGeneration(t *testing.T) { expectedPublicKeyType crypto.PublicKey expectedSignature x509.SignatureAlgorithm }{ - {"rsa", false, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSA}, - {"rsa", false, 2048, 384, &rsa2.PublicKey{}, x509.SHA384WithRSA}, + {"rsa", false, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSA}, + {"rsa", false, 2048, 384, &rsa.PublicKey{}, x509.SHA384WithRSA}, // Add back once https://github.com/golang/go/issues/45990 is fixed. - // {"rsa", true, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSAPSS}, - // {"rsa", true, 2048, 512, &rsa2.PublicKey{}, x509.SHA512WithRSAPSS}, + // {"rsa", true, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSAPSS}, + // {"rsa", true, 2048, 512, &rsa.PublicKey{}, x509.SHA512WithRSAPSS}, {"ec", false, 224, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 256, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 384, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA384}, diff --git a/builtin/logical/pki/issuing/sign_cert.go b/builtin/logical/pki/issuing/sign_cert.go index 63633286aaf3..c6548f69521e 100644 --- a/builtin/logical/pki/issuing/sign_cert.go +++ b/builtin/logical/pki/issuing/sign_cert.go @@ -6,7 +6,7 @@ package issuing import ( "crypto/ecdsa" "crypto/ed25519" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/x509" "fmt" @@ -139,7 +139,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi return nil, nil, errutil.UserError{Err: fmt.Sprintf("role requires keys of type %s", role.KeyType)} } - pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } @@ -180,7 +180,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi // validate minimums and SignatureBits below. switch csr.PublicKeyAlgorithm { case x509.RSA: - pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go index e28e207c8246..f6c35e67f732 100644 --- a/builtin/logical/pki/path_revoke.go +++ b/builtin/logical/pki/path_revoke.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - rsa "crypto/rsa" + "crypto/rsa" "crypto/subtle" "crypto/x509" "encoding/pem" diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go index 3cc2cbc061e8..a4ce2d25108b 100644 --- a/builtin/logical/pki/path_root.go +++ b/builtin/logical/pki/path_root.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - rsa "crypto/rsa" + "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" diff --git a/builtin/logical/pki/test_helpers.go b/builtin/logical/pki/test_helpers.go index cc79999bde01..2806a5dcafd2 100644 --- a/builtin/logical/pki/test_helpers.go +++ b/builtin/logical/pki/test_helpers.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/rand" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -117,7 +117,7 @@ func requireMatchingPublicKeys(t *testing.T, cert *x509.Certificate, key crypto. require.True(t, areEqual, "public keys mismatched: got: %v, expected: %v", certPubKey, key) } -func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa2.PrivateKey) (string, *x509.Certificate) { +func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa.PrivateKey) (string, *x509.Certificate) { t.Helper() selfSigned, err := x509.CreateCertificate(rand.Reader, subject, issuer, key.Public(), key) if err != nil { diff --git a/builtin/logical/ssh/path_issue_sign.go b/builtin/logical/ssh/path_issue_sign.go index 630bee13e47b..60c6d44f7ace 100644 --- a/builtin/logical/ssh/path_issue_sign.go +++ b/builtin/logical/ssh/path_issue_sign.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/ed25519" "crypto/rand" - rsa "crypto/rsa" + "crypto/rsa" "crypto/sha256" "errors" "fmt" diff --git a/builtin/logical/transit/path_export_test.go b/builtin/logical/transit/path_export_test.go index 8a963c15c7f7..cde1e5d82898 100644 --- a/builtin/logical/transit/path_export_test.go +++ b/builtin/logical/transit/path_export_test.go @@ -600,7 +600,7 @@ func testTransit_exportCertificateChain(t *testing.T, apiClient *api.Client, key pubWrappingKey, err := x509.ParsePKIXPublicKey(wrappingKeyPemBlock.Bytes) require.NoError(t, err, "failed to parse wrapping key") - blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa2.PublicKey), privKeyBytes, "SHA256") + blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa.PublicKey), privKeyBytes, "SHA256") // Import key _, err = apiClient.Logical().Write(fmt.Sprintf("/transit/keys/%s/import", keyName), map[string]interface{}{ diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index 8cd7982d8fa6..1f8cf3f230a8 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -948,7 +948,7 @@ func TestTransit_ImportVersionWithPublicKeys(t *testing.T) { ) } -func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa2.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { +func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { t.Helper() // Format target key for wrapping @@ -971,7 +971,7 @@ func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa2.PublicKey, targetKey return wrapTargetPKCS8ForImport(t, wrappingKey, preppedTargetKey, hashFnName) } -func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hashFnName string) string { +func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hashFnName string) string { t.Helper() // Generate an ephemeral AES-256 key @@ -1042,7 +1042,7 @@ func getPublicKey(privateKey crypto.PrivateKey, keyType string) ([]byte, error) var publicKeyBytes []byte switch keyType { case "rsa-2048", "rsa-3072", "rsa-4096": - publicKey = privateKey.(*rsa2.PrivateKey).Public() + publicKey = privateKey.(*rsa.PrivateKey).Public() case "ecdsa-p256", "ecdsa-p384", "ecdsa-p521": publicKey = privateKey.(*ecdsa.PrivateKey).Public() case "ed25519": diff --git a/builtin/logical/transit/path_wrapping_key_test.go b/builtin/logical/transit/path_wrapping_key_test.go index 37328ed0bed1..e1acea3d2d78 100644 --- a/builtin/logical/transit/path_wrapping_key_test.go +++ b/builtin/logical/transit/path_wrapping_key_test.go @@ -50,7 +50,7 @@ func TestTransit_WrappingKey(t *testing.T) { if err != nil { t.Fatalf("failed to parse public wrapping key: %s", err) } - wrappingKey, ok := rawPubKey.(*rsa2.PublicKey) + wrappingKey, ok := rawPubKey.(*rsa.PublicKey) if !ok || wrappingKey.Size() != 512 { t.Fatal("public wrapping key is not a 4096-bit RSA key") } diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 0c670f81493d..5a03b7be9a2a 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -39,7 +39,7 @@ func TestTransitImport(t *testing.T) { t.Fatalf("transit failed generating wrapping key: %#v", err) } - rsa1, rsa2, aes128, aes256 := generateKeys(t) + rsa1, rsa, aes128, aes256 := generateKeys(t) type testCase struct { variant string @@ -59,28 +59,28 @@ func TestTransitImport(t *testing.T) { { "import", "transit/keys/rsa1", - rsa2, + rsa, []string{"type=rsa-2048"}, true, /* already exists */ }, { "import-version", "transit/keys/rsa1", - rsa2, + rsa, []string{"type=rsa-2048"}, false, /* new version */ }, { "import", - "transit/keys/rsa2", - rsa2, + "transit/keys/rsa", + rsa, []string{"type=rsa-4096"}, true, /* wrong type */ }, { "import", - "transit/keys/rsa2", - rsa2, + "transit/keys/rsa", + rsa, []string{"type=rsa-2048"}, false, /* new name */ }, @@ -168,7 +168,7 @@ func execTransitImport(t *testing.T, client *api.Client, method string, path str } } -func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) { +func generateKeys(t *testing.T) (rsa1 []byte, rsa []byte, aes128 []byte, aes256 []byte) { t.Helper() priv1, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) @@ -183,8 +183,8 @@ func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 require.NotNil(t, priv2, "failed generating RSA 2 key") require.NoError(t, err, "failed generating RSA 2 key") - rsa2, err = x509.MarshalPKCS8PrivateKey(priv2) - require.NotNil(t, rsa2, "failed marshaling RSA 2 key") + rsa, err = x509.MarshalPKCS8PrivateKey(priv2) + require.NotNil(t, rsa, "failed marshaling RSA 2 key") require.NoError(t, err, "failed marshaling RSA 2 key") aes128 = make([]byte, 128/8) diff --git a/helper/pkcs7/decrypt.go b/helper/pkcs7/decrypt.go index a34bb5a65748..acedb1ec92af 100644 --- a/helper/pkcs7/decrypt.go +++ b/helper/pkcs7/decrypt.go @@ -7,7 +7,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - rsa "crypto/rsa" + "crypto/rsa" "crypto/x509" "encoding/asn1" "errors" diff --git a/helper/pkcs7/encrypt.go b/helper/pkcs7/encrypt.go index dfe8bc0a492c..90da67e4eed2 100644 --- a/helper/pkcs7/encrypt.go +++ b/helper/pkcs7/encrypt.go @@ -6,7 +6,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - rsa "crypto/rsa" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" diff --git a/helper/pkcs7/pkcs7_test.go b/helper/pkcs7/pkcs7_test.go index 21f4616d3bf1..35df329f94b7 100644 --- a/helper/pkcs7/pkcs7_test.go +++ b/helper/pkcs7/pkcs7_test.go @@ -16,11 +16,11 @@ import ( "time" ) -var test1024Key, test2048Key, test3072Key, test4096Key *rsa2.PrivateKey +var test1024Key, test2048Key, test3072Key, test4096Key *rsa.PrivateKey func init() { - test1024Key = &rsa2.PrivateKey{ - PublicKey: rsa2.PublicKey{ + test1024Key = &rsa.PrivateKey{ + PublicKey: rsa.PublicKey{ N: fromBase10("123024078101403810516614073341068864574068590522569345017786163424062310013967742924377390210586226651760719671658568413826602264886073432535341149584680111145880576802262550990305759285883150470245429547886689754596541046564560506544976611114898883158121012232676781340602508151730773214407220733898059285561"), E: 65537, }, @@ -31,8 +31,8 @@ func init() { }, } test1024Key.Precompute() - test2048Key = &rsa2.PrivateKey{ - PublicKey: rsa2.PublicKey{ + test2048Key = &rsa.PrivateKey{ + PublicKey: rsa.PublicKey{ N: fromBase10("14314132931241006650998084889274020608918049032671858325988396851334124245188214251956198731333464217832226406088020736932173064754214329009979944037640912127943488972644697423190955557435910767690712778463524983667852819010259499695177313115447116110358524558307947613422897787329221478860907963827160223559690523660574329011927531289655711860504630573766609239332569210831325633840174683944553667352219670930408593321661375473885147973879086994006440025257225431977751512374815915392249179976902953721486040787792801849818254465486633791826766873076617116727073077821584676715609985777563958286637185868165868520557"), E: 3, }, @@ -43,8 +43,8 @@ func init() { }, } test2048Key.Precompute() - test3072Key = &rsa2.PrivateKey{ - PublicKey: rsa2.PublicKey{ + test3072Key = &rsa.PrivateKey{ + PublicKey: rsa.PublicKey{ N: fromBase10("4799422180968749215324244710281712119910779465109490663934897082847293004098645365195947978124390029272750644394844443980065532911010718425428791498896288210928474905407341584968381379157418577471272697781778686372450913810019702928839200328075568223462554606149618941566459398862673532997592879359280754226882565483298027678735544377401276021471356093819491755877827249763065753555051973844057308627201762456191918852016986546071426986328720794061622370410645440235373576002278045257207695462423797272017386006110722769072206022723167102083033531426777518054025826800254337147514768377949097720074878744769255210076910190151785807232805749219196645305822228090875616900385866236956058984170647782567907618713309775105943700661530312800231153745705977436176908325539234432407050398510090070342851489496464612052853185583222422124535243967989533830816012180864309784486694786581956050902756173889941244024888811572094961378021"), E: 65537, }, @@ -55,8 +55,8 @@ func init() { }, } test3072Key.Precompute() - test4096Key = &rsa2.PrivateKey{ - PublicKey: rsa2.PublicKey{ + test4096Key = &rsa.PrivateKey{ + PublicKey: rsa.PublicKey{ N: fromBase10("633335480064287130853997429184971616419051348693342219741748040433588285601270210251206421401040394238592139790962887290698043839174341843721930134010306454716566698330215646704263665452264344664385995704186692432827662862845900348526672531755932642433662686500295989783595767573119607065791980381547677840410600100715146047382485989885183858757974681241303484641390718944520330953604501686666386926996348457928415093305041429178744778762826377713889019740060910363468343855830206640274442887621960581569183233822878661711798998132931623726434336448716605363514220760343097572198620479297583609779817750646169845195672483600293522186340560792255595411601450766002877850696008003794520089358819042318331840490155176019070646738739580486357084733208876620846449161909966690602374519398451042362690200166144326179405976024265116931974936425064291406950542193873313447617169603706868220189295654943247311295475722243471700112334609817776430552541319671117235957754556272646031356496763094955985615723596562217985372503002989591679252640940571608314743271809251568670314461039035793703429977801961867815257832671786542212589906513979094156334941265621017752516999186481477500481433634914622735206243841674973785078408289183000133399026553"), E: 65537, }, @@ -127,7 +127,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA256WithRSA: priv = test2048Key switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -137,7 +137,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA384WithRSA: priv = test3072Key switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -147,7 +147,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA512WithRSA: priv = test4096Key switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -160,7 +160,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -173,7 +173,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -186,7 +186,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -207,19 +207,19 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 log.Println("creating cert", name, "issued by", issuerCert.Subject.CommonName, "with sigalg", sigAlg) switch priv.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: switch issuerKey.(type) { - case *rsa2.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) + case *rsa.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) case *ecdsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) } case *ecdsa.PrivateKey: switch issuerKey.(type) { - case *rsa2.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) + case *rsa.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: @@ -228,7 +228,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case *dsa.PrivateKey: pub := &priv.