hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

ED25519 Public Key Format #25141

Open SchulzeStTSI opened 10 months ago

SchulzeStTSI commented 10 months ago

Describe the bug

When retrieving the public key of an ed25519 key pair from the transit API, the key is formatted in a strange encoding. After checking it, I found out that the key is simply a base64 encoding of ed25519.PublicKey, which is the internal Go type representation.

To Reproduce

Generate an ed25519 keypair and use the private one to extract the public:

```go
p := key.Public().(ed25519.PublicKey)
b := base64.StdEncoding.EncodeToString(p)
```

Output is a base64 string which is not a PEM or anything else "usable" by openssl. Something like this:

```
DixHOIHXtDW0l6DHE2qGCRCfC/XjS5CHxHS+sEUICH0=
```

Expected behavior

Convert the key into a PEM format/standard encoding so that it matches the other key pair types in format (they all use pub keys in PEM format), to have this format:

```
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA8eIBpK/74foJBEzRn2kCImhWyVnOcqV5aX1L8DSHyxA=
-----END PUBLIC KEY-----
```

This is then readable by openssl.

```go
// Marshal the public key as SubjectPublicKeyInfo DER, then wrap it in a PEM block.
bytes, err := x509.MarshalPKIXPublicKey(key.PublicKey())
if err != nil {
	return nil, err
}

pemBlock := &pem.Block{
	Type:  "PUBLIC KEY",
	Bytes: bytes,
}

pubkey_bytes := pem.EncodeToMemory(pemBlock)
```
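An added example (not code from the Vault project or the reporter) showing the conversion the report asks for, applied client-side to the raw base64 string the transit export currently returns: the 32 raw bytes are wrapped in the PKIX SubjectPublicKeyInfo structure and PEM-encoded, and the reverse parser is strict so the raw form is rejected the same way openssl rejects it. The sample key is the string quoted in the report; `RawEd25519ToPEM` and `ParseEd25519PEM` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// rawTransitKey is the raw base64 ed25519 public key quoted in the report.
const rawTransitKey = "DixHOIHXtDW0l6DHE2qGCRCfC/XjS5CHxHS+sEUICH0="

// RawEd25519ToPEM turns the raw base64 form into the PKIX "PUBLIC KEY" PEM
// that the other transit key types already export and that openssl accepts.
func RawEd25519ToPEM(raw string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	if len(b) != ed25519.PublicKeySize {
		return "", fmt.Errorf("expected %d raw bytes, got %d", ed25519.PublicKeySize, len(b))
	}
	der, err := x509.MarshalPKIXPublicKey(ed25519.PublicKey(b))
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// ParseEd25519PEM accepts only the PKIX PEM form; a bare base64 string has
// no "-----BEGIN PUBLIC KEY-----" line and is rejected, as with openssl.
func ParseEd25519PEM(pemText string) (ed25519.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ed, ok := pub.(ed25519.PublicKey)
	if !ok {
		return nil, fmt.Errorf("not an ed25519 key: %T", pub)
	}
	return ed, nil
}
```

Because the 12-byte Ed25519 SPKI header is a multiple of three bytes, the PEM body is simply `MCowBQYDK2VwAyEA` followed by the original raw base64 string.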
stevendpclark commented 9 months ago

Thanks for the report @SchulzeStTSI. Easy to reproduce.

```
❯ vault write transit/keys/test type=ed25519
...
❯ vault read -format=json -field=keys transit/export/public-key/test/1 | jq -r '."1"' | openssl pkey -pubin -in - -text
unable to load Public Key
140704661346240:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: PUBLIC KEY
```

As confirmation, this works with the other types:

```
❯ vault write transit/keys/test-rsa type=rsa-2048
...
❯ vault read -format=json -field=keys transit/export/public-key/test-rsa/1 | jq -r '."1"' | openssl pkey -pubin -in - -text
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArdz+B1qr5UsjeHT/tYvG
l3ljIMPxI/FfiFGtTMrACDEMq+v7EGeahrzivraFaF1r5PUXLz5rQCP9d3+hlx2/
hv7qt9rxUTY/MtxtaeHekrH4kEvhTfe55r/AQ7dwsw5AWYuKqRlSZgyrFiMMTeVe
yXGQNaY76p2/AFLQsESK9YCE2ly9Epp2TEUVJZLk+CosXgBtkKf6/2BzddVblX4Z
Sa19pPxnqFHMQ8SGhXW47PH0PzVlCLJpGaeJnonUwXlmH7ba/or31Wn7ZonjlqsF
haCK8UVsbMExpQBKewsJRRrHuVsSXYRRTrekQP6d56M9Gcs2LXaCTZ8t9xRMZ8EU
jQIDAQAB
-----END PUBLIC KEY-----
RSA Public-Key: (2048 bit)
Modulus:
    00:ad:dc:fe:07:5a:ab:e5:4b:23:78:74:ff:b5:8b:
    c6:97:79:63:20:c3:f1:23:f1:5f:88:51:ad:4c:ca:
    c0:08:31:0c:ab:eb:fb:10:67:9a:86:bc:e2:be:b6:
    85:68:5d:6b:e4:f5:17:2f:3e:6b:40:23:fd:77:7f:
    a1:97:1d:bf:86:fe:ea:b7:da:f1:51:36:3f:32:dc:
    6d:69:e1:de:92:b1:f8:90:4b:e1:4d:f7:b9:e6:bf:
    c0:43:b7:70:b3:0e:40:59:8b:8a:a9:19:52:66:0c:
    ab:16:23:0c:4d:e5:5e:c9:71:90:35:a6:3b:ea:9d:
    bf:00:52:d0:b0:44:8a:f5:80:84:da:5c:bd:12:9a:
    76:4c:45:15:25:92:e4:f8:2a:2c:5e:00:6d:90:a7:
    fa:ff:60:73:75:d5:5b:95:7e:19:49:ad:7d:a4:fc:
    67:a8:51:cc:43:c4:86:85:75:b8:ec:f1:f4:3f:35:
    65:08:b2:69:19:a7:89:9e:89:d4:c1:79:66:1f:b6:
    da:fe:8a:f7:d5:69:fb:66:89:e3:96:ab:05:85:a0:
    8a:f1:45:6c:6c:c1:31:a5:00:4a:7b:0b:09:45:1a:
    c7:b9:5b:12:5d:84:51:4e:b7:a4:40:fe:9d:e7:a3:
    3d:19:cb:36:2d:76:82:4d:9f:2d:f7:14:4c:67:c1:
    14:8d
Exponent: 65537 (0x10001)
```
mju commented 7 months ago

Out of my curiosity, how does Vault collaborate with openbao? I saw that this has been fixed in openbao with a PR, but this ticket stays open for vault. Do open-source contributors now work off of openbao's codebase, with the code ported to vault by someone from time to time?

solutiongeek commented 6 months ago

Hello, we continue to welcome and encourage community contributions. We are currently reviewing this issue and deciding on the best architectural choice for our users. Please stay tuned. Thank you.