vault icon indicating copy to clipboard operation
vault copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

builtin/transit add pss_salt_length parameter

Open monomosc opened this issue 2 years ago • 4 comments

This change adds the ability to pass a Paramter of type integer called pss_salt_length which defaults to 0. This parameter gets passed to golangs crypto/rsa SignPSS(.., *rsa.PSSOptions). The value 0 is also the "special" value PSSSaltLengthAuto, equivalent to current vault default.

I have not run Integration tests as I was very scared of "incurring real costs" :).

Also, running all unit tests has been difficult as I do not have access to Docker on my Development Machine. I have however run all the builtin/transit unittests including my newly written RSA test)

We are currently very close to getting internal processes ready to sign a CLA. (Organization being https://github.com/datev)

https://support.hashicorp.com Ticket number: 77957

monomosc avatar Jul 06 '22 11:07 monomosc

CLA assistant check
All committers have signed the CLA.

hashicorp-cla avatar Jul 06 '22 11:07 hashicorp-cla

I am unsure, as the CLA requires me to affirm that I am "legally entitled to grant the above license". I am not certain of that, but have been able to find someone in my company who is. Can your CLA be signed by a representative for an entire organization?

monomosc avatar Jul 06 '22 11:07 monomosc

A few technical points though:

  • currently, passing a large salt value causes some kind of server error, as golangs crypto/rsa just returns an errors.New("..") and I was unwilling to add a specific check for a specific string to return a better user-facing error
  • Verifying tries to auto-detect salt length using some heuristics. This is, in my opinion, a possible issue in golang crypto/rsa. It is up to you if you want to trust they have audited this logic

monomosc avatar Jul 06 '22 11:07 monomosc

I am unsure, as the CLA requires me to affirm that I am "legally entitled to grant the above license". I am not certain of that, but have been able to find someone in my company who is. Can your CLA be signed by a representative for an entire organization?

Yes, we do have a corporate CLA available for organizations. That CLA would include a list of the member's organization, with GitHub handles, who are covered under that CLA. If that needs to be updated, please work with your organization to get that updated with the HashiCorp legal team. Thanks! :)

heatherezell avatar Jul 19 '22 18:07 heatherezell

This is now duplicated :/ I have managed to sign the CLA now though:

https://github.com/hashicorp/vault/pull/16549

monomosc avatar Aug 05 '22 07:08 monomosc

This is now duplicated :/ I have managed to sign the CLA now though:

#16549

Hi @monomosc, thanks for your contribution to Vault! Yes, I'd begun the process of reviewing the duplicated PR since the CLA had not been signed at that time. It's really unfortunate but I'll be continuing reviewing the other PR for now.

stevendpclark avatar Aug 08 '22 13:08 stevendpclark

It's really unfortunate but I'll be continuing reviewing the other PR for now.

That is OK by me. I'll close this one then.

monomosc avatar Aug 10 '22 14:08 monomosc