(*dsa.PrivateKey).PublicKey switch issuerKey := issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, pub, issuerKey) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*dsa.PublicKey), issuerKey) @@ -256,7 +256,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 type TestFixture struct { Input []byte Certificate *x509.Certificate - PrivateKey *rsa2.PrivateKey + PrivateKey *rsa.PrivateKey } func UnmarshalTestFixture(testPEMBlock string) TestFixture { diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index 06f756e0088d..8864991a6065 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -26,7 +26,7 @@ type CertBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa2.PrivateKey + parentKey *rsa.PrivateKey isCA bool } @@ -160,7 +160,7 @@ func NewCert(t *testing.T, opts ...CertOpt) (cert Certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type KeyWrapper struct { - PrivKey *rsa2.PrivateKey + PrivKey *rsa.PrivateKey Pem []byte } diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 129ec51dac4f..5ea29931f439 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -25,7 +25,7 @@ type certBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa2.PrivateKey + parentKey *rsa.PrivateKey isCA bool } @@ -148,7 +148,7 @@ func newCert(t *testing.T, opts ...certOpt) (cert certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type keyWrapper struct { - privKey *rsa2.PrivateKey + privKey *rsa.PrivateKey pem []byte } diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 5c317e8704fe..bf67d3ebf879 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -469,7 +469,7 @@ func TestGetPublicKeySize(t *testing.T) { if err != nil { t.Fatal(err) } - if GetPublicKeySize(&rsa2.PublicKey) != 3072 { + if GetPublicKeySize(&rsa.PublicKey) != 3072 { t.Fatal("unexpected rsa key size") } ecdsa, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) @@ -864,7 +864,7 @@ func setCerts() { func TestComparePublicKeysAndType(t *testing.T) { rsa1 := genRsaKey(t).Public() - rsa2 := genRsaKey(t).Public() + rsa := genRsaKey(t).Public() eddsa1 := genEdDSA(t).Public() eddsa2 := genEdDSA(t).Public() ed25519_1, _ := genEd25519Key(t) @@ -881,7 +881,7 @@ func TestComparePublicKeysAndType(t *testing.T) { wantErr bool }{ {name: "RSA_Equal", args: args{key1Iface: rsa1, key2Iface: rsa1}, want: true, wantErr: false}, - {name: "RSA_NotEqual", args: args{key1Iface: rsa1, key2Iface: rsa2}, want: false, wantErr: false}, + {name: "RSA_NotEqual", args: args{key1Iface: rsa1, key2Iface: rsa}, want: false, wantErr: false}, {name: "EDDSA_Equal", args: args{key1Iface: eddsa1, key2Iface: eddsa1}, want: true, wantErr: false}, {name: "EDDSA_NotEqual", args: args{key1Iface: eddsa1, key2Iface: eddsa2}, want: false, wantErr: false}, {name: "ED25519_Equal", args: args{key1Iface: ed25519_1, key2Iface: ed25519_1}, want: true, wantErr: false}, @@ -1105,7 +1105,7 @@ func TestIgnoreCSRSigning(t *testing.T) { }) } -func genRsaKey(t *testing.T) *rsa2.PrivateKey { +func genRsaKey(t *testing.T) *rsa.PrivateKey { key, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) if err != nil { t.Fatal(err) diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index ad7e2e544b8d..1c673b058acd 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -11,7 +11,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -156,7 +156,7 @@ func getSubjectKeyIDFromBundle(data *CreationBundle) ([]byte, error) { func GetSubjectKeyID(pub interface{}) ([]byte, error) { var publicKeyBytes []byte switch pub := pub.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: type pkcs1PublicKey struct { N *big.Int E int @@ -233,7 +233,7 @@ func ParseDERKey(privateKeyBytes []byte) (signer crypto.Signer, format BlockType var rawKey interface{} if rawKey, thirdError = x509.ParsePKCS8PrivateKey(privateKeyBytes); thirdError == nil { switch rawSigner := rawKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: signer = rawSigner case *ecdsa.PrivateKey: signer = rawSigner @@ -368,11 +368,11 @@ func generatePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyC return errutil.InternalError{Err: fmt.Sprintf("insecure bit length for RSA private key: %d", keyBits)} } privateKeyType = RSAPrivateKey - privateKey, err = rsa2.GenerateKey(randReader, keyBits) + privateKey, err = rsa.GenerateKey(randReader, keyBits) if err != nil { return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)} } - privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa2.PrivateKey)) + privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa.PrivateKey)) case "ec": privateKeyType = ECPrivateKey var curve elliptic.Curve @@ -450,9 +450,9 @@ func ComparePublicKeysAndType(key1Iface, key2Iface crypto.PublicKey) (bool, erro // returns an error if public key types are mismatched, or they are an unsupported key type. func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) { switch key1Iface.(type) { - case *rsa2.PublicKey: - key1 := key1Iface.(*rsa2.PublicKey) - key2, ok := key2Iface.(*rsa2.PublicKey) + case *rsa.PublicKey: + key1 := key1Iface.(*rsa.PublicKey) + key2, ok := key2Iface.(*rsa.PublicKey) if !ok { return false, fmt.Errorf("key types do not match: %T and %T", key1Iface, key2Iface) } @@ -516,7 +516,7 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) { } switch key := rawKey.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: return key, nil case *ecdsa.PublicKey: return key, nil @@ -1422,7 +1422,7 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { // GetPublicKeySize returns the key size in bits for a given arbitrary crypto.PublicKey // Returns -1 for an unsupported key type. func GetPublicKeySize(key crypto.PublicKey) int { - if key, ok := key.(*rsa2.PublicKey); ok { + if key, ok := key.(*rsa.PublicKey); ok { return key.Size() * 8 } if key, ok := key.(*ecdsa.PublicKey); ok { @@ -2049,7 +2049,7 @@ func FindBitLength(publicKey any) int { return 0 } switch pub := publicKey.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: return pub.N.BitLen() case *ecdsa.PublicKey: switch pub.Curve { diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go index a0a53dcd084e..4f16659c1dd6 100644 --- a/sdk/helper/certutil/types.go +++ b/sdk/helper/certutil/types.go @@ -16,7 +16,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -153,7 +153,7 @@ type KeyBundle struct { func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // We look at the public key types to work-around limitations/typing of managed keys. switch signer.Public().(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -167,7 +167,7 @@ func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // that would be associated with it, returning UnknownPrivateKey for unsupported types func GetPrivateKeyTypeFromPublicKey(pubKey crypto.PublicKey) PrivateKeyType { switch pubKey.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -449,7 +449,7 @@ func (p *ParsedCertBundle) getSigner() (crypto.Signer, error) { case PKCS8Block: if k, err := x509.ParsePKCS8PrivateKey(p.PrivateKeyBytes); err == nil { switch k := k.(type) { - case *rsa2.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: + case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: return k.(crypto.Signer), nil default: return nil, errutil.UserError{Err: "Found unknown private key type in pkcs#8 wrapping"} @@ -478,7 +478,7 @@ func getPKCS8Type(bs []byte) (PrivateKeyType, error) { switch k.(type) { case *ecdsa.PrivateKey: return ECPrivateKey, nil - case *rsa2.PrivateKey: + case *rsa.PrivateKey: return RSAPrivateKey, nil case ed25519.PrivateKey: return Ed25519PrivateKey, nil diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index 1ca9bca1e974..632db2643faf 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -14,7 +14,7 @@ import ( "crypto/elliptic" "crypto/hmac" "crypto/rand" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/asn1" @@ -324,8 +324,8 @@ type KeyEntry struct { EC_Y *big.Int `json:"ec_y"` EC_D *big.Int `json:"ec_d"` - RSAKey *rsa2.PrivateKey `json:"rsa_key"` - RSAPublicKey *rsa2.PublicKey `json:"rsa_public_key"` + RSAKey *rsa.PrivateKey `json:"rsa_key"` + RSAPublicKey *rsa.PublicKey `json:"rsa_public_key"` // The public key in an appropriate format for the type of key FormattedPublicKey string `json:"public_key"` @@ -466,7 +466,7 @@ func LoadPolicy(ctx context.Context, s logical.Storage, path string) (*Policy, e case KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096: for _, entry := range policy.Keys { if entry.RSAPublicKey == nil && entry.RSAKey != nil { - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) } } } @@ -1123,9 +1123,9 @@ func (p *Policy) DecryptWithFactory(context, nonce []byte, value string, factori switch paddingScheme { case PaddingScheme_PKCS1v15: - plain, err = rsa2.DecryptPKCS1v15(rand.Reader, key, decoded) + plain, err = rsa.DecryptPKCS1v15(rand.Reader, key, decoded) case PaddingScheme_OAEP: - plain, err = rsa2.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) + plain, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -1211,14 +1211,14 @@ func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, si return p.SignWithOptions(ver, context, input, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa2.PSSSaltLengthAuto, + SaltLength: rsa.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } func (p *Policy) minRSAPSSSaltLength() int { // https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/crypto/rsa/pss.go;l=247 - return rsa2.PSSSaltLengthEqualsHash + return rsa.PSSSaltLengthEqualsHash } func (p *Policy) maxRSAPSSSaltLength(keyBitLen int, hash crypto.Hash) int { @@ -1371,12 +1371,12 @@ func (p *Policy) SignWithOptions(ver int, context, input []byte, options *Signin if !p.validRSAPSSSaltLength(key.N.BitLen(), algo, saltLength) { return nil, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - sig, err = rsa2.SignPSS(rand.Reader, key, algo, input, &rsa2.PSSOptions{SaltLength: saltLength}) + sig, err = rsa.SignPSS(rand.Reader, key, algo, input, &rsa.PSSOptions{SaltLength: saltLength}) if err != nil { return nil, err } case "pkcs1v15": - sig, err = rsa2.SignPKCS1v15(rand.Reader, key, algo, input) + sig, err = rsa.SignPKCS1v15(rand.Reader, key, algo, input) if err != nil { return nil, err } @@ -1407,7 +1407,7 @@ func (p *Policy) VerifySignature(context, input []byte, hashAlgorithm HashType, return p.VerifySignatureWithOptions(context, input, sig, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa2.PSSSaltLengthAuto, + SaltLength: rsa.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } @@ -1568,13 +1568,13 @@ func (p *Policy) VerifySignatureWithOptions(context, input []byte, sig string, o if !p.validRSAPSSSaltLength(publicKey.N.BitLen(), algo, saltLength) { return false, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - err = rsa2.VerifyPSS(publicKey, algo, input, sigBytes, &rsa2.PSSOptions{SaltLength: saltLength}) + err = rsa.VerifyPSS(publicKey, algo, input, sigBytes, &rsa.PSSOptions{SaltLength: saltLength}) case "pkcs1v15": publicKey := keyEntry.RSAPublicKey if !keyEntry.IsPrivateKeyMissing() { publicKey = &keyEntry.RSAKey.PublicKey } - err = rsa2.VerifyPKCS1v15(publicKey, algo, input, sigBytes) + err = rsa.VerifyPKCS1v15(publicKey, algo, input, sigBytes) default: return false, errutil.InternalError{Err: fmt.Sprintf("unsupported rsa signature algorithm %s", sigAlgorithm)} } @@ -1831,7 +1831,7 @@ func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error) { return err } - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) default: if err := entRotateInMemory(p, &entry, randReader); err != nil { @@ -2219,7 +2219,7 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value if err != nil { return "", err } - var publicKey *rsa2.PublicKey + var publicKey *rsa.PublicKey if keyEntry.RSAKey != nil { publicKey = &keyEntry.RSAKey.PublicKey } else { @@ -2227,9 +2227,9 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value } switch paddingScheme { case PaddingScheme_PKCS1v15: - ciphertext, err = rsa2.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) + ciphertext, err = rsa.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) case PaddingScheme_OAEP: - ciphertext, err = rsa2.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) + ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -2358,8 +2358,8 @@ func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical if !publicKey.(*ecdsa.PublicKey).Equal(&ecdsaKey.PublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } - case *rsa2.PrivateKey: - rsaKey := parsedPrivateKey.(*rsa2.PrivateKey) + case *rsa.PrivateKey: + rsaKey := parsedPrivateKey.(*rsa.PrivateKey) if !rsaKey.PublicKey.Equal(keyEntry.RSAPublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } @@ -2454,7 +2454,7 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { publicKey := parsedKey.(ed25519.PublicKey) ke.FormattedPublicKey = base64.StdEncoding.EncodeToString(publicKey) } - case *rsa2.PrivateKey, *rsa2.PublicKey: + case *rsa.PrivateKey, *rsa.PublicKey: if PolKeyType != KeyType_RSA2048 && PolKeyType != KeyType_RSA3072 && PolKeyType != KeyType_RSA4096 { return fmt.Errorf("invalid key type: expected %s, got %T", PolKeyType, parsedKey) } @@ -2466,15 +2466,15 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { keyBytes = 512 } - rsaKey, ok := parsedKey.(*rsa2.PrivateKey) + rsaKey, ok := parsedKey.(*rsa.PrivateKey) if ok { if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } ke.RSAKey = rsaKey - ke.RSAPublicKey = rsaKey.Public().(*rsa2.PublicKey) + ke.RSAPublicKey = rsaKey.Public().(*rsa.PublicKey) } else { - rsaKey := parsedKey.(*rsa2.PublicKey) + rsaKey := parsedKey.(*rsa.PublicKey) if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } @@ -2542,7 +2542,7 @@ func (ke *KeyEntry) WrapKey(targetKey any, targetKeyType KeyType, hash hash.Hash return result, nil } -func wrapTargetPKCS8ForImport(wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { +func wrapTargetPKCS8ForImport(wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { // Generate an ephemeral AES-256 key ephKey, err := uuid.GenerateRandomBytes(32) if err != nil { @@ -2550,7 +2550,7 @@ func wrapTargetPKCS8ForImport(wrappingKey *rsa2.PublicKey, preppedTargetKey []by } // Wrap ephemeral AES key with public wrapping key - ephKeyWrapped, err := rsa2.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) + ephKeyWrapped, err := rsa.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) if err != nil { return "", fmt.Errorf("failed to encrypt ephemeral wrapping key with public key: %w", err) } @@ -2702,7 +2702,7 @@ func (p *Policy) ValidateLeafCertKeyMatch(keyVersion int, certPublicKeyAlgorithm return publicKey.Equal(certPublicKey), nil case x509.RSA: - certPublicKey := certPublicKey.(*rsa2.PublicKey) + certPublicKey := certPublicKey.(*rsa.PublicKey) publicKey := keyEntry.RSAKey.PublicKey return publicKey.Equal(certPublicKey), nil diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index 05b68202c9cf..ebc004d4e937 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -969,7 +969,7 @@ func Test_RSA_PSS(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, + test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1084,7 +1084,7 @@ func Test_RSA_PSS(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa2.PrivateKey) + rsaKey := rsaKeyAny.(*rsa.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { @@ -1117,7 +1117,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, padding PaddingScheme) { + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, padding PaddingScheme) { // 1. Make a signature with the given key size and hash algorithm. t.Log(tabs[3], "Make an automatic signature") ct, err := p.EncryptWithFactory(0, nil, nil, string(input), padding) @@ -1152,7 +1152,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa2.PrivateKey) + rsaKey := rsaKeyAny.(*rsa.PrivateKey) for _, padding := range []PaddingScheme{PaddingScheme_OAEP, PaddingScheme_PKCS1v15, ""} { t.Run(fmt.Sprintf("%s/%s", rsaKeyType.String(), padding), func(t *testing.T) { test_RSA_PKCS1(t, p, rsaKey, padding) }) } @@ -1173,7 +1173,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1229,7 +1229,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa2.PrivateKey) + rsaKey := rsaKeyAny.(*rsa.