

Merge pull request #468 from smallstep/mariano/aws-rsa384
Add missing signature algorithms for awskms
maraino committed Mar 27, 2024
2 parents cfab90e + cc6a200 commit fc1dd7b
Showing 3 changed files with 22 additions and 1 deletion.
12 changes: 12 additions & 0 deletions kms/awskms/awskms.go
Expand Up @@ -46,6 +46,12 @@ var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
3072: types.KeySpecRsa3072,
4096: types.KeySpecRsa4096,
},
apiv1.SHA384WithRSA: map[int]types.KeySpec{
0: types.KeySpecRsa3072,
2048: types.KeySpecRsa2048,
3072: types.KeySpecRsa3072,
4096: types.KeySpecRsa4096,
},
apiv1.SHA512WithRSA: map[int]types.KeySpec{
0: types.KeySpecRsa3072,
2048: types.KeySpecRsa2048,
Expand All @@ -58,6 +64,12 @@ var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
3072: types.KeySpecRsa3072,
4096: types.KeySpecRsa4096,
},
apiv1.SHA384WithRSAPSS: map[int]types.KeySpec{
0: types.KeySpecRsa3072,
2048: types.KeySpecRsa2048,
3072: types.KeySpecRsa3072,
4096: types.KeySpecRsa4096,
},
apiv1.SHA512WithRSAPSS: map[int]types.KeySpec{
0: types.KeySpecRsa3072,
2048: types.KeySpecRsa2048,
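Review bot: The two new entries at `apiv1.SHA384WithRSA:` and `apiv1.SHA384WithRSAPSS:` repeat the same four-entry `map[int]types.KeySpec` literal that the neighbouring SHA512 entries already carry, so each RSA algorithm now owns its own copy of one table and a future change to the default or the size list has to be made in several places. A single package-level map referenced from every RSA key would keep that in one place, e.g. `var rsaKeySpecs = map[int]types.KeySpec{0: types.KeySpecRsa3072, 2048: types.KeySpecRsa2048, 3072: types.KeySpecRsa3072, 4096: types.KeySpecRsa4096}` and then `apiv1.SHA384WithRSA: rsaKeySpecs,`; this presumes the SHA256 entries, whose `0:` row lies outside the hunk, use the same 3072 default. Independently of that, a one-line comment on the `0:` rows stating that a requested size of 0 selects the 3072-bit key would help readers of this table. The `customerMasterKeySpecMapping` declaration begins before the hunk.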
8 changes: 8 additions & 0 deletions kms/awskms/awskms_test.go
Expand Up @@ -371,6 +371,10 @@ func Test_getCustomerMasterKeySpecMapping(t *testing.T) {
{"SHA256WithRSA+2048", args{apiv1.SHA256WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA256WithRSA+3072", args{apiv1.SHA256WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
{"SHA256WithRSA+4096", args{apiv1.SHA256WithRSA, 4096}, types.KeySpecRsa4096, assert.NoError},
{"SHA384WithRSA", args{apiv1.SHA384WithRSA, 0}, types.KeySpecRsa3072, assert.NoError},
{"SHA384WithRSA+2048", args{apiv1.SHA384WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA384WithRSA+3072", args{apiv1.SHA384WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
{"SHA384WithRSA+4096", args{apiv1.SHA384WithRSA, 4096}, types.KeySpecRsa4096, assert.NoError},
{"SHA512WithRSA", args{apiv1.SHA512WithRSA, 0}, types.KeySpecRsa3072, assert.NoError},
{"SHA512WithRSA+2048", args{apiv1.SHA512WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA512WithRSA+3072", args{apiv1.SHA512WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
Expand All @@ -379,6 +383,10 @@ func Test_getCustomerMasterKeySpecMapping(t *testing.T) {
{"SHA256WithRSAPSS+2048", args{apiv1.SHA256WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA256WithRSAPSS+3072", args{apiv1.SHA256WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},
{"SHA256WithRSAPSS+4096", args{apiv1.SHA256WithRSAPSS, 4096}, types.KeySpecRsa4096, assert.NoError},
{"SHA384WithRSAPSS", args{apiv1.SHA384WithRSAPSS, 0}, types.KeySpecRsa3072, assert.NoError},
{"SHA384WithRSAPSS+2048", args{apiv1.SHA384WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA384WithRSAPSS+3072", args{apiv1.SHA384WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},
{"SHA384WithRSAPSS+4096", args{apiv1.SHA384WithRSAPSS, 4096}, types.KeySpecRsa4096, assert.NoError},
{"SHA512WithRSAPSS", args{apiv1.SHA512WithRSAPSS, 0}, types.KeySpecRsa3072, assert.NoError},
{"SHA512WithRSAPSS+2048", args{apiv1.SHA512WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA512WithRSAPSS+3072", args{apiv1.SHA512WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},
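Review bot: The eight new rows exercise only the success path for the SHA384 algorithms; there is no row with a size the mapping does not list, so a mapping that silently accepted an unsupported size for the new keys would not be caught here. If the table does not already hold such a case for the other RSA algorithms outside this hunk, a row like `{"SHA384WithRSA+1024", args{apiv1.SHA384WithRSA, 1024}, "", assert.Error}` and its PSS counterpart would pin the rejection of unlisted sizes alongside the accepted ones. The `Test_getCustomerMasterKeySpecMapping` table starts before the hunk and continues after it.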
3 changes: 2 additions & 1 deletion kms/mackms/mackms.go
Expand Up @@ -402,7 +402,7 @@ func (k *MacKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([

cert, err := loadCertificate(u.label, u.serialNumber, nil)
if err != nil {
return nil, fmt.Errorf("mackms LoadCertificateChain failed1: %w", apiv1Error(err))
return nil, fmt.Errorf("mackms LoadCertificateChain failed: %w", apiv1Error(err))
}

chain := []*x509.Certificate{cert}
Expand All @@ -424,6 +424,7 @@ func (k *MacKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([
chain = append(chain, cert)
}

//nolint:nilerr // return only the intermediates present in keychain
return chain, nil
}

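Review bot: The `//nolint:nilerr` added above `return chain, nil` silences the linter without narrowing which error is being discarded: if the loop above stops on any failure from `loadCertificate`, a keychain access error ends in the same partial chain returned as success, indistinguishable from a genuinely absent intermediate. Checking the error before suppressing it, e.g. `if err != nil && !errors.Is(err, <NOT_FOUND_SENTINEL>) { return nil, fmt.Errorf("mackms LoadCertificateChain failed: %w", apiv1Error(err)) }`, would let only the expected not-found condition yield the truncated chain, and the comment could then name that condition instead of the generic "return only the intermediates present in keychain". The loop and the `err` it leaves behind begin before this hunk, so the exact error flow is inferred from the visible lines only.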
