Transit RSA example
611 views
Skip to first unread message
David Dawson
Feb 16, 2018, 7:43:03 AM2/16/18
to Vault
Hallo. I'm doing a little work with Vault transit and wondered if there was an example of something I'm sure has been done many times before.
I have generated an RSA_2048 key in transit, extracted the pubkey.
I then want to encrypt something externally using this and have it decrypted by Vault (it'll actually be a 1 time AES key sent to us with a message).
I've been trying a few examples this morning and I'm struggling to get something running cleanly. I was wondering if there's an example of this anywhere that anyone knows of?
Specifically using nodejs to do the encryption using the pubkey and then for vault transit to decrypt for m. I've not managed to get the correct match of node rsa lib/ params/ padding etc to work and the errors coming out of Vault are opaque. Specifically, I'm looking for how to format the message, what params on the encrypt and how to pass to vault.
If this is documented elsewhere that I haven't found, please feel free to direct me to RTFM, but I'd appreciate a link with that if possible! :-)
Best,
David
I have generated an RSA_2048 key in transit, extracted the pubkey.
I then want to encrypt something externally using this and have it decrypted by Vault (it'll actually be a 1 time AES key sent to us with a message).
I've been trying a few examples this morning and I'm struggling to get something running cleanly. I was wondering if there's an example of this anywhere that anyone knows of?
Specifically using nodejs to do the encryption using the pubkey and then for vault transit to decrypt for m. I've not managed to get the correct match of node rsa lib/ params/ padding etc to work and the errors coming out of Vault are opaque. Specifically, I'm looking for how to format the message, what params on the encrypt and how to pass to vault.
If this is documented elsewhere that I haven't found, please feel free to direct me to RTFM, but I'd appreciate a link with that if possible! :-)
Best,
David
Jeff Mitchell
Feb 16, 2018, 9:11:21 AM2/16/18
to Vault
Hi David,
The "how" of it ends up being pretty language/library specific, but the specifics are that Vault uses RSA-OAEP with SHA256 as the hash function. You can see an example of it being done with openssl at https://groups.google.com/d/msg/vault-tool/Kl3Bph7uueQ/t3f_3OotBQAJ
As for format, Vautl expects "vault:vX:<base64-encoded ciphertext>" where X is the key version.
Hopefully that's enough pointers to figure it out!
Best,
Jeff
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/e794f4fa-040f-4f49-84ad-ca5ea8e67956%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
David Dawson
Feb 17, 2018, 6:17:38 AM2/17/18
to Vault
Odd, I replied to this via email, not appearing here. I've got an issue with google groups I think! Here's what I said
Node forge does expose the hash function option properly, and so does work.
Not
sure if this needs more clearly documenting, or perhaps something you
can set on the generated key? Since so many libs don't seem to be able
to alter this option, at least not easily, and use different defaults to
Vault.
Thanks. I did go through the transit code and found most
of that, but I missed the MD/ hash bit, which was the problem in the
end, thanks for pointing it out, that did put me on the right track.
I've
tried every nodejs crypto library under the sun, and none of them let
me set the hash function appropriately, apart from node-forge. They seem
to be defaulting SHA1 or SHA512 (not sure really), either way, they
don't work with any setting I've been able to concoct.var forge = require("node-forge")
var rsa3key = `-----BEGIN PUBLIC KEY-----
blah blah
-----END PUBLIC KEY-----`
var rsa = forge.pki.rsa;
var publicKey = forge.pki.publicKeyFromPem(rsa3key)
var enc = publicKey.encrypt(Buffer.from("HELLO WORLD"), 'RSA-OAEP', {
md: forge.md.sha256.create()
});
var encoded = forge.util.encode64(enc)
console.log(`vault:v1:${encoded}`)
On Friday, 16 February 2018 14:11:21 UTC, Jeff Mitchell wrote:
Hi David,The "how" of it ends up being pretty language/library specific, but the specifics are that Vault uses RSA-OAEP with SHA256 as the hash function. You can see an example of it being done with openssl at https://groups.google.com/d/msg/vault-tool/Kl3Bph7uueQ/t3f_3OotBQAJAs for format, Vautl expects "vault:vX:<base64-encoded ciphertext>" where X is the key version.Hopefully that's enough pointers to figure it out!Best,Jeff
On Fri, Feb 16, 2018 at 7:43 AM, David Dawson <m...@daviddawson.me> wrote:
Hallo. I'm doing a little work with Vault transit and wondered if there was an example of something I'm sure has been done many times before.
I have generated an RSA_2048 key in transit, extracted the pubkey.
I then want to encrypt something externally using this and have it decrypted by Vault (it'll actually be a 1 time AES key sent to us with a message).
I've been trying a few examples this morning and I'm struggling to get something running cleanly. I was wondering if there's an example of this anywhere that anyone knows of?
Specifically using nodejs to do the encryption using the pubkey and then for vault transit to decrypt for m. I've not managed to get the correct match of node rsa lib/ params/ padding etc to work and the errors coming out of Vault are opaque. Specifically, I'm looking for how to format the message, what params on the encrypt and how to pass to vault.
If this is documented elsewhere that I haven't found, please feel free to direct me to RTFM, but I'd appreciate a link with that if possible! :-)
Best,
David
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
Jeff Mitchell
Feb 17, 2018, 10:29:04 AM2/17/18
to Vault
Hi David,
More documentation is always good (if you have suggestions feel free to send a PR!) but I'd also recommend filing issues against the authors of those other libraries. It's a strange omission, considering how widely-used SHA256 is, to support only SHA1 and SHA512 and sometimes it's purely a lack of feedback/user demand that prevents it from being implemented.
Best,
Jeff
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/6c910cbd-baa5-4ac6-a99a-49bbbce0f040%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages