
Some *privateKeyPem outputs contain hashes, not PEM data

Open nhinds opened this issue 5 years ago • 0 comments

The SelfSignedCert.privateKeyPem and CertRequest.privateKeyPem outputs are both documented as:

PEM-encoded private key that the certificate will belong to

Similarly, the LocallySignedCert.caPrivateKeyPem output is documented as:

PEM-encoded private key data for the CA.

However, all 3 of these outputs really contain some kind of hash of the private key input, rather than the private key itself. This is consistent with the upstream Terraform documentation for e.g. tls_self_signed_cert:

Only an irreversible secure hash of the private key will be stored in the Terraform state.

I understand that the Pulumi docs are generated from the Terraform docs, but is there any way to override the documentation for these 3 fields to explain that the fields really contain a hash of the private key? Or to rename the fields privateKeyHash / caPrivateKeyHash, since they don't contain any PEM data?

Reproduction:

import * as pulumi from "@pulumi/pulumi";
import * as tls from "@pulumi/tls";

// CA key plus a self-signed CA certificate. key.privateKeyPem is the real key;
// selfSignedCert.privateKeyPem is the output this issue is about.
const key = new tls.PrivateKey("key", { algorithm: "ECDSA" });
const selfSignedCert = new tls.SelfSignedCert("crt", {
  isCaCertificate: true,
  subjects: [ { commonName: "crt", }, ],
  keyAlgorithm: "ECDSA",
  allowedUses: [ "cert_signing", "crl_signing", ],
  privateKeyPem: key.privateKeyPem,
  validityPeriodHours: 365 * 24,
});
export const keyPrivateKeyPem = key.privateKeyPem;              // PEM private key
export const selfSignedCertPrivateKeyPem = selfSignedCert.privateKeyPem; // hash, see Outputs below

// Second key, a CSR for it, and a certificate signed by the CA above.
// certRequest.privateKeyPem and locallySignedCert.caPrivateKeyPem are the other two outputs in question.
const key2 = new tls.PrivateKey("key2", { algorithm: "ECDSA" });
const certRequest = new tls.CertRequest("certRequest", {
  keyAlgorithm: "ECDSA",
  privateKeyPem: key2.privateKeyPem,
  subjects: [ { commonName: "locally-signed", }, ],
});
const locallySignedCert = new tls.LocallySignedCert("crt", {
  certRequestPem: certRequest.certRequestPem,
  caCertPem: selfSignedCert.certPem,
  caPrivateKeyPem: key.privateKeyPem,
  caKeyAlgorithm: "ECDSA",
  allowedUses: [ "cert_signing", "crl_signing", ],
  validityPeriodHours: 365 * 24,
});
export const key2PrivateKeyPem = key2.privateKeyPem;            // PEM private key
export const certRequestPrivateKeyPem = certRequest.privateKeyPem;          // hash
export const locallySignedCertCaPrivateKeyPem = locallySignedCert.caPrivateKeyPem; // hash (same value as selfSignedCertPrivateKeyPem, since both derive from key)

After pulumi up, the outputs show that while the 2 PrivateKey.privateKeyPem outputs return a PEM-encoded certificate, the other 3 return hashes:

Outputs:
    certRequestPrivateKeyPem        : "ba4b0e4e58590c12c7fa53f0fd6e085c6229e8fa"
    key2PrivateKeyPem               : "-----BEGIN EC PRIVATE KEY-----\nMGgCAQEEHMe6jwbDrXN+jQVaqAtBtHFRRclv3oFC3tNAW5CgBwYFK4EEACGhPAM6\nAAQLPMFTzVj0eTL6sUywk9mw9qYjpwhadUCd/j8armzU6N2VooZVbwlxAhcEXPPs\nHVmyQpmKKfR23Q==\n-----END EC PRIVATE KEY-----\n"
    keyPrivateKeyPem                : "-----BEGIN EC PRIVATE KEY-----\nMGgCAQEEHNl5/fpQ9Xd4XNfuhUx2yt4KSG+G1jlpovXgJIOgBwYFK4EEACGhPAM6\nAAR8n8CchzPI4f0zmlBi2TetfrkAofDiWkJ/GKa1FWFiMNH5W2bnmKW3mEiWq5Et\n8ueSgNzLsXDqYw==\n-----END EC PRIVATE KEY-----\n"
    locallySignedCertCaPrivateKeyPem: "61b5f689025d58c0aa9d5fecc8ab5154f54ecfbc"
    selfSignedCertPrivateKeyPem     : "61b5f689025d58c0aa9d5fecc8ab5154f54ecfbc"

nhinds, Feb 24 '20 00:02
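The practical risk behind this report is wiring `selfSignedCert.privateKeyPem` (or `certRequest.privateKeyPem`, `locallySignedCert.caPrivateKeyPem`) into something that expects a key, such as a TLS listener or a secret store, and only finding out at runtime that it received a 40-character hex string. The following is an added example, not code from the issue or from pulumi-tls: it classifies a value as a PEM private key or a hex digest, guards a value before it is used as a key, and checks whether a digest equals the hash of a given PEM. The hashing it checks against (hex SHA-1 of the whitespace-trimmed PEM) is an assumption suggested by the 40-hex-digit outputs above; the page itself only says "some kind of hash". The P-256 key is generated inline so the example runs offline, and the PEM and digest copied from the report are the throwaway values shown in the Outputs block.

```typescript
import * as crypto from "crypto";

type OutputKind = "pem-private-key" | "hex-digest" | "unknown";

// 40 hex characters is the length of a SHA-1 digest (assumed upstream hash; not stated on the page).
const HEX_DIGEST = /^[0-9a-f]{40}$/;
// Covers "PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
const PEM_PRIVATE_KEY = /^-----BEGIN [A-Z ]*PRIVATE KEY-----\r?\n[\s\S]+-----END [A-Z ]*PRIVATE KEY-----\r?\n?$/;

// Values copied from the issue's Outputs block (throwaway demo key, not a live secret).
const ISSUE_KEY_PEM =
  "-----BEGIN EC PRIVATE KEY-----\nMGgCAQEEHNl5/fpQ9Xd4XNfuhUx2yt4KSG+G1jlpovXgJIOgBwYFK4EEACGhPAM6\nAAR8n8CchzPI4f0zmlBi2TetfrkAofDiWkJ/GKa1FWFiMNH5W2bnmKW3mEiWq5Et\n8ueSgNzLsXDqYw==\n-----END EC PRIVATE KEY-----\n";
const ISSUE_REPORTED_DIGEST = "61b5f689025d58c0aa9d5fecc8ab5154f54ecfbc";

// What does a *privateKeyPem output actually hold?
function classify(value: string): OutputKind {
  if (PEM_PRIVATE_KEY.test(value)) return "pem-private-key";
  if (HEX_DIGEST.test(value)) return "hex-digest";
  return "unknown";
}

// Assumed upstream scheme: hex(SHA-1(trimmed PEM)). Verify, do not trust.
function hexSha1OfPem(pem: string): string {
  return crypto.createHash("sha1").update(pem.trim()).digest("hex");
}

function digestMatchesPem(digest: string, pem: string): boolean {
  return digest.toLowerCase() === hexSha1OfPem(pem);
}

// Call this before handing an output to anything that needs a real key.
// Rejects hashes and anything OpenSSL cannot parse as a private key.
function requirePrivateKeyPem(value: string, label: string): string {
  const kind = classify(value);
  if (kind !== "pem-private-key") {
    throw new Error(`${label}: expected a PEM private key, got ${kind}`);
  }
  crypto.createPrivateKey({ key: value, format: "pem" }); // throws on garbage
  return value;
}

// Does the assumed scheme reproduce the digest reported in the issue?
function issueDigestMatches(): boolean {
  return digestMatchesPem(ISSUE_REPORTED_DIGEST, ISSUE_KEY_PEM);
}

// Constructed demo: a fresh P-256 key stands in for tls.PrivateKey's privateKeyPem,
// and its SHA-1 placeholder stands in for what the certificate resources expose.
function demonstrate(): { privateKey: string; placeholder: string; kinds: OutputKind[]; matches: boolean } {
  const { privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "sec1", format: "pem" },
  });
  const placeholder = hexSha1OfPem(privateKey);
  return {
    privateKey,
    placeholder,
    kinds: [classify(privateKey), classify(placeholder)],
    matches: digestMatchesPem(placeholder, privateKey),
  };
}

const result = demonstrate();
console.log("kinds:", result.kinds, "digest matches own key:", result.matches);
console.log("issue digest reproduced by hex(SHA-1(trim(pem))):", issueDigestMatches());
```

In a Pulumi program the guard would sit in an `apply`, for example `key.privateKeyPem.apply(v => requirePrivateKeyPem(v, "key"))`, so that a hash mistakenly routed from a certificate resource fails the update instead of reaching a listener. Whether `issueDigestMatches()` prints `true` tells you whether the assumed hashing scheme is the one the provider actually used for the values in this report.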