Describe the bug
Trying to follow the Build your own certificate Authority tutorial, but with ed25519 keys, vault fails when trying to generate a CSR to cross-sign the intermediate.
To Reproduce
Running the following test script:
#!/bin/bash
# https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine#step-2-generate-intermediate-ca but with ${key_type}
key_type=ed25519
vault secrets disable pki_${key_type}
vault secrets disable pki_int_${key_type}

# Create root CA
vault secrets enable -path pki_${key_type} pki
vault secrets tune -max-lease-ttl=87600h pki_${key_type}
vault write -field=certificate pki_${key_type}/root/generate/internal \
    common_name="example.com" \
    issuer_name="root-2023" \
    key_type=${key_type} \
    ttl=87600h > root_2023_ca.crt
vault write pki_${key_type}/roles/2023-servers allow_any_name=true
vault write pki_${key_type}/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

# Create intermediate CA
vault secrets enable -path=pki_int_${key_type} pki
vault secrets tune -max-lease-ttl=43800h pki_int_${key_type}
vault write -format=json pki_int_${key_type}/intermediate/generate/internal \
    common_name="example.com Intermediate Authority" \
    issuer_name="example-dot-com-intermediate" \
    key_type=${key_type} \
    | jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki_${key_type}/root/sign-intermediate \
    issuer_ref="root-2023" \
    csr=@pki_intermediate.csr \
    format=pem_bundle ttl="43800h" \
    | jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int_${key_type}/intermediate/set-signed certificate=@intermediate.cert.pem

# Rotate root CA
vault write pki_${key_type}/root/rotate/internal \
    common_name="example.com" \
    issuer_name="root-2024" \
    key_type=${key_type}

# Ask for CSR for cross-signing
vault write -format=json pki_int_${key_type}/intermediate/cross-sign \
    common_name="example.com Intermediate Authority" \
    key_ref="$(vault read pki_int_${key_type}/issuer/$(vault read -field=default pki_int_${key_type}/config/issuers) \
        | grep -i key_id | awk '{print $2}')" \
    | jq -r '.data.csr' \
    | tee cross-signed-intermediate.csr
The output of the last command is:
Error writing data to pki_int_ed25519/intermediate/cross-sign: Error making API request.
URL: PUT http://localhost:8202/v1/pki_int_ed25519/intermediate/cross-sign
Code: 400. Errors:
* unsupported public key: ed25519.PublicKey{0x65, 0xc6, 0x8b, 0x33, 0x9, 0x5d, 0xbc, 0x6b, 0x20, 0x9e, 0x63, 0x3, 0xc8, 0xd, 0xa8, 0x10, 0x92, 0x48, 0x62, 0xa8, 0xbb, 0x3a, 0x4f, 0x49, 0x57, 0xae, 0xc2, 0x67, 0x5a, 0x8c, 0x20, 0xa3}
Expected behavior
Expected a CSR to be generated.
Environment:
- Vault Server Version (retrieve with vault status): 1.15.5, 1.16.0-rc3
- Vault CLI Version (retrieve with vault version): 1.15.6
- Server Operating System/Architecture: Docker/Linux
Vault server configuration file(s):
ui = true
listener "tcp" {
    address = "0.0.0.0:8202"
    tls_disable = 1
}
storage "file" {
    path = "/vault/file"
}
api_addr = "http://127.0.0.1:8202"
disable_mlock = "true"
log_level = "Trace"
Am I wrong in expecting this to work? Perhaps there's something about ed25519 that makes it not work, but that seems unlikely.
Very confusing: when I try to follow the code path, the error message seems to originate from getKeyTypeAndBitsFromPublicKeyForRole, but that function does seem to support ed25519.PublicKey.
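The error text reads like a Go type switch that did not match the key. As an added illustration (not Vault's code, and not the function named above), the following Go program builds and verifies a CSR for a fresh ed25519 key, the step cross-sign fails at, and then classifies the CSR's public key into Vault's key_type names; the key_type names and the hypothetical keyTypeAndBits helper are assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// keyTypeAndBits maps a public key to Vault's key_type names (illustrative, not Vault's code).
func keyTypeAndBits(pub crypto.PublicKey) (string, int, error) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return "rsa", k.N.BitLen(), nil
	case ed25519.PublicKey: // a []byte value type: an arm written as *ed25519.PublicKey never matches
		return "ed25519", len(k) * 8, nil
	default:
		return "", 0, fmt.Errorf("unsupported public key: %#v", pub)
	}
}

// ed25519CSR builds a CSR for a fresh ed25519 key (as intermediate/cross-sign must),
// parses it back, verifies its self-signature and classifies the embedded key.
func ed25519CSR(cn string) (string, int, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", 0, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return "", 0, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", 0, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", 0, err
	}
	return keyTypeAndBits(csr.PublicKey)
}

func main() {
	fmt.Println(ed25519CSR("example.com Intermediate Authority")) // ed25519 256 <nil>
}
```

The default arm prints the key with %#v, which is exactly the `ed25519.PublicKey{0x65, ...}` shape seen in the error above, so a missing or pointer-typed ed25519 arm would produce that message.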