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { diff --git a/sdk/helper/keysutil/util.go b/sdk/helper/keysutil/util.go index cb3a0821d0ca..dbba7ec1fb70 100644 --- a/sdk/helper/keysutil/util.go +++ b/sdk/helper/keysutil/util.go @@ -68,7 +68,7 @@ func isEd25519OID(oid asn1.ObjectIdentifier) bool { // ParsePKCS8Ed25519PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form. // -// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". @@ -125,7 +125,7 @@ func ParsePKCS8Ed25519PrivateKey(der []byte) (key interface{}, err error) { // // This helper only supports RSA/PSS keys (with OID 1.2.840.113549.1.1.10). // -// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". From 19f23bb282d8a19ef1aacef08b4641c1e5aa3122 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 13:03:17 -0600 Subject: [PATCH 14/28] move cryptoutil/rsa.go to sdk --- builtin/logical/database/credentials.go | 3 +- builtin/logical/pki/ca_util_test.go | 3 +- builtin/logical/ssh/path_config_ca.go | 3 +- builtin/logical/ssh/util.go | 4 +- go.sum | 2 + .../testhelpers/certhelpers/cert_helpers.go | 2 +- plugins/database/mongodb/cert_helpers_test.go | 2 +- {helper => sdk/helper}/cryptoutil/rsa.go | 0 sdk/helper/keysutil/policy.go | 52 +++++++++---------- 9 files changed, 38 insertions(+), 33 deletions(-) rename {helper => sdk/helper}/cryptoutil/rsa.go (100%) diff --git a/builtin/logical/database/credentials.go b/builtin/logical/database/credentials.go index 9a5867745eda..89e5b438a219 100644 --- a/builtin/logical/database/credentials.go +++ b/builtin/logical/database/credentials.go @@ -14,7 +14,8 @@ import ( "strings" "time" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" + "github.com/hashicorp/vault/helper/random" "github.com/hashicorp/vault/sdk/database/dbplugin/v5" "github.com/hashicorp/vault/sdk/helper/certutil" diff --git a/builtin/logical/pki/ca_util_test.go b/builtin/logical/pki/ca_util_test.go index fc70feeb7993..96d60e2c302d 100644 --- a/builtin/logical/pki/ca_util_test.go +++ b/builtin/logical/pki/ca_util_test.go @@ -11,7 +11,8 @@ import ( "crypto/rand" "testing" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/certutil" ) diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index 99271dae3e62..e89b3d302896 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -16,8 +16,9 @@ import ( "fmt" "io" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" + multierror "github.com/hashicorp/go-multierror" - "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/logical" "github.com/mikesmitty/edkey" diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go index 2e1bc0794d53..5ba5633761e5 100644 --- a/builtin/logical/ssh/util.go +++ b/builtin/logical/ssh/util.go @@ -13,9 +13,9 @@ import ( "net" "strings" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" + "github.com/hashicorp/go-secure-stdlib/parseutil" - "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "golang.org/x/crypto/ssh" ) diff --git a/go.sum b/go.sum index eb9b8e6e2ef6..0c97310baa4b 100644 --- a/go.sum +++ b/go.sum @@ -1453,6 +1453,8 @@ github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 h1:I8bynUKMh9I7JdwtW9voJ0xm github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= +github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a h1:ErXVzNyN1fr8V/ovbi9ioM8YXZLBxfe5hPlmBGn5sXY= +github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a/go.mod h1:hH8rgXHh9fPSDPerG6WzABHsHF+9ZpLhRI1LPk4JZ8c= github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0 h1:f2mwVgMJjXuX/+eWD6ZW30+oIRgCofL+XMWknFkB1WM= github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0/go.mod h1:uwcr2oga9pN5+OkHZyTN5MDk3+1YHOuMukhpnPaQAoI= github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 h1:9um9R8i0+HbRHS9d64kdvWR0/LJvo12sIonvR9zr1+U= diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index 06f756e0088d..ac5858d0d4b4 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -18,7 +18,7 @@ import ( "testing" "time" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" ) type CertBuilder struct { diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 129ec51dac4f..3811fc8f6d15 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -17,7 +17,7 @@ import ( "testing" "time" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" ) type certBuilder struct { diff --git a/helper/cryptoutil/rsa.go b/sdk/helper/cryptoutil/rsa.go similarity index 100% rename from helper/cryptoutil/rsa.go rename to sdk/helper/cryptoutil/rsa.go diff --git a/sdk/helper/keysutil/policy.go b/sdk/helper/keysutil/policy.go index 90cc265f4b74..3e4be8b1cd71 100644 --- a/sdk/helper/keysutil/policy.go +++ b/sdk/helper/keysutil/policy.go @@ -14,7 +14,7 @@ import ( "crypto/elliptic" "crypto/hmac" "crypto/rand" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/asn1" @@ -35,7 +35,7 @@ import ( "github.com/hashicorp/errwrap" "github.com/hashicorp/go-uuid" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/kdf" @@ -324,8 +324,8 @@ type KeyEntry struct { EC_Y *big.Int `json:"ec_y"` EC_D *big.Int `json:"ec_d"` - RSAKey *rsa2.PrivateKey `json:"rsa_key"` - RSAPublicKey *rsa2.PublicKey `json:"rsa_public_key"` + RSAKey *rsa.PrivateKey `json:"rsa_key"` + RSAPublicKey *rsa.PublicKey `json:"rsa_public_key"` // The public key in an appropriate format for the type of key FormattedPublicKey string `json:"public_key"` @@ -466,7 +466,7 @@ func LoadPolicy(ctx context.Context, s logical.Storage, path string) (*Policy, e case KeyType_RSA2048, KeyType_RSA3072, KeyType_RSA4096: for _, entry := range policy.Keys { if entry.RSAPublicKey == nil && entry.RSAKey != nil { - entry.RSAPublicKey = entry.RSAKey.Public().(*rsa2.PublicKey) + entry.RSAPublicKey = entry.RSAKey.Public().(*rsa.PublicKey) } } } @@ -1123,9 +1123,9 @@ func (p *Policy) DecryptWithFactory(context, nonce []byte, value string, factori switch paddingScheme { case PaddingScheme_PKCS1v15: - plain, err = rsa2.DecryptPKCS1v15(rand.Reader, key, decoded) + plain, err = rsa.DecryptPKCS1v15(rand.Reader, key, decoded) case PaddingScheme_OAEP: - plain, err = rsa2.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) + plain, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, key, decoded, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -1211,14 +1211,14 @@ func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, si return p.SignWithOptions(ver, context, input, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa2.PSSSaltLengthAuto, + SaltLength: rsa.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } func (p *Policy) minRSAPSSSaltLength() int { // https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/crypto/rsa/pss.go;l=247 - return rsa2.PSSSaltLengthEqualsHash + return rsa.PSSSaltLengthEqualsHash } func (p *Policy) maxRSAPSSSaltLength(keyBitLen int, hash crypto.Hash) int { @@ -1371,12 +1371,12 @@ func (p *Policy) SignWithOptions(ver int, context, input []byte, options *Signin if !p.validRSAPSSSaltLength(key.N.BitLen(), algo, saltLength) { return nil, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - sig, err = rsa2.SignPSS(rand.Reader, key, algo, input, &rsa2.PSSOptions{SaltLength: saltLength}) + sig, err = rsa.SignPSS(rand.Reader, key, algo, input, &rsa.PSSOptions{SaltLength: saltLength}) if err != nil { return nil, err } case "pkcs1v15": - sig, err = rsa2.SignPKCS1v15(rand.Reader, key, algo, input) + sig, err = rsa.SignPKCS1v15(rand.Reader, key, algo, input) if err != nil { return nil, err } @@ -1407,7 +1407,7 @@ func (p *Policy) VerifySignature(context, input []byte, hashAlgorithm HashType, return p.VerifySignatureWithOptions(context, input, sig, &SigningOptions{ HashAlgorithm: hashAlgorithm, Marshaling: marshaling, - SaltLength: rsa2.PSSSaltLengthAuto, + SaltLength: rsa.PSSSaltLengthAuto, SigAlgorithm: sigAlgorithm, }) } @@ -1568,13 +1568,13 @@ func (p *Policy) VerifySignatureWithOptions(context, input []byte, sig string, o if !p.validRSAPSSSaltLength(publicKey.N.BitLen(), algo, saltLength) { return false, errutil.UserError{Err: fmt.Sprintf("requested salt length %d is invalid", saltLength)} } - err = rsa2.VerifyPSS(publicKey, algo, input, sigBytes, &rsa2.PSSOptions{SaltLength: saltLength}) + err = rsa.VerifyPSS(publicKey, algo, input, sigBytes, &rsa.PSSOptions{SaltLength: saltLength}) case "pkcs1v15": publicKey := keyEntry.RSAPublicKey if !keyEntry.IsPrivateKeyMissing() { publicKey = &keyEntry.RSAKey.PublicKey } - err = rsa2.VerifyPKCS1v15(publicKey, algo, input, sigBytes) + err = rsa.VerifyPKCS1v15(publicKey, algo, input, sigBytes) default: return false, errutil.InternalError{Err: fmt.Sprintf("unsupported rsa signature algorithm %s", sigAlgorithm)} } @@ -2219,7 +2219,7 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value if err != nil { return "", err } - var publicKey *rsa2.PublicKey + var publicKey *rsa.PublicKey if keyEntry.RSAKey != nil { publicKey = &keyEntry.RSAKey.PublicKey } else { @@ -2227,9 +2227,9 @@ func (p *Policy) EncryptWithFactory(ver int, context []byte, nonce []byte, value } switch paddingScheme { case PaddingScheme_PKCS1v15: - ciphertext, err = rsa2.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) + ciphertext, err = rsa.EncryptPKCS1v15(rand.Reader, publicKey, plaintext) case PaddingScheme_OAEP: - ciphertext, err = rsa2.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) + ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, publicKey, plaintext, nil) default: return "", errutil.InternalError{Err: fmt.Sprintf("unsupported RSA padding scheme %s", paddingScheme)} } @@ -2358,8 +2358,8 @@ func (p *Policy) ImportPrivateKeyForVersion(ctx context.Context, storage logical if !publicKey.(*ecdsa.PublicKey).Equal(&ecdsaKey.PublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } - case *rsa2.PrivateKey: - rsaKey := parsedPrivateKey.(*rsa2.PrivateKey) + case *rsa.PrivateKey: + rsaKey := parsedPrivateKey.(*rsa.PrivateKey) if !rsaKey.PublicKey.Equal(keyEntry.RSAPublicKey) { return fmt.Errorf("cannot import key, key pair does not match") } @@ -2454,7 +2454,7 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { publicKey := parsedKey.(ed25519.PublicKey) ke.FormattedPublicKey = base64.StdEncoding.EncodeToString(publicKey) } - case *rsa2.PrivateKey, *rsa2.PublicKey: + case *rsa.PrivateKey, *rsa.PublicKey: if PolKeyType != KeyType_RSA2048 && PolKeyType != KeyType_RSA3072 && PolKeyType != KeyType_RSA4096 { return fmt.Errorf("invalid key type: expected %s, got %T", PolKeyType, parsedKey) } @@ -2466,15 +2466,15 @@ func (ke *KeyEntry) parseFromKey(PolKeyType KeyType, parsedKey any) error { keyBytes = 512 } - rsaKey, ok := parsedKey.(*rsa2.PrivateKey) + rsaKey, ok := parsedKey.(*rsa.PrivateKey) if ok { if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } ke.RSAKey = rsaKey - ke.RSAPublicKey = rsaKey.Public().(*rsa2.PublicKey) + ke.RSAPublicKey = rsaKey.Public().(*rsa.PublicKey) } else { - rsaKey := parsedKey.(*rsa2.PublicKey) + rsaKey := parsedKey.(*rsa.PublicKey) if rsaKey.Size() != keyBytes { return fmt.Errorf("invalid key size: expected %d bytes, got %d bytes", keyBytes, rsaKey.Size()) } @@ -2542,7 +2542,7 @@ func (ke *KeyEntry) WrapKey(targetKey any, targetKeyType KeyType, hash hash.Hash return result, nil } -func wrapTargetPKCS8ForImport(wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { +func wrapTargetPKCS8ForImport(wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hash hash.Hash) (string, error) { // Generate an ephemeral AES-256 key ephKey, err := uuid.GenerateRandomBytes(32) if err != nil { @@ -2550,7 +2550,7 @@ func wrapTargetPKCS8ForImport(wrappingKey *rsa2.PublicKey, preppedTargetKey []by } // Wrap ephemeral AES key with public wrapping key - ephKeyWrapped, err := rsa2.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) + ephKeyWrapped, err := rsa.EncryptOAEP(hash, rand.Reader, wrappingKey, ephKey, []byte{} /* label */) if err != nil { return "", fmt.Errorf("failed to encrypt ephemeral wrapping key with public key: %w", err) } @@ -2702,7 +2702,7 @@ func (p *Policy) ValidateLeafCertKeyMatch(keyVersion int, certPublicKeyAlgorithm return publicKey.Equal(certPublicKey), nil case x509.RSA: - certPublicKey := certPublicKey.(*rsa2.PublicKey) + certPublicKey := certPublicKey.(*rsa.PublicKey) publicKey := keyEntry.RSAKey.PublicKey return publicKey.Equal(certPublicKey), nil From 1df8a42987b1423ed9c31661f7ea2ef213d0cda4 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 13:05:24 -0600 Subject: [PATCH 15/28] move imports too --- builtin/credential/cert/backend_test.go | 2 +- builtin/logical/pki/backend_test.go | 2 +- builtin/logical/pki/ca_test.go | 2 +- builtin/logical/pki/path_acme_test.go | 2 +- builtin/logical/pki/path_config_acme_test.go | 2 +- builtin/logical/pki/path_tidy_test.go | 2 +- builtin/logical/pkiext/pkiext_binary/acme_test.go | 2 +- builtin/logical/transit/path_certificates_test.go | 2 +- builtin/logical/transit/path_import_test.go | 2 +- command/transit_import_key_test.go | 2 +- sdk/helper/certutil/certutil_test.go | 2 +- sdk/helper/certutil/types_test.go | 2 +- sdk/helper/keysutil/policy_test.go | 2 +- vault/identity_store_oidc.go | 3 +-- 14 files changed, 14 insertions(+), 15 deletions(-) diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index a6e74f1e02c0..d585e69cf8d8 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -35,11 +35,11 @@ import ( "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" - "github.com/hashicorp/vault/helper/cryptoutil" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/certutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/tokenutil" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 3ff3ce237b24..af44ed745ffb 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -46,12 +46,12 @@ import ( "github.com/hashicorp/vault/builtin/logical/pki/issuing" "github.com/hashicorp/vault/builtin/logical/pki/parsing" "github.com/hashicorp/vault/builtin/logical/pki/pki_backend" - "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical" "github.com/hashicorp/vault/helper/testhelpers/teststorage" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/testhelpers/schema" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index f3b472262713..c725ef245a0e 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -22,9 +22,9 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" - "github.com/hashicorp/vault/helper/cryptoutil" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" ) diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index ba7d326ea290..ce7e47dd81e3 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -29,10 +29,10 @@ import ( "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki/dnstest" "github.com/hashicorp/vault/helper/constants" - "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index d1f905a54d65..b83a1374a3bb 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -11,7 +11,7 @@ import ( "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/constants" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/stretchr/testify/require" ) diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index e8a06911005b..7f90ea12b135 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -21,9 +21,9 @@ import ( "github.com/armon/go-metrics" "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" - "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/testhelpers/schema" "github.com/hashicorp/vault/sdk/logical" diff --git a/builtin/logical/pkiext/pkiext_binary/acme_test.go b/builtin/logical/pkiext/pkiext_binary/acme_test.go index 5883792830ed..d40b05a91929 100644 --- a/builtin/logical/pkiext/pkiext_binary/acme_test.go +++ b/builtin/logical/pkiext/pkiext_binary/acme_test.go @@ -27,10 +27,10 @@ import ( "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/builtin/logical/pkiext" - "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/testhelpers" "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/sdk/helper/certutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" hDocker "github.com/hashicorp/vault/sdk/helper/docker" "github.com/stretchr/testify/require" "golang.org/x/crypto/acme" diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index 95e27784c0c9..2b4529e22719 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -16,8 +16,8 @@ import ( "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" - "github.com/hashicorp/vault/helper/cryptoutil" vaulthttp "github.com/hashicorp/vault/http" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" "github.com/stretchr/testify/require" diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index 7324ff99ff47..f758c50a1c2d 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -20,7 +20,7 @@ import ( "github.com/hashicorp/go-secure-stdlib/cryptoutil" uuid "github.com/hashicorp/go-uuid" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "github.com/tink-crypto/tink-go/v2/kwp/subtle" ) diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index b8476f0c0e08..01ee800f31b2 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -14,7 +14,7 @@ import ( "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/stretchr/testify/require" ) diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 14ed72ea3187..9015ecda96bb 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -25,7 +25,7 @@ import ( "time" "github.com/fatih/structs" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" ) // Tests converting back and forth between a CertBundle and a ParsedCertBundle. diff --git a/sdk/helper/certutil/types_test.go b/sdk/helper/certutil/types_test.go index 94eba14dbe66..02288d17d77a 100644 --- a/sdk/helper/certutil/types_test.go +++ b/sdk/helper/certutil/types_test.go @@ -11,7 +11,7 @@ import ( "crypto/rand" "testing" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" ) func TestGetPrivateKeyTypeFromPublicKey(t *testing.T) { diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index 05b68202c9cf..eb0b6a66ffb9 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -21,7 +21,7 @@ import ( "testing" "time" - "github.com/hashicorp/vault/helper/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/errutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/logical" diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index a23b75c4de8d..a5c487456b2e 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -23,14 +23,13 @@ import ( "github.com/go-jose/go-jose/v3/jwt" "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/base62" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-uuid" - "github.com/hashicorp/vault/helper/cryptoutil" "github.com/hashicorp/vault/helper/identity" "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/consts" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/helper/identitytpl" "github.com/hashicorp/vault/sdk/logical" "github.com/patrickmn/go-cache" From 6fff9ecae3996a98c332411decfcb606dc3fec86 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 13:15:45 -0600 Subject: [PATCH 16/28] remove makefile change --- Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index e9c46b437592..cce68dd54185 100644 --- a/Makefile +++ b/Makefile @@ -170,11 +170,11 @@ protolint: prep check-tools-external # now run as a pre-commit hook (and there's little value in # making every build run the formatter), we've removed that # dependency. -prep: check-go-version +prep: check-go-version clean @echo "==> Running go generate..." -# @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) -# @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) -# @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) + @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) + @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) + @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) # Git doesn't allow us to store shared hooks in .git. Instead, we make sure they're up-to-date # whenever a make target is invoked. From b56cd5d769be9a68a00524c20e8d0313667a7373 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 13:17:22 -0600 Subject: [PATCH 17/28] rsa2->rsa --- builtin/logical/database/credentials_test.go | 5 +++-- builtin/logical/pki/backend_test.go | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/builtin/logical/database/credentials_test.go b/builtin/logical/database/credentials_test.go index 7284ab48e03b..7f2c4eb3dbb0 100644 --- a/builtin/logical/database/credentials_test.go +++ b/builtin/logical/database/credentials_test.go @@ -6,6 +6,7 @@ package database import ( "context" "crypto/rand" + "crypto/rsa" "crypto/x509" "encoding/pem" "testing" @@ -695,7 +696,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { pub, err := x509.ParsePKIXPublicKey(pubBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, pub) - assert.IsType(t, &rsa2.PublicKey{}, pub) + assert.IsType(t, &rsa.PublicKey{}, pub) // Assert that we can parse the private key PEM block in // the configured format @@ -704,7 +705,7 @@ func Test_rsaKeyGenerator_generate(t *testing.T) { priv, err := x509.ParsePKCS8PrivateKey(privBlock.Bytes) assert.NoError(t, err) assert.NotNil(t, priv) - assert.IsType(t, &rsa2.PrivateKey{}, priv) + assert.IsType(t, &rsa.PrivateKey{}, priv) default: t.Fatal("unknown format") } diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index af44ed745ffb..7dafb781a5c2 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -12,7 +12,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" @@ -411,7 +411,7 @@ func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUs case "rsa": parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey parsedCertBundle.PrivateKey = key - parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa2.PrivateKey)) + parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) case "ec": parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey parsedCertBundle.PrivateKey = key From a68bb6e85d86e18e05911db9994a6bf6ef238135 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 13:25:37 -0600 Subject: [PATCH 18/28] more rsa2->rsa, remove test code --- builtin/logical/pki/ca_util.go | 4 +- builtin/logical/pki/cert_util.go | 13 +---- builtin/logical/pki/integration_test.go | 10 ++-- builtin/logical/pki/issuing/sign_cert.go | 6 +-- builtin/logical/pki/test_helpers.go | 4 +- builtin/logical/transit/path_export_test.go | 3 +- builtin/logical/transit/path_import_test.go | 7 +-- .../logical/transit/path_wrapping_key_test.go | 3 +- helper/pkcs7/pkcs7_test.go | 49 ++++++++++--------- .../testhelpers/certhelpers/cert_helpers.go | 5 +- plugins/database/mongodb/cert_helpers_test.go | 5 +- sdk/helper/certutil/certutil_test.go | 3 +- sdk/helper/certutil/helpers.go | 22 ++++----- sdk/helper/certutil/types.go | 10 ++-- sdk/helper/keysutil/policy_test.go | 13 ++--- sdk/helper/keysutil/util.go | 4 +- 16 files changed, 80 insertions(+), 81 deletions(-) diff --git a/builtin/logical/pki/ca_util.go b/builtin/logical/pki/ca_util.go index bb2071d8072c..2d2478ab8e46 100644 --- a/builtin/logical/pki/ca_util.go +++ b/builtin/logical/pki/ca_util.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/ecdsa" - rsa2 "crypto/rsa" + "crypto/rsa" "errors" "fmt" "io" @@ -229,7 +229,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr var keyBits int switch pubKey.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: keyType = certutil.RSAPrivateKey keyBits = certutil.GetPublicKeySize(pubKey) case *ecdsa.PublicKey: diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index ac5e4dd91420..ae5d3504d465 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -321,15 +321,6 @@ func validateSerialNumber(data *inputBundle, serialNumber string) string { return issuing.ValidateSerialNumber(data.role, serialNumber) } -type slowRand struct { - r io.Reader -} - -func (s *slowRand) Read(p []byte) (n int, err error) { - time.Sleep(50 * time.Millisecond) - return s.r.Read(p) -} - func generateCert(sc *storageContext, input *inputBundle, caSign *certutil.CAInfoBundle, @@ -342,7 +333,7 @@ func generateCert(sc *storageContext, return nil, nil, errutil.InternalError{Err: "no role found in data bundle"} } - if input.role.KeyType == "rsa" && input.role.KeyBits < 1024 { + if input.role.KeyType == "rsa" && input.role.KeyBits < 2048 { return nil, nil, errutil.UserError{Err: "RSA keys < 2048 bits are unsafe and not supported"} } @@ -400,7 +391,7 @@ func generateCert(sc *storageContext, } } - parsedBundle, err := generateCABundle(sc, input, data, &slowRand{randomSource}) + parsedBundle, err := generateCABundle(sc, input, data, randomSource) if err != nil { return nil, nil, err } diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go index b1d152d219d1..1c3da7fa3a1b 100644 --- a/builtin/logical/pki/integration_test.go +++ b/builtin/logical/pki/integration_test.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -331,11 +331,11 @@ func TestIntegration_CSRGeneration(t *testing.T) { expectedPublicKeyType crypto.PublicKey expectedSignature x509.SignatureAlgorithm }{ - {"rsa", false, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSA}, - {"rsa", false, 2048, 384, &rsa2.PublicKey{}, x509.SHA384WithRSA}, + {"rsa", false, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSA}, + {"rsa", false, 2048, 384, &rsa.PublicKey{}, x509.SHA384WithRSA}, // Add back once https://github.com/golang/go/issues/45990 is fixed. - // {"rsa", true, 2048, 0, &rsa2.PublicKey{}, x509.SHA256WithRSAPSS}, - // {"rsa", true, 2048, 512, &rsa2.PublicKey{}, x509.SHA512WithRSAPSS}, + // {"rsa", true, 2048, 0, &rsa.PublicKey{}, x509.SHA256WithRSAPSS}, + // {"rsa", true, 2048, 512, &rsa.PublicKey{}, x509.SHA512WithRSAPSS}, {"ec", false, 224, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 256, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA256}, {"ec", false, 384, 0, &ecdsa.PublicKey{}, x509.ECDSAWithSHA384}, diff --git a/builtin/logical/pki/issuing/sign_cert.go b/builtin/logical/pki/issuing/sign_cert.go index 63633286aaf3..c6548f69521e 100644 --- a/builtin/logical/pki/issuing/sign_cert.go +++ b/builtin/logical/pki/issuing/sign_cert.go @@ -6,7 +6,7 @@ package issuing import ( "crypto/ecdsa" "crypto/ed25519" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/x509" "fmt" @@ -139,7 +139,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi return nil, nil, errutil.UserError{Err: fmt.Sprintf("role requires keys of type %s", role.KeyType)} } - pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } @@ -180,7 +180,7 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi // validate minimums and SignatureBits below. switch csr.PublicKeyAlgorithm { case x509.RSA: - pubKey, ok := csr.PublicKey.(*rsa2.PublicKey) + pubKey, ok := csr.PublicKey.(*rsa.PublicKey) if !ok { return nil, nil, errutil.UserError{Err: "could not parse CSR's public key"} } diff --git a/builtin/logical/pki/test_helpers.go b/builtin/logical/pki/test_helpers.go index cc79999bde01..2806a5dcafd2 100644 --- a/builtin/logical/pki/test_helpers.go +++ b/builtin/logical/pki/test_helpers.go @@ -7,7 +7,7 @@ import ( "context" "crypto" "crypto/rand" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -117,7 +117,7 @@ func requireMatchingPublicKeys(t *testing.T, cert *x509.Certificate, key crypto. require.True(t, areEqual, "public keys mismatched: got: %v, expected: %v", certPubKey, key) } -func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa2.PrivateKey) (string, *x509.Certificate) { +func getSelfSigned(t *testing.T, subject, issuer *x509.Certificate, key *rsa.PrivateKey) (string, *x509.Certificate) { t.Helper() selfSigned, err := x509.CreateCertificate(rand.Reader, subject, issuer, key.Public(), key) if err != nil { diff --git a/builtin/logical/transit/path_export_test.go b/builtin/logical/transit/path_export_test.go index 8a963c15c7f7..b91ef47fb420 100644 --- a/builtin/logical/transit/path_export_test.go +++ b/builtin/logical/transit/path_export_test.go @@ -6,6 +6,7 @@ package transit import ( "context" cryptoRand "crypto/rand" + "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" @@ -600,7 +601,7 @@ func testTransit_exportCertificateChain(t *testing.T, apiClient *api.Client, key pubWrappingKey, err := x509.ParsePKIXPublicKey(wrappingKeyPemBlock.Bytes) require.NoError(t, err, "failed to parse wrapping key") - blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa2.PublicKey), privKeyBytes, "SHA256") + blob := wrapTargetPKCS8ForImport(t, pubWrappingKey.(*rsa.PublicKey), privKeyBytes, "SHA256") // Import key _, err = apiClient.Logical().Write(fmt.Sprintf("/transit/keys/%s/import", keyName), map[string]interface{}{ diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index f758c50a1c2d..148d398c865f 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -10,6 +10,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" + "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" @@ -949,7 +950,7 @@ func TestTransit_ImportVersionWithPublicKeys(t *testing.T) { ) } -func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa2.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { +func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa.PublicKey, targetKey interface{}, targetKeyType string, hashFnName string) string { t.Helper() // Format target key for wrapping @@ -972,7 +973,7 @@ func wrapTargetKeyForImport(t *testing.T, wrappingKey *rsa2.PublicKey, targetKey return wrapTargetPKCS8ForImport(t, wrappingKey, preppedTargetKey, hashFnName) } -func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa2.PublicKey, preppedTargetKey []byte, hashFnName string) string { +func wrapTargetPKCS8ForImport(t *testing.T, wrappingKey *rsa.PublicKey, preppedTargetKey []byte, hashFnName string) string { t.Helper() // Generate an ephemeral AES-256 key @@ -1043,7 +1044,7 @@ func getPublicKey(privateKey crypto.PrivateKey, keyType string) ([]byte, error) var publicKeyBytes []byte switch keyType { case "rsa-2048", "rsa-3072", "rsa-4096": - publicKey = privateKey.(*rsa2.PrivateKey).Public() + publicKey = privateKey.(*rsa.PrivateKey).Public() case "ecdsa-p256", "ecdsa-p384", "ecdsa-p521": publicKey = privateKey.(*ecdsa.PrivateKey).Public() case "ed25519": diff --git a/builtin/logical/transit/path_wrapping_key_test.go b/builtin/logical/transit/path_wrapping_key_test.go index 37328ed0bed1..9ed58e45c284 100644 --- a/builtin/logical/transit/path_wrapping_key_test.go +++ b/builtin/logical/transit/path_wrapping_key_test.go @@ -5,6 +5,7 @@ package transit import ( "context" + "crypto/rsa" "crypto/x509" "encoding/pem" "testing" @@ -50,7 +51,7 @@ func TestTransit_WrappingKey(t *testing.T) { if err != nil { t.Fatalf("failed to parse public wrapping key: %s", err) } - wrappingKey, ok := rawPubKey.(*rsa2.PublicKey) + wrappingKey, ok := rawPubKey.(*rsa.PublicKey) if !ok || wrappingKey.Size() != 512 { t.Fatal("public wrapping key is not a 4096-bit RSA key") } diff --git a/helper/pkcs7/pkcs7_test.go b/helper/pkcs7/pkcs7_test.go index 21f4616d3bf1..7753c174b200 100644 --- a/helper/pkcs7/pkcs7_test.go +++ b/helper/pkcs7/pkcs7_test.go @@ -6,6 +6,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -16,11 +17,11 @@ import ( "time" ) -var test1024Key, test2048Key, test3072Key, test4096Key *rsa2.PrivateKey +var test1024Key, test2048Key, test3072Key, test4096Key *rsa.PrivateKey func init() { - test1024Key = &rsa2.PrivateKey{ - PublicKey: rsa2.PublicKey{ + test1024Key = &rsa.PrivateKey{ + PublicKey: rsa.PublicKey{ N: fromBase10("123024078101403810516614073341068864574068590522569345017786163424062310013967742924377390210586226651760719671658568413826602264886073432535341149584680111145880576802262550990305759285883150470245429547886689754596541046564560506544976611114898883158121012232676781340602508151730773214407220733898059285561"), E: 65537, }, @@ -31,8 +32,8 @@ func init() { }, } test1024Key.Precompute() - test2048Key = &rsa2.PrivateKey{ - PublicKey: rsa2.PublicKey{ + test2048Key = &rsa.PrivateKey{ + PublicKey: rsa.PublicKey{ N: fromBase10("14314132931241006650998084889274020608918049032671858325988396851334124245188214251956198731333464217832226406088020736932173064754214329009979944037640912127943488972644697423190955557435910767690712778463524983667852819010259499695177313115447116110358524558307947613422897787329221478860907963827160223559690523660574329011927531289655711860504630573766609239332569210831325633840174683944553667352219670930408593321661375473885147973879086994006440025257225431977751512374815915392249179976902953721486040787792801849818254465486633791826766873076617116727073077821584676715609985777563958286637185868165868520557"), E: 3, }, @@ -43,8 +44,8 @@ func init() { }, } test2048Key.Precompute() - test3072Key = &rsa2.PrivateKey{ - PublicKey: rsa2.PublicKey{ + test3072Key = &rsa.PrivateKey{ + PublicKey: rsa.PublicKey{ N: