Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix transit import/export of hmac-only keys #20864

Merged
merged 4 commits into from
May 31, 2023

Conversation

cipherboy
Copy link
Contributor

Fundamentally the second commit is the important one: we need to ensure HMAC-only keys exposes the same interface as non-HMAC keys, that is, the HMAC key is in .HMACKey and the "real" key is in .Key -- but in our case, HMAC should be the same value across both in case anyone is using the field directly in applications.

The first is more or less a duplicate, for backwards compatibility: we won't nuke the existing HMAC keys with different-HMACKey-field-values, so we'll want to export the real one under export/hmac-keys/.... For anyone who inadvertently used the wrong HMAC key, they can use a plaintext backup (and/or sys/raw) to import the separate, incorrect versions as proper versions into this key.


Related: #20804
Jira: VAULT-16702

@cipherboy cipherboy added bug Used to indicate a potential bug secret/transit backport/1.12.x labels May 30, 2023
@cipherboy cipherboy added this to the 1.12.7 milestone May 30, 2023
@cipherboy cipherboy requested a review from a team May 30, 2023 17:17
@@ -1585,7 +1590,7 @@ func (p *Policy) RotateInMemory(randReader io.Reader) (retErr error) {
if p.Type == KeyType_AES128_GCM96 {
numBytes = 16
} else if p.Type == KeyType_HMAC {
numBytes := p.KeySize
numBytes = p.KeySize
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This shadowing was causing HMAC keys to be shorter than expected.

cipherboy added 3 commits May 31, 2023 13:34
When initially implemented, exporting HMAC keys resulted in returning
the unused, internal HMACKey value rather than the main Key value that
is used for HMAC operations.

This is a breaking change.

Signed-off-by: Alexander Scheel <[email protected]>
When generating HMAC-typed keys, set HMACKey = Key consistently, to
allow users of HMAC-typed keys to use them backwards compatibly.

Notably, this could discard the (unused) HMACKey field set today.

Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy cipherboy force-pushed the cipherboy-fix-transit-import-export-hmac-keys branch from f0ca27b to b0935e6 Compare May 31, 2023 17:34
Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy cipherboy force-pushed the cipherboy-fix-transit-import-export-hmac-keys branch from b0935e6 to 513eef5 Compare May 31, 2023 17:36
Copy link
Collaborator

@sgmiller sgmiller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@@ -0,0 +1,5 @@
```release-note:bug
secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI - these didn't format properly in the changelog. I think you might need a different backtick section for each bullet. Can you check the docs? Don't fix this file, just for next time.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, thank you! I thought I had seen an example like this, but maybe it was also fixed; perhaps we should fix this one, so that we know its not correct?

https://github.com/hashicorp/vault/blob/main/changelog/README.md doesn't really give any indication of how to format changelog files with multiple impacts, probably worth calling out, tbh.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, the upstream docs do call it out: https://github.com/hashicorp/go-changelog#change-file-formatting :

Sometimes PRs have multiple changelog entries associated with them. In this case, use multiple blocks.

cipherboy added a commit that referenced this pull request Jun 22, 2023
Related: #20903
See also: #20864

Signed-off-by: Alexander Scheel <[email protected]>
cipherboy added a commit that referenced this pull request Jun 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Used to indicate a potential bug secret/transit
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants