hvac
Allow configuring the possible salt lengths for RSA PSS signatures
The Golang crypto/rsa package allows for using at least two possible salt lengths (auto and hash for want better terminology) when creating/verifying RSA PSS signatures. However, these options are currently not exposed via the Vault Transit Secrets Engine and, hence, HVAC. These options would allow for cross-platform signature verification without modifying downstream clients (e.g., the https://github.com/secure-systems-lab/securesystemslib/pull/262 package, used by the python-tuf and python-in-toto supply chain security frameworks, which currently assumes a different salt length by default than Vault does).
This PR is related to Vault PR https://github.com/hashicorp/vault/pull/16549. Assuming that that PR is merged, this PR would update HVAC correspondingly.
Codecov Report
Merging #846 (2edcfbb) into develop (ad6b5d9) will decrease coverage by
0.39%. The diff coverage is100.00%.
:exclamation: Current head 2edcfbb differs from pull request most recent head 5145d79. Consider uploading reports for the commit 5145d79 to get more accurate results
@@ Coverage Diff @@
## develop #846 +/- ##
===========================================
- Coverage 77.91% 77.51% -0.40%
===========================================
Files 64 64
Lines 3600 3536 -64
===========================================
- Hits 2805 2741 -64
Misses 795 795
| Impacted Files | Coverage Δ | |
|---|---|---|
| hvac/api/secrets_engines/transit.py | 90.78% <100.00%> (+0.40%) |
:arrow_up: |
| hvac/constants/transit.py | 100.00% <100.00%> (ø) |
|
| hvac/v1/__init__.py | 54.77% <0.00%> (-3.33%) |
:arrow_down: |
| hvac/api/vault_api_category.py | 94.44% <0.00%> (-0.68%) |
:arrow_down: |
| hvac/adapters.py | 86.00% <0.00%> (-0.28%) |
:arrow_down: |
| hvac/utils.py | 78.89% <0.00%> (-0.20%) |
:arrow_down: |
| hvac/api/secrets_engines/identity.py | 93.98% <0.00%> (-0.03%) |
:arrow_down: |
| hvac/api/secrets_engines/kv.py | 100.00% <0.00%> (ø) |
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hi @trishankatdatadog thank you for this contribution adding support for a new feature you've added to Vault!
I noticed you have some commits where you modified the CI jobs and then effectively reverted the changes in successive commits.
If you don't mind, to keep our git history a little cleaner, do you mind rebasing and cleaning the git commits on your feature branch? I would be happy to review the changes once this is done.
If you don't mind, to keep our git history a little cleaner, do you mind rebasing and cleaning the git commits on your feature branch? I would be happy to review the changes once this is done.
In the interest of time, is it ok to just squash it all into one commit and force-push?
In the interest of time, is it ok to just squash it all into one commit and force-push?
Yes, I think that would be fine.
@trishankatdatadog I've reviewed the changes and the code looks good to me, I just have a few questions.
Looking at the Vault repo, this PR adds support for a Vault feature that is unreleased, correct? I'm not 100% sure how Vault reacts to unsupported parameters. Will this change be backwards compatible with older versions of Vault?
@trishankatdatadog I've reviewed the changes and the code looks good to me, I just have a few questions.
Looking at the Vault repo, this PR adds support for a Vault feature that is unreleased, correct? I'm not 100% sure how Vault reacts to unsupported parameters. Will this change be backwards compatible with older versions of Vault?
I don't know, TBH. Don't the unit tests test for this right now? They seem to be testing against rather old versions of Vault Enterprise.