fromBase10("4799422180968749215324244710281712119910779465109490663934897082847293004098645365195947978124390029272750644394844443980065532911010718425428791498896288210928474905407341584968381379157418577471272697781778686372450913810019702928839200328075568223462554606149618941566459398862673532997592879359280754226882565483298027678735544377401276021471356093819491755877827249763065753555051973844057308627201762456191918852016986546071426986328720794061622370410645440235373576002278045257207695462423797272017386006110722769072206022723167102083033531426777518054025826800254337147514768377949097720074878744769255210076910190151785807232805749219196645305822228090875616900385866236956058984170647782567907618713309775105943700661530312800231153745705977436176908325539234432407050398510090070342851489496464612052853185583222422124535243967989533830816012180864309784486694786581956050902756173889941244024888811572094961378021"), E: 65537, }, @@ -55,8 +56,8 @@ func init() { }, } test3072Key.Precompute() - test4096Key = &rsa2.PrivateKey{ - PublicKey: rsa2.PublicKey{ + test4096Key = &rsa.PrivateKey{ + PublicKey: rsa.PublicKey{ N: fromBase10("633335480064287130853997429184971616419051348693342219741748040433588285601270210251206421401040394238592139790962887290698043839174341843721930134010306454716566698330215646704263665452264344664385995704186692432827662862845900348526672531755932642433662686500295989783595767573119607065791980381547677840410600100715146047382485989885183858757974681241303484641390718944520330953604501686666386926996348457928415093305041429178744778762826377713889019740060910363468343855830206640274442887621960581569183233822878661711798998132931623726434336448716605363514220760343097572198620479297583609779817750646169845195672483600293522186340560792255595411601450766002877850696008003794520089358819042318331840490155176019070646738739580486357084733208876620846449161909966690602374519398451042362690200166144326179405976024265116931974936425064291406950542193873313447617169603706868220189295654943247311295475722243471700112334609817776430552541319671117235957754556272646031356496763094955985615723596562217985372503002989591679252640940571608314743271809251568670314461039035793703429977801961867815257832671786542212589906513979094156334941265621017752516999186481477500481433634914622735206243841674973785078408289183000133399026553"), E: 65537, }, @@ -127,7 +128,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA256WithRSA: priv = test2048Key switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -137,7 +138,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA384WithRSA: priv = test3072Key switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -147,7 +148,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case x509.SHA512WithRSA: priv = test4096Key switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -160,7 +161,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA256WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA256 @@ -173,7 +174,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA384WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA384 @@ -186,7 +187,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 return nil, err } switch issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: template.SignatureAlgorithm = x509.SHA512WithRSA case *ecdsa.PrivateKey: template.SignatureAlgorithm = x509.ECDSAWithSHA512 @@ -207,19 +208,19 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 log.Println("creating cert", name, "issued by", issuerCert.Subject.CommonName, "with sigalg", sigAlg) switch priv.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: switch issuerKey.(type) { - case *rsa2.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) + case *rsa.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) case *ecdsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa2.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*rsa.PrivateKey).Public(), issuerKey.(*dsa.PrivateKey)) } case *ecdsa.PrivateKey: switch issuerKey.(type) { - case *rsa2.PrivateKey: - derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa2.PrivateKey)) + case *rsa.PrivateKey: + derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*rsa.PrivateKey)) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*ecdsa.PrivateKey).Public(), issuerKey.(*ecdsa.PrivateKey)) case *dsa.PrivateKey: @@ -228,7 +229,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 case *dsa.PrivateKey: pub := &priv.(*dsa.PrivateKey).PublicKey switch issuerKey := issuerKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, pub, issuerKey) case *ecdsa.PrivateKey: derCert, err = x509.CreateCertificate(rand.Reader, &template, issuerCert, priv.(*dsa.PublicKey), issuerKey) @@ -256,7 +257,7 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509 type TestFixture struct { Input []byte Certificate *x509.Certificate - PrivateKey *rsa2.PrivateKey + PrivateKey *rsa.PrivateKey } func UnmarshalTestFixture(testPEMBlock string) TestFixture { diff --git a/helper/testhelpers/certhelpers/cert_helpers.go b/helper/testhelpers/certhelpers/cert_helpers.go index ac5858d0d4b4..e0b31fcc0e5b 100644 --- a/helper/testhelpers/certhelpers/cert_helpers.go +++ b/helper/testhelpers/certhelpers/cert_helpers.go @@ -7,6 +7,7 @@ import ( "bytes" "crypto" "crypto/rand" + "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -26,7 +27,7 @@ type CertBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa2.PrivateKey + parentKey *rsa.PrivateKey isCA bool } @@ -160,7 +161,7 @@ func NewCert(t *testing.T, opts ...CertOpt) (cert Certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type KeyWrapper struct { - PrivKey *rsa2.PrivateKey + PrivKey *rsa.PrivateKey Pem []byte } diff --git a/plugins/database/mongodb/cert_helpers_test.go b/plugins/database/mongodb/cert_helpers_test.go index 3811fc8f6d15..9082055c643c 100644 --- a/plugins/database/mongodb/cert_helpers_test.go +++ b/plugins/database/mongodb/cert_helpers_test.go @@ -7,6 +7,7 @@ import ( "bytes" "crypto" "crypto/rand" + "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -25,7 +26,7 @@ type certBuilder struct { parentTmpl *x509.Certificate selfSign bool - parentKey *rsa2.PrivateKey + parentKey *rsa.PrivateKey isCA bool } @@ -148,7 +149,7 @@ func newCert(t *testing.T, opts ...certOpt) (cert certificate) { // Private Key // //////////////////////////////////////////////////////////////////////////// type keyWrapper struct { - privKey *rsa2.PrivateKey + privKey *rsa.PrivateKey pem []byte } diff --git a/sdk/helper/certutil/certutil_test.go b/sdk/helper/certutil/certutil_test.go index 9015ecda96bb..5151b37cf6e8 100644 --- a/sdk/helper/certutil/certutil_test.go +++ b/sdk/helper/certutil/certutil_test.go @@ -10,6 +10,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -469,7 +470,7 @@ func TestGetPublicKeySize(t *testing.T) { if err != nil { t.Fatal(err) } - if GetPublicKeySize(&rsa2.PublicKey) != 3072 { + if GetPublicKeySize(&rsa.PublicKey) != 3072 { t.Fatal("unexpected rsa key size") } ecdsa, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index ad7e2e544b8d..1c673b058acd 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -11,7 +11,7 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rand" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/sha1" "crypto/tls" "crypto/x509" @@ -156,7 +156,7 @@ func getSubjectKeyIDFromBundle(data *CreationBundle) ([]byte, error) { func GetSubjectKeyID(pub interface{}) ([]byte, error) { var publicKeyBytes []byte switch pub := pub.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: type pkcs1PublicKey struct { N *big.Int E int @@ -233,7 +233,7 @@ func ParseDERKey(privateKeyBytes []byte) (signer crypto.Signer, format BlockType var rawKey interface{} if rawKey, thirdError = x509.ParsePKCS8PrivateKey(privateKeyBytes); thirdError == nil { switch rawSigner := rawKey.(type) { - case *rsa2.PrivateKey: + case *rsa.PrivateKey: signer = rawSigner case *ecdsa.PrivateKey: signer = rawSigner @@ -368,11 +368,11 @@ func generatePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyC return errutil.InternalError{Err: fmt.Sprintf("insecure bit length for RSA private key: %d", keyBits)} } privateKeyType = RSAPrivateKey - privateKey, err = rsa2.GenerateKey(randReader, keyBits) + privateKey, err = rsa.GenerateKey(randReader, keyBits) if err != nil { return errutil.InternalError{Err: fmt.Sprintf("error generating RSA private key: %v", err)} } - privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa2.PrivateKey)) + privateKeyBytes = x509.MarshalPKCS1PrivateKey(privateKey.(*rsa.PrivateKey)) case "ec": privateKeyType = ECPrivateKey var curve elliptic.Curve @@ -450,9 +450,9 @@ func ComparePublicKeysAndType(key1Iface, key2Iface crypto.PublicKey) (bool, erro // returns an error if public key types are mismatched, or they are an unsupported key type. func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) { switch key1Iface.(type) { - case *rsa2.PublicKey: - key1 := key1Iface.(*rsa2.PublicKey) - key2, ok := key2Iface.(*rsa2.PublicKey) + case *rsa.PublicKey: + key1 := key1Iface.(*rsa.PublicKey) + key2, ok := key2Iface.(*rsa.PublicKey) if !ok { return false, fmt.Errorf("key types do not match: %T and %T", key1Iface, key2Iface) } @@ -516,7 +516,7 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) { } switch key := rawKey.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: return key, nil case *ecdsa.PublicKey: return key, nil @@ -1422,7 +1422,7 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { // GetPublicKeySize returns the key size in bits for a given arbitrary crypto.PublicKey // Returns -1 for an unsupported key type. func GetPublicKeySize(key crypto.PublicKey) int { - if key, ok := key.(*rsa2.PublicKey); ok { + if key, ok := key.(*rsa.PublicKey); ok { return key.Size() * 8 } if key, ok := key.(*ecdsa.PublicKey); ok { @@ -2049,7 +2049,7 @@ func FindBitLength(publicKey any) int { return 0 } switch pub := publicKey.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: return pub.N.BitLen() case *ecdsa.PublicKey: switch pub.Curve { diff --git a/sdk/helper/certutil/types.go b/sdk/helper/certutil/types.go index a0a53dcd084e..4f16659c1dd6 100644 --- a/sdk/helper/certutil/types.go +++ b/sdk/helper/certutil/types.go @@ -16,7 +16,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - rsa2 "crypto/rsa" + "crypto/rsa" "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -153,7 +153,7 @@ type KeyBundle struct { func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // We look at the public key types to work-around limitations/typing of managed keys. switch signer.Public().(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -167,7 +167,7 @@ func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { // that would be associated with it, returning UnknownPrivateKey for unsupported types func GetPrivateKeyTypeFromPublicKey(pubKey crypto.PublicKey) PrivateKeyType { switch pubKey.(type) { - case *rsa2.PublicKey: + case *rsa.PublicKey: return RSAPrivateKey case *ecdsa.PublicKey: return ECPrivateKey @@ -449,7 +449,7 @@ func (p *ParsedCertBundle) getSigner() (crypto.Signer, error) { case PKCS8Block: if k, err := x509.ParsePKCS8PrivateKey(p.PrivateKeyBytes); err == nil { switch k := k.(type) { - case *rsa2.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: + case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: return k.(crypto.Signer), nil default: return nil, errutil.UserError{Err: "Found unknown private key type in pkcs#8 wrapping"} @@ -478,7 +478,7 @@ func getPKCS8Type(bs []byte) (PrivateKeyType, error) { switch k.(type) { case *ecdsa.PrivateKey: return ECPrivateKey, nil - case *rsa2.PrivateKey: + case *rsa.PrivateKey: return RSAPrivateKey, nil case ed25519.PrivateKey: return Ed25519PrivateKey, nil diff --git a/sdk/helper/keysutil/policy_test.go b/sdk/helper/keysutil/policy_test.go index eb0b6a66ffb9..dd125e0b88c1 100644 --- a/sdk/helper/keysutil/policy_test.go +++ b/sdk/helper/keysutil/policy_test.go @@ -9,6 +9,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" + "crypto/rsa" "crypto/x509" "encoding/base64" "errors" @@ -969,7 +970,7 @@ func Test_RSA_PSS(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, + test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1084,7 +1085,7 @@ func Test_RSA_PSS(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa2.PrivateKey) + rsaKey := rsaKeyAny.(*rsa.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { @@ -1117,7 +1118,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, padding PaddingScheme) { + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, padding PaddingScheme) { // 1. Make a signature with the given key size and hash algorithm. t.Log(tabs[3], "Make an automatic signature") ct, err := p.EncryptWithFactory(0, nil, nil, string(input), padding) @@ -1152,7 +1153,7 @@ func Test_RSA_PKCS1Encryption(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa2.PrivateKey) + rsaKey := rsaKeyAny.(*rsa.PrivateKey) for _, padding := range []PaddingScheme{PaddingScheme_OAEP, PaddingScheme_PKCS1v15, ""} { t.Run(fmt.Sprintf("%s/%s", rsaKeyType.String(), padding), func(t *testing.T) { test_RSA_PKCS1(t, p, rsaKey, padding) }) } @@ -1173,7 +1174,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { tabs[i] = strings.Repeat("\t", i) } - test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa2.PrivateKey, hashType HashType, + test_RSA_PKCS1 := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType, marshalingType MarshalingType, ) { unsaltedOptions := SigningOptions{ @@ -1229,7 +1230,7 @@ func Test_RSA_PKCS1Signing(t *testing.T) { if err != nil { t.Fatalf("error parsing test keys: %s", err) } - rsaKey := rsaKeyAny.(*rsa2.PrivateKey) + rsaKey := rsaKeyAny.(*rsa.PrivateKey) // 2. For each hash algorithm... for hashAlgorithm, hashType := range HashTypeMap { diff --git a/sdk/helper/keysutil/util.go b/sdk/helper/keysutil/util.go index cb3a0821d0ca..dbba7ec1fb70 100644 --- a/sdk/helper/keysutil/util.go +++ b/sdk/helper/keysutil/util.go @@ -68,7 +68,7 @@ func isEd25519OID(oid asn1.ObjectIdentifier) bool { // ParsePKCS8Ed25519PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form. // -// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". @@ -125,7 +125,7 @@ func ParsePKCS8Ed25519PrivateKey(der []byte) (key interface{}, err error) { // // This helper only supports RSA/PSS keys (with OID 1.2.840.113549.1.1.10). // -// It returns a *rsa2.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. +// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey. // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". From 3c65e56d486ed113372d77eaf138d9d871061396 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 13:28:37 -0600 Subject: [PATCH 19/28] fix some overzelous search/replace --- builtin/logical/pki/path_revoke.go | 2 +- builtin/logical/pki/path_root.go | 2 +- builtin/logical/ssh/path_config_ca.go | 3 +-- builtin/logical/ssh/path_issue_sign.go | 2 +- command/transit_import_key_test.go | 21 ++++++++++----------- helper/pkcs7/decrypt.go | 2 +- helper/pkcs7/encrypt.go | 2 +- 7 files changed, 16 insertions(+), 18 deletions(-) diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go index e28e207c8246..f6c35e67f732 100644 --- a/builtin/logical/pki/path_revoke.go +++ b/builtin/logical/pki/path_revoke.go @@ -8,7 +8,7 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - rsa "crypto/rsa" + "crypto/rsa" "crypto/subtle" "crypto/x509" "encoding/pem" diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go index 3cc2cbc061e8..a4ce2d25108b 100644 --- a/builtin/logical/pki/path_root.go +++ b/builtin/logical/pki/path_root.