Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix transit panic with invalid PEM #22753

Merged
merged 3 commits into from
Sep 5, 2023
Merged

Fix transit panic with invalid PEM #22753

merged 3 commits into from
Sep 5, 2023

Conversation

cipherboy
Copy link
Contributor

When an invalid (non-PEM) public key is given to Transit's import, this fails with a panic in server logs:

2023-09-05T08:11:11.526-0400 [INFO]  http: panic serving 127.0.0.1:42414: runtime error: invalid memory address or nil pointer dereference
goroutine 950 [running]:
net/http.(*conn).serve.func1()
    /usr/local/go/src/net/http/server.go:1868 +0xb9
panic({0x8371620?, 0x1050b390?})
    /usr/local/go/src/runtime/panic.go:920 +0x270
github.com/hashicorp/vault/sdk/helper/keysutil.(*Policy).ImportPublicOrPrivate(0xc003fff440, {0xaf02918, 0xc004509920}, {0xaf03670, 0xc0032e4180}, {0xc004532ea0, 0x188, 0x1a0}, 0x0, {0xae7f5e0, ...})
    /home/cipherboy/GitHub/cipherboy/vault/sdk/helper/keysutil/policy.go:1538 +0x687
github.com/hashicorp/vault/sdk/helper/keysutil.(*LockManager).ImportPolicy(0xc001a29410, {0xaf02918, 0xc004509920}, {{0xaf03670, 0xc0032e4180}, {0xc003eb5ab5, 0xb}, 0x3, 0x0, 0x0, ...}, ...)
    /home/cipherboy/GitHub/cipherboy/vault/sdk/helper/keysutil/lock_manager.go:517 +0x38a

This is unfortunate and doesn't reveal the cause of the failure: input was not provided in PEM format, per docs.

@cipherboy
Fix transit panic with invalid PEM
f65ac46 
When an invalid (non-PEM) public key is given to Transit's import, this
fails with a panic in server logs:

    2023-09-05T08:11:11.526-0400 [INFO]  http: panic serving 127.0.0.1:42414: runtime error: invalid memory address or nil pointer dereference
    goroutine 950 [running]:
    net/http.(*conn).serve.func1()
	    /usr/local/go/src/net/http/server.go:1868 +0xb9
    panic({0x8371620?, 0x1050b390?})
	    /usr/local/go/src/runtime/panic.go:920 +0x270
    github.com/hashicorp/vault/sdk/helper/keysutil.(*Policy).ImportPublicOrPrivate(0xc003fff440, {0xaf02918, 0xc004509920}, {0xaf03670, 0xc0032e4180}, {0xc004532ea0, 0x188, 0x1a0}, 0x0, {0xae7f5e0, ...})
	    /home/cipherboy/GitHub/cipherboy/vault/sdk/helper/keysutil/policy.go:1538 +0x687
    github.com/hashicorp/vault/sdk/helper/keysutil.(*LockManager).ImportPolicy(0xc001a29410, {0xaf02918, 0xc004509920}, {{0xaf03670, 0xc0032e4180}, {0xc003eb5ab5, 0xb}, 0x3, 0x0, 0x0, ...}, ...)
	    /home/cipherboy/GitHub/cipherboy/vault/sdk/helper/keysutil/lock_manager.go:517 +0x38a

This is unfortunate and doesn't reveal the cause of the failure: input
was not provided in PEM format, per docs.

Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy
Fix additional PEM decode without error check
e3d0f55 
Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy cipherboy added bug Used to indicate a potential bug secret/transit backport/1.14.x labels Sep 5, 2023
@cipherboy cipherboy added this to the 1.14.3 milestone Sep 5, 2023
@cipherboy cipherboy requested a review from a team as a code owner September 5, 2023 12:43
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Sep 5, 2023
@github-actions
Copy link

github-actions bot commented Sep 5, 2023

Build Results:
All builds succeeded! ✅

@stevendpclark
Copy link
Contributor

This should probably have a changelog associated with it?

@github-actions
Copy link

github-actions bot commented Sep 5, 2023
edited
Loading

CI Results:
All Go tests succeeded! ✅

@stevendpclark stevendpclark mentioned this pull request Sep 5, 2023
Merged
@cipherboy
Add changelog entry
4d9d229 
Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy cipherboy enabled auto-merge (squash) September 5, 2023 13:36
kitography
kitography approved these changes Sep 5, 2023
View reviewed changes
Copy link
Contributor

@kitography kitography left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks Great!

@cipherboy cipherboy merged commit f150a52 into main Sep 5, 2023
@cipherboy cipherboy deleted the cipherboy-fix-panic-transit-with-invalid-pem branch September 5, 2023 14:32
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendpclark stevendpclark stevendpclark approved these changes

@kitography kitography kitography approved these changes

Assignees
No one assigned
Labels
bug Used to indicate a potential bug hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed secret/transit
Projects
None yet
Milestone
1.14.3
Development

Successfully merging this pull request may close these issues.
3 participants
@cipherboy @stevendpclark @kitography