diff --git a/crypto/storage/vault/vault.go b/crypto/storage/vault/vault.go
index 62555de58..4dc0909e4 100644
--- a/crypto/storage/vault/vault.go
+++ b/crypto/storage/vault/vault.go
@@ -34,6 +34,7 @@ import (
 const privateKeyPathName = "nuts-private-keys"
 const defaultPathPrefix = "kv"
+const vaultSecretkeyName = "key"
 // StorageType is the name of this storage type, used in health check reports and configuration.
 const StorageType = "vaultkv"
@@ -102,8 +103,8 @@ func NewVaultKVStorage(config Config) (spi.Storage, error) {
 return vaultStorage, nil
 }
-func (v vaultKVStorage) NewPrivateKey(ctx context.Context, keyName string) (crypto.PublicKey, string, error) {
- return spi.GenerateAndStore(ctx, v, keyName)
+func (v vaultKVStorage) NewPrivateKey(ctx context.Context, keyPath string) (crypto.PublicKey, string, error) {
+ return spi.GenerateAndStore(ctx, v, keyPath)
 }
 func configureVaultClient(cfg Config) (*vault.Client, error) {
@@ -142,7 +143,7 @@ func (v vaultKVStorage) checkConnection() error {
 func (v vaultKVStorage) GetPrivateKey(ctx context.Context, keyName string, _ string) (crypto.Signer, error) {
 path := privateKeyPath(v.config.PathPrefix, keyName)
- value, err := v.getValue(ctx, path, keyName)
+ value, err := v.getValue(ctx, path, vaultSecretkeyName)
 if err != nil {
 return nil, err
 }
@@ -181,7 +182,7 @@ func (v vaultKVStorage) storeValue(ctx context.Context, path, key string, value
 func (v vaultKVStorage) PrivateKeyExists(ctx context.Context, keyName string, _ string) (bool, error) {
 path := privateKeyPath(v.config.PathPrefix, keyName)
- _, err := v.getValue(ctx, path, keyName)
+ _, err := v.getValue(ctx, path, vaultSecretkeyName)
 if errors.Is(err, spi.ErrNotFound) {
 return false, nil
 }
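Review bot: The new constant `vaultSecretkeyName` has no comment, yet it fixes the layout of every secret this storage writes and reads (the test at the bottom of the page shows the PEM stored under that field name), so its meaning should be stated next to it; suggest `// vaultSecretkeyName is the field name within each Vault KV secret under which the PEM-encoded private key is stored; the secret's path comes from privateKeyPath.` Style: Go initialism casing would be `vaultSecretKeyName`, matching `privateKeyPathName` two lines above.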
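Review bot: The rename to `keyPath` in NewPrivateKey (and in SavePrivateKey further down) leaves the same argument named `keyName` in GetPrivateKey and PrivateKeyExists and `kid` in DeletePrivateKey, so the file now uses three names for the one value that privateKeyPath turns into a secret path. Pick one — `keyName` already matches the helper call `privateKeyPath(v.config.PathPrefix, keyName)` — and apply it across the vaultKVStorage methods. A one-line comment on NewPrivateKey saying that the value is joined with the configured path prefix by privateKeyPath would remove the remaining ambiguity about whether a full path or a bare name is expected.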
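Review bot: After this change GetPrivateKey reads only the `key` field, while the removed line shows that v6.0.0/v6.0.1 deployments wrote the PEM under a field named after keyName; unless a migration ships outside this diff, those secrets now read as missing (the exact error depends on getValue, which is outside the hunk). PrivateKeyExists at the `@@ -181` hunk has the same gap and would answer false for such keys, which is the condition under which a caller may silently generate a replacement key under an existing name. A fallback read of the legacy field keeps those keys reachable without changing the new write layout; the same fallback belongs in PrivateKeyExists.
```go
	value, err := v.getValue(ctx, path, vaultSecretkeyName)
	if errors.Is(err, spi.ErrNotFound) {
		// Secrets written by v6.0.0–v6.0.1 stored the PEM under the key name itself.
		value, err = v.getValue(ctx, path, keyName)
	}
	// … unchanged: error return and PEM decoding …
```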
@@ -224,14 +225,14 @@ func privateKeyListPath(prefix string) string {
 return filepath.Clean(path)
 }
-func (v vaultKVStorage) SavePrivateKey(ctx context.Context, keyName string, key crypto.PrivateKey) error {
- path := privateKeyPath(v.config.PathPrefix, keyName)
+func (v vaultKVStorage) SavePrivateKey(ctx context.Context, keyPath string, key crypto.PrivateKey) error {
+ path := privateKeyPath(v.config.PathPrefix, keyPath)
 pem, err := util.PrivateKeyToPem(key)
 if err != nil {
 return fmt.Errorf("unable to convert private key to pem format: %w", err)
 }
- return v.storeValue(ctx, path, keyName, pem)
+ return v.storeValue(ctx, path, vaultSecretkeyName, pem)
 }
 func (v vaultKVStorage) DeletePrivateKey(ctx context.Context, kid string) error {
diff --git a/crypto/storage/vault/vault_test.go b/crypto/storage/vault/vault_test.go
index a631c4bd6..cf7db0ea9 100644
--- a/crypto/storage/vault/vault_test.go
+++ b/crypto/storage/vault/vault_test.go
@@ -26,6 +26,7 @@ import (
 "errors"
 vault "github.com/hashicorp/vault/api"
 "github.com/nuts-foundation/nuts-node/core"
+ "github.com/nuts-foundation/nuts-node/crypto/util"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 "net/http"
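Review bot: SavePrivateKey carries no comment describing the layout it now writes, and that layout is the contract the GetPrivateKey and PrivateKeyExists fixes above depend on; suggest `// SavePrivateKey stores key PEM-encoded in the Vault KV secret at privateKeyPath(v.config.PathPrefix, keyPath), under the vaultSecretkeyName field.` If the write replaces any existing secret at that path (storeValue is outside the hunk, so I cannot tell), the comment should say so, since overwriting a private key in place is the kind of side effect a caller needs to know about. The vault_test.go import hunk in this span is trivial and needs no change.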
@@ -103,6 +104,17 @@ func TestVaultKVStorage(t *testing.T) {
 assert.Equal(t, privateKey, result, "expected retrieved key to equal original")
 })
+ t.Run("get", func(t *testing.T) {
+ pem, _ := util.PrivateKeyToPem(privateKey)
+ vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {vaultSecretkeyName: pem}}}}
+
+ signer, err := vaultStorage.GetPrivateKey(ctx, keyName, version)
+
+ require.NoError(t, err)
+ pem2, _ := util.PrivateKeyToPem(signer)
+ assert.Equal(t, pem, pem2)
+ })
+
 t.Run("delete", func(t *testing.T) {
 t.Run("ok", func(t *testing.T) {
 vaultStorage := vaultKVStorage{client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {}}}}
@@ -171,7 +183,7 @@ func TestVaultKVStorage(t *testing.T) {
 })
 t.Run("error - encoding issues", func(t *testing.T) {
- vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {keyName: []byte("foo")}}}}
+ vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {vaultSecretkeyName: []byte("foo")}}}}
 t.Run("SavePrivateKey", func(t *testing.T) {
 err := vaultStorage.SavePrivateKey(ctx, keyName, "123")
diff --git a/docs/pages/release_notes.rst b/docs/pages/release_notes.rst
index fe5b658d8..81195b94d 100644
--- a/docs/pages/release_notes.rst
+++ b/docs/pages/release_notes.rst
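Review bot: In the new `get` subtest both `util.PrivateKeyToPem` errors are discarded (`pem, _ :=` and `pem2, _ :=`), so an encoding failure would show up as a mismatch between two empty values, or pass outright if both calls fail the same way, which makes the one test that guards the restored read path weaker than it looks. Use the test's own helper: `pem, err := util.PrivateKeyToPem(privateKey)` followed by `require.NoError(t, err)`, and the same pair for `pem2`. The `error - encoding issues` hunk below only renames the map field and needs no change.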
@@ -2,6 +2,18 @@ Release notes
 #############
+***************
+Peanut (v6.0.2)
+***************
+
+Release date: 2024-11-14
+
+- `#3556 `_: fix private key path when using native Hashicorp Vault integration,
+ broken since v6.0.0 (pre-v6.0.0 keys couldn't be found, post-v6.0.0 keys have an incorrect name).
+- Update `github.com/golang-jwt/jwt/v4` to v4.5.1 to address vulnerability `GO-2024-3250 `_.
+
+**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v6.0.1...v6.0.2
+
 ***************
 Peanut (v6.0.1)
 ***************