fix vault key path/key (#3558)

Author: woutslakhorst

crypto/storage/vault/vault.go

@@ -34,6 +34,7 @@ import (
 
 const privateKeyPathName = "nuts-private-keys"
 const defaultPathPrefix = "kv"
+const vaultSecretkeyName = "key"
 
 // StorageType is the name of this storage type, used in health check reports and configuration.
 const StorageType = "vaultkv"
@@ -102,8 +103,8 @@ func NewVaultKVStorage(config Config) (spi.Storage, error) {
 	return vaultStorage, nil
 }
 
-func (v vaultKVStorage) NewPrivateKey(ctx context.Context, keyName string) (crypto.PublicKey, string, error) {
-	return spi.GenerateAndStore(ctx, v, keyName)
+func (v vaultKVStorage) NewPrivateKey(ctx context.Context, keyPath string) (crypto.PublicKey, string, error) {
+	return spi.GenerateAndStore(ctx, v, keyPath)
 }
 
 func configureVaultClient(cfg Config) (*vault.Client, error) {
@@ -142,7 +143,7 @@ func (v vaultKVStorage) checkConnection() error {
 
 func (v vaultKVStorage) GetPrivateKey(ctx context.Context, keyName string, _ string) (crypto.Signer, error) {
 	path := privateKeyPath(v.config.PathPrefix, keyName)
-	value, err := v.getValue(ctx, path, keyName)
+	value, err := v.getValue(ctx, path, vaultSecretkeyName)
 	if err != nil {
 		return nil, err
 	}
@@ -181,7 +182,7 @@ func (v vaultKVStorage) storeValue(ctx context.Context, path, key string, value
 
 func (v vaultKVStorage) PrivateKeyExists(ctx context.Context, keyName string, _ string) (bool, error) {
 	path := privateKeyPath(v.config.PathPrefix, keyName)
-	_, err := v.getValue(ctx, path, keyName)
+	_, err := v.getValue(ctx, path, vaultSecretkeyName)
 	if errors.Is(err, spi.ErrNotFound) {
 		return false, nil
 	}
@@ -224,14 +225,14 @@ func privateKeyListPath(prefix string) string {
 	return filepath.Clean(path)
 }
 
-func (v vaultKVStorage) SavePrivateKey(ctx context.Context, keyName string, key crypto.PrivateKey) error {
-	path := privateKeyPath(v.config.PathPrefix, keyName)
+func (v vaultKVStorage) SavePrivateKey(ctx context.Context, keyPath string, key crypto.PrivateKey) error {
+	path := privateKeyPath(v.config.PathPrefix, keyPath)
 	pem, err := util.PrivateKeyToPem(key)
 	if err != nil {
 		return fmt.Errorf("unable to convert private key to pem format: %w", err)
 	}
 
-	return v.storeValue(ctx, path, keyName, pem)
+	return v.storeValue(ctx, path, vaultSecretkeyName, pem)
 }
 
 func (v vaultKVStorage) DeletePrivateKey(ctx context.Context, kid string) error {

crypto/storage/vault/vault_test.go

@@ -26,6 +26,7 @@ import (
 	"errors"
 	vault "github.com/hashicorp/vault/api"
 	"github.com/nuts-foundation/nuts-node/core"
+	"github.com/nuts-foundation/nuts-node/crypto/util"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"net/http"
@@ -103,6 +104,17 @@ func TestVaultKVStorage(t *testing.T) {
 		assert.Equal(t, privateKey, result, "expected retrieved key to equal original")
 	})
 
+	t.Run("get", func(t *testing.T) {
+		pem, _ := util.PrivateKeyToPem(privateKey)
+		vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {vaultSecretkeyName: pem}}}}
+
+		signer, err := vaultStorage.GetPrivateKey(ctx, keyName, version)
+
+		require.NoError(t, err)
+		pem2, _ := util.PrivateKeyToPem(signer)
+		assert.Equal(t, pem, pem2)
+	})
+
 	t.Run("delete", func(t *testing.T) {
 		t.Run("ok", func(t *testing.T) {
 			vaultStorage := vaultKVStorage{client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {}}}}
@@ -171,7 +183,7 @@ func TestVaultKVStorage(t *testing.T) {
 	})
 
 	t.Run("error - encoding issues", func(t *testing.T) {
-		vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {keyName: []byte("foo")}}}}
+		vaultStorage := vaultKVStorage{config: DefaultConfig(), client: mockVaultClient{store: map[string]map[string]interface{}{"kv/nuts-private-keys/did:nuts:123#abc": {vaultSecretkeyName: []byte("foo")}}}}
 
 		t.Run("SavePrivateKey", func(t *testing.T) {
 			err := vaultStorage.SavePrivateKey(ctx, keyName, "123")

docs/pages/release_notes.rst

@@ -2,6 +2,18 @@
 Release notes
 #############
 
+***************
+Peanut (v6.0.2)
+***************
+
+Release date: 2024-11-14
+
+- `#3556 <https://github.com/nuts-foundation/nuts-node/issues/3556>`_: fix private key path when using native Hashicorp Vault integration,
+  broken since v6.0.0 (pre-v6.0.0 keys couldn't be found, post-v6.0.0 keys have an incorrect name).
+- Update `github.com/golang-jwt/jwt/v4` to v4.5.1 to address vulnerability `GO-2024-3250 <https://pkg.go.dev/vuln/GO-2024-3250>`_.
+
+**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v6.0.1...v6.0.2
+
 ***************
 Peanut (v6.0.1)
 ***************