diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 2ee3b1422f0f3..5d3373855f440 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go @@ -4805,6 +4805,35 @@ func TestSealWrappedStorageConfigured(t *testing.T) { require.Contains(t, wrappedEntries, "config/key/", "key prefix with trailing / missing from seal wrap.") } +func TestBackend_ConfigCA_WithECParams(t *testing.T) { + t.Parallel() + b, s := createBackendWithStorage(t) + + // Generated key with OpenSSL: + // $ openssl ecparam -out p256.key -name prime256v1 -genkey + // + // Regression test for https://github.com/hashicorp/vault/issues/16667 + resp, err := CBWrite(b, s, "config/ca", map[string]interface{}{ + "pem_bundle": ` +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEINzXthCZdhyV7+wIEBl/ty+ctNsUS99ykTeax6EbYZtvoAoGCCqGSM49 +AwEHoUQDQgAE57NX8bR/nDoW8yRgLswoXBQcjHrdyfuHS0gPwki6BNnfunUzryVb +8f22/JWj6fsEF6AOADZlrswKIbR2Es9e/w== +-----END EC PRIVATE KEY----- + `, + }) + require.NoError(t, err) + require.NotNil(t, resp, "expected ca info") + importedKeys := resp.Data["imported_keys"].([]string) + importedIssuers := resp.Data["imported_issuers"].([]string) + + require.Equal(t, len(importedKeys), 1) + require.Equal(t, len(importedIssuers), 0) +} + var ( initTest sync.Once rsaCAKey string diff --git a/builtin/logical/pki/path_manage_issuers.go b/builtin/logical/pki/path_manage_issuers.go index 14f5f9a28e7f3..32fc3374e4039 100644 --- a/builtin/logical/pki/path_manage_issuers.go +++ b/builtin/logical/pki/path_manage_issuers.go @@ -191,6 +191,12 @@ func (b *backend) pathImportIssuers(ctx context.Context, req *logical.Request, d issuers = append(issuers, pemBlockString) case "CRL", "X509 CRL": // Ignore any CRL entries. + case "EC PARAMS", "EC PARAMETERS": + // Ignore any EC parameter entries. This is an optional block + // that some implementations send, to ensure some semblance of + // compatibility with weird curves. Go doesn't support custom + // curves and 99% of software doesn't either, so discard them + // without parsing them. default: // Otherwise, treat them as keys. keys = append(keys, pemBlockString) diff --git a/changelog/16721.txt b/changelog/16721.txt new file mode 100644 index 0000000000000..84e0ffa92ab67 --- /dev/null +++ b/changelog/16721.txt @@ -0,0 +1,3 @@ +```release-note:bug +secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) +```