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - rsa "crypto/rsa" + "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/pem" diff --git a/builtin/logical/ssh/path_config_ca.go b/builtin/logical/ssh/path_config_ca.go index e89b3d302896..d0f0abae1309 100644 --- a/builtin/logical/ssh/path_config_ca.go +++ b/builtin/logical/ssh/path_config_ca.go @@ -16,10 +16,9 @@ import ( "fmt" "io" - "github.com/hashicorp/vault/sdk/helper/cryptoutil" - multierror "github.com/hashicorp/go-multierror" "github.com/hashicorp/vault/sdk/framework" + "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" "github.com/mikesmitty/edkey" "golang.org/x/crypto/ssh" diff --git a/builtin/logical/ssh/path_issue_sign.go b/builtin/logical/ssh/path_issue_sign.go index 630bee13e47b..60c6d44f7ace 100644 --- a/builtin/logical/ssh/path_issue_sign.go +++ b/builtin/logical/ssh/path_issue_sign.go @@ -9,7 +9,7 @@ import ( "crypto/ecdsa" "crypto/ed25519" "crypto/rand" - rsa "crypto/rsa" + "crypto/rsa" "crypto/sha256" "errors" "fmt" diff --git a/command/transit_import_key_test.go b/command/transit_import_key_test.go index 01ee800f31b2..5994f91e3372 100644 --- a/command/transit_import_key_test.go +++ b/command/transit_import_key_test.go @@ -12,7 +12,6 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/stretchr/testify/require" @@ -40,7 +39,7 @@ func TestTransitImport(t *testing.T) { t.Fatalf("transit failed generating wrapping key: %#v", err) } - rsa1, rsa, aes128, aes256 := generateKeys(t) + rsa1, rsa2, aes128, aes256 := generateKeys(t) type testCase struct { variant string @@ -60,28 +59,28 @@ func TestTransitImport(t *testing.T) { { "import", "transit/keys/rsa1", - rsa, + rsa2, []string{"type=rsa-2048"}, true, /* already exists */ }, { "import-version", "transit/keys/rsa1", - rsa, + rsa2, []string{"type=rsa-2048"}, false, /* new version */ }, { "import", - "transit/keys/rsa", - rsa, + "transit/keys/rsa2", + rsa2, []string{"type=rsa-4096"}, true, /* wrong type */ }, { "import", - "transit/keys/rsa", - rsa, + "transit/keys/rsa2", + rsa2, []string{"type=rsa-2048"}, false, /* new name */ }, @@ -169,7 +168,7 @@ func execTransitImport(t *testing.T, client *api.Client, method string, path str } } -func generateKeys(t *testing.T) (rsa1 []byte, rsa []byte, aes128 []byte, aes256 []byte) { +func generateKeys(t *testing.T) (rsa1 []byte, rsa2 []byte, aes128 []byte, aes256 []byte) { t.Helper() priv1, err := cryptoutil.GenerateRSAKey(rand.Reader, 2048) @@ -184,8 +183,8 @@ func generateKeys(t *testing.T) (rsa1 []byte, rsa []byte, aes128 []byte, aes256 require.NotNil(t, priv2, "failed generating RSA 2 key") require.NoError(t, err, "failed generating RSA 2 key") - rsa, err = x509.MarshalPKCS8PrivateKey(priv2) - require.NotNil(t, rsa, "failed marshaling RSA 2 key") + rsa2, err = x509.MarshalPKCS8PrivateKey(priv2) + require.NotNil(t, rsa2, "failed marshaling RSA 2 key") require.NoError(t, err, "failed marshaling RSA 2 key") aes128 = make([]byte, 128/8) diff --git a/helper/pkcs7/decrypt.go b/helper/pkcs7/decrypt.go index a34bb5a65748..acedb1ec92af 100644 --- a/helper/pkcs7/decrypt.go +++ b/helper/pkcs7/decrypt.go @@ -7,7 +7,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - rsa "crypto/rsa" + "crypto/rsa" "crypto/x509" "encoding/asn1" "errors" diff --git a/helper/pkcs7/encrypt.go b/helper/pkcs7/encrypt.go index dfe8bc0a492c..90da67e4eed2 100644 --- a/helper/pkcs7/encrypt.go +++ b/helper/pkcs7/encrypt.go @@ -6,7 +6,7 @@ import ( "crypto/cipher" "crypto/des" "crypto/rand" - rsa "crypto/rsa" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" From b7e2af62e58858f8a97284eecc55ec5c96115524 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Mon, 25 Nov 2024 13:32:15 -0600 Subject: [PATCH 20/28] Update to a real tag --- go.mod | 2 +- go.sum | 4 ++-- sdk/go.mod | 2 +- sdk/go.sum | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 8430b93e4307..7283bee41619 100644 --- a/go.mod +++ b/go.mod @@ -99,7 +99,7 @@ require ( github.com/hashicorp/go-rootcerts v1.0.2 github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 - github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0 github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 github.com/hashicorp/go-secure-stdlib/kv-builder v0.1.2 github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 diff --git a/go.sum b/go.sum index 0c97310baa4b..12f955aca73b 100644 --- a/go.sum +++ b/go.sum @@ -1453,8 +1453,8 @@ github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 h1:I8bynUKMh9I7JdwtW9voJ0xm github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0/go.mod h1:oKHSQs4ivIfZ3fbXGQOop1XuDfdSb8RIsWTGaAanSfg= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= -github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a h1:ErXVzNyN1fr8V/ovbi9ioM8YXZLBxfe5hPlmBGn5sXY= -github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a/go.mod h1:hH8rgXHh9fPSDPerG6WzABHsHF+9ZpLhRI1LPk4JZ8c= +github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0 h1:4B46+S65WqQUlp0rX2F7TX6/p0HmUZsDD+cVzFTwztw= +github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0/go.mod h1:hH8rgXHh9fPSDPerG6WzABHsHF+9ZpLhRI1LPk4JZ8c= github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0 h1:f2mwVgMJjXuX/+eWD6ZW30+oIRgCofL+XMWknFkB1WM= github.com/hashicorp/go-secure-stdlib/fileutil v0.1.0/go.mod h1:uwcr2oga9pN5+OkHZyTN5MDk3+1YHOuMukhpnPaQAoI= github.com/hashicorp/go-secure-stdlib/gatedwriter v0.1.1 h1:9um9R8i0+HbRHS9d64kdvWR0/LJvo12sIonvR9zr1+U= diff --git a/sdk/go.mod b/sdk/go.mod index 5ca7f8704095..8d306d850a4e 100644 --- a/sdk/go.mod +++ b/sdk/go.mod @@ -26,7 +26,7 @@ require ( github.com/hashicorp/go-plugin v1.6.1 github.com/hashicorp/go-retryablehttp v0.7.7 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 - github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a + github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0 github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 github.com/hashicorp/go-secure-stdlib/password v0.1.1 diff --git a/sdk/go.sum b/sdk/go.sum index eca23df25d91..b226fc928814 100644 --- a/sdk/go.sum +++ b/sdk/go.sum @@ -257,8 +257,8 @@ github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5O github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng= github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= -github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a h1:ErXVzNyN1fr8V/ovbi9ioM8YXZLBxfe5hPlmBGn5sXY= -github.com/hashicorp/go-secure-stdlib/cryptoutil v0.0.0-20241125183314-0047f3e55b0a/go.mod h1:hH8rgXHh9fPSDPerG6WzABHsHF+9ZpLhRI1LPk4JZ8c= +github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0 h1:4B46+S65WqQUlp0rX2F7TX6/p0HmUZsDD+cVzFTwztw= +github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.0/go.mod h1:hH8rgXHh9fPSDPerG6WzABHsHF+9ZpLhRI1LPk4JZ8c= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmkiSY5xuju57czJ/IJQ= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= From 8890ef3ff523be39e9370d32a320e249de08e90f Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Tue, 26 Nov 2024 11:41:55 -0600 Subject: [PATCH 21/28] changelog --- changelog/29020.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changelog/29020.txt diff --git a/changelog/29020.txt b/changelog/29020.txt new file mode 100644 index 000000000000..928e61d265f0 --- /dev/null +++ b/changelog/29020.txt @@ -0,0 +1,5 @@ +```release-note: improvement +sdk/helper: utitilize a randomly seeded cryptographic determinstic random bit generator for +RSA key generation when using slow random sources, speeding key generation +considerably. +``` From 95aeceb1199d34d58ec8bcee042b23711c1c84e4 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Tue, 26 Nov 2024 11:43:51 -0600 Subject: [PATCH 22/28] copyright --- sdk/helper/cryptoutil/rsa.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk/helper/cryptoutil/rsa.go b/sdk/helper/cryptoutil/rsa.go index bc3af3a801d0..aa128cefb15e 100644 --- a/sdk/helper/cryptoutil/rsa.go +++ b/sdk/helper/cryptoutil/rsa.go @@ -1,3 +1,6 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + package cryptoutil import ( From 28e484aa94e46a166624b217c74986880c33196d Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Tue, 26 Nov 2024 11:48:57 -0600 Subject: [PATCH 23/28] work around copyright check --- helper/cryptoutil/rsa.go | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 helper/cryptoutil/rsa.go diff --git a/helper/cryptoutil/rsa.go b/helper/cryptoutil/rsa.go new file mode 100644 index 000000000000..aa128cefb15e --- /dev/null +++ b/helper/cryptoutil/rsa.go @@ -0,0 +1,34 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package cryptoutil + +import ( + "crypto/rsa" + "io" + "os" + + "github.com/hashicorp/go-secure-stdlib/cryptoutil" + "github.com/hashicorp/vault/sdk/helper/parseutil" +) + +var disabled bool + +func init() { + s := os.Getenv("VAULT_DISABLE_RSA_DRBG") + var err error + disabled, err = parseutil.ParseBool(s) + if err != nil { + // Assume it's a typo and disable + disabled = true + } +} + +// Uses go-secure-stdlib's GenerateRSAKey routine conditionally. This exists to be able to disable the feature +// via an ENV var in a pinch +func GenerateRSAKey(randomSource io.Reader, bits int) (*rsa.PrivateKey, error) { + if disabled { + return rsa.GenerateKey(randomSource, bits) + } + return cryptoutil.GenerateRSAKey(randomSource, bits) +} From c0dfee736c61a66ec1ef0f432fdf06d87386f651 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Tue, 26 Nov 2024 11:49:18 -0600 Subject: [PATCH 24/28] work around copyright check pt2 --- helper/cryptoutil/rsa.go | 34 ---------------------------------- 1 file changed, 34 deletions(-) delete mode 100644 helper/cryptoutil/rsa.go diff --git a/helper/cryptoutil/rsa.go b/helper/cryptoutil/rsa.go deleted file mode 100644 index aa128cefb15e..000000000000 --- a/helper/cryptoutil/rsa.go +++ /dev/null @@ -1,34 +0,0 @@ -// Copyright (c) HashiCorp, Inc. -// SPDX-License-Identifier: BUSL-1.1 - -package cryptoutil - -import ( - "crypto/rsa" - "io" - "os" - - "github.com/hashicorp/go-secure-stdlib/cryptoutil" - "github.com/hashicorp/vault/sdk/helper/parseutil" -) - -var disabled bool - -func init() { - s := os.Getenv("VAULT_DISABLE_RSA_DRBG") - var err error - disabled, err = parseutil.ParseBool(s) - if err != nil { - // Assume it's a typo and disable - disabled = true - } -} - -// Uses go-secure-stdlib's GenerateRSAKey routine conditionally. This exists to be able to disable the feature -// via an ENV var in a pinch -func GenerateRSAKey(randomSource io.Reader, bits int) (*rsa.PrivateKey, error) { - if disabled { - return rsa.GenerateKey(randomSource, bits) - } - return cryptoutil.GenerateRSAKey(randomSource, bits) -} From 8ba7ea6fc84ec7a62f0b0a5022734d19a070e7ca Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Tue, 26 Nov 2024 12:07:53 -0600 Subject: [PATCH 25/28] bunch of dupe imports --- builtin/credential/cert/backend_test.go | 1 - builtin/logical/pki/backend_test.go | 1 - builtin/logical/pki/ca_test.go | 1 - builtin/logical/pki/path_acme_test.go | 1 - builtin/logical/pki/path_config_acme_test.go | 1 - builtin/logical/pki/path_tidy_test.go | 1 - builtin/logical/transit/path_certificates_test.go | 1 - builtin/logical/transit/path_import_test.go | 1 - 8 files changed, 8 deletions(-) diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index d585e69cf8d8..707bd71f7acb 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -31,7 +31,6 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" "github.com/hashicorp/go-rootcerts" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-sockaddr" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 7dafb781a5c2..5c38989f8f85 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -38,7 +38,6 @@ import ( "github.com/armon/go-metrics" "github.com/fatih/structs" "github.com/go-test/deep" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/vault/api" auth "github.com/hashicorp/vault/api/auth/userpass" diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go index c725ef245a0e..069c5777b9dd 100644 --- a/builtin/logical/pki/ca_test.go +++ b/builtin/logical/pki/ca_test.go @@ -20,7 +20,6 @@ import ( "time" "github.com/go-test/deep" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/certutil" diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index ce7e47dd81e3..917ce6e27adc 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -25,7 +25,6 @@ import ( "github.com/go-test/deep" "github.com/hashicorp/go-cleanhttp" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki/dnstest" "github.com/hashicorp/vault/helper/constants" diff --git a/builtin/logical/pki/path_config_acme_test.go b/builtin/logical/pki/path_config_acme_test.go index b83a1374a3bb..cfc7eeb03f19 100644 --- a/builtin/logical/pki/path_config_acme_test.go +++ b/builtin/logical/pki/path_config_acme_test.go @@ -9,7 +9,6 @@ import ( "testing" "time" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/stretchr/testify/require" diff --git a/builtin/logical/pki/path_tidy_test.go b/builtin/logical/pki/path_tidy_test.go index 7f90ea12b135..911e050dd003 100644 --- a/builtin/logical/pki/path_tidy_test.go +++ b/builtin/logical/pki/path_tidy_test.go @@ -19,7 +19,6 @@ import ( "time" "github.com/armon/go-metrics" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/helper/testhelpers" vaulthttp "github.com/hashicorp/vault/http" diff --git a/builtin/logical/transit/path_certificates_test.go b/builtin/logical/transit/path_certificates_test.go index 2b4529e22719..b50916a07f81 100644 --- a/builtin/logical/transit/path_certificates_test.go +++ b/builtin/logical/transit/path_certificates_test.go @@ -13,7 +13,6 @@ import ( "strings" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/builtin/logical/pki" vaulthttp "github.com/hashicorp/vault/http" diff --git a/builtin/logical/transit/path_import_test.go b/builtin/logical/transit/path_import_test.go index 148d398c865f..861f1fd67acc 100644 --- a/builtin/logical/transit/path_import_test.go +++ b/builtin/logical/transit/path_import_test.go @@ -19,7 +19,6 @@ import ( "sync" "testing" - "github.com/hashicorp/go-secure-stdlib/cryptoutil" uuid "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/sdk/helper/cryptoutil" "github.com/hashicorp/vault/sdk/logical" From 255c1bfe67b52734371e454d3a5bad694ffbaebe Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Tue, 26 Nov 2024 12:22:41 -0600 Subject: [PATCH 26/28] missing import --- builtin/logical/pki/path_acme_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/builtin/logical/pki/path_acme_test.go b/builtin/logical/pki/path_acme_test.go index 917ce6e27adc..ac16c36cc871 100644 --- a/builtin/logical/pki/path_acme_test.go +++ b/builtin/logical/pki/path_acme_test.go @@ -9,6 +9,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" + "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" From 54e26b55e2aba9d680f09abf7741a9585d571007 Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Tue, 26 Nov 2024 12:34:56 -0600 Subject: [PATCH 27/28] wrong license --- sdk/helper/cryptoutil/rsa.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/helper/cryptoutil/rsa.go b/sdk/helper/cryptoutil/rsa.go index aa128cefb15e..5c6790ba9c9a 100644 --- a/sdk/helper/cryptoutil/rsa.go +++ b/sdk/helper/cryptoutil/rsa.go @@ -1,5 +1,5 @@ // Copyright (c) HashiCorp, Inc. -// SPDX-License-Identifier: BUSL-1.1 +// SPDX-License-Identifier: MPL-2.0 package cryptoutil From b5234485056c9e0aa0eb8aa5131e9926b04e4fde Mon Sep 17 00:00:00 2001 From: "Scott G. Miller" Date: Wed, 27 Nov 2024 12:11:50 -0600 Subject: [PATCH 28/28] fix go.mod conflict --- go.mod | 98 ++++++++++++++------------ go.sum | 217 +++++++++++++++++++++++++++++++-------------------------- 2 files changed, 174 insertions(+), 141 deletions(-) diff --git a/go.mod b/go.mod index 7283bee41619..9b998cd305a3 100644 --- a/go.mod +++ b/go.mod @@ -24,8 +24,8 @@ replace github.com/hashicorp/vault/sdk => ./sdk require ( cloud.google.com/go/cloudsqlconn v1.4.3 - cloud.google.com/go/monitoring v1.21.0 - cloud.google.com/go/spanner v1.67.0 + cloud.google.com/go/monitoring v1.21.2 + cloud.google.com/go/spanner v1.72.0 cloud.google.com/go/storage v1.43.