Hello,
I have an issue when trying to import an ecdsa-p256 private key into Vault transit.
I'm testing it with a vault server running locally and transit enabled:
vault server -dev -dev-root-token-id root
vault secrets enable transit
My vault version is Vault v1.13.0 (a4cf0dc4437de35fce4860857b64569d092a9b5a), built 2023-03-01T14:58:13Z
Steps to reproduce:
openssl ecparam -genkey -name secp256r1 -out private_key.pem
openssl ec -in private_key.pem -outform DER -out private_key.der
base64 -i private_key.der > private_key.base64
vault transit import transit/keys/test-key-imported @private_key.base64 type=ecdsa-p256
I get the following output:
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
failed to call import:Error making API request.
URL: PUT http://127.0.0.1:8200/v1/transit/keys/test-key-imported/import
Code: 500. Errors:
* 1 error occurred:
* error importing key: error parsing asymmetric key: x509: failed to parse private key (use ParseECPrivateKey instead for this key format)
I would expect the key to be successfully imported.
Looking at the error description, it looks like Vault is wrongly calling x509.ParsePKCS8PrivateKey(key)
instead of x509.ParseECPrivateKey(key) for this type (https://github.com/hashicorp/vault/blob/6bb1f6a9046a0dc1d301cf2d2a8191bbe81fe4c8/sdk/helper/keysutil/policy.go#L1463).
Or is it me doing something wrong?
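To make the format mismatch behind that error message concrete, here is an added Go example (not from the issue or from Vault's code; the function names are mine). It shows that x509.ParsePKCS8PrivateKey rejects SEC1/RFC 5915 DER, which is what `openssl ec -outform DER` writes, and accepts the same key once re-encoded as PKCS#8, which is what `openssl pkcs8 -topk8 -nocrypt` produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// newSEC1 generates a P-256 key and returns it as SEC1 DER (RFC 5915), the
// encoding `openssl ec -outform DER` writes.
func newSEC1() ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.MarshalECPrivateKey(priv)
}

// parseAsPKCS8 mirrors the call named in the error: PKCS#8 DER only, so SEC1 input fails.
func parseAsPKCS8(der []byte) (*ecdsa.PrivateKey, error) {
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("not an ECDSA key: %T", key)
	}
	return ec, nil
}

// sec1ToPKCS8 does in Go what `openssl pkcs8 -topk8 -nocrypt` does on the
// command line: decode the SEC1 structure and re-encode the key as PKCS#8.
func sec1ToPKCS8(sec1 []byte) ([]byte, error) {
	priv, err := x509.ParseECPrivateKey(sec1)
	if err != nil {
		return nil, err
	}
	return x509.MarshalPKCS8PrivateKey(priv)
}

func main() {
	sec1, _ := newSEC1()
	_, errSEC1 := parseAsPKCS8(sec1)
	conv, _ := sec1ToPKCS8(sec1)
	_, errConv := parseAsPKCS8(conv)
	fmt.Printf("SEC1 DER: %v\nconverted to PKCS#8: %v\n", errSEC1, errConv)
}
```

Running it prints Go's "use ParseECPrivateKey instead for this key format" error for the SEC1 blob and `<nil>` for the converted one.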