Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add missing signature algorithms for awskms #468

Merged
merged 1 commit into from Mar 27, 2024
Merged

Add missing signature algorithms for awskms #468

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
12 changes: 12 additions & 0 deletions kms/awskms/awskms.go
View file
Open in desktop
Expand Up @@ -46,6 +46,12 @@ var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
3072: types.KeySpecRsa3072,
4096: types.KeySpecRsa4096,
},
apiv1.SHA384WithRSA: map[int]types.KeySpec{
0: types.KeySpecRsa3072,
2048: types.KeySpecRsa2048,
3072: types.KeySpecRsa3072,
4096: types.KeySpecRsa4096,
},
apiv1.SHA512WithRSA: map[int]types.KeySpec{
0: types.KeySpecRsa3072,
2048: types.KeySpecRsa2048,
Expand All @@ -58,6 +64,12 @@ var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
3072: types.KeySpecRsa3072,
4096: types.KeySpecRsa4096,
},
apiv1.SHA384WithRSAPSS: map[int]types.KeySpec{
0: types.KeySpecRsa3072,
2048: types.KeySpecRsa2048,
3072: types.KeySpecRsa3072,
4096: types.KeySpecRsa4096,
},
apiv1.SHA512WithRSAPSS: map[int]types.KeySpec{
0: types.KeySpecRsa3072,
2048: types.KeySpecRsa2048,
Expand Down
8 changes: 8 additions & 0 deletions kms/awskms/awskms_test.go
View file
Open in desktop
Expand Up @@ -371,6 +371,10 @@ func Test_getCustomerMasterKeySpecMapping(t *testing.T) {
{"SHA256WithRSA+2048", args{apiv1.SHA256WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA256WithRSA+3072", args{apiv1.SHA256WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
{"SHA256WithRSA+4096", args{apiv1.SHA256WithRSA, 4096}, types.KeySpecRsa4096, assert.NoError},
{"SHA384WithRSA", args{apiv1.SHA384WithRSA, 0}, types.KeySpecRsa3072, assert.NoError},
{"SHA384WithRSA+2048", args{apiv1.SHA384WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA384WithRSA+3072", args{apiv1.SHA384WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
{"SHA384WithRSA+4096", args{apiv1.SHA384WithRSA, 4096}, types.KeySpecRsa4096, assert.NoError},
{"SHA512WithRSA", args{apiv1.SHA512WithRSA, 0}, types.KeySpecRsa3072, assert.NoError},
{"SHA512WithRSA+2048", args{apiv1.SHA512WithRSA, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA512WithRSA+3072", args{apiv1.SHA512WithRSA, 3072}, types.KeySpecRsa3072, assert.NoError},
Expand All @@ -379,6 +383,10 @@ func Test_getCustomerMasterKeySpecMapping(t *testing.T) {
{"SHA256WithRSAPSS+2048", args{apiv1.SHA256WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA256WithRSAPSS+3072", args{apiv1.SHA256WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},
{"SHA256WithRSAPSS+4096", args{apiv1.SHA256WithRSAPSS, 4096}, types.KeySpecRsa4096, assert.NoError},
{"SHA384WithRSAPSS", args{apiv1.SHA384WithRSAPSS, 0}, types.KeySpecRsa3072, assert.NoError},
{"SHA384WithRSAPSS+2048", args{apiv1.SHA384WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA384WithRSAPSS+3072", args{apiv1.SHA384WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},
{"SHA384WithRSAPSS+4096", args{apiv1.SHA384WithRSAPSS, 4096}, types.KeySpecRsa4096, assert.NoError},
{"SHA512WithRSAPSS", args{apiv1.SHA512WithRSAPSS, 0}, types.KeySpecRsa3072, assert.NoError},
{"SHA512WithRSAPSS+2048", args{apiv1.SHA512WithRSAPSS, 2048}, types.KeySpecRsa2048, assert.NoError},
{"SHA512WithRSAPSS+3072", args{apiv1.SHA512WithRSAPSS, 3072}, types.KeySpecRsa3072, assert.NoError},
Expand Down
3 changes: 2 additions & 1 deletion kms/mackms/mackms.go
View file
Open in desktop
Expand Up @@ -402,7 +402,7 @@ func (k *MacKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([

cert, err := loadCertificate(u.label, u.serialNumber, nil)
if err != nil {
return nil, fmt.Errorf("mackms LoadCertificateChain failed1: %w", apiv1Error(err))
return nil, fmt.Errorf("mackms LoadCertificateChain failed: %w", apiv1Error(err))
}

chain := []*x509.Certificate{cert}
Expand All @@ -424,6 +424,7 @@ func (k *MacKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([
chain = append(chain, cert)
}

//nolint:nilerr // return only the intermediates present in keychain
return chain, nil
}

Expand Down