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 @@ -61,12 +61,13 @@ require ( github.com/go-git/go-git/v5 v5.11.0 github.com/go-jose/go-jose/v3 v3.0.3 github.com/go-ldap/ldap/v3 v3.4.8 - github.com/go-sql-driver/mysql v1.7.1 + github.com/go-sql-driver/mysql v1.8.1 github.com/go-test/deep v1.1.1 github.com/go-zookeeper/zk v1.0.3 github.com/gocql/gocql v1.0.0 - github.com/golang-jwt/jwt/v4 v4.5.0 + github.com/golang-jwt/jwt/v4 v4.5.1 github.com/golang/protobuf v1.5.4 + github.com/google/certificate-transparency-go v1.3.0 github.com/google/go-cmp v0.6.0 github.com/google/go-github v17.0.0+incompatible github.com/google/go-metrics-stackdriver v0.2.0 @@ -164,7 +165,7 @@ require ( github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f github.com/jefferai/jsonx v1.0.1 github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f - github.com/klauspost/compress v1.17.8 + github.com/klauspost/compress v1.17.9 github.com/kr/pretty v0.3.1 github.com/kr/text v0.2.0 github.com/mattn/go-colorable v0.1.13 @@ -178,7 +179,7 @@ require ( github.com/mitchellh/reflectwalk v1.0.2 github.com/ncw/swift v1.0.47 github.com/oklog/run v1.1.0 - github.com/okta/okta-sdk-golang/v2 v2.20.0 + github.com/okta/okta-sdk-golang/v5 v5.0.2 github.com/oracle/oci-go-sdk v24.3.0+incompatible github.com/ory/dockertest v3.3.5+incompatible github.com/ory/dockertest/v3 v3.10.0 @@ -187,7 +188,7 @@ require ( github.com/pkg/errors v0.9.1 github.com/posener/complete v1.2.3 github.com/pquerna/otp v1.2.1-0.20191009055518-468c2dd2b58d - github.com/prometheus/client_golang v1.19.1 + github.com/prometheus/client_golang v1.20.5 github.com/prometheus/common v0.55.0 github.com/rboyer/safeio v0.2.1 github.com/robfig/cron/v3 v3.0.1 @@ -199,9 +200,9 @@ require ( github.com/stretchr/testify v1.9.0 github.com/tink-crypto/tink-go/v2 v2.2.0 go.etcd.io/bbolt v1.4.0-beta.0 - go.etcd.io/etcd/client/pkg/v3 v3.5.13 - go.etcd.io/etcd/client/v2 v2.305.5 - go.etcd.io/etcd/client/v3 v3.5.13 + go.etcd.io/etcd/client/pkg/v3 v3.5.17 + go.etcd.io/etcd/client/v2 v2.305.17 + go.etcd.io/etcd/client/v3 v3.5.17 go.mongodb.org/atlas v0.37.0 go.mongodb.org/mongo-driver v1.16.1 go.opentelemetry.io/otel v1.30.0 @@ -209,18 +210,18 @@ require ( go.opentelemetry.io/otel/trace v1.30.0 go.uber.org/atomic v1.11.0 go.uber.org/goleak v1.3.0 - golang.org/x/crypto v0.27.0 + golang.org/x/crypto v0.29.0 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 - golang.org/x/net v0.29.0 - golang.org/x/oauth2 v0.23.0 - golang.org/x/sync v0.8.0 + golang.org/x/net v0.31.0 + golang.org/x/oauth2 v0.24.0 + golang.org/x/sync v0.9.0 golang.org/x/sys v0.27.0 - golang.org/x/term v0.24.0 - golang.org/x/text v0.18.0 - golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d - google.golang.org/api v0.197.0 - google.golang.org/grpc v1.66.1 - google.golang.org/protobuf v1.34.2 + golang.org/x/term v0.26.0 + golang.org/x/text v0.20.0 + golang.org/x/tools v0.27.0 + google.golang.org/api v0.207.0 + google.golang.org/grpc v1.68.0 + google.golang.org/protobuf v1.35.2 gopkg.in/ory-am/dockertest.v3 v3.3.4 k8s.io/apimachinery v0.31.0 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 @@ -229,29 +230,39 @@ require ( ) require ( - cel.dev/expr v0.15.0 // indirect - cloud.google.com/go/longrunning v0.6.0 // indirect + cel.dev/expr v0.16.1 // indirect + cloud.google.com/go/longrunning v0.6.2 // indirect + filippo.io/edwards25519 v1.1.0 // indirect + github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect + github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-viper/mapstructure/v2 v2.1.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect github.com/hashicorp/go-secure-stdlib/httputil v0.1.0 // indirect + github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect + github.com/lestrrat-go/blackmagic v1.0.2 // indirect + github.com/lestrrat-go/httpcc v1.0.1 // indirect + github.com/lestrrat-go/iter v1.0.2 // indirect + github.com/lestrrat-go/jwx v1.2.29 // indirect + github.com/lestrrat-go/option v1.0.1 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/sys/userns v0.1.0 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/x448/float16 v0.8.4 // indirect + go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.29.0 // indirect golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect ) require ( - cloud.google.com/go v0.115.1 // indirect - cloud.google.com/go/auth v0.9.3 // indirect - cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect - cloud.google.com/go/compute/metadata v0.5.0 // indirect - cloud.google.com/go/iam v1.2.0 // indirect - cloud.google.com/go/kms v1.19.0 // indirect; indirect\ + cloud.google.com/go v0.116.0 // indirect + cloud.google.com/go/auth v0.10.2 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect + cloud.google.com/go/compute/metadata v0.5.2 // indirect + cloud.google.com/go/iam v1.2.2 // indirect + cloud.google.com/go/kms v1.20.1 // indirect; indirect\ dario.cat/mergo v1.0.1 // indirect github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect github.com/99designs/keyring v1.2.2 // indirect @@ -323,12 +334,12 @@ require ( github.com/cjlapao/common-go v0.0.39 // indirect github.com/cloudflare/circl v1.5.0 // indirect github.com/cloudfoundry-community/go-cfclient v0.0.0-20220930021109-9c4e6c59ccf1 // indirect - github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect + github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect github.com/containerd/continuity v0.4.3 // indirect github.com/containerd/log v0.1.0 // indirect github.com/coreos/etcd v3.3.27+incompatible // indirect github.com/coreos/go-oidc/v3 v3.11.0 // indirect - github.com/coreos/go-semver v0.3.0 // indirect + github.com/coreos/go-semver v0.3.1 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf // indirect github.com/couchbase/gocb/v2 v2.9.1 // indirect @@ -350,8 +361,8 @@ require ( github.com/dvsekhvalnov/jose2go v1.6.0 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/emirpasic/gods v1.18.1 // indirect - github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155 // indirect - github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect + github.com/envoyproxy/go-control-plane v0.13.0 // indirect + github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/gabriel-vasile/mimetype v1.4.2 // indirect @@ -392,7 +403,7 @@ require ( github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect - github.com/googleapis/gax-go/v2 v2.13.0 // indirect + github.com/googleapis/gax-go/v2 v2.14.0 // indirect github.com/gophercloud/gophercloud v0.1.0 // indirect github.com/gorilla/websocket v1.5.1 // indirect github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect @@ -420,7 +431,7 @@ require ( github.com/jackc/pgio v1.0.0 // indirect github.com/jackc/pgpassfile v1.0.0 // indirect github.com/jackc/pgproto3/v2 v2.3.3 // indirect - github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 // indirect + github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect github.com/jackc/pgtype v1.14.3 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jcmturner/aescts/v2 v2.0.0 // indirect @@ -429,7 +440,7 @@ require ( github.com/jcmturner/goidentity/v6 v6.0.1 // indirect github.com/jcmturner/rpc/v2 v2.0.3 // indirect github.com/jeffchao/backoff v0.0.0-20140404060208-9d7fd7aa17f2 // indirect - github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 // indirect github.com/json-iterator/go v1.1.12 // indirect @@ -437,7 +448,6 @@ require ( github.com/kevinburke/ssh_config v1.2.0 // indirect github.com/klauspost/cpuid/v2 v2.2.5 // indirect github.com/kylelemons/godebug v1.1.0 // indirect - github.com/lib/pq v1.10.9 // indirect github.com/linode/linodego v0.7.1 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/mailru/easyjson v0.7.7 // indirect @@ -488,7 +498,7 @@ require ( github.com/renier/xmlrpc v0.0.0-20170708154548-ce4a1a486c03 // indirect github.com/rogpeppe/go-internal v1.12.0 // indirect github.com/segmentio/fasthash v1.0.3 // indirect - github.com/sergi/go-diff v1.1.0 // indirect + github.com/sergi/go-diff v1.3.1 // indirect github.com/shopspring/decimal v1.4.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/skeema/knownhosts v1.2.1 // indirect @@ -518,18 +528,18 @@ require ( github.com/yusufpapurcu/wmi v1.2.2 // indirect github.com/zclconf/go-cty v1.12.1 // indirect github.com/zeebo/xxh3 v1.0.2 // indirect - go.etcd.io/etcd/api/v3 v3.5.13 // indirect + go.etcd.io/etcd/api/v3 v3.5.17 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect go.opentelemetry.io/otel/metric v1.30.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/mod v0.21.0 // indirect - golang.org/x/time v0.6.0 - google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect; indirect\ + golang.org/x/mod v0.22.0 // indirect + golang.org/x/time v0.8.0 + google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f // indirect; indirect\ gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect diff --git a/go.sum b/go.sum index 12f955aca73b..8c38651d7f1b 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w= -cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= +cel.dev/expr v0.16.1 h1:NR0+oFYzR1CqLFhTAqg3ql59G9VfN8fKq1TCHJ6gq1g= +cel.dev/expr v0.16.1/go.mod h1:AsGA5zb3WruAEQeQng1RZdGEXmBj0jvMWh6l5SnNuC8= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= @@ -39,8 +39,8 @@ cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRY cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I= cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= -cloud.google.com/go v0.115.1 h1:Jo0SM9cQnSkYfp44+v+NQXHpcHqlnRJk2qxh6yvxxxQ= -cloud.google.com/go v0.115.1/go.mod h1:DuujITeaufu3gL68/lOFIirVNJwQeyf5UXyi+Wbgknc= +cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE= +cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U= cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4= cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw= cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E= @@ -102,10 +102,10 @@ cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVo cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo= cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0= cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E= -cloud.google.com/go/auth v0.9.3 h1:VOEUIAADkkLtyfr3BLa3R8Ed/j6w1jTBmARx+wb5w5U= -cloud.google.com/go/auth v0.9.3/go.mod h1:7z6VY+7h3KUdRov5F1i8NDP5ZzWKYmEPO842BgCsmTk= -cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY= -cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc= +cloud.google.com/go/auth v0.10.2 h1:oKF7rgBfSHdp/kuhXtqU/tNDr0mZqhYbEh+6SiqzkKo= +cloud.google.com/go/auth v0.10.2/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI= +cloud.google.com/go/auth/oauth2adapt v0.2.5 h1:2p29+dePqsCHPP1bqDJcKj4qxRyYCcbzKpFyKGt3MTk= +cloud.google.com/go/auth/oauth2adapt v0.2.5/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8= cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8= cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8= @@ -187,8 +187,8 @@ cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZ cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY= -cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY= +cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo= +cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k= cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY= cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck= cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w= @@ -322,8 +322,8 @@ cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGE cloud.google.com/go/iam v0.11.0/go.mod h1:9PiLDanza5D+oWFZiH1uG+RnRCfEGKoyl6yo4cgWZGY= cloud.google.com/go/iam v0.12.0/go.mod h1:knyHGviacl11zrtZUoDuYpDgLjvr28sLQaG0YB2GYAY= cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0= -cloud.google.com/go/iam v1.2.0 h1:kZKMKVNk/IsSSc/udOb83K0hL/Yh/Gcqpz+oAkoIFN8= -cloud.google.com/go/iam v1.2.0/go.mod h1:zITGuWgsLZxd8OwAlX+eMFgZDXzBm7icj1PVTYG766Q= +cloud.google.com/go/iam v1.2.2 h1:ozUSofHUGf/F4tCNy/mu9tHLTaxZFLOUiKzjcgWHGIA= +cloud.google.com/go/iam v1.2.2/go.mod h1:0Ys8ccaZHdI1dEUilwzqng/6ps2YB6vRsjIe00/+6JY= cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc= cloud.google.com/go/iap v1.5.0/go.mod h1:UH/CGgKd4KyohZL5Pt0jSKE4m3FR51qg6FKQ/z/Ix9A= cloud.google.com/go/iap v1.6.0/go.mod h1:NSuvI9C/j7UdjGjIde7t7HBz+QTwBcapPE07+sSRcLk= @@ -343,8 +343,8 @@ cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4 cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w= cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24= cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI= -cloud.google.com/go/kms v1.19.0 h1:x0OVJDl6UH1BSX4THKlMfdcFWoE4ruh90ZHuilZekrU= -cloud.google.com/go/kms v1.19.0/go.mod h1:e4imokuPJUc17Trz2s6lEXFDt8bgDmvpVynH39bdrHM= +cloud.google.com/go/kms v1.20.1 h1:og29Wv59uf2FVaZlesaiDAqHFzHaoUyHI3HYp9VUHVg= +cloud.google.com/go/kms v1.20.1/go.mod h1:LywpNiVCvzYNJWS9JUcGJSVTNSwPwi0vBAotzDqn2nc= cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE= @@ -358,8 +358,8 @@ cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeN cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE= cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc= cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo= -cloud.google.com/go/longrunning v0.6.0 h1:mM1ZmaNsQsnb+5n1DNPeL0KwQd9jQRqSqSDEkBZr+aI= -cloud.google.com/go/longrunning v0.6.0/go.mod h1:uHzSZqW89h7/pasCWNYdUpwGz3PcVWhrWupreVPYLts= +cloud.google.com/go/longrunning v0.6.2 h1:xjDfh1pQcWPEvnfjZmwjKQEcHnpz6lHjfy7Fo0MK+hc= +cloud.google.com/go/longrunning v0.6.2/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI= cloud.google.com/go/managedidentities v1.3.0/go.mod h1:UzlW3cBOiPrzucO5qWkNkh0w33KFtBJU281hacNvsdE= cloud.google.com/go/managedidentities v1.4.0/go.mod h1:NWSBYbEMgqmbZsLIyKvxrYbtqOsxY1ZrGM+9RgDqInM= cloud.google.com/go/managedidentities v1.5.0/go.mod h1:+dWcZ0JlUmpuxpIDfyP5pP5y0bLdRwOS4Lp7gMni/LA= @@ -383,8 +383,8 @@ cloud.google.com/go/monitoring v1.7.0/go.mod h1:HpYse6kkGo//7p6sT0wsIC6IBDET0RhI cloud.google.com/go/monitoring v1.8.0/go.mod h1:E7PtoMJ1kQXWxPjB6mv2fhC5/15jInuulFdYYtlcvT4= cloud.google.com/go/monitoring v1.12.0/go.mod h1:yx8Jj2fZNEkL/GYZyTLS4ZtZEZN8WtDEiEqG4kLK50w= cloud.google.com/go/monitoring v1.13.0/go.mod h1:k2yMBAB1H9JT/QETjNkgdCGD9bPF712XiLTVr+cBrpw= -cloud.google.com/go/monitoring v1.21.0 h1:EMc0tB+d3lUewT2NzKC/hr8cSR9WsUieVywzIHetGro= -cloud.google.com/go/monitoring v1.21.0/go.mod h1:tuJ+KNDdJbetSsbSGTqnaBvbauS5kr3Q/koy3Up6r+4= +cloud.google.com/go/monitoring v1.21.2 h1:FChwVtClH19E7pJ+e0xUhJPGksctZNVOk2UhMmblmdU= +cloud.google.com/go/monitoring v1.21.2/go.mod h1:hS3pXvaG8KgWTSz+dAdyzPrGUYmi2Q+WFX8g2hqVEZU= cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA= cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o= cloud.google.com/go/networkconnectivity v1.6.0/go.mod h1:OJOoEXW+0LAxHh89nXd64uGG+FbQoeH8DtxCHVOMlaM= @@ -531,8 +531,8 @@ cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+ cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos= cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk= cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M= -cloud.google.com/go/spanner v1.67.0 h1:h8xfobxh5lQu4qJVMPH+wSiyU+ZM6ZTxRNqGeu9iIVA= -cloud.google.com/go/spanner v1.67.0/go.mod h1:Um+TNmxfcCHqNCKid4rmAMvoe/Iu1vdz6UfxJ9GPxRQ= +cloud.google.com/go/spanner v1.72.0 h1:8hOxGVi0gaOWdxzDxyjYL4g/unjVUy2uje1T3okTgiQ= +cloud.google.com/go/spanner v1.72.0/go.mod h1:mw98ua5ggQXVWwp83yjwggqEmW9t8rjs9Po1ohcUGW4= cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0= @@ -620,6 +620,8 @@ cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcP dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 h1:/vQbFIOMbk2FiG/kXiLl8BRyzTWDw7gX/Hz7Dd5eDMs= @@ -723,6 +725,8 @@ github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dX github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.0 h1:oVLqHXhnYtUwM89y9T1fXGaK9wTkXHgNp8/ZNMQzUxE= github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.0/go.mod h1:dppbR7CwXD4pgtV9t3wD1812RaLDcBjtblcDF5f1vI0= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 h1:pB2F2JKCj1Znmp2rwxxt1J0Fg0wezTMgWYk5Mpbi1kg= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1/go.mod