hashicorp
diff --git a/‎builtin/logical/pki/ca_util.go‎
Lines changed: 11 additions & 2 deletions b/‎builtin/logical/pki/ca_util.go‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎builtin/logical/pki/issuing/issue_common.go‎
Lines changed: 7 additions & 0 deletions b/‎builtin/logical/pki/issuing/issue_common.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎builtin/logical/pki/issuing/sign_cert.go‎
Lines changed: 14 additions & 5 deletions b/‎builtin/logical/pki/issuing/sign_cert.go‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎builtin/logical/pki/path_intermediate.go‎
Lines changed: 1 addition & 1 deletion b/‎builtin/logical/pki/path_intermediate.go‎
Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ import (
 	"golang.org/x/crypto/ed25519"
 )
 
-func getGenerationParams(sc *storageContext, data *framework.FieldData) (exported bool, format string, role *issuing.RoleEntry, errorResp *logical.Response) {
+func getGenerationParams(sc *storageContext, data *framework.FieldData, isRoot bool) (exported bool, format string, role *issuing.RoleEntry, errorResp *logical.Response) {
 	exportedStr := data.Get("exported").(string)
 	switch exportedStr {
 	case "exported":
@@ -76,7 +76,16 @@ func getGenerationParams(sc *storageContext, data *framework.FieldData) (exporte
 	}
 	*role.AllowWildcardCertificates = true
 
-	if role.KeyBits, role.SignatureBits, err = certutil.ValidateDefaultOrValueKeyTypeSignatureLength(role.KeyType, role.KeyBits, role.SignatureBits); err != nil {
+	if role.KeyBits, err = certutil.ValidateDefaultOrValueKeyType(role.KeyType, role.KeyBits); err != nil {
+		errorResp = logical.ErrorResponse(err.Error())
+	}
+
+	signingKeyType := "any"
+	if isRoot {
+		signingKeyType = role.KeyType
+	}
+
+	if role.SignatureBits, err = certutil.ValidateDefaultOrValueHashBits(signingKeyType, role.SignatureBits); err != nil {
 		errorResp = logical.ErrorResponse(err.Error())
 	}
 
 
@@ -442,6 +442,13 @@ func GenerateCreationBundle(b logical.SystemView, role *RoleEntry, entityInfo En
 		CSR:           csr,
 	}
 
+	// Make Sure Signature Bits are Correct for EC (or ECDSA) Keys
+	// It's not possible to do later during the signing process because
+	// signingKeyType := role.KeyType // if root
+	// if caSign != nil {
+	// 	signingKeyType = caSign.ParsedCertBundle.Certificate.PublicKeyAlgorithm.String()
+	// }
+
 	// Don't deal with URLs or max path length if it's self-signed, as these
 	// normally come from the signing bundle
 	if caSign == nil {
 
@@ -10,6 +10,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"net"
+	"strings"
 
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
@@ -253,12 +254,12 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi
 		return nil, nil, errutil.InternalError{Err: fmt.Sprintf("unsupported key type Value: %s", role.KeyType)}
 	}
 
-	// Before validating key lengths, update our KeyBits/SignatureBits based
+	// Before validating key lengths, update our KeyBits based
 	// on the actual CSR key type.
 	if role.KeyType == "any" {
-		// We update the Value of KeyBits and SignatureBits here (from the
+		// We update the Value of KeyBits here (from the
 		// role), using the specified key type. This allows us to convert
-		// the default Value (0) for SignatureBits and KeyBits to a
+		// the default Value (0) for KeyBits to a
 		// meaningful Value.
 		//
 		// We ignore the role's original KeyBits Value if the KeyType is any
@@ -268,8 +269,8 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi
 		// docs saying when key_type=any, we only enforce our specified minimums
 		// for signing operations
 		var err error
-		if role.KeyBits, role.SignatureBits, err = certutil.ValidateDefaultOrValueKeyTypeSignatureLength(
-			actualKeyType, 0, role.SignatureBits); err != nil {
+		if role.KeyBits, err = certutil.ValidateDefaultOrValueKeyType(
+			actualKeyType, 0); err != nil {
 			return nil, nil, errutil.InternalError{Err: fmt.Sprintf("unknown internal error updating default values: %v", err)}
 		}
 
@@ -282,6 +283,14 @@ func SignCert(b logical.SystemView, role *RoleEntry, entityInfo EntityInfo, caSi
 		}
 	}
 
+	// We fetch the key type from the certificate because the caSign.KeyType might be ManagedKeyType which isn't an
+	// algorithm, this is awkward because of upper-lower case differences
+	underlayingCaKeyType := strings.ToLower(caSign.Certificate.PublicKeyAlgorithm.String())
+	role.SignatureBits, err = certutil.ValidateDefaultOrValueHashBits(underlayingCaKeyType, role.SignatureBits)
+	if err != nil {
+		return nil, nil, errutil.InternalError{Err: fmt.Sprintf("unknown internal error updating default signature length value: %v", err)}
+	}
+
 	// At this point, role.KeyBits and role.SignatureBits should both
 	// be non-zero, for RSA and ECDSA keys. Validate the actualKeyBits based on
 	// the role's values. If the KeyType was any, and KeyBits was set to 0,
 
@@ -122,7 +122,7 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 	data.Raw["use_pss"] = false
 
 	sc := b.makeStorageContext(ctx, req.Storage)
-	exported, format, role, errorResp := getGenerationParams(sc, data)
+	exported, format, role, errorResp := getGenerationParams(sc, data, false)
 	if errorResp != nil {
 		return errorResp, nil
 	}
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ func (b backend) pathGenerateIntermediate(ctx context.Context, req logical.Req`
`122`	`122`	`data.Raw["use_pss"] = false`
`123`	`123`
`124`	`124`	`sc := b.makeStorageContext(ctx, req.Storage)`
`125`		`- exported, format, role, errorResp := getGenerationParams(sc, data)`
	`125`	`+ exported, format, role, errorResp := getGenerationParams(sc, data, false)`
`126`	`126`	`if errorResp != nil {`
`127`	`127`	`return errorResp, nil`
`128`	`128`	`}`