Encrypt/Decrypt/Sign/Verify using RSA in Transit backend #3489
This looks really good! No comments.
} | ||
} | ||
|
||
return "", fmt.Errorf("unknown key type %v", policy.Type) | ||
} | ||
|
||
func encodeRSAPrivateKey(key *rsa.PrivateKey) string { |
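Review bot: encodeRSAPrivateKey at the end of this hunk carries no doc comment stating which encoding it produces, and the PEM block type is only right for one of them: PKCS#1 bytes belong under "RSA PRIVATE KEY", while PKCS#8 bytes belong under "PRIVATE KEY" because the algorithm is already encoded in the DER (the review thread on this PR makes the same point). Suggest adding a comment such as `// encodeRSAPrivateKey returns key PEM-encoded in PKCS#1 form (block type "RSA PRIVATE KEY").` so the header is not reused unchanged when PKCS#8 output is added later.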
IIUC this actually depends on the format. For PKCS1 yes, but PKCS8 I believe should just be PRIVATE KEY because the type is encoded into the binary block. Might be worth mentioning that in the comment for the future as Go 1.10 will have PKCS8 encoding support and we will be adding it to PKI in this release.
builtin/logical/transit/path_keys.go
} | ||
// Not making the header 'RSA PUBLIC KEY' since the format is | ||
// of generic public key and not specifically of RSA. If its | ||
// 'RSA PUBLIC KEY', 'openssl' complains. |
Just PUBLIC KEY is correct since openssl (and x509) use PKIX and the type is encoded into the marshaled bytes. Can remove this comment!
For reviewers, script used to test is here: https://gist.github.com/vishalnayak/4bd3b7d9eb28956d1517e8a49b1c47c4