h1:itPGVDKf9cC/ov4MdvJ2QZ0khw4bfoo9jzwTJlaxy2k= github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo= github.com/Jeffail/gabs/v2 v2.1.0 h1:6dV9GGOjoQgzWTQEltZPXlJdFloxvIq7DwqgxMCbq30= github.com/Jeffail/gabs/v2 v2.1.0/go.mod h1:xCn81vdHKxFUuWWAaD5jCTQDNPBMh5pPs9IJ+NcziBI= @@ -867,8 +871,8 @@ github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA= -github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8= +github.com/bufbuild/protocompile v0.10.0 h1:+jW/wnLMLxaCEG8AX9lD0bQ5v9h1RUiMKOBOT5ll9dM= +github.com/bufbuild/protocompile v0.10.0/go.mod h1:G9qQIQo0xZ6Uyj6CMNz0saGmx2so+KONo8/KrELABiY= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= @@ -915,8 +919,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= -github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= github.com/cockroachdb/cockroach-go/v2 v2.3.8 h1:53yoUo4+EtrC1NrAEgnnad4AS3ntNvGup1PAXZ7UmpE= @@ -935,13 +939,12 @@ github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8Nz github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI= github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= @@ -972,6 +975,9 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/denisenkom/go-mssqldb v0.12.3 h1:pBSGx9Tq67pBOTLmxNuirNTeB8Vjmf886Kx+8Y+8shw= github.com/denisenkom/go-mssqldb v0.12.3/go.mod h1:k0mtMFOnU+AihqFxPMiF05rtiDrorD1Vrm1KEz5hxDo= github.com/denverdino/aliyungo v0.0.0-20170926055100-d3308649c661/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= @@ -1027,14 +1033,14 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go. github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34= github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f/go.mod h1:sfYdkwUW4BA3PbKjySwjJy+O4Pu0h62rlqCMHNk+K+Q= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155 h1:IgJPqnrlY2Mr4pYB6oaMKvFvwJ9H+X6CCY5x1vCTcpc= -github.com/envoyproxy/go-control-plane v0.12.1-0.20240621013728-1eb8caab5155/go.mod h1:5Wkq+JduFtdAXihLmeTJf+tRYIT4KBc2vPXDhwVo1pA= +github.com/envoyproxy/go-control-plane v0.13.0 h1:HzkeUz1Knt+3bK+8LG1bxOO/jzWZmdxpwC51i202les= +github.com/envoyproxy/go-control-plane v0.13.0/go.mod h1:GRaKG3dwvFoTg4nj7aXdZnvMg4d7nvT/wl9WgVXn3Q8= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo= github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w= github.com/envoyproxy/protoc-gen-validate v0.10.1/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss= -github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= -github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= +github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM= +github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4= github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= @@ -1149,8 +1155,8 @@ github.com/go-ozzo/ozzo-validation v3.6.0+incompatible/go.mod h1:gsEKFIVnabGBt6m github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= -github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI= -github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= @@ -1184,8 +1190,9 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69 github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo= +github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= @@ -1240,8 +1247,10 @@ github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= -github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= +github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= +github.com/google/certificate-transparency-go v1.3.0 h1:+UhSNQAyA38Ed4CGfwOZeG4sJ030ELQZE4xtMFOxA7U= +github.com/google/certificate-transparency-go v1.3.0/go.mod h1:/xVlT13jyrOuJOXTW5PjCBCrHBtXUq/jT5UeW40xliQ= github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/flatbuffers v23.5.26+incompatible h1:M9dgRyhJemaM4Sw8+66GHBu8ioaQmyPLg1b8VwK5WJg= github.com/google/flatbuffers v23.5.26+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= @@ -1329,8 +1338,8 @@ github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqE github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8= github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= -github.com/googleapis/gax-go/v2 v2.13.0 h1:yitjD5f7jQHhyDsnhKEBU52NdvvdSeGzlAnDPT0hH1s= -github.com/googleapis/gax-go/v2 v2.13.0/go.mod h1:Z/fvTZXF8/uw7Xu5GuslPw+bplx6SS338j1Is2S+B7A= +github.com/googleapis/gax-go/v2 v2.14.0 h1:f+jMrjBPl+DL9nI4IQzLUxMq7XrAqFYB7hBPqMNIe8o= +github.com/googleapis/gax-go/v2 v2.14.0/go.mod h1:lhBCnjdLrWRaPvLWhmc8IS24m9mr07qSYnHncrgo+zk= github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/googleapis/gnostic v0.2.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= @@ -1355,11 +1364,12 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDa github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks= github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM= github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU= github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0= github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8= @@ -1652,8 +1662,8 @@ github.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUO github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA= github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E= github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= -github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 h1:L0QtFUgDarD7Fpv9jeVMgy/+Ec0mtnmYuImjTz6dtDA= -github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg= github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc= github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw= @@ -1697,14 +1707,15 @@ github.com/jefferai/isbadcipher v0.0.0-20190226160619-51d2077c035f/go.mod h1:3J2 github.com/jefferai/jsonx v1.0.1 h1:GvWkLWihoLqDG0BSP45TUQJH9qsINX50PVrFULgpc/I= github.com/jefferai/jsonx v1.0.1/go.mod h1:yFo3l2fcm7cZVHGq3HKLXE+Pd4RWuRjNBDHksM7XekQ= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= -github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c= -github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo= +github.com/jhump/protoreflect v1.16.0 h1:54fZg+49widqXYQ0b+usAFHbMkBGR4PpXrsHc8+TBDg= +github.com/jhump/protoreflect v1.16.0/go.mod h1:oYPd7nPvcBw/5wlDfm/AVmU9zH9BgqGCI469pGxfj/8= github.com/jimlambrt/gldap v0.1.13 h1:jxmVQn0lfmFbM9jglueoau5LLF/IGRti0SKf0vB753M= github.com/jimlambrt/gldap v0.1.13/go.mod h1:nlC30c7xVphjImg6etk7vg7ZewHCCvl1dfAhO3ZJzPg= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= @@ -1720,7 +1731,6 @@ github.com/joyent/triton-go v1.7.1-0.20200416154420-6801d15b779f/go.mod h1:KDSfL github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= @@ -1741,8 +1751,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE= github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= -github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= -github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg= github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= @@ -1762,6 +1772,19 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A= +github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y= +github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k= +github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= +github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= +github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= +github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= +github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= +github.com/lestrrat-go/jwx v1.2.29 h1:QT0utmUJ4/12rmsVQrJ3u55bycPkKqGYuGT4tyRhxSQ= +github.com/lestrrat-go/jwx v1.2.29/go.mod h1:hU8k2l6WF0ncx20uQdOmik/Gjg6E3/wIRtXSNFeZuB8= +github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= +github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= +github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= @@ -1911,8 +1934,8 @@ github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA= github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/okta/okta-sdk-golang/v2 v2.20.0 h1:EDKM+uOPfihOMNwgHMdno+NAsIfyXkVnoFAYVPay0YU= -github.com/okta/okta-sdk-golang/v2 v2.20.0/go.mod h1:FMy5hN5G8Rd/VoS0XrfyPPhIfOVo78ZK7lvwiQRS2+U= +github.com/okta/okta-sdk-golang/v5 v5.0.2 h1:eecvycE/XDX56IWTsOVhqfj5txCgqryTXzKy7wKEq78= +github.com/okta/okta-sdk-golang/v5 v5.0.2/go.mod h1:T/vmECtJX33YPZSVD+sorebd8LLhe38Bi/VrFTjgVX0= github.com/olekukonko/tablewriter v0.0.0-20180130162743-b8a9be070da4/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= @@ -2002,8 +2025,8 @@ github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= @@ -2062,8 +2085,8 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUt github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/segmentio/fasthash v1.0.3 h1:EI9+KE1EwvMLBWwjpRDc+fEM+prwxDYbslddQGtrmhM= github.com/segmentio/fasthash v1.0.3/go.mod h1:waKX8l2N8yckOgmSsXJi7x1ZfdKZ4x7KRMzBtS3oedY= -github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/sethvargo/go-limiter v0.7.1 h1:wWNhTj0pxjyJ7wuJHpRJpYwJn+bUnjYfw2a85eu5w9U= github.com/sethvargo/go-limiter v0.7.1/go.mod h1:C0kbSFbiriE5k2FFOe18M1YZbAR2Fiwf72uGu0CXCcU= github.com/shirou/gopsutil/v3 v3.22.6 h1:FnHOFOh+cYAM0C30P+zysPISzlknLC5Z1G4EAElznfQ= @@ -2140,6 +2163,7 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tencentcloud/tencentcloud-sdk-go v1.0.162 h1:8fDzz4GuVg4skjY2B0nMN7h6uN61EDVkuLyI2+qGHhI= @@ -2208,16 +2232,14 @@ github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxt go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.4.0-beta.0 h1:U7Y9yH6ZojEo5/BDFMXDXD1RNx9L7iKxudzqR68jLaM= go.etcd.io/bbolt v1.4.0-beta.0/go.mod h1:Qv5yHB6jkQESXT/uVfxJgUPMqgAyhL0GLxcQaz9bSec= -go.etcd.io/etcd/api/v3 v3.5.5/go.mod h1:KFtNaxGDw4Yx/BA4iPPwevUTAuqcsPxzyX8PHydchN8= -go.etcd.io/etcd/api/v3 v3.5.13 h1:8WXU2/NBge6AUF1K1gOexB6e07NgsN1hXK0rSTtgSp4= -go.etcd.io/etcd/api/v3 v3.5.13/go.mod h1:gBqlqkcMMZMVTMm4NDZloEVJzxQOQIls8splbqBDa0c= -go.etcd.io/etcd/client/pkg/v3 v3.5.5/go.mod h1:ggrwbk069qxpKPq8/FKkQ3Xq9y39kbFR4LnKszpRXeQ= -go.etcd.io/etcd/client/pkg/v3 v3.5.13 h1:RVZSAnWWWiI5IrYAXjQorajncORbS0zI48LQlE2kQWg= -go.etcd.io/etcd/client/pkg/v3 v3.5.13/go.mod h1:XxHT4u1qU12E2+po+UVPrEeL94Um6zL58ppuJWXSAB8= -go.etcd.io/etcd/client/v2 v2.305.5 h1:DktRP60//JJpnPC0VBymAN/7V71GHMdjDCBt4ZPXDjI= -go.etcd.io/etcd/client/v2 v2.305.5/go.mod h1:zQjKllfqfBVyVStbt4FaosoX2iYd8fV/GRy/PbowgP4= -go.etcd.io/etcd/client/v3 v3.5.13 h1:o0fHTNJLeO0MyVbc7I3fsCf6nrOqn5d+diSarKnB2js= -go.etcd.io/etcd/client/v3 v3.5.13/go.mod h1:cqiAeY8b5DEEcpxvgWKsbLIWNM/8Wy2xJSDMtioMcoI= +go.etcd.io/etcd/api/v3 v3.5.17 h1:cQB8eb8bxwuxOilBpMJAEo8fAONyrdXTHUNcMd8yT1w= +go.etcd.io/etcd/api/v3 v3.5.17/go.mod h1:d1hvkRuXkts6PmaYk2Vrgqbv7H4ADfAKhyJqHNLJCB4= +go.etcd.io/etcd/client/pkg/v3 v3.5.17 h1:XxnDXAWq2pnxqx76ljWwiQ9jylbpC4rvkAeRVOUKKVw= +go.etcd.io/etcd/client/pkg/v3 v3.5.17/go.mod h1:4DqK1TKacp/86nJk4FLQqo6Mn2vvQFBmruW3pP14H/w= +go.etcd.io/etcd/client/v2 v2.305.17 h1:ajFukQfI//xY5VuSeuUw4TJ4WnNR2kAFfV/P0pDdPMs= +go.etcd.io/etcd/client/v2 v2.305.17/go.mod h1:EttKgEgvwikmXN+b7pkEWxDZr6sEaYsqCiS3k4fa/Vg= +go.etcd.io/etcd/client/v3 v3.5.17 h1:o48sINNeWz5+pjy/Z0+HKpj/xSnBkuVhVvXkjEXbqZY= +go.etcd.io/etcd/client/v3 v3.5.17/go.mod h1:j2d4eXTHWkT2ClBgnnEPm/Wuu7jsqku41v9DZ3OtjQo= go.mongodb.org/atlas v0.37.0 h1:zQnO1o5+bVP9IotpAYpres4UjMD2F4nwNEFTZhNL4ck= go.mongodb.org/atlas v0.37.0/go.mod h1:DJYtM+vsEpPEMSkQzJnFHrT0sP7ev6cseZc/GGjJYG8= go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4l8= @@ -2231,6 +2253,8 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib/detectors/gcp v1.29.0 h1:TiaiXB4DpGD3sdzNlYQxruQngn5Apwzi1X0DRhuGvDQ= +go.opentelemetry.io/contrib/detectors/gcp v1.29.0/go.mod h1:GW2aWZNwR2ZxDLdv8OyC2G8zkRoQBuURgV7RPQgcPoU= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= @@ -2245,6 +2269,8 @@ go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4Q go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= +go.opentelemetry.io/otel/sdk/metric v1.29.0 h1:K2CfmJohnRgvZ9UAj2/FhIf/okdWcNdBwe1m8xFXiSY= +go.opentelemetry.io/otel/sdk/metric v1.29.0/go.mod h1:6zZLdCl2fkauYoZIOn/soQIDSWFmNSRcICarHfuhNJQ= go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= @@ -2273,7 +2299,6 @@ go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9E go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM= -go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= @@ -2310,8 +2335,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= -golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= +golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -2371,8 +2396,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= -golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= +golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= +golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -2452,8 +2477,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -2484,8 +2509,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4= -golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= -golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE= +golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -2502,8 +2527,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= +golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -2573,7 +2598,6 @@ golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -2639,8 +2663,8 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= -golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= +golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= +golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -2660,16 +2684,16 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= +golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= -golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg= +golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -2746,8 +2770,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= -golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= +golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -2828,8 +2852,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0= google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= -google.golang.org/api v0.197.0 h1:x6CwqQLsFiA5JKAiGyGBjc2bNtHtLddhJCE2IKuhhcQ= -google.golang.org/api v0.197.0/go.mod h1:AuOuo20GoQ331nq7DquGHlU6d+2wN2fZ8O0ta60nRNw= +google.golang.org/api v0.207.0 h1:Fvt6IGCYjf7YLcQ+GCegeAI2QSQCfIWhRkmrMPj3JRM= +google.golang.org/api v0.207.0/go.mod h1:I53S168Yr/PNDNMi5yPnDc0/LGRZO6o7PoEbl/HY3CM= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -2971,12 +2995,12 @@ google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOl google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak= google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= -google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 h1:BulPr26Jqjnd4eYDVe+YvyR7Yc2vJGkO5/0UxD0/jZU= -google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:hL97c3SYopEHblzpxRL4lSs523++l8DYxGM1FQiYmb4= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f h1:zDoHYmMzMacIdjNe+P2XiTmPsLawi/pCbSPfxt6lTfw= +google.golang.org/genproto v0.0.0-20241113202542-65e8d215514f/go.mod h1:Q5m6g8b5KaFFzsQFIGdJkSJDGeJiybVenoYFMMa3ohI= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f h1:C1QccEa9kUwvMgEUORqQD9S17QesQijxjZ84sO82mfo= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -3005,7 +3029,6 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= @@ -3021,8 +3044,8 @@ google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5v google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw= google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g= google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= -google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM= -google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= +google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= @@ -3041,8 +3064,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= +google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=