Issue on importing transit ecdsa-p256 private key

Hello,
I have an issue when trying to import ecdsa-p256 private key to Vault transit.

I’m testing it with a Vault server running locally and transit enabled:

vault server -dev -dev-root-token-id root
vault secrets enable transit

My vault version is Vault v1.13.0 (a4cf0dc4437de35fce4860857b64569d092a9b5a), built 2023-03-01T14:58:13Z

Steps to reproduce:

openssl ecparam -genkey -name secp256r1 -out private_key.pem
openssl ec -in private_key.pem -outform DER -out private_key.der
base64 -i private_key.der > private_key.base64
vault transit import transit/keys/test-key-imported @private_key.base64 type=ecdsa-p256

I get the following output:

Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
failed to call import:Error making API request.

URL: PUT http://127.0.0.1:8200/v1/transit/keys/test-key-imported/import
Code: 500. Errors:

* 1 error occurred:
	* error importing key: error parsing asymmetric key: x509: failed to parse private key (use ParseECPrivateKey instead for this key format)

I would expect the key to be successfully imported.
Looking at the error description, it looks like Vault is wrongly calling x509.ParsePKCS8PrivateKey(key) instead of x509.ParseECPrivateKey(key) for this key type (https://github.com/hashicorp/vault/blob/6bb1f6a9046a0dc1d301cf2d2a8191bbe81fe4c8/sdk/helper/keysutil/policy.go#L1463)

Or is it me doing something wrong?

When wrapping an asymmetric key (such as a RSA or ECDSA key), wrap the PKCS8 encoded format of this key, in raw DER/binary form. Do not apply PEM encoding to this blob prior to encryption and do not base64 encode it.

Source: Transit - Secrets Engines | Vault | HashiCorp Developer

@macmiranda thank you. I’ve seen the sentence but I got confused about what PKCS8 format actually is. It’s all working for me now:

$ openssl ecparam -genkey -name secp256r1 -out private_key.pem
using curve name prime256v1 instead of secp256r1
$ openssl pkcs8 -topk8 -inform PEM -outform DER -in private_key.pem -out private_key.pkcs8 -nocrypt
$ base64 -i private_key.pkcs8 > private_key.base64
$ vault transit import transit/keys/test-key-imported @private_key.base64 type=ecdsa-p256
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to Vault transit.
Success!
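As an added example (not from this thread and not Vault's own code): a small Go program that normalises an EC private key into the PKCS#8 DER that transit import expects. It first tries the same x509.ParsePKCS8PrivateKey call Vault makes for type=ecdsa-p256, then falls back to x509.ParseECPrivateKey for the SEC1 "EC PRIVATE KEY" layout that `openssl ec -outform DER` writes, and re-encodes as PKCS#8. The sample key is generated inside the program, and ToPKCS8DER is a name chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// ToPKCS8DER takes an EC private key as raw DER (PKCS#8 or SEC1) or as PEM
// and returns the PKCS#8 DER bytes that `vault transit import` expects.
func ToPKCS8DER(in []byte) ([]byte, error) {
	der := in
	if block, _ := pem.Decode(in); block != nil {
		der = block.Bytes // strip PEM armour; the import needs raw DER
	}
	// Already PKCS#8? This is the parse Vault performs for type=ecdsa-p256.
	if _, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		return der, nil
	}
	// Otherwise try the SEC1 layout produced by `openssl ec -outform DER`,
	// which is exactly the input that triggered the error in the thread.
	key, err := x509.ParseECPrivateKey(der)
	if err != nil {
		return nil, fmt.Errorf("not a PKCS#8 or SEC1 EC private key: %w", err)
	}
	if key.Curve != elliptic.P256() {
		return nil, errors.New("curve is not P-256; type=ecdsa-p256 requires it")
	}
	return x509.MarshalPKCS8PrivateKey(key)
}

func main() {
	// Constructed sample: a fresh P-256 key in SEC1 form, the same shape
	// `openssl ec -outform DER` produces.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sec1, _ := x509.MarshalECPrivateKey(key)
	pkcs8, err := ToPKCS8DER(sec1)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SEC1 %d bytes -> PKCS#8 %d bytes; base64 for transit import:\n%s\n",
		len(sec1), len(pkcs8), base64.StdEncoding.EncodeToString(pkcs8))
}
```

Feeding the printed base64 to `vault transit import ... type=ecdsa-p256` is equivalent to the `openssl pkcs8 -topk8 -nocrypt` step in the working sequence above.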